Over the past several weeks, news of a security breach at LastPass has gone from bad, to worse, to terrible.
LastPass develops a popular password manager app by the same name. News outlet BleepingComputer became aware in August 2022 that LastPass had suffered a security breach. Subsequent updates from LastPass have revealed new information as the company’s investigation of the breach has continued.
Following is a timeline of events, and everything we know so far about the LastPass security breach. We’ll also discuss how this impacts existing LastPass users, and whether it’s still safe to use LastPass.
A tech news site, BleepingComputer, learned from “insiders” in mid-August 2022 that LastPass, a prominent password management company, had allegedly been breached. BleepingComputer contacted LastPass on August 21 but received no response.
On August 25, LastPass released its initial statement about the breach on the company’s blog. LastPass claimed that the breach was limited to their development environment, and that no customer information or users’ password vault data had been compromised. However, the company said that it had “engaged a leading cybersecurity and forensics firm,” and its investigation was ongoing.
Just over two months later, and about a week after the U.S. Thanksgiving holiday, LastPass released an updated statement about the breach on November 30. LastPass claimed that the company “recently detected unusual activity within a third-party cloud storage service” shared by LastPass and its affiliate GoTo. The company “engaged Mandiant, a leading security firm, and alerted law enforcement.” This order of events seems to suggest that by “recently detected,” LastPass was referring to the “unusual activity” that took place back in August. LastPass further stated that “certain elements of our customers’ information” had been accessed by an unauthorized party.
Three weeks and a day after that, LastPass released yet another updated statement on December 22. This is where things start to get much more interesting.
Allegedly, the “source code and technical information” that an attacker had accessed in their development environment were “used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”
At this point, LastPass admitted that the “certain elements” of customer information, to which the company had alluded in November, included “customer account information and related metadata” such as:
Such a customer data breach is pretty significant. This information could easily be used by an attacker to phish LastPass users and trick them into revealing their data vault password.
But the loss of customers’ personally identifiable information wasn’t necessarily the most troubling problem.
“The threat actor was also able to copy a backup of customer vault data,” LastPass continued. In the company’s proprietary data format, vault data includes “both unencrypted data, such as website URLs,” and encrypted fields, “such as website usernames and passwords, secure notes, and form-filled data.”
So the attacker can not only easily phish victims for their LastPass vault password, but they can also see every site for which the victim has stored a password, and phish victims for those individual site usernames and passwords as well.
Wladimir Palant, a security researcher best known as the original developer of Adblock Plus, has also developed a free password manager of his own: PfP: Pain-free Passwords. Palant had a lot to say about LastPass’s statements, alleging that they were “full of omissions, half-truths and outright lies.” He goes into a lot of technical detail that we won’t repeat here. But one interesting observation is that LastPass’s implementation of a password-strengthening algorithm is no longer considered strong by OWASP standards (and hasn’t been since mid-March 2021, I discovered; this seems to be based on FIPS 140-3, U.S. government standards last updated in March 2019).
But worse yet, many LastPass users’ vaults are still using horribly outdated implementations. To give a sense of scale without getting too technical, 310,000 hashing iterations is the current standard; newly created LastPass vaults since sometime in 2018 have used 100,100 iterations; but Palant learned that 5,000 and even 500 iterations are used by old LastPass vaults that were never upgraded since 2018. Palant is even aware of “one confirmed case” of a vault using only 1 single iteration.
In other words, many longtime LastPass users’ vaults could easily have been cracked by now.
That sentiment is shared by another LastPass competitor, 1Password (which admits that it still uses 100,000 hashing iterations, negligibly fewer than LastPass). In a blog post on December 26, 1Password alleged that only $100 or less of rented computing power would be sufficient to crack the master password of many LastPass vaults that use 100,100 iterations. (1Password offered reasons why it believed its password manager was nevertheless safer than LastPass.)
Update: On this week’s Security Now podcast, host Steve Gibson had similar thoughts to those shared by LastPass’s competitors. First, Gibson said that “many listeners” had reported that their vaults used only 1 single hashing iteration—which confirms one of Palant’s claims. Second, Gibson had thoughts similar to 1Password’s allegations about cracking LastPass vault passwords, although Gibson’s focus was on the speed of cracking using personally owned equipment, rather than the cost of renting servers. Gibson posited that a threat actor could “crack a 100,100 iteration PBKDF2-protected password” with a strong password in roughly 71 days, using what he believed to be a plausible cracking rig. Given that same scenario, that same strong password could be cracked in about 62 seconds, for those whose LastPass vaults used only 1 hashing iteration. (You can watch or listen to the episode, or see pages 5–6 of his show notes PDF.)
This is a far cry from the “millions of years” that LastPass’s blog post claims it would take to break into a LastPass vault.
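The figures above all follow from one property of PBKDF2: its cost grows linearly with the iteration count, so on the same hardware and for the same password, an attacker’s time-to-crack scales in direct proportion. The following script is an added illustration (not code from LastPass, Intego or any of the researchers quoted); the master password, salt, key length and SHA-256 choice are assumptions for demonstration, and the scaling function reproduces the 71-days-versus-62-seconds comparison from the article.

```python
import hashlib
import time

# Iteration counts discussed in the article: the OWASP figure, LastPass's post-2018
# default, and the legacy values Palant and Gibson reported (constructed list).
RECOMMENDED_ITERATIONS = 310_000
ITERATION_COUNTS = [1, 500, 5_000, 100_100, RECOMMENDED_ITERATIONS]

# Gibson's estimate: ~71 days for a strong password at 100,100 iterations.
GIBSON_SECONDS = 71 * 86_400
GIBSON_ITERATIONS = 100_100


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Key stretching with PBKDF2-HMAC-SHA256 (assumed parameters, not LastPass's exact ones)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def scale_crack_time(known_seconds: float, known_iterations: int, target_iterations: int) -> float:
    """Time-to-crack for the same password and hardware scales linearly with iterations."""
    return known_seconds * target_iterations / known_iterations


def meets_recommendation(iterations: int, minimum: int = RECOMMENDED_ITERATIONS) -> bool:
    """Defender's check: does a vault's iteration count meet the current guidance?"""
    return iterations >= minimum


def measure_derivation_ms(iterations: int) -> float:
    """Wall-clock cost of one derivation on this machine (constructed password and salt)."""
    start = time.perf_counter()
    derive_vault_key("correct horse battery staple", b"constructed-salt", iterations)
    return (time.perf_counter() - start) * 1000


if __name__ == "__main__":
    for n in ITERATION_COUNTS:
        est_days = scale_crack_time(GIBSON_SECONDS, GIBSON_ITERATIONS, n) / 86_400
        status = "meets recommendation" if meets_recommendation(n) else "BELOW recommendation"
        print(f"{n:>8} iterations: {measure_derivation_ms(n):9.3f} ms per derivation here; "
              f"scaled estimate {est_days:10.4f} days; {status}")
```

The printed derivation times vary by machine, but the ratio between rows tracks the iteration counts, which is exactly why a 1-iteration vault offers essentially no protection against an offline attack on its master password.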
Is it still safe to use LastPass? No. Given what we now know about LastPass—both how the company operates and its technology—we do not recommend using LastPass as a password manager.
At this point, LastPass users should assume that any password or other information stored within their LastPass account may have been accessed by an attacker. Thus:
Of course, LastPass would have you believe that such action isn’t necessary. But after reading the information above, you can decide for yourself.
Choosing a new password manager can be challenging; it’s difficult to know for sure whether similar incidents could happen with many LastPass competitors. We recommend choosing a password manager that has a strong reputation. If you just need to store passwords and don’t use a password manager for storing other information, Apple’s iCloud Keychain may be a good, free option for anyone who already uses Apple devices. If you need a password manager with more features, check out a few of the options listed in our article, How to Choose the Right Password Manager for You.