Update: LastPass' data breach woes continue... In a March 1 update, LastPass announced that the hacker behind the previous breach (August 2022) has hacked a senior engineer’s home computer and obtained access to a critical corporate vault available to only four top employees.
The vault gave the hacker access to a cloud-storage environment that contained encryption keys for 30 million customer vault backups stored on Amazon web servers, as well as “decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”
So, to recap, one hacker or hacker group now has encrypted copies of every LastPass customer’s password vault, along with the most sensitive internal company secrets and digital access credentials.
LastPass hacks stretch back to last year
On December 22, 2022, online password management service LastPass revealed that hackers had obtained extensive information from user accounts such as billing and email addresses, end-user names, telephone numbers, and IP address info.
Also leaked was customer vault data, which includes both unencrypted data such as website URLs and encrypted data like website usernames and passwords, secure notes, and form-filled data. A previously announced hack of customer data in August 2022 apparently opened the door to this more serious data breach.
On January 23, 2023, LastPass parent company GoTo revealed in a statement that the initial hack of LastPass had also affected several of its other products, including online meetings service Join.me, remote access business tool Remotely Anywhere, hosted VPN service Hamachi, and business communications tool Central.
GoTo CEO Paddy Srinivasan explained that a hacker stole “encrypted backups for all of the listed services, as well as encryption keys for a portion of the encrypted backups. This may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.”
Needless to say, this is a privacy disaster for users of all of these products. Here's how bad it could get, and what users can do to protect themselves from the fallout.
Risks for LastPass users
All 30 million LastPass users, with data stored on the company servers as of August 2022, are at risk. Hackers now have a copy of your entire password vault. Should they manage to crack your master password, they can take over your online life. That means full access to your emails, bank accounts, healthcare data, tax information, social media accounts – you name it.
According to LastPass, hackers may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. However, LastPass claims it would be extremely difficult – taking up to “millions of years” – to brute-force master passwords for those customers who have followed its password best practices. But how many customers have done that?
Risks for other GoTo product users
The above risks apply equally to users of the other hacked GoTo products Join.me, Central, Remotely Anywhere, and Hamachi. All of those encrypted backups and encryption keys are also now in the hands of hackers, who can use the private information to disrupt other parts of your digital life. GoTo stated that it is reaching out to affected customers directly with updates and recommendations for next steps to safeguard user accounts.
The company has also reset potentially compromised passwords, reauthorized hacked MFA settings where applicable, and migrated affected accounts into an enhanced “Identity Management Platform, which will provide additional security with more robust authentication and login-based security options.”
The overall damage may be less severe for users of these four services, because the exposed passwords and data largely relate to customer activity on a single service. It may be cold comfort, but at least users of Join.me, Central, Remotely Anywhere, and Hamachi haven’t lost every single one of their most sensitive passwords to criminals.
Experts question LastPass' claims
Noted cybersecurity experts have raised questions about LastPass’ recent updates. Wladimir Palant, security researcher and creator of AdBlock Plus, says that “The statement is full of omissions, half-truths and outright lies.” Senior security researcher John Scott-Railton considers the hack a far graver threat than reported – both to individual users and to companies that employ LastPass for corporate password management.
Yahoo’s senior information security engineer Jeremi Gosney is also extremely critical of the response from LastPass, as well as its general approach to security. Gosney notes that “...in the last 10 years. I don't know what the threshold of "number of major breaches users should tolerate before they lose all faith in the service" is, but surely it's less than 7.”
Competing password service 1Password also casts doubt on LastPass’ claim that cracking a vault would take “millions of years,” noting that the claim appears to rest on the assumption that the LastPass user’s 12-character master password was generated through a completely random process, which is far from the norm. It’s possible that hackers could crack your master password in as little as 30 minutes if they have the most up-to-date hardware.
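The disagreement in the paragraphs above comes down to how many guesses an attacker must make, and that depends on how the master password was chosen, not on its length alone. The following Python script is an added illustration, not code from the article, LastPass or 1Password. It compares the keyspace of a 12-character password drawn uniformly from the 95 printable ASCII characters against a typical human pattern (a dictionary word plus two digits and a symbol), and converts each into an expected cracking time at two guess rates. The guess rates, the 50,000-word vocabulary and the pattern itself are constructed assumptions chosen only to show the shape of the calculation.

```python
import math

# Constructed assumptions (not figures from the article, LastPass or 1Password):
# a generator drawing from the 95 printable ASCII characters, and two illustrative
# offline guess rates against a stolen, encrypted vault copy.
RANDOM_CHARSET = 95
SLOW_RATE = 1e4   # guesses/second, an expensive key-derivation setting (assumed)
FAST_RATE = 1e9   # guesses/second, a weak setting on modern GPUs (assumed)


def entropy_bits_random(charset_size: int, length: int) -> float:
    """Entropy of a password whose every character is chosen uniformly at random."""
    return length * math.log2(charset_size)


def entropy_bits_pattern(component_sizes: list[int]) -> float:
    """Entropy of a password built from independent human-style components,
    e.g. [50_000 dictionary words, 100 two-digit suffixes, 32 symbols]."""
    return sum(math.log2(n) for n in component_sizes)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess: on average half the keyspace is tried."""
    return 2 ** (bits - 1) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds in the largest sensible unit (a year is 365.25 days)."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def compare(length: int = 12) -> dict[str, float]:
    """Return entropy (bits) and expected crack time (seconds) for a random password
    of the given length versus a word+digits+symbol pattern, at both assumed rates."""
    random_bits = entropy_bits_random(RANDOM_CHARSET, length)
    # Constructed pattern: one dictionary word (~50k choices) + 2 digits + 1 symbol.
    pattern_bits = entropy_bits_pattern([50_000, 100, 32])
    return {
        "random_bits": random_bits,
        "pattern_bits": pattern_bits,
        "random_slow": expected_crack_seconds(random_bits, SLOW_RATE),
        "random_fast": expected_crack_seconds(random_bits, FAST_RATE),
        "pattern_slow": expected_crack_seconds(pattern_bits, SLOW_RATE),
        "pattern_fast": expected_crack_seconds(pattern_bits, FAST_RATE),
    }


if __name__ == "__main__":
    r = compare()
    print(f"random 12-char: {r['random_bits']:.1f} bits -> "
          f"{human_duration(r['random_slow'])} (slow) / {human_duration(r['random_fast'])} (fast)")
    print(f"word+2 digits+symbol: {r['pattern_bits']:.1f} bits -> "
          f"{human_duration(r['pattern_slow'])} (slow) / {human_duration(r['pattern_fast'])} (fast)")
```

Run as-is, the random 12-character password comes out near 79 bits and the pattern near 27 bits; because expected time doubles with every extra bit, the two differ by a factor of roughly 2^52 at any given guess rate, which is why one assumption about how the password was made turns “millions of years” into hours or minutes.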
How to protect your online life
If you’re a user of LastPass or other GoTo products, consider all of your stored data at risk.
- Immediately update the passwords and MFA settings for your critical online accounts.
- Prioritize email accounts, banking, taxes, credit cards, insurance, healthcare, retirement accounts, secure document storage, etc. as recommended by TechCrunch.
- LastPass users may also want to switch password managers. Competing services Bitwarden, 1Password, and Dashlane offer similar features accompanied by stronger track records of protecting user data.
- When using any password manager, choose a strong master password that’s never been used elsewhere. The ideal password uses a minimum of 12 (or even up to 16) random characters and has no relation to your personal data, according to the digital password service NordPass.
- And whether you're a LastPass user or not, you should create an account on the breach-alert website Have I Been Pwned?, which will notify you of any breaches affecting you as soon as possible.
Ben Demers manages digital content and engagement at Kiplinger, informing readers through a range of personal finance articles, e-newsletters, social media, syndicated content, and videos. He is passionate about helping people lead their best lives through sound financial behavior, particularly saving money at home and avoiding scams and identity theft. Ben graduated with an M.P.S. from Georgetown University and a B.A. from Vassar College. He joined Kiplinger in May 2017.