
This article was written by Lead Ethical Hacker, Jeremy Aylott.

On 22 December 2022, the password manager service LastPass disclosed that an unknown threat actor obtained an encrypted backup of customer password vault data. Lots of speculation followed this announcement, as well as some understandable concerns. To reduce the confusion, below is a summary of key points from the breach with clear, easy-to-follow guidance. If you’re not a LastPass user and never have been, you can relax, stop reading, and return to your coffee. If you are a LastPass user like me, read on for vital information on how this breach impacts you.

Firstly, some background. The as-yet unknown party was able to steal a backup copy of password vaults (remember, your entire password vault is stored in the cloud) as well as some data about the owner of each vault. According to LastPass:

The threat actor was also able to copy a backup of customer vault data […] that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data.

The key takeaway is that the most sensitive stolen data, including usernames and passwords, was encrypted. Phew! This makes it useless to the threat actor in the short and medium term. No need to rush around changing passwords. Secure notes and form fill data, which often includes credit card details and addresses, were also encrypted, so there’s no need to cancel your cards.

All of the above means we can lower panic levels significantly. Your unencrypted password vault is not likely to be flying around on the dark web.

Decryption?

LastPass’ encryption is based on your master password, i.e. the password you use to access your vault. If the threat actor knew that password, they could use it to decrypt the encrypted fields. For example:

  • If you have reused that same master password elsewhere, and it has been leaked, the threat actor could link the two together using the email address associated with your vault and the leaked password.
  • If you have a particularly weak master password, the threat actor could conceivably brute force (essentially guess) your password. However, this is very unlikely even in the medium term due to the volume of vaults involved.

In almost all scenarios, if you have followed password best practices, decryption of your password vault is very unlikely. 
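To make the two scenarios above concrete, here is an added example (not LastPass's code, and not from this article). It assumes, for illustration, that the vault key is derived from the master password with PBKDF2-HMAC-SHA256 salted with the account e-mail and a per-account iteration count; the `derive_vault_key`, `is_known_leaked` and `assess_master_password` functions, the iteration count and the small breach corpus are all constructed here. It shows why the e-mail address plus a reused, leaked master password is enough to reproduce the key, and how a vault owner can check a master password against a breach corpus without sending the password anywhere (the Have I Been Pwned style hash-prefix lookup).

```python
import hashlib

# Added example, not LastPass's code. Assumption: the vault key is derived from
# the master password with PBKDF2-HMAC-SHA256, salted with the lower-cased
# account e-mail, using a per-account iteration count. The count is illustrative.
ASSUMED_ITERATIONS = 100_100


def derive_vault_key(master_password: str, email: str,
                     iterations: int = ASSUMED_ITERATIONS) -> bytes:
    """Derive a 32-byte vault key. Anyone holding the stolen vault, the e-mail
    (part of the stolen data) and the master password gets the same key, which
    is why master-password reuse is the weak point."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


# Constructed stand-in for a breach corpus of SHA-1 password hashes; a real
# check would query a service such as Have I Been Pwned by hash prefix.
CONSTRUCTED_LEAKED_PASSWORDS = ["password123", "Summer2020!", "letmein"]
CONSTRUCTED_BREACH_CORPUS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in CONSTRUCTED_LEAKED_PASSWORDS
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_known_leaked(password: str, corpus=CONSTRUCTED_BREACH_CORPUS) -> bool:
    """k-anonymity style lookup: only the first 5 hex characters of the hash
    would leave the device; the remainder is compared locally against the
    range of hashes returned for that prefix."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    matching_range = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in matching_range


def assess_master_password(master_password: str, email: str) -> dict:
    """What a vault owner wants to know: has this master password appeared in
    a breach, and how long is it. Only a short key fingerprint is exposed."""
    return {
        "leaked": is_known_leaked(master_password),
        "length": len(master_password),
        "key_fingerprint": derive_vault_key(master_password, email).hex()[:8],
    }


if __name__ == "__main__":
    for pw in ["Summer2020!", "correct horse battery staple 7!"]:
        print(pw, assess_master_password(pw, "user@example.test"))
```

If `leaked` comes back true for your master password, the reuse scenario in the first bullet applies to you and the master password should be changed; the key fingerprint is only there to show that the same password and e-mail always yield the same key.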

Unencrypted Fields

The most concerning part of this breach is that the URLs associated with each vault entry were not encrypted. This means that while the threat actor cannot read your usernames and passwords, they can see what services you use. A hacker will likely use this information in phishing attacks, targeting the email address and phone number associated with your password vault. Please read our guidance to remind yourself how to spot the common signs of a phishing attack.

Additionally, by analysing the URLs in a vault, a threat actor could identify “high value” vaults and prioritise them for brute force attacks or for phishing the owner. Of course, the definition of “high value” depends entirely on the hacker – criminals will be looking for crypto wallets and online banking logins to steal money, while nation-state actors will be looking for initial access to large organisations for further attacks and espionage. Consider which services you store in your vault – and whether an attacker would be more likely to target you for using them.

You might also consider if URLs containing sensitive parameters, such as API keys, are stored in your password vault, particularly if you use your password manager during software development.
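Because the URL field was stored unencrypted, any secret embedded in a URL should be treated as exposed and rotated. The following added example (not from the article or LastPass) audits an exported list of vault entries for query or fragment parameters that look like credentials. The `find_secret_params` and `audit_vault_urls` functions, the name and value heuristics, and the sample vault entries are all constructed for this illustration; it reports parameter names and hosts only, never the values.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Added example, not from the article or LastPass. Two heuristics: parameter
# names that commonly carry credentials, and values that look like long opaque
# tokens. Both are deliberately broad; a false positive costs one manual look.
SECRET_NAME_RE = re.compile(
    r"(api[_-]?key|apikey|token|secret|passw(?:or)?d|pwd|auth|signature|sig|"
    r"access[_-]?key|private[_-]?key)",
    re.IGNORECASE,
)
OPAQUE_VALUE_RE = re.compile(r"^[A-Za-z0-9_\-.]{20,}$")

# Constructed sample of what a vault export might contain (entry name, URL).
CONSTRUCTED_VAULT_ENTRIES = [
    ("Internal reporting API",
     "https://api.example.test/v1/reports?api_key=CONSTRUCTED_KEY_VALUE_0001&page=2"),
    ("Online banking", "https://bank.example.test/login"),
    ("Deploy webhook", "https://hooks.example.test/trigger?token=abc123"),
    ("Docs search", "https://docs.example.test/?q=search&lang=en"),
    ("Dashboard SPA",
     "https://app.example.test/#access_token=CONSTRUCTEDOPAQUETOKENVALUE0002"),
]


def find_secret_params(url: str):
    """Return the names of query/fragment parameters that look like secrets."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if parts.fragment:  # single-page apps often carry bearer tokens after '#'
        pairs += parse_qsl(parts.fragment, keep_blank_values=True)
    flagged = []
    for name, value in pairs:
        if SECRET_NAME_RE.search(name) or OPAQUE_VALUE_RE.match(value):
            flagged.append(name)
    return flagged


def audit_vault_urls(entries):
    """Audit (entry name, URL) pairs; report entry, host and suspect parameter
    names so the owner knows which credentials to rotate."""
    findings = []
    for entry_name, url in entries:
        params = find_secret_params(url)
        if params:
            findings.append({
                "entry": entry_name,
                "host": urlsplit(url).netloc,
                "params": params,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_vault_urls(CONSTRUCTED_VAULT_ENTRIES):
        print(f"{finding['entry']}: rotate {finding['params']} for {finding['host']}")
```

Feed it the URL column of a vault export rather than the full entries: the goal is to find secrets that lived in the one field the attacker can read, not to handle the encrypted fields at all.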

Long Term

This breach is unlikely to affect the vast majority of people in the short and medium term. This is primarily because the sensitive data in the password vaults was encrypted to the point that it would take (to quote LastPass) “millions of years” to crack using generally-available software. This estimate is based on current technology limitations, which are constantly changing. Based on data from Hive Systems, a strong 8-character password, which would have taken around 8 hours to crack in 2020, could be cracked in 2022 in just 39 minutes. Considering this, while your master password may be exceptionally strong by today’s standards, this is unlikely to still be true in 5 years’ time as technology advances, and your vault may be easily cracked then. So while you may not need to take action immediately, you should remind yourself of the services in your LastPass vault and consider what steps you want to take in the future.
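The extrapolation above can be carried through as a small model. This added example (not from the article, LastPass or Hive Systems) takes only the 8 hours (2020) and 39 minutes (2022) figures from the text and derives the implied per-year attacker speed-up; the raw hash rate, the PBKDF2 iteration count per guess and the assumption that master passwords are uniformly random printable ASCII are all constructed assumptions, so the output is an upper bound for human-chosen passwords rather than a prediction. The `crack_years` function then shows how the same master password length moves from "safe" to "feasible" over five years.

```python
# Added example; figures 8 h (2020) and 39 min (2022) come from the article,
# everything else is an assumption chosen for illustration.
CRACK_TIME_2020_S = 8 * 3600        # article: strong 8-char password, 2020
CRACK_TIME_2022_S = 39 * 60         # article: same password, 2022
ASSUMED_HASHES_PER_SECOND = 1e11    # assumed raw SHA-256 rate of a large GPU rig
ASSUMED_KDF_ITERATIONS = 100_100    # assumed PBKDF2 iterations paid per guess
PRINTABLE_ASCII = 95
SECONDS_PER_YEAR = 365.25 * 86400


def yearly_speedup(before_s: float, after_s: float, years: float) -> float:
    """Per-year attacker speed-up implied by two crack-time measurements."""
    return (before_s / after_s) ** (1.0 / years)


def keyspace(length: int, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Number of candidate passwords of the given length and alphabet."""
    return alphabet_size ** length


def expected_crack_seconds(length: int, guesses_per_second: float,
                           iterations: int,
                           alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Expected time to hit a uniformly random password: half the keyspace,
    with every guess paying the key derivation function's iteration cost."""
    return keyspace(length, alphabet_size) * iterations / (2.0 * guesses_per_second)


def crack_seconds_after(years: float, base_seconds: float,
                        speedup_per_year: float) -> float:
    """Shrink today's crack time by the compounded speed-up."""
    return base_seconds / (speedup_per_year ** years)


def crack_years(length: int, years_from_now: float = 0.0,
                hashes_per_second: float = ASSUMED_HASHES_PER_SECOND,
                iterations: int = ASSUMED_KDF_ITERATIONS) -> float:
    """Expected years to crack a random master password of `length` characters,
    evaluated `years_from_now` in the future under the article's trend."""
    speedup = yearly_speedup(CRACK_TIME_2020_S, CRACK_TIME_2022_S, 2)
    today = expected_crack_seconds(length, hashes_per_second, iterations)
    return crack_seconds_after(years_from_now, today, speedup) / SECONDS_PER_YEAR


if __name__ == "__main__":
    speedup = yearly_speedup(CRACK_TIME_2020_S, CRACK_TIME_2022_S, 2)
    print(f"implied attacker speed-up: {speedup:.2f}x per year")
    for length in (8, 10, 12, 16):
        print(f"{length:2d} chars: {crack_years(length):10.3g} years today, "
              f"{crack_years(length, 5):10.3g} years in 5 years")
```

Under these assumptions an 8-character random master password sits around a century today but well under a year five years out, while 12 characters stays in the millions of years in both columns; the lesson is that length (or a longer passphrase) buys far more than the iteration count does.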

Should I Keep Using a Password Manager?

Yes! While this breach is disheartening, the impact is minimal if you have followed password best practices. A password manager is an invaluable tool, allowing you to use a strong and unique password for each online service you use and securely sync those passwords across your devices. This is a huge boost to your online security.

Summary

Remember, if you use a strong, unique master password, the risk to your password vault is incredibly low. If you use a weak master password or believe you are at a higher risk of attack due to the services stored in your password vault, you should consider changing your passwords. The threat of a phishing attack is likely to increase, so always be vigilant for phishing attacks, and forward any suspicious emails to [email protected] where the National Cyber Security Centre will investigate them.

As always, you should create a strong and unique password for each online service you use – password managers are a valuable tool. You should also consider enabling two-factor authentication where it is available. For further advice, the Scottish Business Resilience Centre, NCSC, and CyberScotland offer a wealth of personal and organisational cyber security guidance, or you can get in touch with us at [email protected].