Updated Thoughts On Last Pass Breach

I just want to let you know my updated thoughts on this — now that I am more fully aware of what is going on.   Some of you I have helped move to another password manager 1Password or Bit Warden.  It’s entirely possible that you may want to stay with Last Pass and while they are not a company I would continue paying $36 a year to — it’s not the stupidest thing I’ve ever heard of (better then keeping passwords in an unprotected Word document on the computer, as some of my clients do.) 

If I were to give this situation a score I’m giving it a 5.5 out of 10, with 0 being nothing doing – walking to the sidewalk is a risk and 10 being nuclear disaster, call the lawyers. (However, I’m sure Last pass will be sued.)

Up until Thursday 12/22, Last Pass was a very respected commercial password manager, seen as an industry leader and widely praised among security experts — FOR YEARS.  Other competitors include 1Password, Dashlane, and Bit Warden.  In addition to personal use, Last Pass had a lot of corporate customers as well.  It’s estimated that there were as many as 37 million Last Pass accounts, just to give you an idea of their reach.  I had been a paying Last Pass customer since 2013. I think I first got started with formal password managers with 1Password back in 2010.  Back then I was primarily a Mac user.  I wanted to become fluent in both systems, so what I did for several years was keep my personal and business passwords in 1Password but keep all passwords related to my Master’s degree and the industry I was exploring in Last Pass.  Eventually around 2016-2017, I moved all of my passwords into Last Pass.  It wasn’t a better or worse situation, but since I was already paying for a Last Pass subscription and 1Password moved to a subscription model — I didn’t want to pay for a subscription to both.   The way I used to see things, I would recommend 1Password if a client was all Apple and and I would recommend Last Pass if there was a Windows device involved.  However, out in the wild there were plenty of Apple-only geeks out there that used Last Pass.  Today, it really doesn’t matter — both managers work fine on Windows and Mac interchangeably. 

Ending my story and back to the matter at hand — about a month ago Last Pass revealed that they discovered a minor security breach from back in August where no sensitive (ie. un-encrypted) data was revealed.   Companies are attacked all the time — insurance companies, the state government, etc, etc.  We never hear about it.  It’s like a vandal who breaks glass in a store but doesn’t steal locked goods.  It happens all the time.  Technically under the GDPR (European privacy laws, which are stricter than US), I believe notification is not required if ENCRYPTED data is stolen.  In general if data is truly well encrypted, it could take hackers multiple lifetimes — 1000s of years — to crack the data.  No one thought much of Last Pass’ previous announcement.  It’s nice that they let everyone know.

Then they made an announcement on 12/22.  Now that I have clarity on the breach, I want to be very specific.  These evil hackers did not have an active intrusion into Last Pass servers where they were running amok through customer data at the present time — like active shooters running through a mall — pardon the analogy.  The hackers breached a backup of Last Pass customer data that was connected to an employee’s computer in August 2022.  It all goes back to that breach.  It was an incident more than 4 months ago isolated to that point in time.

BUT BUT BUT — Last Pass’ claim to fame all these years was its ZERO KNOWLEDGE policy.   All customer data is locked with the Master Password right?  So the hackers got a big lump of coal, right?   Sadly — not true!!

While customers’ Master passwords and password data and secure notes WERE encrypted – customer names, email addresses and URL’s (meaning each website address they had a password for) WERE NOT encrypted.  Last Pass never let customers know this.  They certainly implied otherwise with that Zero Knowledge policy. 

It has not been revealed how many of the 37 million accounts’ data was stolen.  Logic would lead one to believe that this one employee did not have a backup of all of these accounts, but conservative estimates are perilous.  All customers should assume they were in the batch of stolen data.  The other key thing to remember is that this breach happened over 4 months ago and there haven’t been massive, widespread attacks against Last Pass customers.  According to experienced IT security professionals that I have interacted with over the past few days, this would indicate some sort of nation-state actor, likely looking to target specific individuals, such as their citizens or enemies. 

I think Last Pass failed on the communication front.  What did they know and when did they know it?   I do believe them that password data is secure if those passwords were protected with a secure Master Password. HOWEVER, some customers may have had WEAK master passwords. Uh-oh. Last Pass also failed in not having ALL data in a customer profile be encrypted. 

In conclusion, whether you are staying with Last Pass or moving to another password manager — you need a new master password and also the specific password for ALL SITES (all logins) need to be changed.  This will take you some time.  Do it deliberately and patiently.  Password managers like 1Password and Last Pass have a random password generator if you do not want to create your own.  I believe in also keeping a hard copy in a notebook as well.   I also like this tool for creating random passwords  https://www.random.org/passwords/  — your new passwords should be at the very bare minimum 12 characters long and ideally 14 to 16 characters plus, compliant with the website itself.  Some sites will not let you do 20 character passwords.

If there is any more help I can provide on this  — please let me know.

PS.  In case you are wondering — what password manager do your clients use the most?   They use the very limited password managers built into Safari, Firefox, or Chrome.  They are fraught with their own peril, in my opinion.  Frankly, many of my customers have dozens and dozens of insecure passwords.  So they have their passwords stored in a “manager” they don’t really use or maintain.