[Reading time: 3 minutes]
Firstly, Happy New Year. I hope you had the opportunity to take some time off to enjoy the holidays. Based on my trip to the glass recycling centre yesterday, it appears that we consumed a lot of cough medicine this time around. But there were plenty of other bottles in our collection, so it wasn’t all bad news.
Anyway, back to the world of cybersecurity.
Unfortunately, this first email of 2023 focuses on a major incident with a service that many people rely on to strengthen their cybersecurity.
That is the news that LastPass, one of the world’s most popular password managers, has suffered a major security breach.
What do we know?
Wired Magazine has published an excellent article with details of the incident. It also details the timing of LastPass’ public announcements about the breach.
LastPass first alerted users to an incident in late August, where it suggested that ‘only’ the source code of the product had been copied by the bad guys. It was not until December 22nd that they announced that the encrypted password vaults of LastPass users had also been copied.
LastPass has not answered Wired’s questions about when exactly the breach of these password vaults occurred, leaving Wired to suggest it may have occurred as early as August 2022 (over 3 months before LastPass users were informed).
The other revelation is that while usernames, passwords, and ‘secure notes’ are encrypted within each password vault, other information in the vaults (such as URLs) is not.
As a result, the bad guys can already deduce which vaults contain valuable information, enabling them to focus on trying to crack the master passwords of the vaults that may contain particularly valuable information (e.g. bank login details; crypto-wallet secret keys, etc).
So what should you do?
There are many real and perceived risks that arise from this incident – Too many to cover in just one email. So, I will delve into these over the next few days.
But right now – If you are a LastPass user, you should assume that the bad guys could eventually figure out your LastPass master password and gain access to everything in your LastPass vault.
This is particularly true if:
- Your LastPass password was not very long (e.g. less than 12 characters).
- Your LastPass password was not unique.
- Your LastPass vault contains valuable information (e.g. bank login details; crypto-wallet secret keys).
On this basis, you need to reduce the value of the data that the bad guys now have in their possession, by doing the following:
- Reset your LastPass master password – So if or when the bad guys figure out your current master password, it will only work on the copy of the password vault that they currently possess.
- Identify the most valuable accounts in your LastPass vault – Your crown jewels, such as your bank accounts, email accounts, social media accounts, and any cloud-based accounts that could contain valuable / sensitive data.
- Make sure these accounts are protected with Multi-Factor Authentication – So the bad guys need more than just a password.
- Make sure these accounts’ passwords are reset – So the bad guys no longer have the correct password.
It is also time to move to an alternative password manager.
We may assume that LastPass will find ways to ensure this type of breach does not happen again. But are you prepared to trust LastPass again?
Perception may not be reality.
But when it comes to security, perception matters.