I’m sure you’ve all seen the news surrounding the latest hack involving LastPass, and the subsequent stories and blogs ranging from “everything is fine, no need to panic” through to “if you use LastPass then your world is over”. But to an average user in the real world, what does it all mean and what should you do?
We’re not going to look at the technical aspects of the hashing or encryption algorithms used, or the details of how the attackers got in. We’re taking an objective look at the current situation, how things may change in the future, and the steps to take if you use LastPass.
If you’ve not seen it, the latest official post is here: Notice of Recent Security Incident
If you just want the short version, and the steps I recommend you take if affected, skip to the last section, “What should you do?”.
Before we start: I use LastPass (paid subscription) for my personal accounts. It’s convenient and easy to use, so it was perfect for my everyday accounts. I knew there was risk attached to using a cloud service for keeping passwords online, which is why I enabled 2FA for the vault and did not use it to store online banking credentials, or credit card numbers to auto-fill online shopping forms.
I work in cyber and so understand that, even with the best will in the world, hacks will happen. I always stay objective rather than bashing every company that is breached; cybersecurity is hard, and you can do everything right and still get hit. That said, as I use LastPass and am directly affected, I needed to assess how impacted I am and whether I should be moving to a different solution. Hopefully my thought process will help you make an informed decision.
The details
LastPass had already suffered a breach earlier in 2022 in which some technical documentation and source code were stolen. This was concerning, but not reason enough to panic. The breach disclosed in December 2022 is much worse, with LastPass confirming that both customer information and backups of customer vaults are affected.
The impact
The fact that attackers have customer phone numbers, names and addresses is bad enough, as this can be used to target users with phishing emails or text messages. Backups of vaults being stolen is extremely concerning, as is the fact that this is being downplayed by LastPass.
If you use LastPass, all data for all accounts stored in your vault is at risk: email addresses, usernames, passwords, notes and URLs, even if your master password is 14 characters long and you use 2FA. The URLs were not encrypted at all, so they are readable now rather than later. 2FA protects the login to the LastPass service; it is not an input to decrypting the vault, so it does nothing against an attacker who already holds a copy of the encrypted file and can test master password guesses offline at their own pace. Whether you do it immediately or not, you need to change every password for every account in your vault, and you should assume any credit card numbers or other information you had stored there will eventually be readable by the attackers. Criminals have long timeframes in mind, so even if it takes ten years to crack the master passwords, they will eventually succeed. This may appear to make it irrelevant, but consider how often you change your passwords: you will still have accounts with passwords that old. If you never change your email password and your LastPass vault is cracked in the next few years, the attackers will then have access to that account. We have so many different accounts, many of them linked to one another in some way. They only need access to one, and that can help them access others and completely take over your digital life.
You may be thinking: that’s OK, I can just delete my account and all the data so I can never be affected. Unfortunately not. Backup copies of the vault data were stolen, so deleting your data won’t help: the attackers already have their copy of your vault, and nothing you do on LastPass’s servers now reaches it. They can crack that copy at their leisure, and if your passwords are unchanged they can log in to all your accounts. Even if you delete your account and migrate to a different password manager, you still need to change the password for every account saved in your vault.
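To make the point about 2FA and deleted accounts concrete, here is an added toy model written for this post; it is not LastPass’s real vault format, parameters or code. The vault key is derived from the master password alone and checked against a stored key-check value, exactly the situation an attacker holding a stolen backup is in. The 2FA secret is kept in the model only to show that nothing in the offline attack ever reads it. The wordlist, master passwords and TOTP secret are constructed for the example.

```python
import hashlib
import secrets
from typing import Optional

# Toy model constructed for this post, NOT LastPass's real vault format or
# parameters. The vault key comes from the master password alone, so anyone
# holding a copy of the file can test guesses offline; the 2FA secret is never
# an input to the derivation and therefore never slows the attacker down.
ITERATIONS = 100_000  # assumption: a fixed work factor; it changes only the cost per guess


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Password -> key. Only the password, salt and work factor matter."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def make_vault(master_password: str, totp_secret: str) -> dict:
    """Build the 'stolen backup': salt, work factor and a key-check value.
    totp_secret is kept only to show it plays no part in offline_crack()."""
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt, ITERATIONS)
    return {
        "salt": salt,
        "iterations": ITERATIONS,
        # lets whoever holds the file know when a guess was right
        "key_check": hashlib.sha256(key).digest(),
        # protects the online login only; irrelevant to decrypting the copy
        "totp_secret": totp_secret,
    }


def offline_crack(vault: dict, wordlist) -> Optional[str]:
    """Try each candidate master password against the stolen copy.
    No server, no rate limit, no 2FA prompt: vault['totp_secret'] is never read."""
    for guess in wordlist:
        key = derive_key(guess, vault["salt"], vault["iterations"])
        if hashlib.sha256(key).digest() == vault["key_check"]:
            return guess
    return None


# Constructed wordlist standing in for the very large lists attackers actually use.
CONSTRUCTED_WORDLIST = ["password", "letmein", "Summer2022!", "P@ssw0rd", "qwerty123"]


def demo() -> tuple:
    """A weak master password falls to the wordlist; a long random one does not,
    and in neither case does the 2FA secret matter."""
    weak = make_vault("Summer2022!", "JBSWY3DPEHPK3PXP")
    strong = make_vault("vK9#mr2Qz!wLp7eX", "JBSWY3DPEHPK3PXP")
    return offline_crack(weak, CONSTRUCTED_WORDLIST), offline_crack(strong, CONSTRUCTED_WORDLIST)


if __name__ == "__main__":
    print(demo())
```

Raising the work factor only raises the cost per guess; the loop is the same, and the attacker chooses how long to run it. Changing your master password, enabling 2FA or deleting your account all act on the live service and never touch the copy being attacked, which is why the only defences that matter for the stolen file are the strength of the master password it was encrypted under and changing the passwords it contains.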
The communication
As previously mentioned, I have found the communication released by LastPass to be disingenuous and misleading. They are stating vaults are safe if we have followed password best practice, but this is not the case, as some parts of the vaults are not encrypted and so some of the information could already be accessible to the attackers. If you use a weak password for your vault then all your information may already be compromised. I really feel that the impact to customers is being downplayed; when you consider the type of information LastPass encourages you to store in its platform, it could result in considerable harm to individuals.
The decision
Initially I had considered staying with LastPass. I decided that if I changed all my passwords and ensured I was using a 2FA app for all accounts where it’s supported, then even if my vault was decrypted in the future the impact to me would be minimal.
I started updating my accounts and changing passwords; however, after 30 minutes the size of the task ahead of me became clear. I had a lot of accounts stored and it was going to take me about 8 hours to change all the passwords! Then I considered “what if” the full extent of the hack is still not known, and in a few months’ time some new information comes to light which means I need to change all my passwords again?
The thought of spending 8 hours resetting all my accounts, then having to do it again in the near future, was too much for me. The fact that I believe this is a possibility made me realise that I don’t trust LastPass, and that I believe the likelihood of the full impact of the hack not being known is quite high.
This made me realise I need to move away from LastPass.
What should you do?
Whether you intend to stay with LastPass or migrate to a new password manager, I recommend the following actions.
- Change your LastPass master password and enable 2FA on your vault. This stops the attackers logging in to your live account with a master password they crack later; it does nothing for the copy of the vault they already hold.
- Go through every account saved in your vault, change the password and enable 2FA if available. Prioritise by importance: email first, because an email account can reset almost everything else, then banking, social media and any website where your credit card details are stored, such as Amazon, PayPal or eBay.
- Any accounts you no longer use should be closed and deleted. Some websites let you delete your account from your account page; others require you to contact them and request that the account be closed and your data deleted.
- Any notes stored in your vault will be in plain text, so if these fields contained sensitive or important information, assume it is compromised and act accordingly.
- Assume any secure notes you created, and the information stored in them, will eventually be compromised. For example, if you have stored cryptocurrency keys, create new wallets and move your coins; if they contain information related to healthcare, banking, insurance and so on, consider how it could be used if known, then contact the providers and ask how you can be protected from future theft or fraud.
- Don’t use LastPass for high value accounts. Store the details for these accounts somewhere else, such as an encrypted USB drive.
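Working through the vault is easier with the list in front of you. The script below is an added example, not LastPass’s code or the author’s: it parses a CSV export of the vault, orders entries email first, then money, then social, then everything else, and flags passwords reused across entries and entries whose 2FA seed was stored in the same vault. The column layout (url, username, password, totp, extra, name, grouping, fav), the tier keywords and the five-row sample export are assumptions constructed for this example; check the header line of your own export and adjust if it differs.

```python
import csv
import io
from collections import defaultdict

# Column layout assumed for a LastPass CSV export (an assumption for this
# example; compare with the header of your own export).
EXPECTED_COLUMNS = ["url", "username", "password", "totp", "extra", "name", "grouping", "fav"]

# Tiers follow the post's advice: email first (it resets everything else),
# then money, then social, then the rest. Keywords are assumptions; extend them.
TIERS = [
    ("email",  ("mail", "google", "outlook", "proton")),
    ("money",  ("bank", "paypal", "amazon", "ebay", "card", "crypto", "wallet")),
    ("social", ("facebook", "twitter", "instagram", "linkedin")),
]

# Constructed sample export; none of these accounts or passwords are real.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://accounts.google.com,alice@gmail.com,Summer2022!,,,Gmail,Email,1
https://www.paypal.com,alice@gmail.com,Pa55w0rd-pp,,,PayPal,Shopping,0
https://www.amazon.co.uk,alice@gmail.com,Summer2022!,,,Amazon,Shopping,0
https://twitter.com,alice,tw-9f3k2m,JBSWY3DPEHPK3PXP,,Twitter,Social,0
https://forum.example.org,alice,Summer2022!,,Old forum account - delete,Example forum,Misc,0
"""


def parse_export(csv_text: str) -> list:
    """Read the export and fail loudly if the expected columns are missing."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in EXPECTED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing columns: {missing}")
    return [row for row in reader if row["name"] or row["url"]]


def tier_of(entry: dict) -> int:
    """Index into TIERS, or len(TIERS) for 'other'. Matches on url, name and folder."""
    haystack = " ".join((entry["url"], entry["name"], entry["grouping"])).lower()
    for i, (_, words) in enumerate(TIERS):
        if any(w in haystack for w in words):
            return i
    return len(TIERS)


def reused_passwords(entries: list) -> dict:
    """Map each password used by more than one entry to the names sharing it."""
    by_password = defaultdict(list)
    for e in entries:
        if e["password"]:
            by_password[e["password"]].append(e["name"])
    return {p: names for p, names in by_password.items() if len(names) > 1}


def triage(csv_text: str) -> list:
    """Ordered to-do list of (tier label, name, url, password reused?, TOTP seed in vault?)."""
    entries = parse_export(csv_text)
    reused = reused_passwords(entries)
    rows = []
    for e in entries:
        t = tier_of(e)
        label = TIERS[t][0] if t < len(TIERS) else "other"
        rows.append((t, label, e["name"], e["url"], e["password"] in reused, bool(e["totp"])))
    rows.sort(key=lambda r: (r[0], r[2].lower()))
    return [r[1:] for r in rows]


if __name__ == "__main__":
    for label, name, url, reused, totp_in_vault in triage(SAMPLE_EXPORT):
        flags = ("REUSED " if reused else "") + ("TOTP-IN-VAULT" if totp_in_vault else "")
        print(f"[{label:6}] {name:15} {url:35} {flags}")
```

Two flags deserve attention. A reused password means cracking the vault hands the attacker every site sharing it, so those entries go first within their tier. A non-empty totp column means the 2FA seed lived in the same vault as the password: for that site the second factor is compromised along with the password, so re-enrol 2FA from scratch rather than only changing the password.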
If you are affected, I hope this has been useful. I know the commitment and time required to reset every account, but it is the only way to reduce the likelihood of future theft or fraud linked to this hack. I’ll post a blog soon on where I migrated to, how I did it, and how to delete your LastPass account.
