In August of 2022, LastPass announced that one of their developer accounts had been compromised, with the attackers having stolen some of their source code. They said at the time that none of their customer data had been taken. However, in December, they announced that information gathered during that attack had subsequently been used to target another employee, and the second attack resulted in the theft of customer data, including password vaults.
What was taken?
The stolen vault data includes some unencrypted fields as well as encrypted ones. The unencrypted fields include customer account data such as the company name, billing address and contact email, and, for each password entry, the URL of the associated website. The encrypted fields include the username and password for each entry and the contents of secure notes.
How does this impact me?
At a basic level, the attackers now know that you use LastPass and have your contact information, and they know which websites you have saved credentials for. That alone is enough to support targeted phishing (for example, a fake LastPass or bank notice sent to the email on file) and other financial fraud.
Since the credentials themselves are encrypted, the attackers do not have immediate access to the sites you saved. How much this matters depends on a few factors:
- How strong your master password is. The weaker it is, the sooner it can be cracked, and cracking it exposes every credential in the vault. Having two-factor authentication enabled on your LastPass account does not help here: the attackers already hold a copy of your vault data and never need to log in to LastPass. Note that satisfying rules like mixed case, digits and special symbols does not necessarily make a password stronger. Password@1234 meets all of those requirements, yet it would be broken far sooner than Gkdhwkdn$0185, even though both use the same character classes. Crackers try the most common passwords and patterns first (dictionary words, a capital first letter, trailing digits and a symbol), because that is far cheaper than stepping through every possible combination.
- How recently you signed up for LastPass or changed the default security settings. LastPass derives the key that encrypts your vault from your master password using PBKDF2, which runs a configurable number of iterations. More iterations make every key derivation slower, both for you when you unlock your vault and for an attacker testing each guess, so a higher count makes cracking proportionally more expensive. At the time of writing, LastPass sets new accounts to 100,100 iterations. However, older accounts may still be using far fewer; a few years ago the default was only 5,000. If you have an older account and never raised the iteration count, each guess at your master password is roughly twenty times cheaper to test, and your vault data is correspondingly less secure.
- How badly they want your data. Cracking passwords costs time and money: more computing power costs more, so it comes down to how much your accounts are worth to the attacker. A politician or a well-known journalist is far more likely to be targeted than a grandmother who only checks Pinterest and talks to her grandchildren on Facebook.
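The two technical points above (common passwords are tried first, and the PBKDF2 iteration count sets the price of each guess) can be seen directly in code. The following is an added example written for this article, not LastPass code: it derives a vault key with PBKDF2-HMAC-SHA256 the way the text describes, then plays the attacker who holds a stolen vault and tests guesses offline. The email address, the wordlist and the two candidate passwords are constructed samples; the use of the lowercased account email as the salt is an assumption about the LastPass scheme, and a key comparison stands in for the attacker's real check of trying to decrypt an encrypted field.

```python
import hashlib
import hmac
import time

# Iteration counts quoted in the article: the old default and the current one.
OLD_ITERATIONS = 5_000
CURRENT_ITERATIONS = 100_100


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the 32-byte vault key with PBKDF2-HMAC-SHA256.

    Assumption: the salt is the lowercased account email. The vault contents
    are AES-256 encrypted under this key; only the key derivation is modelled.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def offline_crack(target_key: bytes, email: str, iterations: int, candidates):
    """Simulate an attacker with a stolen vault testing guesses offline.

    A real attacker checks each candidate key by trying to decrypt an encrypted
    field; here a constant-time comparison against the true key stands in for
    that check. Returns (guesses_made, password_or_None).
    """
    for count, guess in enumerate(candidates, start=1):
        if hmac.compare_digest(derive_vault_key(guess, email, iterations), target_key):
            return count, guess
    return len(candidates), None


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Wall-clock cost of one key derivation at the given iteration count."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("benchmark", "bench@example.com", iterations)
    return (time.perf_counter() - start) / samples


def exhaustive_years(length: int, alphabet_size: int, iterations: int) -> float:
    """Years to try every password of this length on one CPU core at this cost."""
    guesses = alphabet_size ** length
    return guesses * seconds_per_guess(iterations) / (365 * 24 * 3600)


# Constructed wordlist in the order a cracker actually tries it: the most
# common passwords and "complexity-satisfying" variants of them come first.
COMMON_CANDIDATES = [
    "123456", "password", "Password1", "Password@1234", "letmein", "qwerty123",
]

if __name__ == "__main__":
    email = "victim@example.com"  # constructed sample account
    for pw in ("Password@1234", "Gkdhwkdn$0185"):
        stolen_key = derive_vault_key(pw, email, OLD_ITERATIONS)
        print(pw, "->", offline_crack(stolen_key, email, OLD_ITERATIONS, COMMON_CANDIDATES))
    old_cost = seconds_per_guess(OLD_ITERATIONS)
    new_cost = seconds_per_guess(CURRENT_ITERATIONS)
    print(f"each guess at {CURRENT_ITERATIONS:,} iterations costs {new_cost / old_cost:.0f}x a 5,000-iteration guess")
    print(f"13 printable characters, 5,000 iterations, one core: {exhaustive_years(13, 95, OLD_ITERATIONS):.2e} years")
```

Running it shows Password@1234 falling on the fourth guess, while Gkdhwkdn$0185 is not on the list at all and forces the attacker back to exhaustive search, which the last line prices out. Raising the iteration count does nothing for a password that sits in the first few thousand guesses; it only multiplies the cost of each guess, which is why a strong master password and a high iteration count are both needed.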
What should I do about this?
If you are a high-risk individual, change every password for every account you had stored in LastPass. Yesterday. And enable two-factor authentication on as many of those accounts as possible, so that even if the attackers recover a site's credentials, the second factor keeps them out.
If you are a lower-risk individual, you should still change all of the passwords. How quickly depends on how exposed you feel each account is: banking and your primary email account are a higher priority than forum accounts you barely use. Also take this opportunity to improve the security of the accounts you keep: replace passwords that have not changed in years, and add two-factor authentication on sites that support it.