I’ve been using the LastPass password manager application for almost 10 years. I’ve had it on iPhones and Android phones; used the Mac application; and for a while used its browser extension across various browsers. Over the last few years Bitwarden has become my favorite and most-used password manager, but I have also continued using LastPass. That’s partly due to some dread around the housekeeping needed to fully move away from LastPass, and also because I liked the backup/resilience element of using both (even if they’re not 100% synced).
After reviewing some bad news from LastPass this week, I had to think a little and review my usage of the software. This week’s email to users from LastPass is an update on their investigations into a data breach they suffered back in August, which stated that “… an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.”
This week’s update shares worse news:
To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
The update does then point out that the sensitive data held in encrypted fields is protected with strong (AES 256-bit) encryption and can only be decrypted using an individual user’s LastPass master password, which it states is not known to or stored by LastPass. The argument here is that this is still a relatively high bar for the original attackers or others to clear before discovering users’ passwords.
I imagine that some LastPass users will feel that this update is concerning enough to stop using the application. I’m going to stick with it for now, as effectively my secondary password manager. I’m also going to think of this as a nice reminder and do some housekeeping related to my data stored in LastPass. I’ve already started on my short list of things to do:
Check the wonderful HaveIBeenPwned site to see if and where my email or other data has been found in data breaches. I do this on a fairly regular basis and never use the same password at any two sites/entities.
Set about changing *all* my passwords that are stored in LastPass, just to err very much on the side of caution
Continue to move slowly towards using only Bitwarden for password management
Review all my entries (logins, secure notes, etc.) in LastPass, and delete any that are no longer used (and many that have not been used in several years) - just for more general housekeeping
I hope if you’re a LastPass user - or a user of a different password manager - you might find time to share a comment with your thoughts on the latest LastPass news.
Left LastPass when they changed their business model a few years ago. Moved to Bitwarden (backup) and 1Password (mainly for their family plan). So I also manage two password management systems for redundancy, and although 1Password can be a bit non-intuitive sometimes, their integration with HaveIBeenPwned is excellent. Passkey is looking like a great option moving forward.
While this could happen to any company, I'm glad it didn't happen to 1Password. That was my choice when I decided 2 years ago to stop using Google and Apple to manage my credentials. I'm not saying that based on this news, I made the "right" choice, but I really can't complain about 1Password. It's been fantastic since I started using it and the company is continuously adding new features and improvements. Passkey support is already in the works and I think that will help mitigate some of these hacks in the future, regardless of the company.