You've heard it over and over again: use a password manager to generate strong, unique passwords and keep track of them for you. And if you finally took the plunge with a free and mainstream option, especially in the 2010s, it was probably LastPass. For the security service's 25.6 million users, though, the company made an alarming announcement on December 22: the security incident the firm had reported earlier (on November 30) was actually a massive and serious data breach that exposed encrypted password vaults, the crown jewels of any password manager, along with other user data.
The details LastPass provided about the situation a week ago were so troubling that security experts quickly began urging users to switch to other services. Now, almost a week after the disclosure, the company has not provided additional information to confused and worried customers. LastPass did not respond to multiple requests from WIRED for comment on how many password vaults were compromised in the hack and how many users were affected.
The company did not even specify when the breach occurred. It seems to have been sometime after August 2022, but timing matters, because the big question is how long it will take attackers to start cracking, that is, guessing, the master passwords from which the keys that encrypt the stolen vaults are derived. If the attackers have had three or four months with the stolen data, the situation is even more urgent for affected LastPass users than if the hackers had only a few weeks. The company also did not respond to WIRED's questions about what it calls the "proprietary binary format" it uses to store encrypted and unencrypted vault data. Describing the scope of the situation, the company said in a statement that the hackers "may have copied a backup of customer vault data from an encrypted storage container."
“In my opinion, they do a world-class job of detecting incidents and a very, very lousy job of preventing problems and responding transparently,” says Evan Johnson, a security engineer who worked at LastPass more than seven years ago. “I would either be looking for new options or would like to see renewed focus on building confidence over the next few months from their new management team.”
The breach also exposed other customer data, including names, email addresses, phone numbers, and some billing information. And LastPass has long been criticized for storing vault data in a hybrid format, in which items like passwords are encrypted while other information, like URLs, is not. In this situation, the unencrypted URLs in a vault can give attackers an idea of what is inside and help them prioritize which vaults to crack first. Vaults protected by a user-chosen master password present a particular problem for users trying to protect themselves after a breach, because changing that master password with LastPass now will do nothing to protect vault data that has already been stolen: the copy the attackers hold is still encrypted under a key derived from the old master password, and the server-side rate limits and multifactor checks that normally slow down guessing do not apply to a file on the attacker's own hardware.
Or, as Johnson puts it, “With the vaults restored, the people who hacked LastPass have unlimited time to attack offline, guessing passwords and trying to recover the master keys of specific users.”
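To make concrete why a stolen vault stays exposed whatever the user does afterwards, here is an added example that is not LastPass's code or format and not part of the WIRED piece: a toy password manager in Python that derives the vault key from the master password with PBKDF2 and keeps URLs in the clear next to the encrypted secrets, followed by the attacker's side of the story: triage the stolen vaults by their cleartext URLs, then guess master passwords offline against the one that looks most valuable, and finally observe that rotating the master password on the live service does nothing for the copy already taken. The vault layout, the iteration count, the HMAC-SHA256 counter-mode keystream standing in for a real cipher, the account names and the wordlist are all constructed for the demo; LastPass's actual KDF, cipher and iteration settings are not stated on this page and are not assumed here.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Toy model of a master-password-protected vault (constructed for this
# example; NOT LastPass's real format). Everything an attacker needs to
# check a guess offline is inside the stolen blob: the KDF salt, the
# iteration count and an authentication tag.
ITERATIONS = 100_000  # assumed KDF work factor for the demo


def derive_key(master_password: str, salt: str, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the only thing standing between the blob and the attacker."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt.encode(),
                               iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stand-in for AES so the demo needs no
    # third-party package. Not a recommendation for real vault encryption.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class StolenVault:
    account: str        # cleartext; doubles as the KDF salt
    iterations: int     # cleartext; the attacker needs it to replay the KDF
    urls: list          # cleartext, as in the hybrid format the article describes
    ciphertext: bytes   # usernames and passwords, encrypted under the derived key
    tag: bytes          # HMAC over the ciphertext; lets a guess be verified offline


def encrypt_vault(account: str, master_password: str, entries: list,
                  iterations: int = ITERATIONS) -> StolenVault:
    """What the service stores (and what the attacker copied)."""
    key = derive_key(master_password, account, iterations)
    nonce = hashlib.sha256(account.encode()).digest()[:12]  # deterministic for the demo
    secrets = json.dumps([{"user": e["user"], "password": e["password"]}
                          for e in entries]).encode()
    ct = _xor(secrets, _keystream(key, nonce, len(secrets)))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return StolenVault(account, iterations, [e["url"] for e in entries], ct, tag)


def try_master_password(vault: StolenVault, guess: str):
    """Offline check of one guess: derive, verify tag, decrypt. No server, no rate limit."""
    key = derive_key(guess, vault.account, vault.iterations)
    expected = hmac.new(key, vault.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault.tag):
        return None
    nonce = hashlib.sha256(vault.account.encode()).digest()[:12]
    return json.loads(_xor(vault.ciphertext, _keystream(key, nonce, len(vault.ciphertext))))


def prioritize(vaults: list, keywords=("bank", "crypto", "admin")) -> list:
    """Rank stolen vaults by their cleartext URLs so the valuable ones are cracked first."""
    def score(v: StolenVault) -> int:
        return sum(any(k in url for k in keywords) for url in v.urls)
    return sorted(vaults, key=score, reverse=True)


def crack(vault: StolenVault, wordlist: list):
    """Dictionary attack; returns (password, attempts, secrets) or (None, attempts, None)."""
    for attempts, guess in enumerate(wordlist, start=1):
        secrets = try_master_password(vault, guess)
        if secrets is not None:
            return guess, attempts, secrets
    return None, len(wordlist), None


# Constructed sample data: two victims and a tiny wordlist.
WORDLIST = ["password", "123456", "letmein", "Summer2022!", "correct horse battery staple"]


def demo() -> dict:
    vaults = [
        encrypt_vault("alice@example.com", "correct horse battery staple",
                      [{"url": "https://forum.example.net", "user": "alice", "password": "p1"}]),
        encrypt_vault("bob@example.com", "Summer2022!",
                      [{"url": "https://bank.example.com", "user": "bob", "password": "hunter2"},
                       {"url": "https://crypto.example.org", "user": "bob", "password": "s3cret"}]),
    ]
    target = prioritize(vaults)[0]          # bob: two high-value URLs in the clear
    guess, attempts, secrets = crack(target, WORDLIST)
    # Bob now rotates his master password on the live service. That re-encrypts
    # a fresh copy; the copy already in the attacker's hands is unchanged.
    rotated = encrypt_vault("bob@example.com", "L0ng-R4ndom-Passphrase!!",
                            [{"url": "https://bank.example.com", "user": "bob", "password": "hunter2"}])
    return {
        "target": target.account,
        "guess": guess,
        "attempts": attempts,
        "secrets": secrets,
        "rotated_copy_resists_old_guess": try_master_password(rotated, guess) is None,
        "stolen_copy_still_opens": try_master_password(target, guess) is not None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Nothing in crack() ever contacts the service; each guess costs the attacker exactly one PBKDF2 run on their own hardware, so the only two levers are the KDF work factor baked into the stolen blob and the entropy of the master password the user had at the time of the theft. Both were frozen the moment the backup was copied, which is why the practical advice after a breach like this is to change the passwords inside the vault, not just the master password.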