Password managers should keep passwords safe. They also help generate strong and unique passwords for all your websites. You know something about the password manager world, right? If you do, you have certainly heard about the latest LastPass security incident.
The Incident
This is part of what LastPass wrote this past 22nd of December:
While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
Okay, but what kind of user data did the threat actor have access to? Well, it seems a lot of it.
The threat actor copied a backup of customer vault data. This backup contained a lot of information, both in cleartext and encrypted. Luckily the passwords are encrypted but, as the statement says, some fields are not:
a backup of customer vault data […] that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data
But hey, the usernames and passwords are protected with 256-bit AES encryption. What can go wrong, right?
The answer is that it depends. It depends on who you are.
If you are a manager with access to relevant data, a diplomat, a journalist, a dissident or any other person who handles sensitive information, you should immediately change your passwords, starting from the most important ones. Then, you should adopt Two-Factor Authentication, if you don’t use it already.
Why do I say this? Because if you are a person who might be targeted by some state-level actor, chances are that they will somehow get some very useful information out of this data breach, if not your passwords directly. The unencrypted fields the threat actor now has can reveal the complete list of websites where you have a profile. This information can be used in a variety of ways. For example, they might choose to target users who have a profile on government websites, rather than on large companies (banks, energy companies, ISPs). E-mail address and website info could be used to conduct sophisticated phishing attacks aimed at stealing your access credentials.
Is it that bad?
According to LastPass:
Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices.
These are the LastPass recommendations when creating the master password:
- Use a minimum of 12 characters, but the lengthier the better
- Use upper case, lower case, numeric, and special character values
- Make it pronounceable and memorable, but not easily guessed (e.g., a passphrase)
- Make sure that it is unique only to you
- Never use personal information
Are you sure you follow those guidelines for every important website you have access to?
Because a password like “PasSWord123=” satisfies every one of those guidelines, yet it is completely different in terms of security from “b8Urdam$CuiN”.
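The contrast in that sentence is the whole point: both strings pass the composition rules, but only one of them is built on a dictionary word that a cracking tool will try in its first few seconds. The following is an added example, not LastPass code and not an estimate of any real cracking cost: it checks a candidate master password against the quoted guidelines, then runs a crude dictionary/leet check, and prints a rough guess-space estimate under each model. The wordlist, the leet table and the allowance of eight mangling rules are constructed assumptions chosen to keep the example self-contained.

```python
import math
import re
from typing import Optional

# Constructed stand-in for the wordlists a cracking tool ships with.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "iloveyou", "monkey", "dragon"}

# Constructed leet-speak reversal table (digits and symbols back to the letters they mimic).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Assumed number of case/leet mangling variants an attacker tries per dictionary word.
MANGLING_RULES = 8


def meets_lastpass_rules(pw: str) -> bool:
    """Composition check taken from the guidelines quoted in the article."""
    return (
        len(pw) >= 12
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def dictionary_core(pw: str) -> Optional[str]:
    """Return the common word the password is built on, if any.

    Lower-cases, undoes leet substitutions, strips whatever is left that is
    not a letter, and looks for a wordlist entry inside the result.
    """
    core = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    for word in sorted(COMMON_WORDS):
        if word in core:
            return word
    return None


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must assume for a random password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII minus letters and digits
    return size


def guess_space_bits(pw: str) -> float:
    """Rough log2 of the guesses an attacker who knows the structure needs.

    Dictionary-based: pick the word, pick a mangling rule, then brute-force
    only the decoration characters around it. Otherwise: full random search.
    """
    word = dictionary_core(pw)
    per_char = math.log2(charset_size(pw))
    if word is not None:
        decoration = len(pw) - len(word)
        return math.log2(len(COMMON_WORDS)) + math.log2(MANGLING_RULES) + decoration * per_char
    return len(pw) * per_char


def assess(pw: str) -> dict:
    """Summarise the composition check, the dictionary check and the estimate."""
    return {
        "meets_rules": meets_lastpass_rules(pw),
        "dictionary_core": dictionary_core(pw),
        "bits": round(guess_space_bits(pw), 1),
    }


if __name__ == "__main__":
    # The two passwords contrasted in the article.
    for candidate in ("PasSWord123=", "b8Urdam$CuiN"):
        print(candidate, assess(candidate))
```

Both strings return True from the composition check; the difference shows up only in the dictionary check and in the resulting estimate, which is the gap the composition rules cannot see.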
As the most recent LastPass Notice says, “this remains an ongoing investigation”. That statement rules nothing out, not even that there is more to come.
Stay tuned.