December of 2022 saw the biggest and most worrying hack of any Password Manager we’ve ever seen...
But what does it all mean, what impact does it actually have on us as individuals, and what should we learn from this?
My name is Pete Matheson, and over the past few years, I’ve published a number of posts and videos around Password Managers, reviews, and comparisons, some of which are now the most viewed Password Manager videos on YouTube - which is just crazy.
So when news of the LastPass breach broke on December 22nd, 2022 - it was kind of expected of me to say something.
So this post is going to be broken down into 3 pieces.
What happened in the LastPass Breach.
What Impact does it have on you as a LastPass User.
Finally, how can you make sure this doesn’t happen to you?
Now, 1Password reached out to me and asked if I could make a video about the LastPass breach, and so did two other Password Managers. All of them wanted to get their name out as the one password manager to migrate to from LastPass.
So I won't lie, this video I made about this breach is sponsored by 1Password and yes, there will be some discounted links at the bottom of this post to sign up to.
In my opinion, it’s not that you should be moving to 1Password or any specific password manager - it’s that you make the right, well-informed decision that works for you. And, if you're not using a Password Manager already, then stick around, because I'm going to tell you why you should be!
What happened in the LastPass Breach?
So let’s tackle the question - in a non-technical way so that it’s easy to understand.
On September 22nd, an attacker got into the cloud storage LastPass used for backups and copied customer data out of it.
The stolen data included unencrypted customer account information - company names, end-user names, billing addresses, email addresses, telephone numbers, the IP addresses customers had logged in from, and the URLs of the websites saved in each vault - along with the encrypted vault fields: website usernames, passwords, secure notes, credit card and other form-fill data.
Basically, this means that whoever holds the copy can read, without any cracking at all, which sites you had accounts on and the email address tied to your LastPass account.
What they can't read straight away is the encrypted vault content. Your master password itself was never stored by LastPass, so it wasn't in the backup either; the only way into the vault is to guess it.
BUT - the encrypted copy is only as strong as the master password protecting it. The attacker can run guesses against the stolen vault offline, on their own hardware, with no lockouts and no 2-factor prompt in the way. So if you used an easy-to-guess Master Password, it won't take much time at all for someone to break into the backup copy of your account that they now hold.
Something to also be aware of: the "strength" setting here is the PBKDF2 iteration count, the number of times your master password is hashed before it becomes the key that encrypts your vault. A few years ago LastPass raised the default from 5,000 to 100,100 iterations, which with some quick maths makes every guess just over 20x more expensive for an attacker. But accounts created before that change were not all moved to the new default, which is why it's worth checking what yours is set to.
Check yours by following this guide: https://support.lastpass.com/help/how-do-i-run-the-security-challenge-for-lastpass-on-my-mobile-device
Note that this won't actually help with the current issue at hand: the attacker already has the copy taken on September 22nd, and that copy carries whatever iteration count and master password were in force at the time. Changing either now protects your live account, not the copy they've stolen.
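To make the iteration-count point concrete, here is an added example (my own, not LastPass's code or file format): a simplified model of a LastPass-style vault in which the key is PBKDF2-HMAC-SHA256 of the master password, salted with the lowercased account email, run at 5,000 and then 100,100 iterations, followed by an offline dictionary attack against a constructed "stolen backup". The HMAC-CTR toy stream cipher (standing in for the AES LastPass actually uses), the key-check value, the email, the wordlist and the sample vault are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Simplified model of a LastPass-style vault: the encryption key is
# PBKDF2-HMAC-SHA256(master password, salt = lowercased account email, N iterations).
# Illustrative stand-in only, not LastPass's real binary format or cipher.

def derive_vault_key(master_password, email, iterations):
    """Stretch the master password into a 256-bit vault key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )

def _keystream(key, nonce, length):
    """Toy CTR-mode keystream from HMAC-SHA256 (stands in for AES in this demo)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_vault(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce, ct

def decrypt_vault(key, nonce, ciphertext):
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))

def make_stolen_backup(email, master_password, iterations, vault_plaintext):
    """Build the kind of blob the attacker walks away with: clear metadata plus the encrypted vault."""
    key = derive_vault_key(master_password, email, iterations)
    nonce, ct = encrypt_vault(key, vault_plaintext)
    return {
        "email": email,            # stored in the clear (it is also the KDF salt)
        "iterations": iterations,  # stored in the clear: the copy keeps the count in force when it was taken
        "nonce": nonce,
        "ciphertext": ct,
        # Key-check value so a guess can be verified without parsing the whole vault
        # (a real attacker would instead decrypt and look for well-formed vault data).
        "key_check": hmac.new(key, b"vault-key-check", hashlib.sha256).digest(),
    }

def crack_backup(backup, wordlist):
    """Offline dictionary attack. Nothing here talks to the service, so login
    throttling and 2-factor authentication never come into play."""
    for guesses, candidate in enumerate(wordlist, start=1):
        key = derive_vault_key(candidate, backup["email"], backup["iterations"])
        check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
        if hmac.compare_digest(check, backup["key_check"]):
            return candidate, guesses
    return None, len(wordlist)

def seconds_per_guess(iterations, samples=3):
    """Measure the per-guess cost the iteration count imposes on the attacker."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", "probe@example.com", iterations)
    return (time.perf_counter() - start) / samples

# Constructed sample data for the demo.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Password1", "Summer2022!"]
VAULT = b"example.com,alice,Tr0ub4dor&3\nbank.example,alice,correcthorse"

if __name__ == "__main__":
    old = make_stolen_backup("alice@example.com", "Summer2022!", 5_000, VAULT)
    new = make_stolen_backup("alice@example.com", "Summer2022!", 100_100, VAULT)
    for label, backup in (("5,000 iterations", old), ("100,100 iterations", new)):
        pw, n = crack_backup(backup, WORDLIST)
        print(f"{label}: recovered {pw!r} after {n} guesses")
    ratio = seconds_per_guess(100_100) / seconds_per_guess(5_000)
    print(f"each guess costs about {ratio:.0f}x more at 100,100 iterations")
```

Run it and both backups fall to the same six-word list: the higher iteration count makes each guess roughly 20x slower, which matters for a strong master password that forces billions of guesses, but does nothing for one that sits in the first few thousand entries of a wordlist. The `iterations` field travelling inside the stolen copy is also why raising the count on your live account after the theft changes nothing for the attacker.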
And you might be sat there, much like I was, thinking: nah, that's cool. I used LastPass a few years ago, but it doesn't affect me now.
Well, unless you closed your account down, and you TRUSTED LastPass to actually remove your account properly, then yes, this does affect you.
After my paid-for account expired, it just reverted to a free account - so still with all my usernames, my passwords, and credit card information, though some if not most of the cards would have expired by now. But still, many logins that I wouldn't want other people to have access to would be in there.
Now, this all sounds pretty bad, because it is basically the worst-case scenario for a comment I see almost daily on my other posts and YouTube videos:
those of you saying that it's a bad idea to store everything in one place, because if that one place gets compromised then you're done for.
And unfortunately, LastPass has brought that point right home.
What Impact does it have on you as a LastPass User?
So if you are a LastPass user - or if you WERE a LastPass user then it affects you across both Business and Personal LastPass accounts.
LastPass's advice is that if you followed their best practice of setting a strong, unique Master Password, then it is near impossible for the attacker to get into your password database.
And that might be true - but with a huge pile of stolen vaults to choose from, they'll go for the ones with weak master passwords and low iteration counts first, because those fall quickest.
If you didn’t have a secure password, then the advice is to change ALL of your passwords, for everything. I would possibly go as far as being overly cautious and requesting new debit and credit cards too if you know you had a poor master password.
But - that still means that somewhere out there, someone has a copy of your password database. And I bet you anything that someone is selling your database to someone else who will have a damn good go at cracking it.
So my advice, something I wish I’d never have to say - but thanks to LastPass, you need to find a better password manager, and reset all your passwords.
Whilst you’re there resetting your passwords, I’d also HIGHLY recommend setting up 2-Factor Authentication using either an App like Authy or a hardware key - which I’ll talk about more in a sec.
I have plenty of posts on this website reviewing password managers so check them out to find which one would work best for you.
Nobody needs yet another YouTuber trying to flog something they've been paid to flog - because that's exactly how LastPass got a huge number of people into this mess!
They paid a tonne of YouTubers to advertise their free product, then rug-pulled everybody by forcing them to pay to upgrade, and they've had at least one breach a year since then!
And finally, what should we do differently next time?
So, how do we avoid this happening again?
What’s to say that you move to a different password manager and then it all happens again?!
There are a few things that I'd like to say here. Firstly, get a YubiKey. You can also get a Google Titan Key, but I like YubiKeys - they work like a physical key to your password manager, the way you have a key to your front door.
If you don't have your key, then you can't sign in to your password manager.
Any GOOD password manager will support the use of one of these.
That means that to get into your password manager you'd need a username, and a complex master password, AND you would physically need to hold this key AND be physically there to plug it into your computer and touch the sensor before you could log in. One caveat to be clear about: the hardware key protects the login to the service. It does not protect a copy of your encrypted vault that has already been stolen, because cracking that happens offline with no login step for the key to guard - a strong master password is still what does that job.
That's SO much better than just a username and password. Some password managers also offer an additional key, on top of the master password, that is needed to decrypt your data. Synology is one that will let you create that key yourself, but that leaves it open to you choosing yet another easy-to-guess value if you so wished.
To their credit, one thing I will say about 1Password here is their Secret Key. When you sign up with 1Password, the device you are using generates a random 128-bit Secret Key locally, and that key is mixed together with your account password to derive your encryption keys. 1Password has no knowledge of it, because it's created on your own device, and it is never sent to or stored on their servers.
Whenever you sign in on a new device, you need that key. So with 1Password as an example, that takes you from needing just a username and password to get into your password database, to needing a username, a password, the Secret Key, which only you hold, AND, if you've taken my advice, a YubiKey physically inserted into your computer and the sensor touched. The Secret Key is also what makes a stolen copy of the encrypted data a very different proposition from the LastPass one: an attacker who only has what the server held can't crack it by guessing your password, because every guess would also need the 128 random bits they don't have.
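As an added illustration of why a second, device-generated secret changes the offline-cracking picture, here is a simplified two-secret key derivation written for this post. It is my own model, not 1Password's code or their actual 2SKD protocol (which also uses HKDF-derived salts, account-specific parameters and SRP for authentication). It derives the vault key from a PBKDF2-stretched password XORed with a value derived from a 128-bit Secret Key, then runs the same dictionary attack from two positions: an attacker holding only the server-side record, and one who also obtained the Secret Key. The email, password, wordlist and key-check construction are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Illustrative two-secret key derivation in the spirit of 1Password's Secret Key.
# Model only: the real 2SKD uses HKDF-derived salts, account-specific parameters
# and SRP. The security property shown here is the same one the design relies on.

ITERATIONS = 100_000  # PBKDF2 work factor for the password half

def generate_secret_key():
    """128 random bits from the local CSPRNG, encoded for humans (26 base32 chars).
    In a real client this is generated on the device, shown once (e.g. on an
    emergency kit) and never uploaded to the service."""
    return base64.b32encode(secrets.token_bytes(16)).decode().rstrip("=")

def derive_vault_key(password, secret_key, email):
    """Mix a stretched password with the high-entropy Secret Key.
    Either half alone is useless: without the Secret Key the XOR output is
    indistinguishable from random, however good the password guess is."""
    salt = email.lower().encode()
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    sk_part = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()  # HKDF-extract style
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def key_check(key):
    """Verifier an attacker can test guesses against (stands in for recognising a
    correctly decrypted vault)."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()

def make_server_record(email, password, secret_key):
    """What a breach of the service alone could yield: the email in the clear plus
    encrypted material. The Secret Key itself is deliberately NOT in here."""
    return {"email": email, "key_check": key_check(derive_vault_key(password, secret_key, email))}

def offline_attack(record, wordlist, secret_key_in_hand=None):
    """Dictionary attack on the stolen record.
    secret_key_in_hand=None models the server-only breach: the attacker still has to
    supply some Secret Key, and the best available is a random one out of 2**128."""
    sk = secret_key_in_hand if secret_key_in_hand is not None else generate_secret_key()
    for guesses, candidate in enumerate(wordlist, start=1):
        guess_check = key_check(derive_vault_key(candidate, sk, record["email"]))
        if hmac.compare_digest(guess_check, record["key_check"]):
            return candidate, guesses
    return None, len(wordlist)

def years_to_exhaust_secret_keys(guesses_per_second):
    """Time to brute-force the Secret Key space alone at a given guess rate,
    ignoring the PBKDF2 cost of each guess."""
    return 2 ** 128 / guesses_per_second / (365.25 * 24 * 3600)

WORDLIST = ["123456", "password", "qwerty", "letmein", "Password1", "Summer2022!"]  # constructed

if __name__ == "__main__":
    sk = generate_secret_key()
    record = make_server_record("alice@example.com", "Summer2022!", sk)
    print("server-only breach:  ", offline_attack(record, WORDLIST))
    print("breach + Secret Key: ", offline_attack(record, WORDLIST, sk))
    print(f"exhausting Secret Keys at 1e12 guesses/s: {years_to_exhaust_secret_keys(1e12):.2e} years")
```

The weak password "Summer2022!" is in the wordlist both times. With the Secret Key in hand the record falls on the sixth guess, exactly as the LastPass-style vault does; with only the server-side record, the same guess fails, and the attacker is left brute-forcing a 2^128 space. That is the trade the design makes: the Secret Key has to be kept by the user (lose it and your data is unrecoverable), in exchange for a server breach on its own not being crackable.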
1Password say it’s uncrackable, and having used them for years now, even whilst using a dodgy copy of 1Password way back in the day - I’d actually be inclined to believe them.
So I hope that helped those of you going through the nightmare of a LastPass breach. I'll see you in the next one!
💌 Sign up for the weekly newsletter: https://www.petematheson.com/newsletter
MY TOP RECOMMENDED TOOLS: The Best Password Manager: (up to 50% off) https://geni.us/BestPasswordManager, https://geni.us/FamilyPasswordManager, https://geni.us/TeamPasswordManager, https://geni.us/WorkPasswordManager