December 23, 2022

LastPass data breach

Post updated on 1/13/2023



What happened? 

LastPass notified customers in November 2022 that an attacker had gained access to customer data. We have received questions from some users about this issue, and this post attempts to answer some of them.  

Please note that nothing in this post is intended to be an endorsement of any particular service. It simply reflects what we know about the situation and about how the company has handled this, and other, events. 

Is there anything I need to do right now? 

For most people, not in the short term. As long as you used a reasonably strong master passphrase (in accordance with LastPass recommendations) to secure your LastPass account, it is unlikely that there is any immediate risk to your data.

Nevertheless, there are best practices which apply here, and which you can perform periodically, to improve the security of your data now and in the future. We’ll discuss them below. 

What data was accessed? 

LastPass has said that the breach exposed unencrypted customer data, including web URLs and email addresses, as well as encrypted copies of customer passwords and secure notes.  

Specifics have been harder to find. According to a moderator in their customer support forum: 

“Encrypted data within the Vault includes user names, passwords, associated login notes and secure notes. Unencrypted data included basic customer account information and related metadata including company names, end-user names, website URLs, billing addresses, email address, telephone numbers and IP addresses from which customers were accessing the LastPass service.”

As we’ll explain further, this suggests some best practices going forward. 

Are my passwords now compromised? 

Probably not. Your passwords, and other data in LastPass, are as safe as the strength of your “master passphrase” (and the value of “password iterations” in your settings; explained below). 

The design of LastPass is consistent with the principle of “assumption of breach”, which means it anticipates being attacked, and remains robust even if the attacker is in possession of your encrypted vault. Because LastPass only has an encrypted “blob” of your data, and does not know or store your passphrase, the attacker will have stolen only gibberish, and will be unlikely to gain access to your actual data. 

To access your data, the attacker will still have to try to guess your passphrase. LastPass has taken steps to slow down this process significantly, which makes it much more expensive (in terms of computing time) to accomplish. The main weakness in the system is the strength of your passphrase: the stronger it is, the less likely that an attacker will find it worth the expense and time to crack it.  

However, there is one account setting which can affect the time it takes to guess your passphrase, and that is “password iterations”. This is in your advanced settings. The recommended value (according to LastPass) is 100,100. The default has changed over the years, so older accounts may have a lower value. If yours is set to anything lower than 100,100, it will be easier to crack your vault, and you should consider changing all your saved passwords.

The actual risk to your encrypted data depends on several things: 

  • the strength of your master passphrase
  • the value of “password iterations” in your settings 
  • the motivation of the attacker to access your data specifically 
  • the amount of computing power (meaning money) the attacker has available to use in brute force attacks, and 
  • how much time has passed, since passwords get easier to crack over time as computing power increases. (This is why rotating critical passwords occasionally is wise – the theory being that by the time the stolen snapshot of your vault is cracked, the passwords within it will have already been changed.) 

Given enough time (which could be days, months, or years, depending on all of the above), it’s reasonable to assume that the vaults will eventually be cracked, if you’re an entity of interest to the attacker. 
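The cost model above (passphrase strength, the "password iterations" setting, attacker compute, elapsed time) can be put into numbers. The following is an added example, not code from the post or from LastPass. It assumes that "password iterations" is the PBKDF2-HMAC-SHA256 iteration count used to stretch the master passphrase (LastPass documents this; the post above does not state it), and it uses a constructed attacker guess rate and a constructed salt. It also illustrates the passphrase-strength advice given later in this post: the entropy figures are generic estimates for the two passphrase styles shown.

```python
import hashlib
import time

# Constructed example values (not LastPass's real parameters or any real vault).
# The post says LastPass recommends 100,100 iterations and that older accounts
# may be set lower; 5,000 is used here only as an illustrative "older" value.
RECOMMENDED_ITERATIONS = 100_100
OLDER_ITERATIONS = 5_000
SALT = b"constructed-example-salt"  # a real vault salt is per-account and random


def derive_vault_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master passphrase into a 256-bit key with PBKDF2-HMAC-SHA256.

    Assumption: the "password iterations" setting is this iteration count.
    Every guess made against a stolen vault must repeat this entire computation,
    so the iteration count multiplies the attacker's cost per guess.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)


def relative_cost(iterations: int, baseline: int = OLDER_ITERATIONS) -> float:
    """PBKDF2 cost per guess grows linearly with the iteration count."""
    return iterations / baseline


def time_one_guess(passphrase: str, iterations: int) -> float:
    """Wall-clock seconds for a single derivation on this machine."""
    start = time.perf_counter()
    derive_vault_key(passphrase, SALT, iterations)
    return time.perf_counter() - start


def expected_guesses(entropy_bits: float) -> float:
    """On average the right passphrase turns up after half the keyspace."""
    return 2.0 ** entropy_bits / 2


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           attacker_hmac_per_second: float) -> float:
    """Expected time for an attacker who can run `attacker_hmac_per_second`
    HMAC-SHA256 operations per second (a constructed figure; real capacity
    depends on hardware and budget, as the post notes). One PBKDF2 iteration
    is modelled as one HMAC."""
    guesses_per_second = attacker_hmac_per_second / iterations
    return expected_guesses(entropy_bits) / guesses_per_second


def seconds_to_human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    ATTACKER_HMAC_PER_SECOND = 1e10  # constructed figure for a well-funded GPU rig
    ms = time_one_guess("example passphrase", RECOMMENDED_ITERATIONS) * 1000
    print(f"one guess at {RECOMMENDED_ITERATIONS:,} iterations on this machine: {ms:.1f} ms")
    # Entropy estimates: log2(26^8) for 8 random lowercase letters,
    # 6 x 12.9 bits for a six-word diceware passphrase.
    for label, bits in (("8 random lowercase letters", 37.6),
                        ("6-word diceware passphrase", 77.5)):
        for iterations in (OLDER_ITERATIONS, RECOMMENDED_ITERATIONS):
            secs = expected_crack_seconds(bits, iterations, ATTACKER_HMAC_PER_SECOND)
            print(f"{label:28s} @ {iterations:>7,} iterations: {seconds_to_human(secs)}")
```

Running it shows the two levers the post describes: raising the iteration count from 5,000 to 100,100 makes every guess about twenty times more expensive, while each extra bit of passphrase entropy doubles the expected work, which is why a long random passphrase moves the vault out of reach far more effectively than the iteration setting alone.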

Who is at greatest risk?

If you are in one of these categories, your vault is more at risk of being cracked, and you should prioritize changing all the passwords within it: 

  • If you are someone who may be targeted by motivated adversaries, you have less time to respond, because the attacker may prioritize cracking your vault with their available resources. 
  • If you used a weak master passphrase (according to LastPass recommendations), your vault will be much easier to crack.  
  • If the value of “password iterations” is lower than 100,100, your vault will take less computing time to crack.  

In all of these cases, you should consider changing all the passwords in your vault as soon as practical.  

Everyone else should plan to rotate passwords periodically as a matter of best practice. 

Does this breach mean LastPass should not be trusted? 

This is a complicated question. On its own, the occurrence of this breach shouldn’t change the risk picture for LastPass users.  

There are legitimate criticisms of how LastPass has handled communication and marketing. In particular, it is misleading that they claim a “zero knowledge” model when in fact some data fields in your vault are not encrypted (in part, this facilitates add-on features like “dark web” monitoring). Their cryptographic architecture, however, is well documented and reasonably sound.  

All internet service providers are vulnerable to attacks by increasingly persistent and usually sophisticated actors. Despite the disappointing way that LastPass has handled communication about this incident, they have historically been transparent about security concerns, which means we’re more likely to know about it when a breach or other security event occurs. They have designed their service to protect user data against reasonably foreseeable attacks, and that includes events just like this one. If you have followed their recommendations and your settings are up to date, the service is probably as reasonably secure as any cloud service can be. 

Given that we have a large user base invested in LastPass, moving from LastPass to some other password manager will have significant institutional costs, in time, money, and support. Based on the information we have at this time, there is not a compelling technical reason to move immediately off the platform. Since, unlike just a few years ago, there are now other products with similar features, it is certainly worthwhile to revisit the available offerings and reevaluate our needs. 

What can I do to manage this type of risk? 

For most people, simply committing to changing all your passwords regularly, particularly the most critical (email and phone accounts, financial accounts, etc.), is a reasonable strategy for many reasons. This breach is just one more reason. 

It is important to realize that no data are 100% safe from an actor with sufficient time, resources, and motivation.  Your goal is to increase the time and cost required to get to your data, to put it out of reach of all but the most well-resourced and determined adversary.  

The most important thing you can do to increase this cost is use a strong master passphrase. The passphrase is the “key” which unlocks your data, and the stronger it is, the more computing power and time (and thus money) are required to crack it. 

You must also review the value of “password iterations” in your settings. You will find it in Account Settings -> Show Advanced Settings. Hovering over the “i” will display LastPass recommendations, which in this case is a value of 100,100. While you’re at it, review all your settings and the recommended values, and ensure that they are up to date and aligned with your requirements.  

Note that neither changing your master passphrase nor the value of “password iterations” will have any effect on the risk of your already-stolen vault snapshot being cracked. Because the attackers already have a copy of the vault with your previous settings, that particular risk is now fixed in stone, cryptographically speaking. Changes will only affect your risk in future breaches. 

Additionally, a prudent strategy would be to assume that an adversary has (or will have sooner or later) a copy of your encrypted vault, and eventually – after enough guesses, and perhaps months or years – will open it. This is a threat that would exist for any encrypted data stored on a networked device, “cloud” or otherwise.

The defense against that is straightforward:

  • Assume (eventual) breach.
  • Periodically change not only your master passphrase, but also critical passwords within your vault, particularly any which are not protected by multi-factor authentication.
  • Changing passwords once a year or so would be reasonable and not too onerous; that increases the odds that if someone eventually does manage to open an older snapshot of your vault after working on it for a long time, the data will be stale and of no use. 
  • Finally, never store 2-factor codes in your LastPass vault! The point of 2FA is to require the attacker to have not only your password, but also your 2FA key. Giving both away at the same time defeats that purpose.  
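The two points made above, that changing your master passphrase or iteration count does nothing for a vault copy already stolen, and that rotating the passwords inside the vault makes that copy stale, can be demonstrated with a small model of how a vault blob is bound to the settings in force when it was encrypted. This is an added example, not code from the post or from LastPass. It assumes PBKDF2-HMAC-SHA256 for key stretching and uses an HMAC-based counter-mode stream cipher with an HMAC tag as a stand-in for the real vault cipher (a toy construction chosen so the example has no dependencies outside the Python standard library); the vault contents are constructed sample values.

```python
import hashlib
import hmac
import json
import os


def derive_vault_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256; assumption: "password iterations" is this count."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher.

    Toy construction for illustration only, not the real vault cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(entries: dict, passphrase: str, iterations: int) -> dict:
    """Produce the blob a server would store: salt, iteration count, nonce,
    ciphertext and tag. The passphrase itself is never stored."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_vault_key(passphrase, salt, iterations)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt, "iterations": iterations, "nonce": nonce, "ct": ciphertext, "tag": tag}


def open_vault(blob: dict, passphrase: str):
    """Decrypt a blob with a candidate passphrase; None if it is wrong.

    Note that the salt and iteration count come from the blob itself: whoever
    holds a copy derives keys under the settings that copy was made with."""
    key = derive_vault_key(passphrase, blob["salt"], blob["iterations"])
    expected = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    plaintext = bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"]))))
    return json.loads(plaintext)


def simulate_breach_then_rotate() -> dict:
    """Walk through: snapshot stolen, user changes settings, user rotates passwords."""
    # Constructed sample vault (no real credentials).
    vault = {"bank.example": "old-bank-pw", "mail.example": "old-mail-pw"}
    stolen_snapshot = encrypt_vault(vault, "old master passphrase", 5_000)

    # The user reacts to the breach: new master passphrase, recommended iterations.
    # This produces a new blob but changes nothing about the copy already taken.
    current_blob = encrypt_vault(vault, "new much longer master passphrase", 100_100)

    # The stolen copy still opens with the OLD passphrase at the OLD cost...
    recovered = open_vault(stolen_snapshot, "old master passphrase")
    # ...and the NEW passphrase is irrelevant to it.
    new_pw_on_old = open_vault(stolen_snapshot, "new much longer master passphrase")

    # Rotating the passwords INSIDE the vault is what makes the snapshot stale.
    vault["bank.example"] = "rotated-bank-pw"
    vault["mail.example"] = "rotated-mail-pw"
    current_blob = encrypt_vault(vault, "new much longer master passphrase", 100_100)
    live = open_vault(current_blob, "new much longer master passphrase")

    return {
        "snapshot_iterations": stolen_snapshot["iterations"],
        "old_passphrase_opens_snapshot": recovered == {"bank.example": "old-bank-pw",
                                                      "mail.example": "old-mail-pw"},
        "new_passphrase_opens_snapshot": new_pw_on_old is not None,
        "snapshot_is_stale": recovered is not None and all(recovered[k] != live[k] for k in live),
    }


if __name__ == "__main__":
    for name, value in simulate_breach_then_rotate().items():
        print(f"{name}: {value}")
```

The snapshot carries its own salt and iteration count, so an attacker working on it is never affected by settings changed afterwards; only the content inside it can be made worthless, which is what periodic rotation of the stored passwords achieves.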

What other risks should I consider? 

Be aware that the exposure of unencrypted fields in the stolen data, such as URLs and email addresses, will make it much easier to craft convincing phishing messages. In this regard, this event is similar to many other breaches which (routinely, sadly) expose customer data. Our risk advisories page has information on protecting yourself from this ever-present threat. 

By far, the most likely place that your passwords could be compromised is on your own computer. That’s because it is the only place that your password vault is (and must be) unencrypted, and is thus vulnerable to any malware running there, or any scams to which you fall victim. Your first line of defense, therefore, should always be to familiarize yourself with smart computing practices in general and know your responsibilities for securing UW (and your own) data. 

References

Sophos: LastPass admits to customer data breach caused by previous breach

LastPass blog and documentation:

OIS resources: