The LastPass security breach: What you need to know, do, and watch out for

What do you do if you're a LastPass user? Is it time to panic and find a new password manager? Here's some advice.

Online password manager LastPass is in lockdown mode after the company discovered unusual activity on its network late last week. That activity turned out to be hackers who got away with user email addresses, password reminders, server per user salts, and authentication hashes, according to LastPass.

The good news is it appears hackers didn't get away with anyone's encrypted password vaults. Still, it certainly sounds like a bad breach, but the consensus among security experts is that it could've been a lot worse.

First of all, LastPass is currently defending against potential account theft by requiring email verification--or multi-factor authentication if enabled--whenever a new login comes from an unknown device or new IP address. An attacker would need access to your email account or authenticator app on top of cracking your LastPass master password to get in.

Speaking of which, cracking that master code is going to take a long time unless your LastPass password is unbelievably weak, such as 1234LastPass or something similar. To crack your master password, hackers first have to get past your authentication hash--which includes 100,000 rounds of PBKDF2-SHA256 hashing--on the LastPass servers. Hashing uses an algorithm to convert one string of text into a longer string so that it is difficult to reverse engineer and discover what the original text was.
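To make the salting and iteration count concrete, here is an added illustration (not LastPass' own code) of how a server can store and check an authentication hash with 100,000 rounds of PBKDF2-SHA256 and a random per-user salt; the password strings, salt length and record layout are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

ROUNDS = 100_000  # the server-side iteration count the article attributes to LastPass

def make_auth_hash(password: str, salt: bytes, rounds: int = ROUNDS) -> str:
    """Derive a hex-encoded authentication hash with PBKDF2-HMAC-SHA256.

    A random per-user salt means two users with the same password get
    different hashes, so a leaked table cannot be attacked with a single
    precomputed dictionary that covers every account at once.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds).hex()

def new_user_record(password: str, rounds: int = ROUNDS) -> dict:
    """What a server stores: the salt, the round count and the hash, never the password."""
    salt = os.urandom(16)  # 16 random bytes; the length is an assumption for this example
    return {"salt": salt.hex(), "rounds": rounds, "hash": make_auth_hash(password, salt, rounds)}

def verify(password: str, record: dict) -> bool:
    """Recompute the hash from the candidate password and compare in constant time."""
    candidate = make_auth_hash(password, bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])

def seconds_per_guess(rounds: int = ROUNDS, samples: int = 3) -> float:
    """Measure roughly how long one guess costs at a given iteration count on this machine."""
    salt = b"constructed-fixed-salt"  # constructed sample value for timing only
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"sample password", salt, rounds)
    return (time.perf_counter() - start) / samples

if __name__ == "__main__":
    record = new_user_record("correct horse battery staple")  # constructed sample password
    print("stored record:", record)
    print("right password accepted:", verify("correct horse battery staple", record))
    print("wrong password rejected:", verify("1234LastPass", record))
    print(f"one guess at {ROUNDS:,} rounds: about {seconds_per_guess() * 1000:.1f} ms")
    print(f"one guess at 1 round: about {seconds_per_guess(1) * 1e6:.1f} us")
```

The two timing lines show why the round count matters: each guess an attacker makes against a leaked hash costs the same work the server pays once per login, and the per-user salt forces that work to be repeated for every account.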

One security expert told Ars Technica that he's so confident in LastPass' hashing that he doesn't even feel compelled to change his master password.

That said, LastPass is nothing if not prudent, and the company will soon prompt all users to change their master password.

So what's a LastPass user to do? Is it time to give up on this popular password manager and switch to something else? As a paying user of LastPass I'm not taking that drastic step, but here are a few things you should do.

Enable multi-factor authentication

This is the most important step you can take if you haven't already. Even if the worst happens and hackers get your master password, they'll still need the authentication code to access your account if you have two-factor authentication enabled. Multi-factor authentication isn't important just for LastPass--you should be using it on any site that offers it, including social networks, email accounts, and so on.

Beware of the phish

With hackers in possession of the email addresses of LastPass users, at least some of us are likely to see phishing attacks. This is when attackers send a phony email dressed up like an authentic message from LastPass. The difference is this email will ask you to click a link and change your master password--something you should never do.

Never, ever click on a link in an email asking you to change your password. Chances are that link will take you to a fraudulent version of the LastPass site that exists solely to steal your login credentials.

Change your master password

That said, LastPass will be asking all users to change their master passwords in the near future. I take that to mean we'll be notified via the LastPass mobile apps or browser extensions. We are confirming this with LastPass, but to reiterate, do not change your password by following a link contained in an email or instant message.

Also, if you've used your LastPass master password on any other site--you shouldn't do that, by the way--you should change it there as well.

Be careful with your password reminder

Security specialist Martin Vigo discussed the LastPass breach on his personal blog. (Ironically, Vigo is about to do a talk on hacking LastPass.)

Vigo advises you not to bother filling out your password reminder on LastPass. Let's say your password was MMxy80pyt. You probably thought it was smart to make your reminder, "My Mare's xylophone is 80 playing years today." Now, it doesn't sound like such a great idea with that sentence in the hands of the bad guys.

The problem is LastPass requires a password reminder. To skirt around the requirement without potentially giving too much info to would-be hackers, just add something like "the password I entered just now" or something similar. Then keep a real reminder (or the actual password) written down on paper and secured at home.

Finally, while it's sad to say, this probably won't be the last breach LastPass has to deal with. In fact, the company already dealt with a potential breach four years ago.

Thanks to all that personal data LastPass houses--including login details for banking sites, and in some cases even credit card data--the service is a prime target for hackers. However, thanks to LastPass' high level of salting and hashing and its pretty good transparency (at least so far), any user with a strong password and multi-factor authentication enabled should be able to ride out these occasional breaches without much worry.

Stories by Ian Paul