LastPass Admits Data Breach Is Much Worse than Initially Revealed
The last password manager you’d ever want to use
In August 2022, popular password manager developer LastPass experienced a data breach from an “unknown threat actor” who gained access to an unsecured third-party cloud storage instance. We can pretty safely assume this “third-party storage instance” was an unsecured Amazon Web Services S3 data “bucket”.
These so-called “leaky buckets” have been front-and-center in a number of high profile data breaches over the last several years. While it’s convenient to place the blame on AWS for these breaches, since AWS is hosting the S3 storage objects, the fault lies squarely with the companies who use S3 and fail to secure their S3 instances properly.
In the case of LastPass, the original event in August 2022 turned out to be much worse than LastPass initially revealed. On December 21st, 2022, LastPass published a new blog post admitting that this unknown threat actor obtained access to sensitive customer data, including encrypted master passwords. In password manager parlance, the master password unlocks a user’s password vault; a hacker who manages to decrypt it gains access to every password that user has saved in LastPass.
This is a big deal. It’s almost a worst-case scenario from the perspective of LastPass, but they won’t say as much because the optics are already terrible for the embattled company. In 2015, LastPass was acquired by LogMeIn, a popular developer of remote access software. In 2021, LastPass was spun off from LogMeIn, but remained under the ownership of the private equity firms that had acquired its former parent company, LogMeIn. During all of this buyout and spinoff drama, LastPass significantly altered the terms of its free product tier in early 2021, leading to a substantial shedding of its customer base.
Password managers are high-profile targets for hackers and, unfortunately, many contain security vulnerabilities. As these programs are essentially storehouses for every password a customer regularly uses, threat actors prioritize gaining access to them. In 2020, researchers from the University of York discovered security vulnerabilities in the popular password managers Dashlane, LastPass, Keeper, 1Password, and RoboForm. In LastPass’s case, the vulnerabilities had apparently not been rectified at the time the study was published. These types of attacks are also distinct from, and potentially more damaging than, the more common phishing attacks that affect millions of people every year.
So what should you do? If you’re a LastPass user in 2022, you have to assume that the threat actor has access to your encrypted master password and that they have the ability to decrypt it. At this point, LastPass’s word is essentially worthless. With that said, and painful as it may be, your best course of action is to change every password you stored in your LastPass vault and close your LastPass account.
Which password manager should you use? We recommend Bitwarden. So far, Bitwarden’s security posture has led the pack in the field of password managers. Bitwarden offers a free online password manager option, as well as paid versions with additional features, such as the ability to self-host your Bitwarden instance (or have a technical service provider like Geek Housecalls do it for you!).
This is especially critical in business and enterprise environments. In a 2020 report by Rapid7, researchers found that effective password management and two-factor authentication were both badly underutilized in corporate IT environments. This failure to implement appropriate credential management and two-factor authentication has led to billions of dollars in lost productivity, as well as in funds paid to ransomware hackers and to outside security companies.
If you’re struggling with password management at home or credential security at work, give Geek Housecalls a call or email today. Our business division, Geeks for Business, is ready to help you secure your enterprise environment. Our home division, Geek Housecalls, can help you migrate away from LastPass and we’ll perform a full security audit to ensure that your online passwords are as secure as possible.