Perhaps best to call it the “Last warning you’ll ever need to flee LastPass” breach.

Best summary and take I’ve seen is from Wladimir Palant:

Right before the holiday season, LastPass published an update on their breach. As people have speculated, this timing was likely not coincidental but rather intentional to keep the news coverage low. Security professionals weren’t amused; this holiday season became a very busy time for them. LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face.

Their statement is also full of omissions, half-truths and outright lies. As I know that not everyone can see through all of it, I thought that I would pick out a bunch of sentences from this statement and give some context that LastPass didn’t want to mention.

And over on, Jeremi M Gosney writes:

But things change, and in recent years I found myself unable to defend LastPass. I can’t recall if there was a particular straw that broke the camel’s back, but I do know that I stopped recommending it in 2017 and fully migrated away from it in 2019. Below is an unordered list of the reasons why I lost all faith in LastPass…

The entire list is worth a read, if you’re curious to relive all of LastPass’ sins. You can also find support in his thread for the things 1Password and Bitwarden are doing right.

All in all, choosing a password manager is hard because managing a bunch of passwords is hard. For the moment, 1Password and Bitwarden are top choices, and they are doing things that can seem user-hostile (wtf is this Secret Key, 1Password?) but actually improve overall security. You don’t know you need it until a breach like LastPass’ happens, and then…

If there is any light at the end of this tunnel, it is Passkeys. A Passkey is a new (to you) way to authenticate to a website or service, although it relies on tried and tested technologies which have been around for quite some time[1].

A simple example: you have a cell phone; (presumably) only you can unlock that device, using Face ID, a fingerprint or a passcode; and that device holds a secret that is usable only once it is unlocked. Using the magic of cryptography[2], that device’s secret can prove to a website or service that you are who you say you are, and log you in without your ever typing a password. The secret itself never leaves the device, and it is bound to the site it was created for, so there is no password to reuse, leak from a vault, or hand to a look-alike phishing domain.

Expect this soon.


Update 7 March 2023.

This story only seems to get worse and worse:

In the process, the unknown threat actor was able to steal valid credentials from a senior DevOps engineer and access the contents of a LastPass data vault. Among other things, the vault gave access to a shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.

This is a complicated story, so here are the other salient bits:

  • The hacked DevOps engineer was one of only four LastPass employees with access to the corporate vault
  • As reported 2 months ago, customer vault data was stolen. This new story explains how that happened: the backups of customer vaults were encrypted, with the encryption keys kept separate from the vaults themselves, and it was those keys that the attacker reached through the engineer’s credentials.
  • According to a person briefed on a private report from LastPass who spoke on the condition of anonymity, the media software package that was exploited on the employee’s home computer was Plex.
  • Interestingly, Plex reported its own network intrusion on August 24, just 12 days after the second incident at LastPass.

What to make of all this? First, if only four (4) people have access to a resource that can decrypt backups of the most sensitive data, it’s an interesting question as to why any single person can access that in isolation. A restriction that requires multiple people to combine data or knowledge to unlock this vault seems wise. Second, I am a big fan of allowing personal devices for corporate use, but in this case the access to such sensitive data should have been controlled better. Again, if only 4 people are granted access, forcing that access to come from a trusted, corporate-managed device seems like a hassle worth undertaking.
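As an added example of the “multiple people must combine knowledge” idea (not from the original post, and not a description of how LastPass or any vendor actually stores keys), here is a small Shamir secret-sharing implementation in Go over GF(256). A 32-byte backup key is split into 4 shares with a threshold of 2: any 2 shares reconstruct it, while 1 share alone yields bytes unrelated to the key, so one phished engineer cannot decrypt anything by themselves. The key bytes in `main` are a constructed placeholder.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// Share is one participant's piece: the x coordinate and one y byte per secret byte.
type Share struct {
	X byte
	Y []byte
}

// gfMul multiplies in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1.
func gfMul(a, b byte) byte {
	var p byte
	for i := 0; i < 8; i++ {
		if b&1 != 0 {
			p ^= a
		}
		hi := a & 0x80
		a <<= 1
		if hi != 0 {
			a ^= 0x1b
		}
		b >>= 1
	}
	return p
}

// gfInv returns a^-1 = a^254 in GF(2^8); a must be non-zero.
func gfInv(a byte) byte {
	r := byte(1)
	for i := 0; i < 254; i++ {
		r = gfMul(r, a)
	}
	return r
}

// Split evaluates, per secret byte, a random degree k-1 polynomial with the
// secret as constant term at x = 1..n. Fewer than k points leave the constant
// term uniformly undetermined; that is the threshold, enforced by arithmetic
// rather than by an access-control check that a compromised client could skip.
func Split(secret []byte, k, n int) ([]Share, error) {
	if k < 2 || n < k || n > 255 {
		return nil, errors.New("need 2 <= k <= n <= 255")
	}
	shares := make([]Share, n)
	for i := range shares {
		shares[i] = Share{X: byte(i + 1), Y: make([]byte, len(secret))}
	}
	coef := make([]byte, k)
	for b, s := range secret {
		coef[0] = s
		if _, err := rand.Read(coef[1:]); err != nil {
			return nil, err
		}
		for i := range shares {
			var y, xp byte = 0, 1
			for _, c := range coef {
				y ^= gfMul(c, xp)
				xp = gfMul(xp, shares[i].X)
			}
			shares[i].Y[b] = y
		}
	}
	return shares, nil
}

// Combine interpolates the polynomial at x = 0 (Lagrange form). Given at least
// k distinct shares it returns the secret; given fewer it returns garbage.
func Combine(shares []Share) ([]byte, error) {
	if len(shares) == 0 {
		return nil, errors.New("no shares")
	}
	secret := make([]byte, len(shares[0].Y))
	for b := range secret {
		var acc byte
		for i, si := range shares {
			basis := byte(1)
			for j, sj := range shares {
				if i == j {
					continue
				}
				if si.X == sj.X {
					return nil, errors.New("duplicate share")
				}
				// In characteristic 2, x_j / (x_i - x_j) == x_j * inv(x_i ^ x_j).
				basis = gfMul(basis, gfMul(sj.X, gfInv(si.X^sj.X)))
			}
			acc ^= gfMul(si.Y[b], basis)
		}
		secret[b] = acc
	}
	return secret, nil
}

func main() {
	key := make([]byte, 32) // constructed placeholder for a backup encryption key
	rand.Read(key)
	shares, _ := Split(key, 2, 4)
	two, _ := Combine(shares[1:3])
	one, _ := Combine(shares[:1])
	fmt.Printf("2 of 4 recovers key: %v\n1 of 4 recovers key: %v\n",
		string(two) == string(key), string(one) == string(key))
}
```

The operational point is the threshold, not the curve of the maths: the reconstructed key should only ever exist in memory on the system that needs it, shares should live with different people on different (managed) devices, and reconstruction should itself be an audited event.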

Hard to imagine this is not the end of LastPass’ business. I certainly would not recommend them to anyone, for any purpose. If your bank gets robbed and the reason was that the guy who had keys to the vault left them sitting in his locked, yet rusty lunch pail, well then you find a new bank!

  1. Public key cryptography, that is.

  2. Again, the public key stuff.