Keeping track of all our passwords is a hard thing, especially because it’s a bad practice to re-utilize them across multiple accounts, they also must be strong and hard to guess. Our best solution is to use a password manager, this way we can get strong and hard-to-guess passwords and we avoid the hassle of memorizing all of them (which btw I can’t), they are all in one place, but what happens if your password manager has a security breach and your passwords vault gets leaked? That happened four months ago, and they are only telling you now.
A Quick Recap of What Was Happening
August 25, 2022
LastPass posted an official note that they had noticed an unusual activity two weeks earlier and started investigating it, but there was no evidence of access to any customer data. Apparently, the attacker only had access to a portion of the source code through the development environment.
September 15, 2022
They had completed their investigation and forensics with the Mandiant team, after finishing the investigation they concluded that the attackers activity was limited to a 4-day time frame in August and that the team was quick to contain the incident.
Also according to their investigation, the breach happened in the development environment, which technically has no access to customers data or password vaults.
Even having access to users encrypted passwords vaults, nothing can be done without the user’s master password, which is part of their zero-knowledge security model (keep that last sentence in mind though)
November 30, 2022
As part of their transparency commitment, they added an update to the breach situation, stating that they noticed unusual activity on a third-party cloud storage service, which is both shared by LastPass and GoTo, and again, they launched an investigation with the Mandiant team.
This time they stated that the breach that happened in August actually gave the attacker access to “certain elements” of customers information, but that all the passwords are safe, again, due to their zero-knowledge security model.
What is Happening Now?
The day is December 22, 2022, LastPass came to the public to tell that, on the security breach of August, the attacker was able to get personally identifiable information, including company name, end-user name, emails, billing addresses, telephone numbers and IP addresses, as well as, wait for it, Password Vaults. 🤯
According to LastPass, your password vault is totally safe and is uncrackable, considering you have followed all their guidelines to secure master-password creation.
At the moment there is no evidence that any unencrypted credit card data had been leaked, which at this point, I have my concerns since they took 4 months to come to the public saying that PII and password vaults are in the attackers hands.
You can check the entire Notice of Incident here
How Safe Are my Passwords?
If you have followed the entire LastPass guideline for password creation, you are probably safe, attackers will start using dictionaries of billions of already leaked passwords (RockYou2021 dictionary has incredible 8.4 billion passwords) to speed up the process.
Attackers may also try to brute-force your password, but if you think it would take them a really long time, think again. As technology evolves, it also decreases the time to crack passwords, the jump between an RTX 3090 and an RTX 4090 is almost 2x for nearly every algorithm.
You might be wondering how much time then, would it take for someone to crack a complex password, someone actually tested that with the most recent hardware, they used an RTX 4090 8-card rig and were able to crack a highly complex 8 digits password in 48 minutes using Hashcat, according to this BitDefender article.
So to be extra sure that your accounts are safe is highly recommended that you change all the accounts passwords that you have stored within LastPass, including your master password.