{"id":2356,"date":"2023-01-12T05:00:04","date_gmt":"2023-01-12T13:00:04","guid":{"rendered":"https:\/\/www.ssls.com\/blog\/?p=2356"},"modified":"2023-09-27T13:13:58","modified_gmt":"2023-09-27T20:13:58","slug":"the-expert-response-to-lastpasss-latest-breach","status":"publish","type":"post","link":"https:\/\/www.ssls.com\/blog\/the-expert-response-to-lastpasss-latest-breach\/","title":{"rendered":"The expert response to LastPass\u2019s latest&nbsp;breach"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.ssls.com\/blog\/wp-content\/uploads\/SSL_Blog_The-LastPass-disclosure.png\" alt=\"\" class=\"wp-image-2327\"\/><\/figure>\n\n\n\n<p>Being secure online often requires putting some amount of trust into companies that claim to have our best interests at heart. While these security companies may indeed have their users&#8217; best interests at heart, that\u2019s not enough to prevent security breaches. When a breach then occurs, it can shake people\u2019s trust in what was once considered a foolproof element of <a href=\"https:\/\/www.ssls.com\/blog\/lets-encrypt-revoked-about-2-7-million-mis-issued-ssl-certificates\/\">security<\/a>.&nbsp;<br><\/p>\n\n\n\n<!--more-->\n\n\n\n<p>That\u2019s precisely what has been happening with LastPass over the last few weeks. A company once held up as a beacon in password security revealed that hackers managed to gain access to user password vaults. Basically, their key promise to customers was broken.<br><\/p>\n\n\n\n<p>In this article, we\u2019ll go through the ins and outs of the LastPass breach, how the company handled it, and whether or not you should use a password manager going forward. Let\u2019s get into it.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The latest breach<\/h2>\n\n\n\n<p>LastPass had a few security scares in 2022, but reassured customers that everything was fine. 
Unfortunately, in December, the company posted an update to its advice regarding their August breach, revealing this was not actually the case. As it turned out, malicious actors had managed to copy customers\u2019 data and encrypted password vaults.<br><\/p>\n\n\n\n<p><a href=\"https:\/\/blog.lastpass.com\/2022\/12\/notice-of-recent-security-incident\/\">According to the company<\/a>, hackers stole some source code and technical information, using it to target an employee and steal credentials and keys for accessing and decrypting several storage volumes within the company\u2019s cloud-based storage service. The threat actor managed to access basic customer account information, end-user names, billing addresses, email addresses, telephone numbers, and customer IP addresses.&nbsp;<br><\/p>\n\n\n\n<p>Despite the password vaults being stolen, LastPass assured customers that it wouldn\u2019t be possible to access their actual passwords since they\u2019re <a href=\"https:\/\/www.ssls.com\/blog\/no-more-mixups-google-gets-even-stricter-about-https\/\">protected<\/a> by \u201c256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user\u2019s master password\u201d. They said that master passwords should be impossible to crack, and that theoretically it would take a million years even using the latest available technology.\u00a0<br><\/p>\n\n\n\n<p>However, security experts have not responded well to LastPass\u2019s update, accusing the company of playing down the seriousness of the situation and even holding back information.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The expert response<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.theverge.com\/2022\/12\/28\/23529547\/lastpass-vault-breach-disclosure-encryption-cybersecurity-rebuttal\">According to The Verge<\/a>, Wladimir Palant, who helped develop AdBlock Pro, is one security researcher who\u2019s unhappy with how LastPass has handled the situation. 
He believes the company is trying to portray the August breach and the latest incident as two separate incidents when, in reality, they simply failed to contain the initial breach.&nbsp;<br><\/p>\n\n\n\n<p>He has also cast doubt on the company\u2019s claim that a user\u2019s master password would take a million years to crack, considering the company doesn\u2019t enforce password best practices. This is despite the company claiming that 12-character passwords have been the default since 2018. Palant said, \u201cI can log in with my eight-character password without any warnings or prompts to change it.\u201d Jeffrey Goldberg, 1Password\u2019s principal security architect, also weighed in on the claim, <a href=\"https:\/\/blog.1password.com\/not-in-a-million-years\/\">stating that<\/a> it presumes users create their passwords based on a completely random process, such as that of a password generator. Goldberg believes that all human-created passwords are crackable and could potentially be cracked quickly, for the price of $100.<br><\/p>\n\n\n\n<p>It\u2019s also not insignificant that these hackers have access to all the URLs users have saved passwords for. Palant has expressed concern that hackers could paint a complete profile of users from that information. It could also be dangerous for users accessing websites with information that\u2019s illegal in their country.&nbsp;<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What you should do about it<\/h2>\n\n\n\n<p>As some experts say, if you use LastPass, now is probably the time to move to a different password manager, especially considering it\u2019s the company\u2019s seventh security incident in just over ten years. Don\u2019t let it turn you off password managers entirely, though. Experts say they are <a href=\"https:\/\/twitter.com\/SwiftOnSecurity\/status\/1606087999254454272\">still a better option than the alternative<\/a>, even with this recent controversy. 
Your best bet is going for a manager that encrypts everything, not just your passwords. And you should always use the strongest password possible for your master password. Don\u2019t leave it to chance. \n\n<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Being secure online often requires putting some amount of trust into companies that claim to have our best interests at heart. While these security companies may indeed have their users&#8217; best interests at heart, that\u2019s not enough to prevent security breaches. When a breach then occurs, it can shake people\u2019s trust in what was once [&hellip;]<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2356","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/2356","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/comments?post=2356"}],"version-history":[{"count":3,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/2356\/revisions"}],"predecessor-version":[{"id":2664,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/2356\/revisions\/2664"}],"wp:attachment":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/media?parent=2356"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/categories?post=2356"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/tags?post=2356"}],"curies":[{"name"
:"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}