The LastPass hacking is VERY big. What’s the best way to manage passwords?

By Edwin Chabuka

LastPass, one of the most popular password manager providers, suffered a data breach that exposed data on its 33 million customers. A scary amount of data!

To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. 

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

LastPass Press Statement

So essentially the hackers were able to access ALL the customer data. While most of it is still encrypted, the unencrypted part, which LastPass highlighted as website URLs, is still pretty valuable. It shows the hackers every website you access using LastPass, and if those websites are interesting enough, they can make you a target.

Every LastPass user is at risk, and LastPass is silent about it

At the moment the ONLY thing stopping the hackers from decrypting a LastPass customer’s data is the customer’s master password, which is used to generate the encryption key for that particular account. This master password is the one you use to access your LastPass account. If your password is one of those weak ones, you are at the highest risk of getting hacked. LastPass is also handling this in a very shady manner. Their press release was only published on their blog, and they state that they notified fewer than 3% of their users, who happen to be their business clients, even though the hack affected all their customers.

We have already notified a small subset (less than 3%) of our Business customers to recommend that they take certain actions based on their specific account configurations. If you are a Business customer and you have not already been contacted to take action, then there are no other recommended actions for you to take at this time.  

LastPass Press Statement

So after telling everyone that these hackers have EVERYTHING and that the only form of safety left is the user’s master password, they say that if they didn’t contact you, relax, you are fine. This is the worst advice they can give to their customers. It is in stark contrast to the way Google handled its data breach: up to today, Google still advises all Google Password Manager users to update passwords for any website that still uses a password from before the data breach. That LastPass only advised fewer than 3% of its users and kept it hush-hush for the other 97%+ makes it look like they are trying to save face by keeping quiet and only informing the clients that can make the most noise and give them bad press.

What then is the best way to manage my heaps of passwords?

There are plenty of ways to manage passwords. And I will list them here so you can pick which ones work best for you.

Continue using LastPass

A majority of LastPass users are definitely going to stay with it for a couple of reasons. Maybe because it is a familiar platform and they do not want to invest time and energy into learning a new one, or they still have an active subscription holding them hostage. It’s still fine.

These people can still continue using LastPass, but they cannot avoid the painstaking task of updating every password in their LastPass vault, as well as the master password of their LastPass account, to something strong and random with at least 12 characters. This needs to be done immediately.

The hackers copied data, so if you update your details, whatever they took becomes old data that no longer works to access or decrypt your information.
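To make the two points above concrete (the master password is turned into the vault encryption key, and a random password of at least 12 characters is what makes that key hard to guess), here is an added example that is not from the article or from LastPass. It assumes an illustrative PBKDF2-HMAC-SHA256 derivation salted with the account email and a constructed guess rate; the real LastPass parameters are not taken from this page.

```python
import hashlib
import math
import secrets
import string

# Constructed alphabet for generated master passwords: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_master_password(length: int = 16) -> str:
    """Draw a random master password from the OS CSPRNG; refuse anything shorter than 12 characters."""
    if length < 12:
        raise ValueError("a master password needs at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every password of the given entropy at a constructed guess rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def derive_vault_key(master_password: str, account_email: str, iterations: int = 100_000) -> bytes:
    """Turn the master password into a 256-bit vault key.

    Assumption for illustration only: PBKDF2-HMAC-SHA256 with the lower-cased account
    email as salt. Whoever holds a copy of the encrypted vault can only reach this key
    by guessing the master password, one PBKDF2 run per guess.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        account_email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


if __name__ == "__main__":
    weak_bits = entropy_bits(8, 26)        # eight lower-case letters
    strong_bits = entropy_bits(12, len(ALPHABET))
    rate = 1e9                              # constructed offline guess rate, guesses per second
    print(f"8 lower-case letters: {weak_bits:.1f} bits, {years_to_exhaust(weak_bits, rate):.2e} years")
    print(f"12 random chars:      {strong_bits:.1f} bits, {years_to_exhaust(strong_bits, rate):.2e} years")
    pw = generate_master_password(16)
    print("example vault key:", derive_vault_key(pw, "user@example.com").hex())
```

The printed comparison is the whole argument of the section: the key is only as strong as the master password it is derived from, and the iteration count only multiplies the cost of each guess.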

Use a different password manager

You may actually not need to download or subscribe to a 3rd party password manager. Most platforms come with built-in password managers. Google has one built into Android smartphones and the Chrome browser on PC, and all the passwords are saved in your Gmail account. In the Apple ecosystem, you have the option of iCloud as your password manager, and if you wish to take this service to the cloud you can also activate iCloud Keychain.

Mobile devices like smartphones also have built-in password managers for apps that store passwords on-device or on the cloud. In the Android world, you have Google’s solution that saves passwords to your Gmail account. There is also a first-party option that saves the passwords in a password vault provided by the device manufacturer. A bit of a benefit with these methods is they come with an additional security layer of biometric authentication via fingerprint or 3D face recognition. These can be slightly more secure than PC options.

You can also use 3rd party password managers which are in direct competition with LastPass. They will definitely see the LastPass hack as an opportunity to make their solutions more secure for their customers. One such app is 1Password.

Set up 2-Factor Authentication

2-Factor authentication is a security measure that requires an additional verification step when logging in, on top of the user name and password combination. The most common form is a code sent via SMS or phone call. It gives any potential hacker a second barrier to entry, because they would need physical access to your device to read this code. Moreover, the code expires after a few minutes, and once this happens a new one is required.

Whether you use a password manager or not, you need to activate 2-Factor authentication, especially on your email that is used to sign into social media accounts, bank accounts, apps, and other important websites.

The best way to not get hacked is to not be on the internet. So these methods will not keep you 100% safe from hackers. However, they will definitely make it many times harder for them to succeed, which is the next best option.

11 comments

  1. Anonymous

    that’s why I use my brain as my password manager, try hacking that

    1. Wizard Intern

      I’m the grandson of great wizards and witches in this country. We come from Gandavaroyi home of wizardry and I’m going to hack your world into oblivion

    2. Wizard Intern

      I am the grandson of great wizards and witches located in the esteemed Gandavaroyi home of wizardry and I’m going to hack your world into oblivion

  2. -_-

    Trusting some company with all your login credentials is the same as giving a random stranger your bank card along with the pin

  3. Lock Picking Not Lawyer

    The inevitable has inevitably happened. Thankfully only the highly motivated and state-backed will be in positions to fully take advantage of the breach.

    Contrary to the emerging opinion here, I still think password managers are valid. I use 2 myself, with my accounts split about 60/40 between them. It makes it easy to respond to breaches, service side or password manager side. Without managers, people will sink back to old habits like using whole words, birthdays, repetition etc. to secure their myriad accounts.

  4. Tops

    My EcoCash PIN got blocked. I've been through hell and I'm still going through it. The EcoCash chatbot is as useless as they come: when talking to the chatbot, once you agree to the terms, nothing more happens and the chat restarts again to the same conclusion. Then there's the *150# USSD, and that USSD is useless to the fullest; every option for resetting your password there doesn't work. As far as I noticed, the only selection working on that USSD is the money changing option. And customer support isn't answering. I'm only left with one option, so I'm now trying social media.

  5. M

    A critical vulnerability users of LastPass need to be on the lookout for is phishing attacks: the hackers have unencrypted personally identifiable information, websites, email addresses, etc. The hackers can send phishing emails that look convincing enough that even sophisticated users with their guard down can fall prey to the phishing attacks. The attackers have enough information to profile targets to launch convincing phishing attacks.

    1. Iwe Munhu So

      decrypted*

      1. M

        https://www.cnet.com/tech/services-and-software/lastpass-says-november-breach-exposed-basic-personal-data/

        The breach at the end of November resulted from an older one in August, when bad actors broke into one of LastPass’ back-end code bases. They stole company data that was then used recently to break into another LastPass database to capture unencrypted customer data like names, email and billing addresses, phone numbers, and IP addresses. No unencrypted credit card data was exposed.

  6. Anonymous

    Me, I don’t even trust any third party with my credentials. On all my accounts, I use different passwords. Sadly I trust Google or Microsoft Edge to keep my passwords.
    But the Lastpass users should simply change their credentials even with being told or notified to do so.

  7. Aim Tech

    If you are interested in web development and programming, making your own application and working as a freelancer and have some side income… WhatsApp us at 0786251758