What's going on?
The password manager LastPass has been attacked by hacking groups twice in the past year, most recently last month. According to the available information, the attackers gained access to user data such as names, addresses, e-mail addresses, telephone numbers, and the IP addresses from which users last accessed the service. Attackers can sell this data or use it for phishing and spear-phishing campaigns aimed at both users and organizations.
The attackers also managed to obtain the crucial element: backups of users' encrypted password vaults. Thanks to its "Zero Knowledge" policy, LastPass does not store the passwords themselves in readable form; a vault can only be decrypted with a key derived from the user's master password, which LastPass never holds. The attackers' next step will therefore be to try to crack the encrypted vaults they obtained. They can attempt this with a brute-force attack, in which the attacker's program tries every possible master password until it finds the one that decrypts the vault.
Along with the encrypted passwords, the attackers also obtained data that was not encrypted. The most sensitive of this is the list of website addresses for which users have saved passwords. Overall, these attacks represent a serious breach of LastPass users' privacy.
What to do?
If you use the LastPass password manager, be extra careful. The best solution, however, is to switch to another application (see below), because the attackers gained access to users' contact information. Using social engineering techniques, they can exploit this information to trick users into handing over further personal and sensitive data. Learn more about social engineering and how to defend yourself in our online course Phishing guide: don't be an easy target.
Cracking encrypted passwords with a brute-force attack can be difficult or even impossible, but only if the user has chosen a sufficiently strong password. Brute force is the "Achilles' heel" of short and weak passwords. So if you want to continue using LastPass, we strongly recommend setting a sufficiently strong master password for your password manager. It is also advisable to enable two-step verification. Our online course Passwords: How properly are your treasures guarded? will help you create new, strong passwords.
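As an added illustration (not part of the original advisory), the following Python script estimates how long an exhaustive search of the master password would take and why the length and character mix of the master password matter so much; the attacker's raw hash rate and the PBKDF2 iteration count are assumed values, and the sample passwords are constructed.

```python
import math
import string

# Character classes an exhaustive search must include in its alphabet to reach
# a password that uses them (printable ASCII only).
CHAR_CLASSES = (
    set(string.ascii_lowercase),  # 26
    set(string.ascii_uppercase),  # 26
    set(string.digits),           # 10
    set(string.punctuation),      # 32
)
SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(password: str) -> int:
    """Worst-case number of candidates: alphabet size ** length, where the
    alphabet is the union of the character classes the password uses."""
    if not password or any(all(c not in cls for cls in CHAR_CLASSES) for c in password):
        raise ValueError("only non-empty printable ASCII passwords are modelled")
    alphabet = sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))
    return alphabet ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force entropy: log2 of the search space."""
    return math.log2(search_space(password))


def effective_guess_rate(raw_hashes_per_second: float, iterations: int) -> float:
    """Key stretching: each master-password guess must run the whole PBKDF2
    loop, so the attacker's guess rate is the raw hash rate divided by the
    iteration count (assumption: one hash per iteration)."""
    return raw_hashes_per_second / iterations


def years_to_crack(password: str, guesses_per_second: float) -> float:
    """Worst-case years to exhaust the search space; expected time is half."""
    return search_space(password) / guesses_per_second / SECONDS_PER_YEAR


def compare(passwords, raw_hashes_per_second: float, iterations: int) -> dict:
    """Map each candidate master password to (entropy bits, worst-case years)."""
    rate = effective_guess_rate(raw_hashes_per_second, iterations)
    return {p: (entropy_bits(p), years_to_crack(p, rate)) for p in passwords}


if __name__ == "__main__":
    # Constructed samples; assumed attacker: 1e10 raw hashes/s, 100,000 iterations.
    samples = ["summer22", "Summer22!", "Tr0ub4dor&3", "correct-horse-battery-staple-9"]
    for pw, (bits, years) in compare(samples, 1e10, 100_000).items():
        print(f"{pw:32} {bits:6.1f} bits  {years:12.3g} years")
```

The figures are upper bounds for a pure exhaustive search; a dictionary or rule-based attack finds common passwords such as "summer22" far faster, which is why the recommendation is a long, unique master password rather than a short one with substitutions.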
For English speakers, detailed instructions on how to import passwords from LastPass into Bitwarden are available here: Import Data from LastPass | Bitwarden Help Center.
Due to these severe security incidents, the Cybersecurity Team of Masaryk University strongly recommends that you stop using the LastPass password manager and choose a new one. We can recommend Bitwarden, for example. This password manager is user-friendly and provides enough functionality for the average user. Above all, unlike LastPass, it has not been associated with any security incidents, and it is an open-source application, meaning that community members can review and verify its code. This makes Bitwarden currently the best choice among password managers.