LastGasp (Premium)

LastPass used to be easy to recommend, and even the occasional security breach was understandable and, to date, handled correctly. But not anymore: with its latest episode, LastPass has done the unthinkable and betrayed the trust of its customers. If you’re one of them, it’s probably time to migrate to a new solution.

In many ways, this isn’t about technology. Instead, it’s about communication and trust, two issues that come up a lot in my world because of the way Microsoft has been mismanaging Windows—to my mind—for the past several years. But the LastPass incident is more worrying than silly UI changes in Windows. LastPass is a service that exists solely to securely store some of your most sensitive information.

That hackers would target LastPass is not surprising: the prize here is the same as it’s ever been for thieves: go where the money is. And these days, the money is behind the personal data most of us all store online: the passwords and other credentials that let us access our bank and credit accounts. And so LastPass is under constant attack. Of course it is.

What we can do, as current or potential customers, is evaluate how well LastPass protects its customers’ data from these attacks and, as importantly, how it responds when things go poorly. This is as true of companies as it is of individuals: how one reacts in times of emergency or conflict is in many ways the true value of that person (or business).

And, to date, LastPass has responded well. Because negative opinions are amplified online, of course, we hear from every Chicken Little when things go wrong: “Time to leave LastPass!” they’ll declare each time. We have the same debates when prices rise or when feature sets change. It’s the nature of the Internet.

But this time, it may really be time to leave LastPass. In August, the firm reported a security incident in which hackers breached a developer’s account to gain access to the LastPass systems for four days. At the time, the firm said that customer data and passwords were unaffected, and so the story shifted to the usual rigamarole about social engineering and how humans are always the weakest link in the chain. LastPass might have lost some source code, but its customers were protected, it said at the time, by its “zero knowledge” architecture in which it can’t store or access the master passwords used by its customers.

And then three long months went by. And right before Christmas, LastPass finally admitted that the August hack was worse than it had said originally. Happy Holidays, everyone!

“The threat actor copied information from [a] backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” LastPass revealed. “The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

Now, that data is encrypted, and it can only be decrypted using unique encryption keys that are derived from each user’s master password, which, again, LastPass does not store. (And, as LastPass notes, it does not store complete credit card numbers and credit card information in the impacted cloud storage environment.)

The issue is that the hackers can now mount brute-force attacks on this offline encrypted data, and that they could perhaps use other social engineering hacks against customers to obtain their master passwords. LastPass says that this would be “extremely difficult.”
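As an added illustration (not from the article, and not LastPass's own code), the following Python models the design the quoted statement describes, a vault key derived client-side from the master password with the server holding no way to recover it, and puts numbers on the offline guessing exposure. PBKDF2-HMAC-SHA256, the salt, the iteration counts, the attacker's hash rate and the verifier construction are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import math


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Key the vault is encrypted with, derived on the client from the master password.
    PBKDF2-HMAC-SHA256 is assumed here for illustration; the real scheme is not stated on the page."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def server_side_verifier(vault_key: bytes, salt: bytes) -> bytes:
    """All a zero-knowledge server needs for login: a further one-way hash of the key.
    Neither the master password nor the vault key itself is ever stored (assumed design)."""
    return hmac.new(salt, vault_key, hashlib.sha256).digest()


def password_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet size."""
    return length * math.log2(charset_size)


def expected_offline_guesses(entropy_bits: float) -> float:
    """With an offline copy of the vault, an attacker on average succeeds after half the keyspace."""
    return 2.0 ** (entropy_bits - 1)


def expected_offline_seconds(entropy_bits: float, iterations: int, hmac_per_second: float) -> float:
    """Each guess costs `iterations` HMAC evaluations; the attacker's rate is an assumed constant."""
    return expected_offline_guesses(entropy_bits) * iterations / hmac_per_second


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"  # constructed sample value, not a real salt
    key = derive_vault_key("correct horse battery staple", salt, 100_000)
    print("vault key (never leaves the client):", key.hex())
    print("verifier the server may store:     ", server_side_verifier(key, salt).hex())
    # Assumed attacker rate of 1e9 HMAC-SHA256/s. Compare a short master password with a
    # long one, and a low iteration count with a high one; the user controls only the first.
    for length, iters in ((8, 5_000), (8, 100_000), (16, 5_000), (16, 100_000)):
        bits = password_entropy_bits(length, 72)
        days = expected_offline_seconds(bits, iters, 1e9) / 86_400
        print(f"{length}-char random password, {iters:>7} iterations: ~{days:,.0f} days expected")
```

The point the numbers make is the one the article draws: once the encrypted blob is in the attacker's hands, the iteration count only slows guessing, and the length of the master password is what decides whether the vault stays closed.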

I’m not a security expert, but there’s something weird going on here. For example, the LastPass disclosure in December hints that there was a second breach since August, and it’s likely that the hackers used the information they had gathered in August to make the second breach. The timing of this second breach is important for a few different reasons, but the company’s silence means that customers should act quickly and change their master password and, more problematically, all of the passwords they store in LastPass too.

And then there’s this troubling tweet from security expert Zack Whittaker, who points out that LastPass’ parent company, GoTo, hid its official response about the hack from Google’s search engine on purpose, no doubt to try and keep the story from exploding further, triggering a customer exodus.

At the very least, LastPass customers should change their master passwords immediately and enable two-factor authentication, which you already are using, right? But you should also change all your passwords, starting with the most damaging ones related to online identities, banks, online merchants, and anything else that has your bank or credit card information.

And then you should consider closing your account and leaving LastPass.

Of course, many will be looking for advice here, and I’m sure readers will chime in with some good choices. I don’t have a lot of experience with password managers because I’ve stuck with what’s built into whatever web browser I’m using at the time: Chrome, Edge, and, most recently, Brave, which I trust more than the others. But part of the appeal of any of these solutions—whether they’re standalone solutions or part of a browser—is that they work everywhere. And that includes using them for autofill on iPhone, iPad, and Android.

And for now, at least, one can’t use Brave as a password autofill choice on mobile. That’s not a huge problem for me, since 99-ish percent of my passwords are still in Chrome, and I can use that on both iPhone and Android. But choosing a standalone password manager, like 1Password, that works everywhere, might make even more sense. It’s something I do think about, and research. It’s why LastPass, trustworthy until recently, has almost 30 million customers.

I’m not sure if I will switch to a standalone password manager yet, but this incident is making me rethink the proliferation of many of my passwords across several services. I have some work to do as well.
