LastPass reports new data breach but there’s no cause for panic

LastPass, one of the world’s most popular password management apps, announced this week that it had been hacked.

In a blog post published late on Thursday, August 25, company CEO Karim Toubba said an unauthorized third-party obtained unspecified proprietary information and source code.

Sure, this incident is bad, but customers are unlikely to face any real consequences. According to Toubba, the attacker did not access customer data or compromise any encrypted password vaults.

LastPass hack, as @troyhunt and others have said is a headache for the company but not a concern for customers. Passwords and vaults are safe. So these sorts of warnings from cyber firms are… excessive. pic.twitter.com/Fe3S1rEdCR

— Joe Tidy (@joetidy) August 26, 2022

Password managers allow users to create strong, unique passwords for every service they use and store them in an easily-accessible vault. To access these vaults, customers must provide something called a “master password.”

READ MORE: Uber was hacked by a teenager – here’s what we know so far

This sounds like a single point of failure, but it isn’t. LastPass processes all master passwords using something called “hashing and salting.” In effect, this means every password is unknowable to anyone other than the customer.

LastPass calls this its “Zero Knowledge” model. It’s a lovely, PR-friendly way to describe an industry-wide best practice. Every business that handles user credentials should do it – not just those in sensitive industries.

Protecting passwords with hashing and salting

Hashing and salting takes a bit of explanation. Let’s start with the first element: hashing. Here, algorithms create a fixed-length fingerprint (called a ‘hash value’) of something.

Every hash value is unique. If you run the word ‘password’ through a hashing algorithm, you should get two different hash values. If the algorithm produces two identical hash values, that’s called a collision. It’s bad. It effectively renders the algorithm useless.

READ MORE: LastPass is reporting yet another security breach

Hashing is also a one-way street. Sure, it’s technically possible to infer the data from a hash value, but this requires ridiculous amounts of computational power.

When I say ‘ridiculous,’ I mean it’s beyond the scope of what governments can currently do, let alone individual hackers.

There are some caveats here. Some hashing algorithms are stronger than others. LastPass uses SHA-256 to protect master passwords, which is one of the best.

Other hashing algorithms are trivial to reverse. The best example is SHA-1, which has been known to be vulnerable since 2005.

Its inherent weaknesses (and the plunging cost of computational power) means even individual hackers can reverse hashed SHA-1 passwords. Often with devastating effects.

In 2012, hackers penetrated the servers of LinkedIn and accessed 117 million user records. Because LinkedIn used the SHA-1 hashing algorithm (with no salt – I’ll get to that later), the attackers were able to convert the hashed passwords into human-readable plaintext.

With plaintext passwords and their associated email addresses, hackers can re-use these credentials on other websites and services. This approach is called “credential stuffing.”

According to the 2022 Verizon Data Breach Investigations Report, credential stuffing was to blame for half of all data breaches. It’s common, and it lends well to automation.

The best way to protect against this attack is to ensure your passwords are unique for every service you use. Password managers like LastPass make this easy.

How salting works

The second component, salting, takes less time to explain. Salting merely describes adding a unique element to a value before hashing.

Let’s imagine someone creates an account with the password of ‘password.’ Your website has a pre-determined salt of ‘salt.’ Therefore, the value sent to the hashing algorithm is ‘passwordsalt.’

This just adds an extra layer of security. However, salting only works when the salt value is secret. If the salt value becomes known, the attacker can simply factor it into their brute-force attacks.

Websites should ensure salts are unique for each user. This extra step is vitally important and it renders stolen passwords useless to hackers.

Back to the breach

I digress. Let’s talk about LastPass again. This incident shouldn’t make you rethink your decision to use LastPass. In fact, it should make you want to use them more.

LastPass, and its CEO Karim Toubba, have conducted themselves with exceptional transparency. It quickly disclosed the existence of the breach, was clear about the scope of the incident, and calmed the fears of customers.

Additionally, LastPass’ technical competency has protected customers from any real damage. If the attacker stole millions of plaintext passwords, it would be a different matter. They didn’t.

Shit happens. Even the biggest, most successful companies get hacked. The real test shouldn’t be whether they get hacked, but the damage that ensues.

How to protect yourself

I’m going to refer to the 2022 Verizon Data Breach Investigations Report (DBIR) again.

Of the security incidents it investigated, many of them involved stolen credentials. Credential stuffing was the most popular tactic, followed by phishing.

Tools like LastPass protect consumers by making it easy to practice good password hygiene. You should use a password manager, whether a third-party tool, or one baked into your operating system or web browser.

To protect yourself further, ensure that multi-factor authentication (MFA) is enabled in every service that supports it. MFA is another layer of protection.

If an attacker somehow obtains your password, MFA prevents them from accessing your account without also providing something only you know.

These one-time passwords are generated through an app on your phone (like Google Authenticator), a physical device (like a YubiKey), or sent over text.

Where possible, you shouldn’t use MFA sent through text messages, however. Sure, SMS-based MFA is better than no MFA at all. But it’s flawed.

Hackers can circumvent this by stealing your phone, or simply get your cellular provider to move your number to another SIM card.

SIM Swapping is an especially popular tactic among hackers targeting crypto users. While cellular providers are increasingly aware of its existence, it remains a risk.

App-based MFA (like Google Authenticator) is ridiculously easy to set up. You can buy a YubiKey for $25. And, let’s face it – you can’t put a price on security.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• How to see saved Wi-Fi passwords on Windows and Mac
• A new exploit lets hackers unlock any Honda made since 2012
• Sharing Netflix passwords? Here’s how they may start charging you
• Mark Zuckerberg is being sued over Cambridge Analytica breach, but does it matter?

Just a heads up, if you buy something through our links, we may get a small share of the sale. It’s one of the ways we keep the lights on here. Click here for more.