It’s Time to Ditch LastPass
The password manager’s most recent data breach is especially concerning
You've heard it again and again: You need to use a password manager to generate strong, unique passwords and keep track of them for you. And, if you finally took the plunge with a free and mainstream option, particularly during the 2010s, it was probably LastPass. For the security service's 25.6 million users, though, the company made a worrying announcement on Dec. 22: A security incident the firm had previously reported (on Nov. 30) was actually a massive and concerning data breach that exposed encrypted password vaults—the crown jewels of any password manager—along with other user data.
The details LastPass provided about the situation a week ago were worrying enough that security professionals quickly started calling for users to switch to other services. Now, nearly a week since the disclosure, the company has not provided additional information to confused and worried customers. LastPass has not returned WIRED's multiple requests for comment about how many password vaults were compromised in the breach and how many users were affected.
The company hasn't even clarified when the breach occurred. It seems to have been sometime after August 2022, and the timing matters: a big question is how long it will take attackers to start "cracking," or guessing, the master passwords from which the keys that encrypt the stolen password vaults are derived. If attackers have had three or four months with the stolen data, the situation is even more urgent for impacted LastPass users than if hackers have had only a few weeks. The company also did not respond to WIRED's questions about what it calls "a proprietary binary format" it uses to store encrypted and unencrypted vault data. In characterizing the scale of the situation, the company said in its announcement that hackers were "able to copy a backup of customer vault data from the encrypted storage container."
The complete article is available from WIRED.