I'm switching to a new password manager after LastPass hack, says expert: Internet Scambusters #1,052
Thirty million people are affected by the recent LastPass hack, a data theft from one of the world's biggest password managers.
The breach is still under investigation but has left many customers wondering what to do and if their data is safe.
In this week's issue we have some answers, plus signposts for where to learn more and explore your options.
Let's get started…
LastPass Hack: Should You Switch Password Manager?
The online security world has been rocked by the recent disclosure that password manager LastPass has had its member database compromised.
Here at Scambusters, we're big fans of password managers, and at least one member of our team uses LastPass.
Managers do a brilliant job of generating unique and complex passwords, remembering them and, if you want, automatically inserting them on websites.
They also aid your security because, usually, they won't insert the info if you happen to land on the wrong page as a result of a phishing attack or keying mistake.
All you need is a master password that only you know, which will unlock access to your manager. Not even the app provider knows it. Settings allow you to decide if or when you have to enter this master key. And, of course, that key itself has to be as unguessable as possible.
This last point is important because if a hacker launches what's known as a "brute force" attack, they'll try every possible combination of letters, numbers, and symbols until they get the right one, which might give them access to all your passwords.
In the LastPass incident, the company - which has about 30 million subscribers - said the crook, or "threat actor" as they call it, stole customer names, email addresses, phone numbers, and some billing information, though not credit card numbers.
Furthermore, they copied a backup of customers' password vaults. They might then be able to use this, it said, to launch a brute force attack that could enable them to read that data.
That's why, as we said earlier, it's so important to have a long and complex master password. This could take ages, even millions of years, to crack with current technology.
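As an added illustration of the brute-force point above (this is not code from the Scambusters article or from LastPass), the Python snippet below estimates how long an exhaustive search of a master password would take; the guess rates and sample passwords are constructed assumptions, and the result is an upper bound, since real attackers try dictionaries and common patterns first.

```python
import math
import string

# Attacker guess rates are constructed assumptions for illustration, not figures
# from the article. A GPU rig against a fast hash can manage on the order of
# 1e10 guesses/s; a vault key is derived with a deliberately slow KDF, so the
# effective rate against a stolen vault copy is several orders of magnitude lower.
GUESSES_PER_SEC_FAST_HASH = 1e10
GUESSES_PER_SEC_SLOW_KDF = 1e5
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set covering every character used."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 ASCII symbols
    ]
    return sum(size for chars, size in classes if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Upper bound on strength: bits needed to index every string of this length/alphabet."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def years_to_exhaust(password: str, guesses_per_sec: float) -> float:
    """Worst case for the attacker: try every combination of this length and alphabet.
    A password built from words or dates is weaker than this bound suggests."""
    combos = alphabet_size(password) ** len(password)
    return combos / guesses_per_sec / SECONDS_PER_YEAR


def meets_master_policy(password: str, reused_elsewhere: bool = False,
                        min_bits: float = 80.0) -> bool:
    """The article's two conditions: long and complex (here: >= min_bits) and not reused."""
    return not reused_elsewhere and entropy_bits(password) >= min_bits


if __name__ == "__main__":
    for pw in ("Summer22!", "correct-horse-battery-staple-2023"):  # constructed samples
        print(f"{pw!r}: {entropy_bits(pw):.0f} bits, exhaustive search "
              f"~{years_to_exhaust(pw, GUESSES_PER_SEC_FAST_HASH):.2g} yr (fast hash) / "
              f"~{years_to_exhaust(pw, GUESSES_PER_SEC_SLOW_KDF):.2g} yr (slow KDF)")
```

The short, "complex" sample falls to an exhaustive search in under two years against a fast hash, while the long passphrase is out of reach by many orders of magnitude even at the fast rate.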
You can read the full statement, which includes advice on creating a good, unique master password.
In other words, if you have a good key, your passwords are probably safe, though the other stolen customer information may not be.
And the company has taken a series of actions to avoid the same type of incident happening again.
What is worrying is that a security incident happened at all.
What To Do?
So, what should you do if you're a LastPass user or if indeed you use any other password manager that is compromised in the future?
The first thing is to change your master password. It won't protect the stolen copy of your vault, but it will stop the crooks, even if they eventually guess the old master password, from using it to access your current vault.
If you have a weak master password - or one you've used elsewhere - you should then begin the lengthy process of changing every password in your vault, starting with the most important ones, such as those connected with your finances.
Include your cell phone account among these priorities because, if you use second-factor authentication via your phone - a texted code or a number-generator app - this will stop thieves from getting access to that phone account and, with it, your codes.
Should You Switch?
Should you switch to a different password manager? Some online commentators suggest you should. And our team member is planning to do so, not because we believe it'll happen again but because the incident has damaged our trust.
One highly respected expert who has been a long-time friend of Scambusters, Leo Notenboom, agrees.
He doesn't think brute force attacks on vaults represent a big threat. Instead, he suggests, the other stolen data - especially customer names and the addresses of websites they visit - will prove far more valuable for use in phishing attacks.
And even though his master password was strong, he still quickly changed other key passwords in his vault. But he is also moving on to a new manager. He recommends either 1Password or Bitwarden. He's going with 1Password.
Leo says he's still very much in favor of using a password manager, even though there are no guarantees against future breaches.
Safer Than Alternatives
"I remain firmly convinced that using a reputable password manager, including those with a cloud-based component, is safer than any alternative you might devise," he writes.
"Most importantly, it enables using long, unique, and truly random passwords for every site, which is perhaps the single most important thing you can do for password security."
We recommend reading Leo's article, LastPass Breach 2022: My Recommendation, (which is free to access but you may have to register). It includes lots of sage advice on changing passwords over time, how to migrate your passwords to a new manager, plus a final, simple message: "Do. Not. Panic."
National Consumer Protection Week
There's a great opportunity to focus on scam risks and security with the upcoming National Consumer Protection Week, which runs from March 5 to March 11.
Among other activities, the US Federal Trade Commission (FTC) will run a series of free online webinars, and offer resources for media and community use, such as information packs.
Go to the FTC's National Consumer Protection Week info page for more information and ideas.
This Week's Scam Alerts
SNAP out of it: Customers of the nation's Supplemental Nutrition Assistance Program (SNAP) are being targeted with fake text and email warnings that their electronic benefit transfer (EBT) card is about to expire. It's an attempt to steal identity information with the scammers' aim of getting their hands on benefits. If you receive one of these messages, it's almost certainly a scam. If in doubt, check with your state's Department of Human Services.
Code danger: Scammers are using advanced printing technology to create realistic-looking parking tickets, complete with smart QR codes - those boxes of black squiggles and dots. If you mistakenly scan one, you'll end up sending your money straight to the crooks. The Better Business Bureau in Hawaii, where the scam has surfaced, says it's always best to pay for citations with a credit card.
That's it for today -- we hope you enjoy your week!