
LastPass Security Breach: Here’s What to Do

Password management company LastPass has announced that it suffered a security breach in which attackers stole both encrypted customer account data (which is bad) and customer vaults containing encrypted usernames and passwords (which is much, much worse). On the positive side, the data of users who abided by LastPass’s defaults and created master passwords of at least 12 characters in length will likely resist cracking attempts.

Although 1Password is the most popular password manager for Apple users, we’ve mentioned LastPass as an alternative in previous articles, so here’s what happened and how LastPass users should react. For those who don’t use LastPass, we also discuss ways your organization can improve its online security by learning from LastPass’s mistakes and misfortunes.

The Breach

According to LastPass, the breach started in August 2022 when an attacker compromised a developer’s account. The attacker then leveraged information and credentials from that initial breach to target another LastPass employee’s account, where they were able to steal data from cloud-based storage that LastPass used for backup.

The main lesson here is that a dedicated attacker will probe all points of access into a company’s digital infrastructure—everyone must be mindful of security at all times. It also seems that LastPass may have been paying more attention to its on-premises production systems than its cloud-based backup storage. Any organization can learn from that error—if backups contain sensitive data, they should be equally protected.

What Was Stolen

LastPass says that the stolen data included unencrypted customer account information such as names, addresses, and phone numbers, but not credit card details. In the customer vaults, LastPass did secure usernames, passwords, secure notes, and form-filled data using 256-bit AES encryption, so they can be decrypted only with a unique encryption key derived from each user’s master password. However, for inexplicable reasons, LastPass failed to encrypt website URLs associated with password entries.

Because LastPass left this information unencrypted, it’s now available for the attacker to use (or sell for others to use) in targeted phishing attacks. A forged password reset request from an unusual website you regularly use has a better chance of fooling you than a generic one for a big site that millions of people use. It’s even possible that the unencrypted website URLs could lead to extortion attempts, as in the infamous Ashley Madison data breach.

The larger lesson is that a high-value attack target like LastPass should never have stored customer data in unencrypted form. If your company handles customer data along these lines, ensure that it’s always stored in encrypted form. You may not be able to prevent attackers from accessing your network, but if all the data they can steal is encrypted, that limits the overall damage that can ensue.

Potential Problems

By default, LastPass requires master passwords to be at least 12 characters in length. Plus, LastPass applies 100,100 iterations of the PBKDF2 key derivation function to the master password, which multiplies the cost of every guess in a brute-force attack. The company says:

If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.

Unfortunately, LastPass increased the master password minimum length only in 2018 and did not require users with shorter master passwords to reset them at that time. Similarly, the PBKDF2 setting now uses 100,100 iterations, but it previously used 5000, and some long-time users report it being set to 500.

LastPass was correct to increase the default level of security for new accounts as hardware cracking capabilities became faster. However, allowing users to continue using insecure master passwords that were too short and not forcing higher PBKDF2 iteration counts was a major mistake. If your organization steps up its security policies, bite the bullet and ensure that no accounts or users are grandfathered in with old, insecure options.
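To make the two settings discussed above concrete, here is an added illustration (not LastPass's own code, salt choice, or numbers) of why both the master password length and the PBKDF2 iteration count matter once a vault has been stolen and can be attacked offline. It derives a 256-bit key with PBKDF2-HMAC-SHA256 exactly as a vault key would be derived, times one derivation at 500, 5,000, and 100,100 iterations, and then applies a simple cost model. The salt, the master password, and the attacker's hash rate (10 billion HMAC calls per second, standing in for a well-funded GPU rig) are all constructed assumptions for the example.

```python
import hashlib
import time

# Constructed sample values for this illustration (not real account data).
SAMPLE_SALT = "user@example.com"
SAMPLE_MASTER_PASSWORD = "correct horse battery staple"
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 stretched into a 256-bit key, the kind of key that
    would unlock an AES-256 vault. The same inputs always give the same key,
    which is why an offline attacker can test guesses against a stolen vault."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        salt.encode("utf-8"),
        iterations,
        dklen=32,
    )


def seconds_per_guess(iterations: int) -> float:
    """Wall-clock cost of one derivation on this machine: the price of one guess."""
    start = time.perf_counter()
    derive_vault_key("throwaway-guess", SAMPLE_SALT, iterations)
    return time.perf_counter() - start


def expected_crack_years(length: int, alphabet_size: int, iterations: int,
                         hmac_rate_per_second: float) -> float:
    """Rough model: an attacker who can evaluate hmac_rate_per_second HMAC-SHA256
    calls per second gets hmac_rate_per_second / iterations guesses per second,
    and on average must search half of alphabet_size ** length candidates
    (assuming a uniformly random password of that length)."""
    candidates = alphabet_size ** length
    guesses_per_second = hmac_rate_per_second / iterations
    return (candidates / 2) / guesses_per_second / SECONDS_PER_YEAR


def crack_time_table(hmac_rate_per_second: float = 1e10) -> dict:
    """Expected years to crack for the password lengths and iteration counts the
    article mentions, over the 95 printable ASCII characters. The hash rate is an
    assumed, constructed figure, not a measurement of any real cracking rig."""
    table = {}
    for length in (8, 12):
        for iterations in (500, 5000, 100100):
            table[(length, iterations)] = expected_crack_years(
                length, 95, iterations, hmac_rate_per_second
            )
    return table


if __name__ == "__main__":
    key = derive_vault_key(SAMPLE_MASTER_PASSWORD, SAMPLE_SALT, 100100)
    print("vault key (hex):", key.hex())
    for iterations in (500, 5000, 100100):
        ms = seconds_per_guess(iterations) * 1000
        print(f"{iterations:>7} iterations: {ms:8.2f} ms per guess on this CPU")
    for (length, iterations), years in sorted(crack_time_table().items()):
        print(f"{length}-char password, {iterations:>7} iterations: {years:.3g} years")
```

Two things stand out when you run it. Going from 500 to 100,100 iterations makes each guess about 200 times more expensive, which is real but linear; going from 8 to 12 characters multiplies the search space by 95 to the fourth power, roughly 81 million. That is why the article's advice to fix both settings is right, and why a short master password cannot be rescued by iterations alone.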

By not recommending any actions, LastPass missed an opportunity to encourage users to increase their security through multifactor authentication. LastPass also downplayed the concern over phishing attacks. That was likely a decision made by PR (and possibly Legal), but the company could have served users better. Should your organization ever be involved in a breach, make sure that someone involved in the transparency discussions represents the users’ best interests alongside those of the organization. And consider requiring multifactor authentication!

Finally, it’s worth noting that other companies significantly increase the security of their systems by mixing passwords with additional device-based keys. Apple does this by entangling device passcodes and passwords with the device’s unique ID, and 1Password strengthens your passwords with a secret key. LastPass has no such additional protection.

What LastPass Users Should Do

There are two types of LastPass users in this situation: those who had long, secure master passwords and 100,100 iterations of PBKDF2 and those who didn’t:

  • Strong master password users: Despite LastPass’s claim that you don’t need to do anything, we recommend enabling multifactor authentication. (For instructions, click Features & Tools and then Multifactor Authentication in the LastPass support portal.) You could change your master password too, but that won’t affect the data that was already stolen. That horse has already left the barn, whereas enabling multifactor authentication would prevent even a cracked master password from being used in the future.
  • Weak master password users: Sorry, but you have work to do. Immediately change your master password and increase your PBKDF2 iterations to at least 100,100. We also recommend enabling multifactor authentication because LastPass is such an important account. Next, go through all your passwords and change at least those for important websites. Start with the critical accounts that could be used to impersonate you, like email, cell phone, and social media, plus those that contain financial data.

Regardless of the strength of your master password, be on high alert for phishing attacks conducted through email and text messages. Because the stolen data included both personal information and URLs to websites where you have accounts, phishing attacks may be personalized to you, making them harder to detect. In short, don’t follow links in email or texts to any website where you have to log in. Instead, navigate to the website directly in your browser and log in using links on the site. Don’t trust URL previews—it’s too easy to fake domain names in ways that are nearly impossible to identify.

Should you switch from LastPass to another service, like 1Password? It comes down to whether you believe LastPass has both a sufficiently secure architecture despite not entangling the master password with some device-based key and sufficiently robust security practices despite having been breached. It would not be irrational to switch, and we would recommend switching to 1Password. Other password managers like Bitwarden and Dashlane may be fine too. If you have to change numerous passwords and choose to switch, it may be easier to change the passwords after switching—see how the process of updating a password compares between LastPass and 1Password or whatever tool you end up using.

We realize this is an extremely worrying situation for LastPass users, particularly those with weak master passwords or too-few PBKDF2 iterations set. Only you can reset your passwords, but if you need assistance switching to another password manager, don’t hesitate to contact us.

(Featured image by LastPass)


Social Media: Password management company LastPass suffered a breach in which encrypted customer passwords were stolen. We explain what happened, how LastPass users should react, and what lessons other organizations can learn.

What Is Advanced Data Protection for iCloud? Should You Enable It?

In early December, Apple made a surprise announcement: Advanced Data Protection for iCloud. It’s not as though iCloud’s standard data protection is problematic, but it hinges on one architectural decision that makes some iCloud data theoretically vulnerable: Apple holds the encryption keys necessary to decrypt iCloud data. Because Apple controls those encryption keys, an attacker or rogue Apple employee who could gain access to them could theoretically steal iCloud data. (There are many more safeguards; it’s not like there’s a big printout of keys anywhere.) Plus, since Apple has the technical capability to read that data, law enforcement agencies could legally compel Apple to hand it over.

Not all iCloud data is vulnerable in this way. Of the 26 types of iCloud data, 14 already support end-to-end encryption, where you control the encryption keys. That’s true of Health data, Passwords and Keychain, Apple Card transactions, and so on. You may not realize you’re managing these keys because Apple has baked that into the security architecture of its overall ecosystem. Apple hadn’t previously extended end-to-end encryption to more iCloud data types because doing so prevents Apple’s support engineers from recovering accounts for users who forget their passwords. Even when Apple can recover an account, the end-to-end encrypted data isn’t included.

So that’s the tradeoff. Advanced Data Protection increases security by extending end-to-end encryption to 9 of the remaining 12 iCloud data types. Those include iCloud Backup, iCloud Drive, Photos, Notes, Reminders, Safari Bookmarks, Siri Shortcuts, Voice Memos, and Wallet passes. But if you turn on Advanced Data Protection and forget your password, Apple won’t be able to help you recover your data.

Apple isn’t being cavalier about this risk. When you enable Advanced Data Protection, you must set up an alternate recovery method, preferably two. The simplest is a printed recovery key that you should store with other important papers, perhaps in a safe deposit box, and the other is an account recovery contact, a trusted person who can verify your identity and help you regain access to your account.

Nor is Advanced Data Protection a one-way street. If you ever decide the risk of forgetting your password is too great, you can always turn it off and fall back to iCloud’s standard data protection.

Several types of iCloud data remain under the standard iCloud protection even after you turn on Advanced Data Protection. For iCloud Mail, Contacts, and Calendars, the need to interoperate with external email, contacts, and calendar systems requires that Apple manage the encryption keys. Similarly, the collaboration capabilities of Pages, Numbers, and Keynote and the Shared Albums feature of Photos don’t support Advanced Data Protection. Also, although Advanced Data Protection can protect shared notes, reminders, and iCloud Drive folders, plus iCloud Shared Photo Library, that’s true only if everyone involved in sharing has Advanced Data Protection turned on. If not, the shared content falls back to standard iCloud protection.

There are also two notable downsides to turning on Advanced Data Protection:

  • System requirements: All devices signed in with your Apple ID must be updated to at least iOS 16.2, iPadOS 16.2, macOS 13.1, tvOS 16.2, watchOS 9.2, or the latest version of iCloud for Windows. As a result, you’ll have to sign out of iCloud on any device too old to upgrade to the necessary operating system version. That may be a deal-breaker for some people. You must also have two-factor authentication enabled for your Apple ID and a password or passcode set on your devices, but everyone should already have done that, regardless of Advanced Data Protection.
  • iCloud.com Web access: Turning on Advanced Data Protection automatically disables Web access to data at iCloud.com. You can re-enable Web access, but every subsequent visit to iCloud.com requires authorization from a trusted device, and the connection only lasts for an hour. If you make heavy use of iCloud.com, Advanced Data Protection may be burdensome.

So, should you use Advanced Data Protection? As long as all your devices support it, you’re not perturbed about the repeated iCloud.com authorizations, and you’re capable of maintaining both account recovery methods, go ahead. Although the benefit to most people isn’t huge—Apple’s security is excellent, and most people won’t be targeted by law enforcement—the downside is minimal as long as you understand the risk of Apple not being able to recover your account.

To enable the feature, navigate to Settings > Your Name > iCloud > Advanced Data Protection, tap Turn On Advanced Data Protection, and follow the prompts. Remember that you’ll need to set up the Account Recovery options before turning on Advanced Data Protection, and you may need to remove older devices from your iCloud account.

(Featured image by iStock.com/TU IS)


Social Media: Do you want more security for your iCloud account? Apple’s Advanced Data Protection can now provide end-to-end encryption for nearly all iCloud data. But be aware that Apple won’t be able to recover your account if you forget your password.

Apple Delivers Promised Features in End-of-Year OS Updates

Every year at its Worldwide Developer Conference in June, Apple previews planned features in the upcoming versions of macOS, iOS, iPadOS, watchOS, and tvOS. However, not all of those features are necessarily ready for the initial releases of those operating systems. In part, that’s because iOS must ship in sync with the latest iPhone models that Apple releases in September, whereas iPadOS and macOS often come out later. Even then, some of Apple’s promised features may not be ready for public consumption until the .1 or .2 updates.

Just before the holidays, Apple released a full set of updates, including iOS 16.2, iPadOS 16.2, macOS 13.1 Ventura, watchOS 9.2, and tvOS 16.2. Between those updates and the ones immediately preceding them, Apple has now delivered on all of its 2022 promises.

Here is a rundown of what’s now possible. Some features are specific to one of Apple’s operating systems; others cut across several and may work only on updated devices or even require that all your devices be upgraded:

  • iCloud Shared Photo Library: Starting in iOS 16.1, iPadOS 16.1, and macOS 13.0, you can create another photo library and share it with family and close friends. It’s a great way to create a single shared space for photos and videos, but note that everything you contribute moves out of your Personal Library and into the Shared Library. Plus, everyone with whom you’re sharing has equal permissions to add, edit, and delete content in the Shared Library. The person who creates the Shared Library must have space in iCloud for it; it doesn’t count against anyone else’s iCloud storage.
  • Live Activities: With iOS 16.1, Apple also unveiled Live Activities, a new type of dynamic notification that can appear on the iPhone’s Lock Screen or the iPhone 14 Pro’s Dynamic Island. Live Activities allow apps to display data like live sports scores (from the TV app), active weather (in CARROT Weather, below), flight tracking (in Flighty), and more.
  • Freeform: The most notable addition in iOS 16.2, iPadOS 16.2, and macOS 13.1 was Freeform, Apple’s digital whiteboard app designed for collaborative brainstorming. It enables users to lay out a wide variety of content on a flexible canvas without worrying about fixed layouts or restrictive page sizes. Boards can contain text, hand-drawn graphics, sticky notes, shapes, and attachments—nearly any file on your Mac, iPad, or iPhone. Data syncs to your other devices through iCloud, and you can invite others (who must also be running a supported operating system) to collaborate on a board in real time.
  • New Home architecture: Apple promised that the new Home architecture would be more reliable and efficient, although it’s not clear what that means. It does require an explicit upgrade, and once upgraded, devices that aren’t running the latest versions of iOS, iPadOS, macOS, watchOS, tvOS, and HomePod Software won’t be able to access the home. Apple has temporarily removed the option to upgrade after problems were reported, so perhaps wait until the company restores the upgrade and others have had a chance to test it.
  • Stage Manager on external displays: The feature that initially caused iPadOS 16 to be delayed was Stage Manager, Apple’s new windowing paradigm for the iPad and the Mac. However, even when it first shipped in iPadOS 16.1, Stage Manager didn’t support external displays on the iPad. With iPadOS 16.2, you can finally have four apps in Stage Manager on the iPad display and another four on an external display. However, using Stage Manager on an external display requires an M1 iPad, which means the fifth-generation iPad Air, the third-generation 11-inch iPad Pro and later, and the fifth-generation 12.9-inch iPad Pro and later.
  • Race Route and automatic track detection: In watchOS 9.2, the new Race Route feature gives you the option of racing your last or best time on any route you’ve run or biked at least twice. Plus, if you start an Outdoor Run workout while at a track, you’re prompted to begin a Track workout that optionally provides track-specific metrics like lap time and pace.
  • Advanced Data Protection: In a surprise announcement in December, Apple unveiled Advanced Data Protection for iCloud, which extends end-to-end encryption to many more types of data in iCloud. For those concerned about breaches of Apple’s security or overreach by law enforcement, Advanced Data Protection is a very good thing. The downside is that when the feature is enabled, Apple cannot recover your data if you forget your iCloud password. For most people, the standard iCloud data protection remains sufficient. If you want to upgrade, note that all devices that you want to connect to your iCloud account must be running the latest operating system versions, which may not be possible for some otherwise fully functional older devices.
  • Apple Music Sing: If you’ve been hankering to sing along with your favorite songs, Apple Music Sing is essentially karaoke for Apple Music subscribers on the iPhone, iPad, and third-generation Apple TV. Alcohol not included.

Between these new features and some important security updates, we strongly encourage anyone running iOS 16, iPadOS 16, watchOS 9, and tvOS 16 to update to iOS 16.2, iPadOS 16.2, watchOS 9.2, and tvOS 16.2. And if you’re still running an earlier version of one of those operating systems, you can upgrade to the latest at any time—they’re fine.

Similarly, if you’re already running macOS 13 Ventura—perhaps on a newly purchased Mac—you should update to version 13.1 to take advantage of security fixes. However, if you haven’t yet upgraded from macOS 12 Monterey, perhaps wait a little longer. There has been only one macOS update with bug fixes since the initial release of Ventura, so it feels as though another bug fix update might arrive soon, after which we may recommend general upgrades.

(Featured image based on original by iStock.com/champpixs)


Social Media: At the end of 2022, Apple released operating system updates that delivered previously promised features like Freeform, Stage Manager on external displays, Advanced Data Protection for iCloud, and more. See what’s new at:

Here’s How to Stop Getting Paste Permission Requests

In iOS 16, Apple tightened security by displaying a confirmation alert when you copy data from one app and paste it into another. More security isn’t bad, but these alerts can become annoying if you copy and paste frequently. In iOS 16.1, Apple added a setting to control the behavior for each app. If you get these alerts too often when pasting in an app, go to Settings > AppName > Paste from Other Apps and switch it from Ask to Allow. Many apps don’t include the setting; hopefully, any apps where you paste often will have this setting or include it soon.

(Featured image based on an original by iStock.com/AaronAmat)

Delete Contacts More Easily in iOS 16 and iPadOS 16

Deleting contacts on the iPhone and iPad used to be a pain, especially if you wanted to trash multiple contacts. You had to open the contact, tap Edit, scroll to the bottom, and tap Delete Contact. Although you still can’t swipe left on a contact in a list, as you do when deleting in Mail and Messages, iOS 16 and iPadOS 16 provide a simpler method. Touch and hold a contact in the Phone or Contacts lists, and then tap Delete Contact at the bottom.

(Featured image based on an original by iStock.com/anyaberkut)

You Can Now Use Siri to Reboot Your iPhone or iPad

Although iOS and iPadOS are extremely stable, there are times when rebooting your iPhone or iPad can eliminate odd or problematic behavior, and there’s no harm in trying it. In the past, you’ve had to remember which buttons to press or select Settings > General > Shut Down and then press a button to turn the device back on. In iOS 16 and iPadOS 16, however, Siri has learned a new trick: how to reboot iPhones and iPads. Invoke Siri by holding the side button or Home button, and then say, “Reboot” or “Restart this device.” (Using “Hey Siri” can result in unexpected results, and saying “Restart” on its own tends to cause Music to start playing the last song.) Tap Restart, and your device reboots. If only this worked for the Apple Watch and HomePod too!

(Featured image by iStock.com/Wachiwit)