In August 2022, LastPass, a popular password management service, suffered a breach.
LastPass disclosed news of the breach on August 25th, 2022.
On December 22nd, 2022, after further investigation, the LastPass Blog revealed more detail: “While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”
The attacker was also able to copy a backup of customer vault data. This backup is stored in a proprietary binary format that contains both unencrypted data such as website URLs, and fully-encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data.
This is a serious cybersecurity concern for all LastPass clients.
Does this mean that my passwords in LastPass have been stolen?
According to LastPass, password data is encrypted and protected by your master password. A strong master password should make it difficult for the attacker to gain access to the fully encrypted sensitive fields, such as passwords and form-filled data.
However, you should be aware of heightened levels of risk due to this breach and informed on what steps you can take to mitigate risk.
What does EXP Technical recommend LastPass users do?
It is important for LastPass users to take the following precautions to protect themselves:
- Change your master password: If your master password is less than 12 characters, if it is otherwise weak, or if you believe that your master password may have been compromised in any way, change it to a new, strong password TODAY. In fact, just to be safe, change it to a new strong password today regardless. To do this, log into your LastPass account and go to the "Account Settings" page. From there, you can change your master password by clicking on the "Change Master Password" button.
- Use a long passphrase: 12 characters minimum, 14-20 characters or more is even better! Long passphrases can be easy to remember but difficult to guess. Create a passphrase that is unique to you and unique to each account. Don’t re-use or share passwords. Include upper and lowercase, numerical, and special characters.
- Do not use the same password for multiple accounts: It is especially important that you do not use your LastPass master password for ANY other account.
- Change other critical passwords: This is especially important for accounts that contain sensitive or financial information, such as your email, online banking, or social media accounts.
- Enable Multi-Factor Authentication (MFA) Everywhere: MFA adds an extra layer of security to your account. This added layer of security requires you to provide an additional form of authentication, such as a code sent to your phone or a fingerprint scan, in addition to your password. To enable MFA for your LastPass account, log in and go to the "Security" page. From there, you can choose to set up MFA using one of the available options. If you need help with this step, contact EXP Technical!
- Be extra cautious: Even without your passwords, an attacker may have gained a lot of information via this breach about where you do business. He may use this information to craft sophisticated and highly targeted spear phishing attacks. He may try to break your resolve with an MFA fatigue attack. It is important to be extra cautious. Do not click on any suspicious links or provide personal information to anyone you do not trust. Do not approve any MFA request that you did not initiate!
If you or your staff members are confused by terms like “phishing,” “spear phishing” and “MFA fatigue,” we strongly encourage all to enroll in Security Awareness Training at EXP Academy. (It’s free!) EXP Academy students are better able to recognize threats and are able to minimize risk through evasive action.
- Consider an alternative product: Work with your consultant from EXP to determine if it would be prudent to migrate to a different password manager.
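As an added illustration of the master password rules above (this is example code written for this page, not a tool from EXP Technical or LastPass), the following Python function checks a candidate master password against the criteria the list states: the 12-character minimum, the 14-or-more recommendation, the four character classes, and no reuse with any other account. The function name, the thresholds' names and the sample passwords are constructed for this example; nothing is sent anywhere and the candidate is never logged.

```python
import string

MIN_LENGTH = 12          # the stated minimum for a master password
RECOMMENDED_LENGTH = 14  # "14-20 characters or more is even better"


def check_master_password(candidate: str, other_passwords: tuple[str, ...] = ()) -> list[str]:
    """Return the policy findings for a candidate master password.

    An empty list means the candidate satisfies every rule in the checklist.
    ``other_passwords`` holds the passwords used on the person's other accounts
    (constructed input for the example) so reuse can be detected locally.
    """
    findings: list[str] = []

    # Length: reject below the minimum, nudge when below the recommendation.
    if len(candidate) < MIN_LENGTH:
        findings.append(f"too short: {len(candidate)} < {MIN_LENGTH} characters")
    elif len(candidate) < RECOMMENDED_LENGTH:
        findings.append(f"meets the minimum but {RECOMMENDED_LENGTH}+ characters is recommended")

    # Character classes: upper, lower, numeric and special, as the checklist asks.
    classes = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "special": any(c in string.punctuation for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))

    # Reuse: the master password must not protect any other account.
    if candidate in other_passwords:
        findings.append("reused: the master password must not be used for any other account")

    return findings


if __name__ == "__main__":
    # Constructed sample candidates; the findings list is empty only for the last one.
    for sample in ("Tr0ub4dor&3", "correct horse battery staple", "Blue-Kettle-Sings!2023"):
        print(len(sample), "chars ->", check_master_password(sample) or "OK")
```

The reuse check compares against passwords already held on the local machine; in practice the other passwords are the entries already stored in the vault, so the comparison never has to leave the device.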
A Broader Lesson and a Plan for the Future
The LastPass breach is a stark reminder that even the most secure systems can be vulnerable to attack. The steps outlined above help LastPass users to protect themselves and their sensitive information. Business leaders should also ensure that their employees are aware of these precautions and encourage them to take steps to secure their accounts.