LastPass Security Incident

On December 22, 2022, LastPass released a blog post titled “Notice of Recent Security Incident.” In this post, they notified users that an unknown bad actor gained access to their cloud-based storage system.

Element has reviewed this post and related notices from other parties. Based on the information available now, our assessment is that your passwords should still be safe and that there is no immediate danger of that changing.

The bad actors were able to obtain some customer account data, such as the “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.” That’s not great to hear, but it is also not the end of the world. We would expect an uptick in LastPass-themed phishing aimed at LastPass users, but not much else.

The other information the bad actors took was encrypted vault data. Your vault is where your passwords and other secure information are kept. It is not clear how many users’ vaults were taken, but LastPass was adamant that each vault is encrypted with a key derived from the user’s master password and that not even LastPass has access to it. Because of this, the only way into a stolen vault is to guess the master password offline against the stolen copy, so it is highly unlikely that a bad actor could open your vault unless your master password was weak. Two caveats are worth knowing. First, LastPass has required a twelve-character minimum for master passwords since 2018, but an account created before then that never changed its master password may still have a shorter one, and a twelve-character password that is reused elsewhere or follows a common pattern is still guessable regardless of its length. Second, LastPass’s notice states that not every field in the vault is encrypted: website URLs, for example, are stored unencrypted, so an attacker can see which sites you have accounts on even without the master password.
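The following is an added illustration of the point above and is not code from this post or from LastPass. It models a vault key derived from the master password with PBKDF2-HMAC-SHA256, which is the kind of derivation LastPass describes, but the salt, the iteration count, the wordlist and the guessing rates are assumptions constructed for the example, not values taken from any real account or attacker. It shows what “offline guessing against the stolen copy” means in practice, why a twelve-character password from a leaked-password list still falls quickly, and why changing your master password today does not change the key protecting the copy that was already stolen.

```python
"""Simplified model of why master-password strength governs the risk from a
stolen, encrypted vault. Illustrative only; parameters below are assumptions,
not LastPass's measured values."""
import hashlib
import time

# Assumed per-account salt and an assumed iteration count in the range a
# 2018-era password manager would use. Both are constructed for this example.
SALT = b"user@example.com"
ITERATIONS = 100_100


def derive_vault_key(master_password: str, salt: bytes = SALT,
                     iterations: int = ITERATIONS) -> bytes:
    """Derive a 256-bit vault key from the master password with PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def offline_guess(target_key: bytes, candidates, salt: bytes = SALT,
                  iterations: int = ITERATIONS):
    """What an attacker holding a stolen vault can do: derive a key from each
    candidate master password and compare it with the key that opens the
    vault. Returns (password, guesses_made), or (None, guesses_made) when the
    candidate list is exhausted. No server, and therefore no MFA or rate
    limit, is involved at any point."""
    for n, guess in enumerate(candidates, start=1):
        if derive_vault_key(guess, salt, iterations) == target_key:
            return guess, n
    return None, len(candidates)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the cost of one guess on this machine. Fewer iterations make
    every guess proportionally cheaper for the attacker."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", SALT, iterations)
    return (time.perf_counter() - start) / samples


def years_to_exhaust(length: int, alphabet_size: int,
                     guesses_per_second: float) -> float:
    """Worst-case time to try every uniformly random password of the given
    length at an assumed guessing rate. Only meaningful for random passwords;
    a password taken from a leaked list is found in far fewer guesses."""
    keyspace = float(alphabet_size) ** length
    return keyspace / guesses_per_second / (365 * 24 * 3600)


# Constructed wordlist standing in for the leaked-password lists attackers
# actually use. Every entry is at least twelve characters, so the length
# requirement alone does not keep any of them out of such a list.
WORDLIST = ["Password2022", "lastpass1234", "Summer2022!!", "iloveyou2022",
            "qwertyuiop12", "Welcome12345"]


def demo():
    """Run the attack against a weak and a strong master password."""
    # A twelve-character password that also appears in the wordlist falls
    # after three guesses.
    weak_key = derive_vault_key("Summer2022!!")
    found, tries = offline_guess(weak_key, WORDLIST)

    # A long passphrase that is not in any list survives the whole wordlist.
    strong_key = derive_vault_key("correct-horse-battery-staple-2022")
    not_found, _ = offline_guess(strong_key, WORDLIST)

    # Changing the master password after the theft derives a new key, but the
    # stolen copy is still encrypted under the old one, so the attacker's
    # target (weak_key) is unchanged by the rotation.
    rotated_key = derive_vault_key("a-new-and-much-longer-master-password")
    return found, tries, not_found, rotated_key != weak_key


if __name__ == "__main__":
    print(demo())
    print("seconds per guess at %d iterations: %.4f"
          % (ITERATIONS, seconds_per_guess(ITERATIONS)))
    # Assumed rate for a well-resourced attacker; illustrative only.
    print("years to exhaust 12 random alphanumerics at 1e9/s: %.0f"
          % years_to_exhaust(12, 62, 1e9))
```

The takeaway from running it: the guess loop never touches LastPass, so nothing LastPass does now (MFA, lockouts, password changes) slows it down; only the master password the vault was encrypted with at the time of the theft, and the iteration count on that account, set the attacker’s cost.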

So, what are your takeaways? First, LastPass is still secure enough to keep using, and many of us on the Element team are still using it. Second, be extra careful with any emails or communications that claim to come from LastPass; phishing attacks will likely be on the rise with the newly leaked customer information, and LastPass will never call, email, or text you asking for your master password. Third, if you don’t already have a strong master password, change it now. Your master password is the most important password you have, so it should also be your strongest. Note that this protects your vault going forward only: the copy that was stolen remains encrypted under the master password you had at the time of the breach, and no change you make now affects it. Finally, enable MFA on your LastPass account if you haven’t already. MFA guards logins to LastPass’s service; it adds no protection to the stolen offline copy, so it complements a strong master password rather than replacing it.

If you are still concerned about any of your accounts, change the passwords on high-value sites such as banking, retirement (401k), and your primary email. Rotating a password is the one step that fully removes the risk from the stolen copy, since the old password is useless to anyone who later cracks the vault. If your master password was short or reused, or your vault held weak or reused passwords, do this regardless of how concerned you feel.

To read the notice LastPass sent out, see https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/ or go to blog.lastpass.com

Craig Sixta

Chief Technology Officer at Element Technologies

https://www.linkedin.com/in/craig-sixta-cissp-8b0b157/