LastPass Breach 2023

At one time, Lotus strongly encouraged people to use LastPass password management software. We used it ourselves as a company and individually. It passed all the rigors of the Trust No One standard. Though we moved to another solution for password management some years ago, we continued to hold LastPass in high regard in the space.

We were first alerted to a potential data breach by LastPass on August 26th last year. They disclosed that attackers were able to compromise a development server, siphoning private source code and ‘proprietary technical info’. LastPass quickly clarified that no user data was accessed in the August attack and wrapped up their investigation in mid-September.

November brought a bombshell development in the story. Information obtained by the hacker in August allowed the attacker to exploit a third-party cloud service used by LastPass and access customer information. It was unclear which customers were affected and whether the stolen data contained encrypted password vaults.

Almost a month later, on December 22nd, 2022, LastPass released an update: the hacker had obtained a copy of customer data backups. The full impact was still unclear, but the vault data includes details such as usernames, passwords, notes, form data and even URLs.

According to LastPass, most of the stolen data, such as usernames and passwords, was encrypted. However, the URLs stored in password vaults are not. As a result, a hacker would still need a vault owner's master password to decrypt all of the stolen data.

Researchers later discovered that many vaults belonging to early LastPass users were not sufficiently password protected. An underlying key was too short, which gives hackers a better chance of breaking a vault password by brute force. LastPass has also been vague about how long it maintained the backup vaults that the hackers accessed.

The unencrypted data alone could be used to launch targeted phishing attacks, and many security firms have warned that hackers may use the leaked customer information to search the Dark Web for re-used passwords that may match master passwords.

To protect yourself and your customers, here are a few action items we advise:

  • Rotate any passwords and keys stored in LastPass.
  • Check for password re-use across your sites and services.
  • Enable multi-factor authentication on everything.
  • Warn your users of an increased risk of phishing.
  • Pay careful attention to your accounts for breaches and suspicious activity.
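A small script covering the second item, checking a vault export for re-used passwords, as an added example that is not part of the original post. It assumes the column layout of a LastPass CSV export (url,username,password,totp,extra,name,grouping,fav) and runs over constructed sample rows; it reports only site names, never the shared password itself.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the assumed LastPass CSV export layout;
# the column names are an assumption about the export format, not data from the post.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com,alice@example.com,Winter2021!,,,Mail,Work,0
https://bank.example.com,alice,Winter2021!,,,Bank,Personal,1
https://shop.example.com,alice@example.com,Winter2021!,,,Shop,Personal,0
https://vpn.example.com,alice,x9#Lq2vT!pR7,,,VPN,Work,0
https://forum.example.net,alice,correct-horse,,,Forum,Personal,0
https://wiki.example.net,alice,correct-horse,,,Wiki,Personal,0
"""


def load_vault(csv_text):
    """Parse a LastPass-style CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_reused_passwords(rows):
    """Group entries by password and return the groups shared by two or more
    entries as (count, sorted site names), most widely re-used first."""
    by_password = defaultdict(list)
    for row in rows:
        pw = row.get("password", "")
        if pw:
            by_password[pw].append(row.get("name") or row.get("url"))
    groups = [(len(sites), sorted(sites))
              for sites in by_password.values() if len(sites) > 1]
    groups.sort(key=lambda g: (-g[0], g[1]))
    return groups


def rotation_plan(rows):
    """Every entry that shares a password with another needs a new, unique
    secret; return the set of entry names to rotate first."""
    names = set()
    for _, sites in find_reused_passwords(rows):
        names.update(sites)
    return names


if __name__ == "__main__":
    vault = load_vault(SAMPLE_EXPORT)
    for count, sites in find_reused_passwords(vault):
        print(f"{count} entries share one password: {', '.join(sites)}")
    print("rotate first:", ", ".join(sorted(rotation_plan(vault))))
```

Point `load_vault` at the contents of a real export (then delete the plaintext file) to get a prioritized rotation list for your own vault.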

Lastly, remember that LastPass will never ask you for sensitive data via text, phone, or email, and will not send you a link to verify your personal information. Impostors, however, will do exactly that in phishing attempts that impersonate LastPass support.