The LastPass security breach has created a serious and very real security threat for businesses. LastPass is a password management application that allows you to store passwords for websites, applications and credit cards. It utilises an encrypted vault that should keep your passwords secure, but recent information indicates that your vault is now at risk. In this article we will look at what happened in the LastPass security breach, how it impacts business security and finally what you can do about it.
What happened to LastPass?
LastPass has suffered a few security breaches since 2011 but the most recent, reported in August 2022, is significant. Initial reports from LastPass suggested that a breach had occurred but that all customer data was unaffected. Later updates then reported that unencrypted subscriber account information was leaked. This includes LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses.
On December 22nd LastPass posted an update which stated that the breach was MUCH more devastating: customers' password vaults have been downloaded by hackers. Although these vaults are still encrypted, it is now possible for attackers to attempt to brute force the master password offline, revealing your stored usernames and passwords.
What data do hackers now have?
The hackers now have your:
- LastPass username
- Company name
- Billing addresses
- IP addresses you have used
- Password vault (encrypted)
One area of concern is that the password vault stored the website links without encryption. This means hackers know which websites you have accounts with and potentially your username for those sites, assuming you reuse the same username.
How can hackers use this data?
There are two potential threats here. The first relates to the leaked usernames, company names and email addresses: this is a perfect set of information for hackers to begin a social engineering attack, as described below.
The second concern is that hackers now have your encrypted password vault. If they manage to crack your master password and decrypt the vault, they gain access to all of your passwords, which could be devastating.
Realistically, how likely is it that they will get my passwords?
The answer depends on how good your master password is. If you used a strong password of 20 or more characters, including a sprinkling of numbers and special characters, then the chances are it will take a long time to crack.
If your password is built from words such as the names of your kids, dogs, cats, spouse or football team, the year you were born and an exclamation mark at the end, then I would start worrying. People give this information away freely on social media, so it is not difficult for hackers to piece the clues together and increase their chances of cracking your vault.
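As an added illustration of the point above (example code written for this article, not from LastPass or the original post), the following Python compares a predictable "name + year + !" master password with a long random one. The guess rate, wordlist size, year and suffix counts are labelled assumptions, and the wordlist is a constructed stand-in.

```python
import math
import re

# Constructed, illustrative guess rate for an offline attack on a stolen vault
# (an assumption, not a measured figure; real rates depend on KDF and hardware).
GUESSES_PER_SECOND = 1e9

# Constructed mini wordlist standing in for the names, pets and teams the
# article warns about; a real cracking wordlist is far larger.
PERSONAL_WORDS = {"bella", "charlie", "liverpool", "arsenal", "summer", "rover"}
WORDLIST_SIZE = 100_000  # assumed effective size of a personal-info wordlist
YEAR_CHOICES = 100       # birth years an attacker would realistically try
SUFFIX_CHOICES = 10      # "!", "!!", "?" and similar trailing symbols

# word, then 2-4 digits (a year), then up to two trailing symbols
PATTERN = re.compile(r"^([A-Za-z]+)(\d{2,4})([^A-Za-z0-9]{0,2})$")

def charset_size(pw: str) -> int:
    """Size of the alphabet a naive brute force would have to cover."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33
    return size

def naive_guesses(pw: str) -> float:
    """Search space if every character were chosen at random."""
    return float(charset_size(pw) ** len(pw))

def realistic_guesses(pw: str) -> float:
    """Search space once 'known word + year + symbol' structure is exploited."""
    m = PATTERN.match(pw)
    if m and m.group(1).lower() in PERSONAL_WORDS:
        return float(WORDLIST_SIZE * YEAR_CHOICES * SUFFIX_CHOICES)
    return naive_guesses(pw)

def expected_crack_seconds(guesses: float) -> float:
    """Average time to reach the right guess: half the search space."""
    return guesses / 2 / GUESSES_PER_SECOND

def assess(pw: str) -> dict:
    """Naive vs. realistic strength, plus expected years to crack at the assumed rate."""
    naive, real = naive_guesses(pw), realistic_guesses(pw)
    return {
        "naive_bits": round(math.log2(naive), 1),
        "realistic_bits": round(math.log2(real), 1),
        "years_to_crack": expected_crack_seconds(real) / (365 * 86400),
        "predictable": real < naive,
    }
```

Calling `assess("Bella1987!")` reports a naive strength of about 66 bits but a realistic one of about 27 bits, cracked in a fraction of a second; a 22-character random string stays far beyond reach at the same guess rate.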
What should I do to protect against the LastPass Breach?
I believe the safe way to approach this is to change everything: your master password, all of the passwords in your vault and potentially your password manager. Let’s go through them in order.
1. Change your master password.
This is job one for good reason. If you don’t change this first and hackers do crack it, they have access to your live vault.
2. Change ALL of your passwords.
I know this is a big ask, but will you sleep at night knowing hackers might be accessing any of your online accounts?
REMEMBER… ensure the new passwords are strong and unique.
- I would obviously start with the high-risk ones first such as bank accounts, company finances, credit cards and anything containing personal information such as HR databases etc.
- Next up, change the passwords for apps that allow people to impersonate you such as email accounts, social media, CRM systems etc.
- Lastly, work your way through general websites ensuring you enable 2FA on sites that allow it – whilst you are going through this process you may as well strengthen your security position.
3. Finally, you might want to change to a different password manager. Personally, I think LastPass has done a poor job of updating its customers, and this is not the first security issue it has had.
Nothing is 100% safe, but I would expect a rigorous and prompt series of updates after a serious breach such as this, and none of that seems to have been on their radar.
A word of warning: if you change your password manager, you still need to change all of your passwords. Remember, the hackers have a copy of your vault, so even if you delete your live account they may still be able to recover your passwords from that copy.
Is there anything else to be aware of?
The hackers have access to LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses. All of this information is a great starting point for a social engineering attack.
Imagine one of your staff receives an email that appears to be from you. It says something along the lines of:
“I am really worried about this LastPass breach, but my signal is awful up here on the slopes. Can you please log into the bank and change the password to ARand0mPa55word!”
Hackers have become much better at social engineering attacks, and they do this by gathering information from multiple sources. By reading your Facebook feed they know you are skiing, and that personal detail is dropped into the email to make it seem authentic.
What can I do to protect against socially engineered attacks?
My advice to business owners is to create a system that your staff follow at all times. Make it clear that you will never override this system and that they should never fear disciplinary action for refusing a request they believe comes from a hacker.
To maximise the security of this system, there should ideally be an offline component. This is most easily done with a personal phone call that includes a spoken code word to authorise certain transactions.
Should I change my password manager?
Nothing is 100% secure, so the fact that LastPass has had a security breach is not by itself a reason to change.
My concern is that this is not the first security breach for LastPass, and I question whether lessons have been learnt and systems implemented as a result of previous breaches.
The biggest concern is the length of time it took for this information to be disclosed. The initial breach was 6 months prior to the statement in December, and that is a long time for such a significant breach. This alone would make me want to move to another password manager.
I need more advice – what should I do?
Absolutely PC has been operating as a business IT support company, with a focus on managed services and IT security, for over 18 years. If you would like to speak with one of our IT security experts, click the button below.
- There are no hidden charges – this is a 100% free 15-minute consultation to help you.
- We will never spam you or sell on your contact details.
- We will treat your information with absolute confidentiality.