The LastPass security breach has created a serious and very real security threat for businesses.  LastPass is a password management application which allows you to store passwords for websites, applications and credit cards.  It uses an encrypted vault which should keep your passwords secure, but the latest disclosures mean that a copy of that vault is now in the hands of attackers.  In this article we will look at what happened in the LastPass security breach, how it impacts business security and finally what you can do about it.

What happened to LastPass?

LastPass has suffered several security incidents since 2011, but the most recent, first reported in August 2022, is significant.  Initial reports from LastPass stated that a breach had occurred but that customer data was unaffected.  Later updates reported that unencrypted subscriber account information had been taken.  This includes LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses.

On December 22nd LastPass posted an update which stated that the breach was MUCH more serious: copies of customers' password vaults had been downloaded by the attackers.  These vaults are still encrypted, but the key that protects them is derived from your master password (LastPass uses PBKDF2 for this), so anyone holding a copy can now guess master passwords offline, at their own pace and with no account lockout, and a correct guess reveals that customer's stored usernames and passwords.  The PBKDF2 iteration count matters here: LastPass's default was 100,100, but accounts created years ago and never updated could be set far lower, which makes every guess much cheaper for the attacker.

What data do hackers now have?

The hackers now have your:

  • LastPass username
  • Company name
  • Billing address
  • Email address and phone number
  • IP addresses you have used
  • Password vault (encrypted)

One area of particular concern is that the password vault stored the website URLs without encryption.  This means the attackers know which websites you have accounts with, and because your LastPass username is your email address they very likely know your username for those sites as well, assuming you sign in with the same email address.

How can hackers use this data?

There are two potential threats here.  The first relates to the leaked usernames, company names, email addresses and phone numbers: this is a perfect set of information for hackers to begin a social engineering attack, as described below.

The second is that the attackers now hold your encrypted password vault.  The encryption itself is not what they will attack; they will guess master passwords.  If they guess yours, they gain every password in the vault, and that could be devastating.

Realistically, how likely is it that they will get my passwords?

The answer depends on how good your master password is, and on how many PBKDF2 iterations your account was set to.  If you used a strong, unique master password of 20 or more characters with a sprinkling of numbers and special characters, not a predictable pattern and not recycled from another site, then guessing it offline is realistically out of reach even at the lower iteration counts.

If your password is built from words such as the names of your kids, dogs, cats, spouse or football team, the year you were born and an exclamation mark at the end, then I would start worrying.  People give this information away freely on social media, so it is not difficult for hackers to piece the clues together into a targeted wordlist and greatly increase their chances of cracking your vault.
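To make the two points above concrete, here is an added example (not LastPass's code) that models the attacker's position: they hold a copy of the encrypted vault together with its salt and PBKDF2 iteration count, so every master-password guess can be checked locally with no server to lock them out.  The vault layout, the SHA-256 keystream standing in for AES, the clue lists and the mangling rules are all constructed for illustration; only the PBKDF2-HMAC-SHA256 key derivation and the 100,100 default iteration count reflect what LastPass actually used.

```python
"""Offline guessing against a stolen encrypted vault (illustrative model)."""
import hashlib
import hmac
import json
import math
import os

DEFAULT_ITERATIONS = 100_100   # LastPass's documented default; older accounts could be far lower


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the construction that turns a master password into a vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (stand-in for AES, not for real use)."""
    blocks = [hashlib.sha256(key + n.to_bytes(8, "big")).digest() for n in range(math.ceil(length / 32))]
    return b"".join(blocks)[:length]


def encrypt_vault(entries: list, master_password: str, iterations: int = DEFAULT_ITERATIONS, salt=None) -> dict:
    """Produce what the attacker stole: salt and iteration count in the clear, ciphertext plus tag."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, ciphertext, "sha256").digest()   # this is what lets a guess be confirmed
    return {"salt": salt.hex(), "iterations": iterations, "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def try_master_password(vault: dict, guess: str):
    """Return the decrypted entries if `guess` is the master password, otherwise None."""
    key = derive_key(guess, bytes.fromhex(vault["salt"]), vault["iterations"])
    ciphertext = bytes.fromhex(vault["ciphertext"])
    if not hmac.compare_digest(hmac.new(key, ciphertext, "sha256").digest(), bytes.fromhex(vault["tag"])):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(key, len(ciphertext))))
    return json.loads(plaintext)


def candidates_from_clues(names, years, suffixes):
    """Mangling rules applied to clues scraped from social media (pet, team, a memorable year)."""
    for name in names:
        for variant in (name.lower(), name.capitalize()):
            for year in years:
                for suffix in suffixes:
                    yield f"{variant}{year}{suffix}"


def offline_attack(vault: dict, wordlist):
    """Try each candidate; return (guesses_tried, master_password, entries) or (n, None, None)."""
    tried = 0
    for tried, guess in enumerate(wordlist, 1):
        entries = try_master_password(vault, guess)
        if entries is not None:
            return tried, guess, entries
    return tried, None, None


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: 20 characters from 70 symbols is about 123 bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(entropy_bits: float, iterations: int, hmac_per_second: float) -> float:
    """Worst-case time to try every password of the given entropy.

    Each PBKDF2 guess costs `iterations` HMAC computations, so the attacker's raw
    hash rate is divided by the iteration count before it becomes a guess rate.
    """
    return 2 ** entropy_bits / (hmac_per_second / iterations)


if __name__ == "__main__":
    entries = [{"url": "https://bank.example", "username": "me@example.com", "password": "x7!Qp-constructed"}]
    # Constructed clues: a dog called Rover, an Arsenal supporter, 2015 a memorable year.
    wordlist = list(candidates_from_clues(["rover", "arsenal"], ["", "2015", "15"], ["", "!", "1"]))

    weak = encrypt_vault(entries, "Rover2015!")
    print("weak vault:  ", offline_attack(weak, wordlist)[:2])      # found on guess 14
    strong = encrypt_vault(entries, "kQ7!vzLm2#pXr9Wd$eT4")         # 20 random characters
    print("strong vault:", offline_attack(strong, wordlist)[:2])    # (36, None)

    # Assumed cracking rig: 1e9 HMAC-SHA256 per second, against a 20-character random password.
    bits = random_password_bits(20, 70)
    for iters in (1, 5_000, DEFAULT_ITERATIONS):
        yrs = seconds_to_exhaust(bits, iters, 1e9) / (365 * 24 * 3600)
        print(f"{iters:>7} iterations: {yrs:.3g} years to exhaust {bits:.0f} bits")
```

Two things to take from running it: the "pet name plus year plus exclamation mark" master password falls inside a 36-entry wordlist built from nothing but public clues, while the random 20-character one survives the same list and, by the entropy arithmetic, would survive any feasible one; and the iteration count is a straight multiplier on the attacker's cost, which is why an old account still set to a few thousand iterations is in a much worse position than one on the 100,100 default.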

What should I do to protect against the LastPass Breach?

I believe the safe approach is to change everything: your master password, all of the passwords in your vault and potentially your password manager.  Let's go through them in order.

1. Change your master password.

This is job one for good reason.  If you don't change it and the hackers crack the stolen copy, they also hold the credentials for your live vault.  Be clear about what this step does and does not do: it protects the live account, but it does nothing for the copy that has already been stolen, which is why step 2 follows.

2. Change ALL of your passwords.

I know this is a big ask but – will you sleep at night knowing hackers might be accessing any of your online accounts?

REMEMBER… Make sure the new passwords are strong and unique, ideally generated by the password manager rather than made up.

  • I would obviously start with the high-risk accounts first: bank accounts, company finances, credit cards and anything containing personal information such as HR databases.
  • Next, change the passwords for services that would let someone impersonate you, such as email accounts, social media and CRM systems.
  • Lastly, work your way through general websites, enabling 2FA on every site that supports it.  While you are going through this process you may as well strengthen your security position.

3. Finally, you might want to move to a different password manager.  Personally, I think LastPass has done a poor job of keeping its customers informed, and this is not the first security issue it has had.

Nothing is 100% safe, but I would expect a rigorous and prompt series of updates after a breach this serious, and none of that seems to have been on their radar.

A word of warning: if you change password manager you still need to change all of your passwords.  The hackers have a copy of your old vault, so even if you delete your live LastPass account they may still recover the passwords it contained.

Is there anything else to be aware of?

The hackers have LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses.  All of this information is a great starting point for a social engineering attack.

Imagine one of your staff receives an email appearing to be from you.  It says something along the lines of:

“I am really worried about this LastPass breach, but my signal is awful up here on the slopes.  Can you please log into the bank and change the password to ARand0mPa55word!”

Hackers have become much better at social engineering attacks, and they do this by gathering information from multiple sources.  Your Facebook feed tells them you are skiing, so that personal detail is woven into the email to make it seem authentic.

What can I do to protect against social engineering attacks?

My advice to business owners is to create a procedure that your staff follow at all times.  Make it clear that you will never override this procedure, and that they will never face disciplinary action for refusing a request they believe to be from a hacker.

To maximise the security of this procedure there should ideally be an out-of-band component, something the attacker cannot reach by replying to the email.  The simplest is a phone call back to a number already on file, including a spoken code word, before certain transactions such as payments or password changes are authorised.

Should I change my password manager?

Nothing is 100%, so the fact that LastPass has had a security breach is not, on its own, a reason to change.

My concern is that this is not the first security breach for LastPass and I question whether lessons have been learnt and systems implemented as a result of previous breaches.

The biggest concern is the length of time it took for this information to be disclosed.  The initial intrusion was reported in August, roughly four months before the December statement revealed that vaults had been taken, and that is a long time for such a significant breach.  This by itself would make me want to move to another password manager.

I need more advice – what should I do?

Absolutely PC has been operating as a business IT support company, with a focus on managed services and IT security, for over 18 years.  If you would like to speak with one of our IT security experts, please get in touch.

Our guarantee:

  • There are no hidden charges: this is a 100% free 15 minute consultation to help you.
  • We will never spam you or sell on your contact details.
  • We will treat your information with absolute confidentiality.
