Information Security
LastPass : Is it time to leave?
2022 was not LastPass’s year. For those unaware, the Password Mis-manager has been the target of a number of security incidents. The latest, in November, resulted in a significant breach of customer information.
The saga started in August when one of LastPass’s developer accounts was compromised and used to extract technical information about LastPass’s platform, including some source code from their development environment (essentially the blueprints to LastPass’s environment). No production information (customer information or vaults) was accessed at this time.
Then in November, a further attack was detected against a backend storage service used by LastPass. This storage service held archived backups of LastPass’s production data (including customer information and copies of encrypted password vaults), and the attacker was able to copy all of that information out of the storage service.
LastPass confirmed in late December that a copy of customer information and encrypted vaults was taken by the malicious actors. This included non-encrypted information such as:
- Customer names
- Email address
- Billing address
- Telephone Numbers
- Partial credit card details
- Website addresses for each password entry
- Metadata, including the last time an entry was modified or changed.
Encrypted information included in each customer’s vault:
- (Encrypted) Password Entry Account Name
- (Encrypted) Username
- (Encrypted) Password
- (Encrypted) Secure Notes
I’m a LastPass Customer – Am I in danger?
Immediately? Probably Not
BUT it depends on how strong the master password on your vault was at the time the copy of the vault was stolen. Your master password, which you set when you first create your vault, is used to generate the key that encrypts your vault and its contents.
LastPass state in their breach notification that, providing a user has used the defaults recommended by LastPass to create their master password, it would be very difficult to brute force the master key.
However, this assertion relies on the customer actually using the secure defaults recommended by LastPass to create a secure master password. Unfortunately we’re not always good at creating secure passwords, as found when the UK’s National Cyber Security Centre (NCSC) revealed that the most popular breached password was ‘123456′.
In addition, if you have used the same master password elsewhere for other online accounts, the risk is even larger if that online service has been or is compromised in the future (and we’ve certainly seen plenty of those occurring in 2022 and before).
Bottom line: If you used a weak master password or you have re-used it for other online accounts then you will be at greater risk of a potential breach.
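To make the “it depends on your master password” point concrete, here is an added example (not LastPass’s code, and the KDF, iteration count, email salt and attacker guess rate are all assumptions rather than values stated in this post) that derives a vault key from a master password and estimates how long an attacker holding the stolen copy would need to exhaust the guess space for a top-10,000 password versus three random words. It also shows why changing the master password now does not re-key the copy that was already taken, which is the point of the “check your master password” advice below.

```python
import hashlib
import math

# Illustrative assumptions, not values stated on the page: the vault key is
# derived from the master password with PBKDF2-HMAC-SHA256 salted with the
# account email, and the attacker can evaluate the hash at a fixed rate.
ITERATIONS = 100_100           # assumed KDF iteration count
HASHES_PER_SECOND = 1e8        # assumed attacker throughput for one HMAC-SHA256
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Derive the 256-bit key that encrypts the vault (assumed scheme)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def guess_space_bits(candidates: int, picks: int = 1) -> float:
    """Entropy in bits of picking `picks` items uniformly from `candidates`."""
    return picks * math.log2(candidates)


def years_to_exhaust(bits: float, iterations: int = ITERATIONS,
                     rate: float = HASHES_PER_SECOND) -> float:
    """Worst-case time to try every guess against the stolen vault copy."""
    return (2 ** bits) * iterations / rate / SECONDS_PER_YEAR


# Constructed scenarios mirroring the post: a top-10,000 password such as
# '123456', three random words from a 7,776-word list, 16 random printable chars.
SCENARIOS = {
    "top-10k password": guess_space_bits(10_000),
    "three random words": guess_space_bits(7_776, picks=3),
    "16 random characters": guess_space_bits(94, picks=16),
}


def crack_estimates() -> dict:
    """Map each scenario to (entropy bits, years to exhaust the space)."""
    return {name: (bits, years_to_exhaust(bits)) for name, bits in SCENARIOS.items()}


if __name__ == "__main__":
    email = "user@example.com"                       # constructed sample account
    stolen_copy_key = derive_vault_key("correct horse battery", email)
    # Changing the master password re-keys the live vault, not the stolen copy.
    assert derive_vault_key("correct horse battery", email) == stolen_copy_key
    assert derive_vault_key("new stronger passphrase", email) != stolen_copy_key
    for name, (bits, years) in crack_estimates().items():
        print(f"{name:22s} {bits:6.1f} bits  ~{years:.2e} years to exhaust")
```

With these assumptions the top-10,000 password falls in about ten seconds while three random words take roughly fifteen years; raising the iteration count scales both figures linearly, but only the entropy of the password moves the result by orders of magnitude.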
That’s not the only, or most probable risk from this breach
The fact that malicious actors have gained access to LastPass’s systems and downloaded a copy of every customer’s vault and related customer information is bad, but it’s not actually the most probable risk that you will experience from this breach.
If you have used a good master password and not used it elsewhere, it will take years to brute force it. However, there’s some really juicy information just in the unencrypted customer information; let’s refresh:
- Email addresses
- Telephone Numbers
- Website addresses
Immediately, from just these few pieces of information you can tell what websites and accounts someone has set up, so for example it may tell you that the customer uses Xero for their accounting, HSBC for their business banking, Wix for their website and Trello as their project board. Using this information, malicious actors can create phishing and scam calling campaigns specifically customised for those websites to attempt to obtain the user’s passwords through social engineering (effectively tricking the password out of a victim).
So what do I do?
If you are a LastPass user, there are a few things that we recommend you do:
- Check your Master Password – Because the breach has already occurred, whatever your master password was at the time is what’s used to encrypt the stolen copy of your data, so ask yourself: is it secure enough? If you used good password practices such as Think 3 Random Words or some other secure characteristics then you may be OK. We talk more about passwords in this blog post.
- Be aware that you may be targeted by phishing or other social engineering attacks – And yes, unfortunately, you probably already receive a few of these, but stay alert for ones that appear to come from the online services that were stored in your vault.
- Change your passwords – Now, unless you have determined that your master password is not secure, you don’t need to suddenly go out and change every password and spend a whole day on it. But you now have to consider that your usernames and passwords are out there in enemy hands, so we recommend you prioritise and schedule a change of passwords, starting with those accounts that are a higher risk to your business if they were breached, e.g. your online banking, Google or Office 365 accounts, or those used to store sensitive information.
- Find a new password manager? – Unfortunately, LastPass has been the victim of a continuing series of security incidents, and those in 2022 were not the first. As much as they want to play the ‘your data is safe providing you use a good master key’ card, it’s still a massive breach for those who put their trust in them. Whether you continue to use them is up to you, but they are certainly not going to be one of our recommended vendors going forward.