Critical Security Update: LastPass Compromise Details Reveal Encrypted Customer Data Stolen, Can Be Potentially Decrypted

Direct iT's Security Operations Center has an update from LastPass with newly-discovered information about a breach that started back in August.

At the time of the breach, LastPass believed that only source code (and no customer data) was stolen. Now, after an investigation, LastPass yesterday announced that the hackers were able to use the initial breach to steal the credentials of a LastPass employee, and then used those credentials to steal a backup of ALL LastPass customer vault data.

You can read LastPass' announcement here: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Some critical takeaways and recommendations from this announcement:

  1. All LastPass customer data is now in the possession of the hackers.
  2. That data is encrypted with each customer's master password, so it is not easy for the hackers to use it immediately.
  3. That encryption, however, can now be cracked by the hackers in multiple ways including:

  • Brute force - note that while the data sat on LastPass servers, LastPass controlled brute force attacks and allowed hackers only a few password attempts before locking the account. Now that the hackers hold a copy of the data, they can try millions of passwords every second, working through lists of stolen and common passwords until the data is cracked, because LastPass can no longer limit the number or speed of "attempts".
  • Common / previously breached passwords - any LastPass account protected by a common or previously breached master password will be easy for the hackers to open, exposing all of the data inside it.
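Added example (not code from Direct iT or LastPass): a Python check that puts the two bullets above into numbers, treating a master password as immediately exposed if it appears in a breached-password list and otherwise estimating how long an offline attacker needs at the rate the article describes versus the handful of tries a lockout allows. The breached-password list, the lockout threshold and the guess rate are constructed assumptions for illustration.

```python
import math

# Constructed sample standing in for a "previously breached" password list (not real leak data).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Assumed figures, not numbers from the article: an online service can lock an
# account after a few attempts; an attacker holding a stolen vault copy is
# limited only by hardware ("millions of passwords every second").
ONLINE_ATTEMPTS_BEFORE_LOCKOUT = 5
OFFLINE_GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must cover to enumerate this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def entropy_bits(password: str) -> float:
    """Rough keyspace entropy: length times log2 of the character set."""
    return len(password) * math.log2(charset_size(password)) if password else 0.0


def assess_master_password(password: str) -> dict:
    """Return why a master password is (or is not) at immediate risk."""
    bits = entropy_bits(password)
    if password.lower() in BREACHED_PASSWORDS:
        # A dictionary hit needs no brute force at all: the vault opens on the first try.
        return {"breached": True, "bits": bits, "online_success": 1.0, "offline_years": 0.0}
    keyspace = 2 ** bits
    # With a lockout the attacker gets a fixed handful of guesses against the whole keyspace.
    online_success = min(1.0, ONLINE_ATTEMPTS_BEFORE_LOCKOUT / keyspace)
    # Offline, expect to search half the keyspace at the hardware-bound guess rate.
    offline_years = (keyspace / 2) / OFFLINE_GUESSES_PER_SECOND / SECONDS_PER_YEAR
    return {"breached": False, "bits": bits, "online_success": online_success,
            "offline_years": offline_years}


if __name__ == "__main__":
    for pw in ("password", "abcdefgh", "Tr0ub4dor&3"):
        print(pw, assess_master_password(pw))
```

An eight-letter lowercase password that would survive a lockout-protected login falls in about a day offline, which is why the recommendation below is to rotate every stored password rather than rely on the vault encryption.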

Direct iT recommends that any customer of LastPass IMMEDIATELY change every password that was stored inside their LastPass account and assume that hackers have access to all of the data and notes in the account.
