LastPass Breach Recommendations for End-Users

LastPass (Password Manager) was breached. Here is my take on the situation and recommendations.

LastPass issued a Notice of Recent Security Incident on December 22, 2022. This was an update to a previous notification that they disclosed in August 2022, and it contains some concerning revelations. During the August incident, no customer data was accessed, but source code and proprietary technical information were. A threat actor then used that information to target and compromise a LastPass developer, which led to this newest incident. As a result, they were able to access LastPass storage volumes that contained backups. Those backups contained customer contact information and other account metadata. They were also able to copy customer vault data, which contains both encrypted fields, such as usernames and passwords, and unencrypted fields, such as the URLs of the websites saved in LastPass. The encrypted fields are protected by a key derived from your Master Password, so the threat actor does not have your passwords in the clear. But with an offline copy of the vault they can keep guessing the Master Password over time, with no server-side lockout to stop them. Action is needed to mitigate this.

So what does this mean to the end-user?

Threat actors have access to LastPass users’ billing info and other account metadata (names, email addresses, phone numbers, billing addresses). They also have the list of websites each user stored in LastPass, because URLs were not encrypted in the vault.

  • Expect an uptick in phishing and social engineering campaigns. Now that attackers have a list of the sites that you use (e.g. banking, shopping, personal, etc.), they can craft targeted campaigns that name the exact bank or store you have an account with.
  • Be alert – Do not fall for the typical phishing emails, password reset emails, account alert emails, etc. Never click on these links. If you receive an alert from a service provider, go straight to them. Go to their official website, or call the official number for the company. Never use the contact info that is provided in the email.

Threat actors have downloaded and have access to your encrypted password vault.

  • Changing your LastPass Master Password won’t help with the stolen copy. They have your password vault offline, and a new Master Password only applies to the live copy on LastPass’s servers, not to the copy they already have. (It is still worth changing it if you reused it anywhere.)
  • They can now attempt to brute force your vault offline using wordlists. Every guess has to be run through the key-derivation function (PBKDF2) to produce a candidate vault key, so the longer and more complex your LastPass Master Password is, the more guesses they need and the harder it will be to crack. A long, random passphrase is the best option. One caveat: LastPass’s notice states that the default is 100,100 PBKDF2 iterations, but accounts that pre-date that default and were never updated may be set much lower, which makes each guess cheaper, so check your account’s iteration setting. If a strong passphrase is you, then I am still recommending that you take the actions listed below, but you may have some more time.
  • Was your LastPass Master Password a password that you also used on other sites? Was it a variation of passwords that you use elsewhere? Did you use common names/words for your Master Password? If so, you should take the actions recommended below sooner rather than later.
  • Did you have Multi-Factor Authentication (MFA) enabled for your LastPass account? Unfortunately, this won’t help here. MFA protects the login to LastPass’s servers against password spraying and other online password attacks, but the threat actors already have an offline copy of the vault, and that vault is decrypted only with a key derived from your Master Password; the second factor is never checked when decrypting it. This does not mean that you should ever abandon using MFA. (See next bullet point.)
  • Do you have MFA set up for EACH INDIVIDUAL site that you access? (i.e. your company sites, banking, email, etc)
  • If you don’t already have Multi-Factor Authentication (MFA) enabled for EACH site that you log in to, then do it immediately. Start with the most important ones, such as banking, taxes, email, etc.
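To make the offline attack described in the bullets above concrete, here is an added example that is not from the original article and not LastPass’s code. It uses a simplified, assumed vault model (a vault key from PBKDF2-HMAC-SHA256 over the Master Password with the account email as salt, plus a constructed key verifier), not LastPass’s real file format; the wordlist, the email address, the 5,000 “legacy” iteration count and the mangling rules are constructed for the demo. It shows that the second factor never enters the unlock path, that rotating the Master Password neither opens nor closes the stolen copy, that a password reused from another site with a common suffix falls in a few dozen guesses while a long passphrase outlasts the wordlist, and how much the PBKDF2 iteration count changes the attacker’s guess rate.

```python
"""Offline Master Password guessing against a stolen vault copy (simplified model)."""
import hashlib
import hmac
import time

# Assumed model (not LastPass's actual file format): vault key =
# PBKDF2-HMAC-SHA256(master password, salt = lowercased account email, N iterations),
# and the vault carries verifier = SHA-256("verifier" || key) so an attacker can tell
# a correct guess from a wrong one without any server round-trip.

DEFAULT_ITERATIONS = 100_100   # default stated in LastPass's December 2022 notice
LEGACY_ITERATIONS = 5_000      # constructed value for an old, never-upgraded account


def derive_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the Master Password into a 32-byte vault key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def make_vault(master_password: str, email: str, iterations: int) -> dict:
    """Build a constructed 'stolen vault' record: everything the offline attacker holds."""
    key = derive_key(master_password, email, iterations)
    return {
        "email": email,
        "iterations": iterations,
        "verifier": hashlib.sha256(b"verifier" + key).digest(),
    }


def unlock(vault: dict, candidate: str) -> bool:
    """Does this candidate Master Password open the vault?  No server and no MFA involved."""
    key = derive_key(candidate, vault["email"], vault["iterations"])
    return hmac.compare_digest(hashlib.sha256(b"verifier" + key).digest(), vault["verifier"])


def variants(base: str):
    """Cheap mangling rules applied to a password leaked from another site (constructed)."""
    yield base
    yield base.capitalize()
    for suffix in ("!", "1", "123", "2022", "2023"):
        yield base + suffix
        yield base.capitalize() + suffix


def crack(vault: dict, wordlist) -> tuple:
    """Offline dictionary attack; returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in variants(word):
            guesses += 1
            if unlock(vault, candidate):
                return candidate, guesses
    return None, guesses


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Rough single-core guess rate; shows why the iteration count matters."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"bench{i}", "bench@example.com", iterations)
    return samples / (time.perf_counter() - start)


# Constructed wordlist: a few common passwords plus a word "leaked" from another site.
WORDLIST = ["123456", "password", "qwerty", "letmein", "winter", "summer"]

if __name__ == "__main__":
    email = "alice@example.com"   # constructed

    # A variation of a password used elsewhere: cracked quickly even at the default cost.
    weak = make_vault("Summer2022", email, DEFAULT_ITERATIONS)
    print("weak vault:", crack(weak, WORDLIST))

    # A long random passphrase: not in any wordlist, the attacker runs out of guesses.
    strong = make_vault("correct horse battery staple lantern 47", email, DEFAULT_ITERATIONS)
    print("strong vault:", crack(strong, WORDLIST))

    # Rotating the Master Password yields a new live vault; the stolen copy is unaffected.
    rotated = make_vault("new Master Password", email, DEFAULT_ITERATIONS)
    print("stolen copy still opens with old password:", unlock(weak, "Summer2022"))
    print("stolen copy opens with new password:", unlock(weak, "new Master Password"))
    print("new live vault opens with old password:", unlock(rotated, "Summer2022"))

    for n in (LEGACY_ITERATIONS, DEFAULT_ITERATIONS):
        print(f"{n:>7} iterations: ~{guesses_per_second(n):.0f} guesses/s on one core")
```

Nothing in `unlock` ever consults a second factor or a server, which is the whole reason MFA and a Master Password change do not protect a copy that has already been taken; the only variables the victim controls are how guessable the Master Password is and how expensive each guess is.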

Anyone can be hacked. Often, you will see a company become more secure after a breach. However, LastPass has had a few incidents over the years and I am not certain of the true extent of this one. We will have to wait and see what is to come. If you are using LastPass today, I am recommending that users migrate to another password manager such as Bitwarden, 1Password, or KeePass. However, as I mentioned, anyone can be hacked, and they can be as well.

Password managers are still relevant today. I still recommend the use of a password manager, in combination with strong, unique passphrases and MFA for each site that you access. There are local (offline) password managers that keep the encrypted vault in a file you control, and there are cloud-based password manager services that store it on the provider’s servers. Which type is best for you depends on your risk appetite. A local vault cannot be taken in a provider breach like this one, but you are responsible for backing it up and syncing it between devices, which many users find less convenient.

MFA should be mandatory for all services. Passwords alone are not enough.

My recommendations are:

  1. If you do not have MFA enabled across all of the websites that you log into, then do that now.
  2. While you are at it, I know that this is not an easy task, but change all of the passwords for sites that you have stored in LastPass. Start with the critical ones first such as banking, email accounts, and business accounts.
  3. Migrate your accounts into a new Password Manager.
  4. Finally, be aware that attackers will use the data from this breach to attempt to social engineer you. Never click on links or call phone numbers in unsolicited emails. If you receive an alert from a service provider, go straight to them. Go to their official website, or call the official number for the company. Never use the contact info that is provided in the email.

Monikaben Lala

Chief Marketing Officer | Product MVP Expert | Cyber Security Enthusiast | @ GITEX DUBAI in October

2 years ago

Robert, thanks for sharing!

Robert Fernandes I shared extensively about this topic last week here- https://www.dhirubhai.net/posts/mendy-kupfer-a81a142b_security-change-data-activity-7013867047495294976-s2f0?utm_source=share&utm_medium=member_ios The questions I keep getting are: which password manager to switch to? What are your thoughts on this?

George Donnelly

Full Stack Multi-VM Web3 Developer | Bitcoin Technical Writer | I transform complex projects into triumphs thru inspiration, iteration & storytelling | Bitcoin adoption pioneer | Rust, Solidity, Next.js, Move, Solid.js

2 years ago

I came to the same conclusion. LastPass is dead.
