Password management service says no cause for concern; cybersecurity experts disagree…
Current and former users of LastPass password management services, be advised:
LastPass Data Breach
On December 22, 2022, LastPass posted an official notice on their website of a recent security incident involving a breach of their data storage systems, which contained both encrypted and unencrypted data.
What was accessed?
According to the notice, the threat actor was able to access and copy unencrypted data such as “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” as well as encrypted versions of data such as “website usernames and passwords, secure notes, and form-filled data.”
LastPass goes on to claim that its systems remain secure thanks to a Zero Knowledge architecture that protects users’ master passwords, so the stolen data stays encrypted as long as the master password remains unknown to the attackers.
However, data security experts and analysts have criticized the notice and security protocols of LastPass in light of this recent breach. Some respondents have even advised caution with continuing to use LastPass as a password management service. Read more about what the cybersecurity community has to say in this related article from The Verge.
As the story continues to unfold, concern is growing about the security of passwords stored in LastPass as well as master passwords.
What should LastPass users do now?
Given the level of impact related to this type of risk, users should take action immediately.
If you use or have used LastPass to manage your passwords, consider changing your master password and begin rotating every password saved in LastPass. Start with your most critical accounts and identify any that hold the most sensitive information, such as your banking and other financial accounts.
Additionally, we asked Jeff Oden, our VP of Information Security, for his thoughts and recommended next steps:
- We expect to see more developments, and the true impact of this breach is not fully known
- Focus on changing passwords immediately, including your LastPass master password
- Take this opportunity to ensure MFA is enabled wherever possible
- Ensure staff understand the impact and how it could lead to social engineering and targeted phishing attacks as well
- Take a risk-based approach to protecting your business and begin by understanding your own specific areas of risk
- Remember, nothing is 100% secure, so people need to consider the impact factor of risks when using a password manager
How to learn more about your risks
With Adar IT and Rigid Bits Cybersecurity now working closely together, this is a great time to take advantage of our free cybersecurity resources.
When you take a risk-based approach to cybersecurity, you step outside of specific scenarios like this LastPass event and can begin to look more holistically at how to protect your systems from any kind of attack. Not only is this more realistic, but it also allows businesses to more effectively identify and prioritize the efforts that will address their highest areas of risk.