In the News

December 28, 2022

The Latest Update on the LastPass Breach

There have been a lot of updates over the last few days about the potential fallout from the security incident that LastPass, a leading password manager, suffered back in November 2022.

This is not so much a new incident as it is new information coming to light during the course of the original, ongoing investigation. Initial findings are just that: initial. A quality review of an incident may discover more facts and details over time as investigators pull on investigatory threads to uncover the full scope and breadth of what occurred within the initial incident. It was during this ongoing process that LastPass discovered the situation was worse than they had initially believed and reported it to be.

A copy of a user’s password vault was obtained by the threat actor. Usernames and passwords were included in the dataset, but that data is encrypted within it, so it is not readable in the clear by anyone who has access to the database. LastPass also says that it applies additional security and hardening measures that help ensure the encryption keys cannot be broken (this is only a light mention of its process; the full technical details are beyond the scope of this write-up).

LastPass states that if you followed their minimum rules when creating your account with them, it would take millions of years for a cracking rig (a computer system set up specifically to crack passwords) to break the encryption of your username and password.

LastPass has published its full disclosure and write-up on its blog, and Ars Technica has an excellent technical write-up of the implications. The main question is what the individual user should do.

The Validity of Password Managers & Action Items

This breach does not invalidate the use of a password manager. No solution will ever be 100% fail-proof, including password managers or password management systems. Security solutions are designed to have defense-in-depth and be resilient under attack.

However, all things will always retain a certain level of risk. It’s important to be fully aware of that risk and to make an informed decision when accepting that risk. Now that we have that out of the way, let’s talk about action items you can take:

  1. Confirm that you have multifactor authentication (MFA) set up for all accounts within your vault that allow some form of MFA. You should especially make sure that your password vault’s master password is covered with MFA. Keep in mind that MFA protects logins to the service itself; it does not protect an encrypted copy of the vault that is already in an attacker’s hands, which is why the strength of the master password still matters.
  2. Strongly consider changing your master password if you’ve ever used it as a password elsewhere. Password reuse is a far more common issue when it comes to credentials being compromised than the encryption being cracked.
  3. Strongly consider changing the passwords to some of your more ‘vital’ accounts. These are accounts that are especially important to you, e.g. email, banking, healthcare, finance, etc. If you are still concerned about residual risk from storing the password within a manager, don’t store the entire password within the vault. When logging in, manually input the last few characters.
  4. Update the security questions to vital accounts. You do not need to be honest if you’re using your ‘mother’s maiden name’ or ‘high school mascot’ as verification questions. Use random answers for each site and save those in a separately secured file (Standard Notes is a common choice among privacy enthusiasts).
  5. Audit your accounts and close out ones that you no longer need. Many of us create accounts over our lifetimes that have a short shelf life. They can still be used as phishing lures or become potential points of exposure should they be breached. An annual account clean-up can go a long way in helping mitigate that kind of risk.
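The cracking-time claim above and the point about password reuse in item 2 come down to the same arithmetic: an attacker holding an offline copy of the vault must pay one full PBKDF2 derivation per guess, so the outcome depends on how many guesses are needed. The following is an added illustration, not code from the article or from LastPass; the rig throughput, the 100,100 iteration count and the simplified PBKDF2-HMAC-SHA256 derivation are assumptions chosen for comparison only.

```python
import hashlib

# Constructed figure for a hypothetical offline cracking rig: raw SHA-256
# computations per second. Not a number from the article or from LastPass.
RIG_SHA256_PER_SEC = 2.0e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Simplified PBKDF2-HMAC-SHA256 key derivation (assumed shape, not the
    vendor's exact scheme). It shows why every guess against a stolen vault
    costs `iterations` hash computations rather than one."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               salt.encode(), iterations, dklen=32)


def random_password_space(length: int, charset_size: int) -> int:
    """Number of candidates for a truly random password of the given length."""
    return charset_size ** length


def years_to_crack(search_space: float, iterations: int,
                   hashes_per_sec: float = RIG_SHA256_PER_SEC) -> float:
    """Expected years to recover a master password drawn uniformly from
    `search_space` candidates when each guess costs one PBKDF2 derivation.
    On average half the candidates are tried before the right one is hit."""
    guesses_per_sec = hashes_per_sec / iterations
    return (search_space / 2) / guesses_per_sec / SECONDS_PER_YEAR


if __name__ == "__main__":
    iters = 100_100  # assumed iteration count for the comparison; not from the article
    cases = {
        "12 random chars, 95-symbol set": random_password_space(12, 95),
        "8 random lowercase letters": random_password_space(8, 26),
        # A reused password that already appears in a leaked list is not random
        # at all: the attacker only has to try the entries of that list.
        "reused password in a 1e9-entry leak": 1e9,
    }
    for label, space in cases.items():
        print(f"{label:40s} ~{years_to_crack(space, iters):.3g} years")
    # Lowering the iteration count speeds up every guess proportionally.
    print("same 12-char password at 5,000 iterations:",
          f"{years_to_crack(random_password_space(12, 95), 5000):.3g} years")
```

The three cases make the article's advice concrete: a long random master password stays out of reach for astronomically long, a short or reused one falls in days or minutes regardless of the iteration count, and a lower iteration count shortens every estimate by the same factor.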

The question is always one of risk acceptance: knowing as many of the facts as are available in the moment, are you making an informed decision that aligns with the level of risk you are willing to accept in these specific circumstances? This is an important question to consider for all situations, whether they’re headline-popping news items or mundane matters such as patching cycles.

Cybersafe Solutions is a state-of-the-art, managed security provider. With more than 20 years of experience in the online threat landscape, our team of certified specialists is equipped to bolster your organization's security posture with cutting-edge tech and continuous monitoring—expertly thwarting attacks before they occur.
