LastPass Breached! Options To Address the Current LastPass Security Breach

  • Writer: Greg Miseta
  • Jan 12, 2023

Once again, LastPass, the vendor known for its password management solution, has disclosed a cybersecurity incident involving its platform.


In its latest announcement, LastPass publicly admitted that an unauthorized individual was able to access a third-party cloud storage service the company uses to store backup copies of its production data. The unauthorized individual made off with a copy of LastPass' backup data and, more importantly, a copy of customers' individual vault data. (See the LastPass announcement here.)


What LastPass is Saying About the Theft


LastPass is assuring the public and its customers that, even though a copy of vault data was taken during the breach, its zero-knowledge architecture and encryption algorithms make it "extremely difficult to attempt to brute force guess master passwords" for vaults secured with a strong master password. LastPass additionally notes that if you follow its best practice guidelines and default settings for securing your LastPass account, it would take "millions of years to guess your master password using generally available password cracking technology". This claim has come under scrutiny from some cybersecurity professionals and other password manager providers.


What Should You Be Doing in Response to The Breach?


Since at this time we can only take LastPass at its word on the extent of this breach, LastPass customers should consider taking the following steps to ensure that their accounts and data are protected against any future unauthorized access should the stolen backup copy of their vaults be decrypted:


  1. If you plan to continue using LastPass as your password manager service, update your master password, preferably to one that is not used for any other account. A length of 12+ characters with a mix of uppercase and lowercase letters, numbers, and symbols is a good start.

  2. Update the password for any accounts that you have stored in LastPass. This will render the data stored in the stolen backup copy of LastPass stale.

  3. Enable multifactor authentication (MFA) on every account stored within your LastPass vault where it is available. Should your passwords be exposed through decryption of the stolen LastPass backup, your accounts will remain relatively secure behind a second layer of security that the thieves do not possess. MFA also gives you a way to spot-check your accounts: most MFA options alert the account owner to login attempts, so you will notice if someone who knows your password tries to use it.

  4. Any stored notes, credit cards, security questions, and other information stored within LastPass that could be used to validate access to sensitive information or accounts should be updated as well.
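Steps 1 through 4 amount to rotating everything in the vault, but it helps to know where to start. The following audit script is an added example written for this post (not LastPass tooling) and assumes the vault has been exported in LastPass's CSV layout with the header `url,username,password,totp,extra,name,grouping,fav`; it flags entries that fall short of the 12+ character, mixed-class guidance above and entries whose password is reused across accounts, so those can be rotated first. The rows are constructed sample data, not real credentials.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the assumed LastPass CSV export layout; made-up entries only.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com,alice,Summer2022!,,,Mail,Personal,0
https://bank.example.com,alice,Summer2022!,,,Bank,Finance,1
https://shop.example.com,alice,Xq7#mL9$pW2&vT4z,,,Shop,Personal,0
https://forum.example.com,alice,correcthorse,,,Forum,Personal,0
"""

MIN_LENGTH = 12  # the post's "12+ characters" guideline


def password_findings(password: str) -> list[str]:
    """Return the ways a stored password falls short of the post's guidance."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    has_classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if not all(has_classes):
        findings.append("missing a character class (upper/lower/digit/symbol)")
    return findings


def audit_export(csv_text: str) -> dict[str, list[str]]:
    """Map each entry name to its findings: weak password and/or reuse across entries."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Group entry names by password so reuse across accounts is visible.
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["name"])
    report = {}
    for row in rows:
        findings = password_findings(row["password"])
        others = [n for n in by_password[row["password"]] if n != row["name"]]
        if others:
            findings.append("reused in: " + ", ".join(others))
        if findings:
            report[row["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(f"{name}: {'; '.join(findings)}")
```

Entries that produce no findings still need rotating after this breach; the report only orders the work.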

Should I Continue to Use a Password Manager?

The common knee-jerk reaction to hearing that a password manager as large as LastPass has fallen victim to a breach is to question whether continued use of such applications is wise. While opinions on password managers vary, we are here to say that, much like storing all your passwords in a text file or keeping them written on a post-it note tucked under your keyboard, a password manager alone is not a one-stop solution to password security, but rather a tool that helps bolster it. You should never rely on a password manager alone and assume your accounts are safe. In combination with a password manager, you should practice proper password hygiene by using complex passwords, refraining from reusing passwords across multiple accounts, and enabling multifactor authentication where possible.


LastPass customers should keep an eye out for any suspicious account login attempts and phishing attacks. In the event the stolen LastPass backup is decrypted, you can be sure those with stored account information will become the target of spear phishing attempts.

