Late in the year, just in time for the holidays, LastPass released more information about the security breach they experienced in August of 2022. And as could be expected, it wasn’t good news. It wasn’t the worst news, but in my estimation, it’s still going to create a lot of headache and work for their customers, some of whom are using their service based on our recommendation. C2 uses LastPass internally but not to store client passwords, but regardless we will be migrating away from them as soon as practically possible.
What this means for you
If you’ve read their statements regarding this security breach you might be under the impression than your passwords are safe. The encrypted vault that was stolen was a backup of customer data from September 22, 2022. If you started using LastPass after that date, you are not part of the breach and you are actually in the clear (for the moment). If you’ve been using LastPass before that date, it’s highly likely that hackers have access to your encrypted passwords. Per LastPass, if you choose a strong master password, those passwords are relatively safe. However, given enough time and computational resources, any encryption can be broken, so the clock is ticking on how long they will remain encrypted. It’s more important that you should know that each password’s associated login name and URL were also captured in the data stolen and those important bits weren’t encrypted. This gives hackers many more points of data to hone their phishing attacks and will result in highly targeted, realistic phishing emails that purport to be from services you actually use, utilizing specific information you will recognize, to lend credibility to fake emails. Given that it is definitely easier to trick humans than to crack 256-bit encryption, we’re banking on the fact that everyone, not just our clients will be facing numerous phishing attempts in the coming year. What can you do to combat (I do not use that word lightly) this?
- Any passwords stored in LastPass should be changed. If you have lots of passwords stored, this may take some time, but it will be well worth it.
- Any opportunity you are given to utilize multi-factor authentication to further protect an account should be taken.
- Review your master password. If it is not complex and/or easily guessable, you should change it. Be careful! If you mess this process up and lose your master password, they will not be able to recover it. You will have to abandon the account and the data within.
- Regard emails received from your known services very carefully, especially if it results in a login prompt or a password inquiry. Phishing emails are getting very sophisticated. If you receive an email that looks legitimate, don’t use the links embedded in the email regardless. Hand-type the URL of the service you need to use into your browser or use a favorite/shortcut you created to get to the website. Make sure you don’t mistype the URL – there are plenty of fake domains created specifically to capture mistyped URLs. Don’t search for the website using your browser – this can also lead to fake websites if you aren’t paying close attention.
- Consider moving to a different password management platform. Industry opinion is mixed on whether or not LastPass was using best-in-class technology and methodology to store your data at the time of the breach, but they are being widely criticized for their lack of transparency and urgency in addressing the breach. Understand that with a breach on this scale, multiple lettered agencies will be involved as well as numerous lawyers, so transparency will always suffer in these types of matters.
If you have questions about how you might be impacted by this breach, or what your company can do to implement password management at an organizational level, please give us a call or send us an email. We can provide a platform that can provide secure password sharing for you and your co-workers that is also administered and supported by C2.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net