In 2022, the popular password manager LastPass was the victim of a major data breach. If you’re a current or previous LastPass user, you may be wondering how this security incident impacts you. In this blog, we will summarise the incident and provide some tips for minimising the risk of further impact.
On December 22, 2022, LastPass CEO Karim Toubba announced in a blog post that a security incident, first disclosed in August 2022, had resulted in an unknown threat actor stealing sensitive customer information. This included LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses. More importantly, customer password vaults were also stolen. These consisted of unencrypted website URLs and encrypted login credentials for every website that LastPass users had stored.
In a later update, LastPass revealed that the threat actor gained access to LastPass systems by installing a keylogger on an employee’s home computer, enabling them to record the employee’s keystrokes and steal credentials. Initially, LastPass only said that the threat actor was able to do this by exploiting “a vulnerable third-party media software package”. It has since been reported that the threat actor exploited the employee’s unpatched Plex Media Server.
In response to the breach, LastPass says that it prioritised and initiated significant investments in security, privacy, and operational best practices. The company also performed a comprehensive review of its security policies and made changes to restrict access and privilege, where appropriate.
The LastPass breach is just one of many incidents that the company has experienced since it was founded in 2008. In 2011, a security scare forced its users to change their master passwords. A similar incident happened four years later. And just last year, users were forced to change their master passwords after the company detected malicious login attempts.
This also isn’t the first time that a cyber criminal targeted an employee’s home computer. Back in 2012, Russian national Yevgeniy Nikulin hacked the personal iMac of a LinkedIn engineer who sometimes used the computer to work remotely. From there, he stole the employee’s username for the LinkedIn corporate virtual private network, which enabled him to access LinkedIn’s database of more than 100 million usernames and passwords.
All LastPass users with information stored on the company’s servers until August 2022 are impacted by this breach. So unless you created an account since the incident, your LastPass vaults are likely already in the hands of cyber criminals.
At this point, they may try to use brute force to guess your master password and decrypt the copies of vault data they stole. While LastPass says that doing this would be “extremely difficult,” this would only apply if you followed the company’s password best practices. So if you used weak passwords, your account could easily get hacked.
Once threat actors infiltrate your LastPass account, they can easily gain access to your online accounts, resulting in a security breach. If you run a business, this can cause reputational damage, loss of customer trust, legal and regulatory fines, as well as operational disruptions. This is a risk you can’t ignore as a study has shown that data breaches can cost firms as much as $4.35 million. Some businesses even end up closing down within six months after a breach.
If you’re an individual, on the other hand, cyber criminals may use your data for identity and financial fraud. For instance, they can use your login credentials to access your bank and credit card accounts, and make large purchases or take out loans in your name.
Now that you better understand the risks of the LastPass data breach, it’s important to mitigate the breach’s effects and protect yourself from future incidents. Let’s take a look at some of the things you can do:
As a precaution, you should change any passwords that were stored in your vault immediately, as well as your LastPass master password.
To create a complex password, you may wish to use a passphrase – combining several seemingly unrelated words that you use as a password. For instance, according to Useapassphrase.com, it will take cyber criminals 189,289,229,106 centuries to crack the passphrase “gleaming premiere strongman crabbing.” Because passphrases are composed of words, they are easier to remember than passwords that contain random letters, numbers, and symbols.
Alternatively, you can use LastPass or another password manager to generate a strong password. Password managers automatically encrypt and save passwords, eliminating the need to memorize them or write them down.
Whichever type you choose, make sure to create unique passwords for each account.
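To make the “extremely difficult” claim above concrete, here is an added example (not code from the post or from LastPass) that stretches a master password with PBKDF2-HMAC-SHA256, measures how many guesses per second a single core can test, and estimates how long an offline attacker would need for weak passwords versus random passphrases. The iteration count, the word-list size and the attacker speed-up are assumptions stated in the comments, not figures from the post.

```python
import hashlib
import math
import os
import time

# Assumed, not stated in the post: PBKDF2-HMAC-SHA256 as the vault key
# derivation function, with 100,100 iterations (the figure commonly reported
# as the LastPass default; treated here purely as an assumption).
KDF_ITERATIONS = 100_100


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def guesses_per_second(iterations: int = KDF_ITERATIONS, samples: int = 3) -> float:
    """Measure how many master-password guesses one CPU core can test per second.
    Every guess costs a full PBKDF2 run, so a higher iteration count slows guessing."""
    salt = os.urandom(16)  # constructed sample salt
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def search_space_bits(symbols: int, length: int) -> float:
    """Entropy of a uniformly random secret: `length` picks from `symbols` choices.
    For a passphrase, `symbols` is the word-list size and `length` the word count."""
    return length * math.log2(symbols)


def expected_crack_seconds(bits: float, rate: float) -> float:
    """Average time to reach the right guess: half the search space at `rate` guesses/s."""
    return 2 ** (bits - 1) / rate


def crack_time_table(rate: float, attacker_speedup: float = 1_000_000) -> dict:
    """Compare password policies against an attacker `attacker_speedup` times faster
    than this machine (a GPU cluster; the multiplier is an assumption)."""
    policies = {  # (symbols, length); the 7776-word list size is the Diceware convention
        "8 lowercase letters": (26, 8),
        "8 chars from a 95-symbol set": (95, 8),
        "4 random words (7776-word list)": (7776, 4),
        "6 random words (7776-word list)": (7776, 6),
    }
    return {name: expected_crack_seconds(search_space_bits(s, n), rate * attacker_speedup)
            for name, (s, n) in policies.items()}


if __name__ == "__main__":
    rate = guesses_per_second()
    print(f"this machine: {rate:.1f} guesses/s at {KDF_ITERATIONS} iterations")
    for name, secs in crack_time_table(rate).items():
        print(f"{name:32s} {secs / 31_557_600:>20,.1f} years")
```

Note that the vault data is offline in the attacker’s hands, so only the master password’s entropy and the KDF cost stand between them and the plaintext; MFA plays no part in this calculation.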
Multi-factor authentication (MFA) is a security solution that enables users to protect their accounts better by requiring another proof of their identity aside from their username and password. This could be a physical security key, a one-time PIN (OTP), or a facial or fingerprint scan. With MFA enabled, a threat actor won’t be able to access your account even if they get hold of your username and password.
As much as possible, avoid using SMS-based authentication as it is not a secure method. Cyber criminals, for instance, can engage in SIM swapping, wherein they impersonate you and convince a telecom provider to transfer your number to a SIM card in their possession. This gives them access to your OTPs and password reset links.
It’s worth noting that having MFA enabled on your LastPass account does not protect you from the effects of this breach. The attacker may already hold a copy of your password vault, and decrypting that offline copy requires only your master password, not a second factor.
Have separate devices and email accounts for your personal life and professional matters. This way, if a threat actor gains access to one of your devices or accounts, you can limit their attack surface and reduce the potential damage they can cause.