LastPass, a popular password manager, recently announced that, “an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.”
The threat actor was able to copy a backup of customer vault data from the encrypted storage container. However, because of the encryption, sensitive information like usernames and passwords can only be accessed with the user’s master password. LastPass does not store master passwords, so the threat actor could not obtain them as part of the breach.
However, LastPass has warned users that the threat actor may attempt to brute force guess master passwords and decrypt the copies of vault data they took. LastPass states that, because of the hashing and encryption methods it uses to protect customers, it would be extremely difficult to brute force master passwords for those customers who follow its password best practices. Best practices include:
- Using a minimum of 12 characters – longer is better
- Including a combination of upper case, lower case, numbers, and special characters
- Never using information that is personal to you
- Never re-using passwords
If your LastPass master password is short/weak or you have used it elsewhere, it is easier to crack. Immediately begin changing the passwords in your vault, starting with your most critical accounts, such as banking and email, then work your way through the rest. You should consider changing your critical passwords regardless, just to be on the safe side. Enable two-factor authentication wherever possible.
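To make the four best practices above concrete, here is an added example script (not from LastPass or Invario) that checks a candidate master password against each practice and estimates how large the search space is that a brute-force attempt would have to cover. The guess rate passed to the estimate is an arbitrary assumption for illustration only; the script makes no claim about LastPass’s actual hashing parameters, and the personal terms and previously used passwords are constructed sample inputs.

```python
import hashlib
import string

# Character classes used to judge "a combination of upper case, lower case,
# numbers, and special characters".
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

MIN_LENGTH = 12  # "a minimum of 12 characters"


def fingerprint(password):
    """SHA-256 hex digest used only to compare a candidate against previously
    used passwords without keeping those passwords in plain text."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def classes_present(candidate):
    """Names of the character classes that appear in the candidate."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in candidate)}


def check_master_password(candidate, personal_terms=(), previously_used_hashes=()):
    """Return the list of best practices the candidate fails.
    An empty list means all four practices are satisfied."""
    failures = []

    # 1. Minimum length.
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    # 2. Mix of character classes.
    missing = set(CLASSES) - classes_present(candidate)
    if missing:
        failures.append("missing character classes: " + ", ".join(sorted(missing)))

    # 3. No personal information (case-insensitive substring match; terms shorter
    #    than three characters are ignored to avoid trivial false positives).
    lowered = candidate.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            failures.append(f"contains personal information: {term!r}")
            break

    # 4. Not re-used elsewhere.
    if fingerprint(candidate) in set(previously_used_hashes):
        failures.append("re-used from another account")

    return failures


def brute_force_estimate(candidate, guesses_per_second):
    """Size of the search space an attacker who knew only the length and the
    character classes in use would have to cover, and the worst-case time at
    the given guess rate (an assumed figure supplied by the caller)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_present(candidate))
    if alphabet == 0:
        return 0, 0.0
    keyspace = alphabet ** len(candidate)
    return keyspace, keyspace / guesses_per_second


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    personal = ["Smith", "1984", "Rover"]
    old_passwords = {fingerprint(p) for p in ["Summer2021!", "Rover1984"]}
    for pw in ["password", "Rover1984", "Smith2024!Pass", "Tr0ub4dor&3x"]:
        problems = check_master_password(pw, personal, old_passwords)
        space, secs = brute_force_estimate(pw, guesses_per_second=1e5)
        print(f"{pw!r}: {'ok' if not problems else problems}; "
              f"search space ~2^{space.bit_length() - 1}, "
              f"worst case ~{secs / 86400:.1f} days at 1e5 guesses/s")
```

The point the estimate illustrates is the one LastPass makes: going from 8 to 12 characters and adding all four classes multiplies the search space by many orders of magnitude, and the slow hashing on top of that is what makes each guess expensive. The reuse check compares hashes so a list of old passwords never needs to sit in the script in plain text.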
LastPass also states that the threat actor may target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. Be on the alert for targeted phishing attempts. Also, do not approve any unexpected 2FA requests via phone or email.
LastPass customers should remain vigilant and follow recommended precautions to ensure the security of their personal information. If you believe your account has been compromised, the company recommends you follow these steps. Contact Invario if you need assistance with any of the above.
Feedback
If you have questions about this article, or if there is an IT topic you would like to know more about please email me your suggestions.
Referral$
If you know of a company that would be interested in the services of Invario, please email me the company name along with the phone number and email for the person we should contact.
That is all you have to do! Upon completion of the onboarding of a new customer, Invario will pay the equivalent of one month of Invario service to that customer. Recipients that cannot or do not wish to receive a referral payment may elect to have the referral fee donated to a charity of their choice or put into a company entertainment fund.