
LastPass Password Vault Data Breach Advisory
January 6, 2023
Fortalice Solutions

LastPass, a popular password management tool, enables its customers to store all their usernames and passwords for online accounts, including sensitive financial, healthcare, email, and social media accounts. Users are also able to store personal identity documents and data on the platform. This past August, LastPass disclosed a breach in which unauthorized users accessed the company’s development environment.

On December 22, 2022, LastPass disclosed that, as part of its investigation into the August breach, it had uncovered evidence that threat actors had successfully accessed unencrypted portions of LastPass customers’ vaults, where individual data, including company names, billing addresses, email addresses, phone numbers, and IP addresses, is stored. While LastPass reports that its customers’ sensitive data remained encrypted, the breach means a threat actor could discern which banking website a customer uses, though they would not have access to the username or password for it. More troubling, threat actors were able to copy a backup of customer vault data from the encrypted storage. If they find a way to decrypt that vault data, they would gain access to every online account and piece of information a customer has stored in LastPass.

How to Protect Your Organization and Yourself

If you or your organization uses LastPass, there are a few immediate steps you can take to mitigate the risk:

  • Change your LastPass Master Password. If you are a LastPass user, changing your master password immediately will mitigate the risk to your vault. LastPass requires the master password to be 12 characters.
  • Change passwords for sensitive site credentials. Change the passwords for all accounts in your LastPass vault, beginning with sensitive sites (e.g., financial, health care, and email accounts). LastPass has a password generator built into its platform, or you can generate your own secure password. Ensure all new passwords are longer than 10 characters and that every password is unique to its site.
  • Ensure you are using Multi-Factor Authentication. More and more sites offer multi-factor authentication (MFA) at log-in. MFA generates a temporary code that must be entered in addition to the username and password. Some sites allow you to use authenticator apps, such as Microsoft Authenticator or Google Authenticator, to generate these temporary codes.
  • Recognize Phishing and Smishing Attempts. Because the email addresses, company names, and billing addresses saved to your LastPass vault were exposed, be on the lookout for social engineering and phishing attempts. Know the red flags for social engineering attacks, including a sense of urgency, grammar or spelling errors, malicious links in an email, an odd domain or URL, inconsistent information, or suspicious attachments. If you receive a suspected phishing message, you can always verify its legitimacy by opening a new browser and going directly (i.e., not using the provided link or phone number) to the company’s website.

We value you as customers, and we understand incidents like these can be unsettling. We are here to help. Fortalice is committed to providing you with the tools and confidence to fortify your interests, protect your organization, and maintain a strategic advantage over adversaries. If you have any questions or need assistance implementing the necessary threat mitigation steps for your organization, please do not hesitate to reach out to us via email at watchmen@fortalicesolutions.com or by phone at 877-487-8160.
