LastPass Security Incident and Recommendations

Envision IT Pressroom | December 30, 2022


On August 25, 2022, LastPass sent a communication to its customers indicating it had detected “unusual activity” within its development environment. LastPass stated that no access to Master Passwords or vault data had been obtained, so no action was needed.

On September 15, 2022, LastPass sent a new communication stating that it had finished its investigation and confirmed “that there is no evidence that this incident involved any access to customer data or encrypted password vaults”.

On November 30, 2022, LastPass issued a new communication that it had “determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information”, while noting that “passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture”.

On December 22, 2022, LastPass provided an updated communication indicating that information from the August 25, 2022 incident was used to access its data backups, which contained “both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data”. In other words, the stolen backups are customers’ password vaults.

While this is bad news for LastPass and its customers, it is not all bad. If good password practices and good multi-factor authentication (MFA) were used wherever possible, it is very unlikely that the bad actors can use the stolen data to compromise the accounts stored in the vault. If a weak Master Password was used, or if the same (or a very similar) password was used for multiple accounts, then it is very possible for the bad actors to brute force their way into the backup of the vault and access those accounts. If those accounts don’t have MFA, the bad actors can log in and steal, impersonate or cause other damage. The other bad news is that LastPass did not encrypt all parts of the vault contents, so items like customer account information and website URLs can be used in phishing campaigns.

What actions you should take now depends on your situation.

  • If you didn’t have a strong and unique LastPass Master Password and MFA everywhere, you should urgently change all the passwords stored in your vault and enable MFA everywhere possible.
  • If you had a unique and strong Master Password and used good MFA wherever possible, you can take some time and decide whether LastPass and its new security procedures are still a fit for your needs.
  • If you are uncomfortable staying with LastPass, you should still absolutely use a great password manager. Consider Keeper Security (great for businesses) or Bitwarden (great for personal/family use) and start migrating your data to them. With either solution you can export your vault data from LastPass and import it into your new vault. Be sure to purge your old data in LastPass when you are done.
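Before deciding which vault entries to rotate first, it helps to audit the exported vault for exactly the weakness described above: the same or a near-identical password used across several accounts. The script below is an added example, not from LastPass or this article; it assumes the common LastPass CSV export layout (columns url,username,password,totp,extra,name,grouping,fav) and uses a constructed sample vault rather than real data.

```python
import csv
import io
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample in the assumed LastPass CSV export layout; not real vault data.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com,alice,Winter2021!,,,"Mail",Personal,0
https://bank.example.com,alice,Winter2021!,,,"Bank",Finance,0
https://shop.example.com,alice,Winter2022!,,,"Shop",Personal,0
https://vpn.example.com,alice,kX9#pL2@vQ7!mZ4r,,,"VPN",Work,0
"""

def load_vault(csv_text):
    """Parse an exported vault (CSV text) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def find_reuse(entries):
    """Map each password used by more than one entry to the entry names sharing it."""
    by_pw = defaultdict(list)
    for e in entries:
        by_pw[e["password"]].append(e["name"])
    return {pw: names for pw, names in by_pw.items() if len(names) > 1}

def find_similar(entries, threshold=0.8):
    """Return (name_a, name_b, ratio) for distinct passwords that are near-duplicates,
    e.g. the same word with a changed year or suffix digit."""
    pairs = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a["password"] == b["password"]:
                continue  # exact reuse is reported by find_reuse
            ratio = SequenceMatcher(None, a["password"], b["password"]).ratio()
            if ratio >= threshold:
                pairs.append((a["name"], b["name"], round(ratio, 2)))
    return pairs

def audit(csv_text):
    """Run both checks; entries listed here should be rotated first and given MFA."""
    entries = load_vault(csv_text)
    return {"reused": find_reuse(entries), "similar": find_similar(entries)}

if __name__ == "__main__":
    for kind, findings in audit(SAMPLE_EXPORT).items():
        print(kind, findings)
```

Run it against your own export file by reading the file contents into `audit()`, and delete the plaintext export securely once the migration is finished.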