LastPass breached.. here are your REAL risks!



What happened

Back in August 2022, reports hit the web indicating that password manager LastPass, a product of GoTo, was breached. They stated that an employee's account was compromised to gain unauthorized access to the development environment, that the incident was contained, and that customers had nothing to worry about. At the time, there were no signs that customer information had been accessed, since this was a development environment, and password vaults were said to be unaffected.

November 2022 came and LastPass was back in the press with reports stating they were breached again. This time around, LastPass said that the intruder had gained access to customer information, but again, stated people had nothing to worry about. At that time, LastPass CEO Karim Toubba said they were investigating the incident.

Fast-forward to December 2022, days before Christmas, when LastPass published another article with their findings. They stated, "some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service." They also stated that the threat actor stole a copy of customers' encrypted password vaults.

Yet again, the company stated that customers had nothing to worry about and that the data was encrypted blah blah blah.. even though the stolen data contained both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. They also got basic customer information like company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.


Our opinion

In our opinion, there was a real lack of transparency in the entire investigation period and the company was more focused on protecting its reputation than they were invested in protecting its end users. We find it odd (shady may be a better word) that the most information that was provided the entire time was 3 days before Christmas when LastPass knew many people would be offline for the holidays celebrating and spending time with their families.


The real risks

The problem with the breach is that not only did the threat actor(s) get a copy of encrypted password vaults, but they also got basic customer information, which includes the email addresses used to create the LastPass accounts, as well as unencrypted data, specifically the website URLs stored in each vault.

First, a threat actor with this information can easily go on the dark web to purchase username and password data from previous breaches unrelated to LastPass. They can then match that data with the email addresses from LastPass to build out entire profiles for each user. If any user reuses passwords (which we never recommend), a hacker may be able to use that third-party data to sign into your LastPass vault and get everything in there, even if you already changed your LastPass password, as they have an offline version of the vault already. 

Whether that works or not, since the hacker also knows the URLs each user uses, they can use third-party data from the dark web to try to access those websites directly, even without ever opening the vault. This eliminates the need to guess what services a user might be using, as they now have a list of exactly what you use.


Here's how you protect yourself

As we extrapolate how an attacker might use this information, we've come to the conclusion that there are three actionable steps to better protect yourself.

First, and this is going to be extremely tedious, you should sign into every website saved in your LastPass vault and change all of your passwords. Changing only your LastPass password is not an option here, especially if you use the same password on multiple websites. Again, the hackers have an offline copy of your vault, so changing your LastPass password will have zero impact on what they already have, though it will help protect you moving forward.

Second, we recommend you NEVER use the same password for multiple websites. The benefit of a password manager is that you do not have to remember all your passwords, so there is no reason to make them the same or use the same password for multiple websites. If this was to happen in the future, it would also prevent having to change all your passwords again as it will never match third-party data available on the dark web. 

Third, we recommend you ALWAYS use multi-factor authentication when available on third-party websites. This way, even if someone was able to determine your password, there are still barriers in place to stop them or at least make it not worth the effort.

Lastly, as you go through changing your passwords for individual accounts, we suggest you focus on accounts not using MFA. While changing all accounts is recommended, the biggest risks are the websites where you do not have MFA.
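The risk section above hinges on password reuse, and the four steps here come down to one worklist: rotate every stored credential, reused passwords and sites without MFA first. The script below is an added example for triaging that worklist; it is not LastPass's code or tooling. It assumes the vault was exported as a CSV with a `url,username,password,totp,extra,name,grouping,fav` header (the common password-manager export shape) and treats a non-empty `totp` column as "MFA is configured for this site"; the sample rows are constructed. Passwords are only ever compared by hash so the report never echoes a secret.

```python
"""Triage a password-manager CSV export after a vault-theft incident.

Added example, not vendor code. Assumed export shape:
url,username,password,totp,extra,name,grouping,fav
A non-empty 'totp' field is taken to mean MFA is enabled for that site.
"""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export for illustration only.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com,alice@example.com,Winter2019!,,,Mail,,0
https://bank.example.com,alice@example.com,Winter2019!,JBSWY3DPEHPK3PXP,,Bank,,0
https://shop.example.com,alice,hunter2,,,Shop,,0
https://forum.example.com,alice,hunter2,,,Forum,,0
https://work.example.com,alice@example.com,k9$Vq2!xLp8mZ,JBSWY3DPEHPK3PXP,,Work,,1
"""


def parse_export(text):
    """Return the export rows as dicts, skipping rows without a URL."""
    return [row for row in csv.DictReader(io.StringIO(text)) if row.get("url")]


def password_fingerprint(password):
    """Hash the secret so the report and any logs never carry the plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reused_passwords(entries):
    """Map each reused password's fingerprint to the URLs that share it."""
    by_fp = defaultdict(list)
    for entry in entries:
        by_fp[password_fingerprint(entry["password"])].append(entry["url"])
    return {fp: urls for fp, urls in by_fp.items() if len(urls) > 1}


def triage(entries):
    """Order accounts for rotation: reused password and no MFA come first.

    Priority 1: reused password, no MFA   (exposed and unprotected)
    Priority 2: unique password, no MFA   (exposed, no second barrier)
    Priority 3: reused password, MFA on   (still rotate, MFA buys time)
    Priority 4: unique password, MFA on   (rotate last)
    """
    reused_urls = {url for urls in find_reused_passwords(entries).values()
                   for url in urls}
    report = []
    for entry in entries:
        reused = entry["url"] in reused_urls
        has_mfa = bool((entry.get("totp") or "").strip())
        priority = 1 + (2 if has_mfa else 0) + (0 if reused else 1)
        report.append({"url": entry["url"], "reused": reused,
                       "mfa": has_mfa, "priority": priority})
    return sorted(report, key=lambda r: (r["priority"], r["url"]))


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print(f"{len(find_reused_passwords(rows))} password(s) reused across sites")
    for item in triage(rows):
        flags = ("reused" if item["reused"] else "unique",
                 "mfa" if item["mfa"] else "NO MFA")
        print(f"P{item['priority']}  {item['url']:<28} {' / '.join(flags)}")
```

Run it against your own export instead of `SAMPLE_EXPORT` and work down the list from priority 1; once every site has a unique password and MFA wherever it is offered, a future vault theft leaves an attacker with nothing that matches any third-party breach data.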


