LastPass users must act now in order to protect themselves
Recommendations for LastPass Users
LastPass users should go through their vaults and take extra steps to protect themselves. Here are our recommendations:
- Change all passwords for all accounts stored in LastPass, including your LastPass vault password
- Turn on 2-factor authentication (2FA) and/or multi-factor authentication (MFA) for the following:
– e-Mail, personal and professional
– Financial Services
– Social Media Accounts like Facebook, Pinterest, YouTube, etc
– Mobile Device Accounts with Verizon, T-Mobile, Sprint, etc.
– Any and all websites you access, e.g. Amazon, Macy’s, USPS, UPS, Spotify, Etsy, Udemy, etc.
- Switch to a new password manager.
You can review other recommended password managers at CyberNews.
Are You at Risk?
Possibly. All LastPass users may face a security risk.
Information stolen by the hacker included customer metadata, such as business names, individual names, mailing addresses, email addresses, telephone numbers and IP addresses of people using LastPass services.
Additionally, both encrypted and unencrypted customer vault data were copied. This included website credentials, secure notes, form-fill data, and partial credit card details. The sensitive fields remained encrypted: under LastPass’s Zero Knowledge design the encryption key can only be derived from the user’s master password, and encryption and decryption take place exclusively within the LastPass client. The unencrypted material contained website URLs and partial credit card information; LastPass states that it does not store complete credit card numbers in its systems.
Malicious actors now hold key information about LastPass customers, and they will try to leverage it through social engineering and brute-force attacks, which may result in stolen customer credentials.
Don't Lose Faith in Password Managers
A senior security engineer, who asked to remain anonymous due to the sensitivity of the LastPass breach, said, “One hundred percent, yes, people should switch to other password managers. LastPass failed to do the one thing they are supposed to: provide cloud-based secure credential storage.”
Experts in the cybersecurity industry universally emphasize that the situation with LastPass shouldn’t deter people from using password managers in general.
Lukasz Olejnik, an independent privacy researcher and consultant, said, “As someone with experience handling and communicating EU data breach notifications, I’d say that LastPass’s chosen communication strategy may undermine user confidence.” Olejnik added: “The big issue is also the timing. Why do it just prior to the end-of-year holidays, when the initial investigation began months ago?” Jeremi Gosney, a senior principal engineer on Yahoo’s security team and an expert password cracker, wrote this week about the LastPass issue: “I used to support LastPass. I recommended it for years and defended it publicly in the media… But things change.”
Recommendations from Barracuda MSP
Review these recommendations to limit the impact of this LastPass security incident:
- Review the password policies outlined by LastPass (https://support.lastpass.com/help/what-is-the-lastpass-master-password-lp070014)
- Ensure LastPass Federated Login Services are implemented in your business (https://support.lastpass.com/download/lastpass-technical-whitepaper)
- Conduct phishing simulations and training within your organization to raise awareness of social engineering attacks
- Audit and take inventory of user/admin accounts and their access to LastPass
- Review LastPass’s Zero Knowledge architecture (https://www.lastpass.com/security/zero-knowledge-security)
- Be informed on the latest updates to LastPass’s security incident (https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/)