UPDATE 03/03/2023: More news continues to come out about the breach. We are no longer comfortable recommending LastPass as your password management solution. If you have any questions about a good alternative or need help migrating off LastPass, give us a call.
What we recommend
- Migrate off of LastPass. Good alternatives include Keeper, Bitwarden, and 1Password
- Reset sensitive passwords, such as those used with bank accounts and other financial institutions, social media accounts, and email accounts
- Save your new passwords in your new password manager
- Be sure to use MFA for your new password manager!
LastPass recently notified customers about a data breach of their systems. Such an incident is cause for concern. But there are a lot of scary headlines out there that don’t paint the full picture. Here’s everything you need to know about the August 2022 LastPass breach.
What happened in the LastPass breach?
In August 2022, a hacker gained access to LastPass’s development network. Although details are scarce, it appears that the cybercriminal gained control of a LastPass employee’s computer. Through that access, they were able to steal proprietary information from the company.
Next, the cybercriminal used the stolen information to gain access to LastPass backup servers. That allowed them to steal some customer data, such as names, addresses, email addresses, and phone numbers. Additionally, they were able to steal some encrypted vaults, where customers store sensitive data like usernames and passwords.
It’s important to note that your credit card information is safe and has not been compromised.
What do you need to do?
First, take a deep breath and relax. Data breaches are never fun – especially when the breached product is a security tool you use, like LastPass. However, LastPass is handling the incident professionally and proactively. Let’s face it – no one can say they won’t ever be hacked. That’s why we are more interested in how the company handles the breach than in the fact that they were breached in the first place.
LastPass has provided many details about the data that was stolen and how the criminals may attempt to access the encrypted data. They have continued to post updates on their blog as more facts are discovered. It is our opinion that this was not caused by negligence on LastPass’s part, and that they have handled the situation appropriately.
If you haven’t already, you should use a LastPass Master Password of 12 characters or more. Never reuse that password anywhere else online, since reuse greatly increases the likelihood of a criminal accessing your vault. Lastly, be cautious about any emails that claim to come from LastPass and ask for confidential information.
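To make the reset list above concrete, here is an added example (not LastPass’s code and not part of the original article) that audits a LastPass-style CSV export for reused passwords, for accounts in the sensitive categories named earlier (banking, email, social media), and for a master password that also appears inside the vault. The column layout, the keyword list, and the sample rows are assumptions constructed for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The header is the layout we assume
# a LastPass CSV export uses; adjust it if your export differs.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://online.examplebank.com,alice,Tr0ub4dor&3,,,Bank,Finance,1
https://mail.example.com,alice@example.com,Tr0ub4dor&3,,,Email,Personal,0
https://social.example.net,alice,correct horse battery staple,,,Social,Personal,0
https://forum.example.org,alice,hunter2,,,Forum,Misc,0
https://shop.example.org,alice,hunter2,,,Shop,Misc,0
"""

# Keywords (assumed) that mark an entry as one to reset first.
SENSITIVE_HINTS = ("bank", "mail", "social", "finance")

def parse_export(text):
    """Read the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def reused_passwords(rows):
    """Map each password shared by more than one entry to the URLs using it."""
    by_pw = defaultdict(list)
    for r in rows:
        by_pw[r["password"]].append(r["url"])
    return {pw: urls for pw, urls in by_pw.items() if len(urls) > 1}

def is_sensitive(row):
    """True if the URL, name or folder matches a sensitive-category keyword."""
    haystack = " ".join((row["url"], row["name"], row["grouping"])).lower()
    return any(h in haystack for h in SENSITIVE_HINTS)

def reset_priority(rows):
    """Entries to reset first, each with the reasons it was flagged."""
    reused = reused_passwords(rows)
    flagged = []
    for r in rows:
        reasons = []
        if is_sensitive(r):
            reasons.append("sensitive")
        if r["password"] in reused:
            reasons.append("reused")
        if reasons:
            flagged.append((r["url"], reasons))
    return flagged

def master_password_reused(rows, master):
    """True if the vault's master password is also stored as a site password."""
    return any(r["password"] == master for r in rows)
```

Run it against your real export (never commit or email that file) and reset everything it flags, starting with the sensitive entries.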
It is very likely the criminals will use the information obtained in the breach to phish LastPass clients. They will try to trick them into freely giving up sensitive data or granting direct access to their LastPass account. If you’re ever in doubt – give us a call! We’re happy to provide advice about any suspicious communication you may receive.
So, what’s the good news?
The good news is that the hackers will have a very hard time accessing your sensitive data stored in your LastPass vault, if they can access it at all. The data is encrypted with state-of-the-art technology that won’t easily be cracked.
If you’re a LastPass Business user who uses federated login, your information is even safer. In this type of setup, additional authentication is required to decrypt your vault. This means it’s even less likely that the cybercriminals will gain access to your vault.
Please reach out if you have any questions about the LastPass breach or how you can implement layered cybersecurity in your business. We will continue to update this article with more information as it becomes available.