LastPass Security Incident

 Nexus IT has closely followed an incident involving LastPass, a commonly used password management tool for businesses and consumers. The incident began in August 2022 and LastPass posted updates to their blog in November and December of 2022.  

 What Happened?

 A threat actor gained access to a cloud storage container that stored backups of individuals’ data. LastPass detailed what was compromised in their most recent December post.

 ...basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

 In November 2022 LastPass Stated

 We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

LastPass only gave vague details in November and previously insisted in August that customer data was not at risk. Nexus IT did not feel it was necessary to take on LastPass’ responsibility to inform customers of the incident until their latest post.  

 Am I at Risk Now?

 To put it briefly, yes. Some personal information was exposed as LastPass indicated (customer names, billing addresses, email addresses, phone numbers, URLs, and IP addresses). As our security partner Sophos put it, “Loosely speaking, the crooks now know who you are, where you live, which computers on the internet are yours, and how to contact you electronically.”  

 What Should I do To Protect My Passwords?

   1. Change your LastPass master password.
     1. A strong master password must include 12 characters minimum, an upper and lower case letter, a number, and a symbol.
   2. Enable Multi-Factor Authentication (MFA) for your LastPass account. Neither LastPass nor any other legitimate party will contact you to ask for your master password. Never give out your master password.
   3. Never use your master password for anything else. If your master password was leaked from some other site, then your entire password vault may be at risk.
   4. Change all passwords in your password vault if any of the following are true for you:
     1. Your master password was reused for any other account or website.
     2. Your master password is easy to guess or a commonly used password.
     3. Your master password did not follow the recommended password requirements above.
     4. You have given out your master password to anyone else.
   5. For good measure, even if none of the conditions in step 4 apply, change all the passwords in your vault anyway. For a complete explanation of why this is recommended, please review Sophos’ blog post about the incident.

 For assistance or additional details of the incident, one of our expert cybersecurity consultants would be happy to help!

 LastPass full blog post:

Sophos blog post:

 Written by Brock Arveseth

Nexus IT Special Ops Manager