How Should You Respond to LastPass' Latest Security Incident?
On December 22, 2022, LastPass released a statement with new details about a security breach it had experienced in August. Let's look at how you and your organization should respond to LastPass' security incident.
Despite originally assuring customers that there was no evidence any customer data had been taken, that is no longer the case. LastPass states:
"To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service."
This has major security implications for customers and businesses that rely on LastPass to secure their applications. LastPass has directly contacted the accounts it believes were affected; regardless of whether you have heard from LastPass, we recommend taking action immediately.
All of these steps can be taken within the LastPass application.
- Change or strengthen your LastPass master password: LastPass recommends, and defaults to, a minimum of 12 characters, but that minimum can be lowered in LastPass' settings. Your master password should be at least 16 characters and contain letters, numbers, and special characters. The longer and more complex your password, the harder it is to crack. Do not use personal details or basic passwords such as "password" or "1234". Keep in mind that a new master password only protects copies of your vault made from now on: if an encrypted copy of your vault was already taken, the old master password is still what protects that copy, so a weak old master password is also a reason to rotate the credentials stored inside the vault.
- Implement multi-factor authentication: If you do not already have MFA enabled on LastPass, turn it on now. Set up MFA not only for LastPass itself but for every account stored in your vault that supports it.
- Take stock of what information is held in your vault: Do you have any extremely sensitive information in your LastPass vault? If you use LastPass for work, the vault may contain credentials that could give an attacker a foothold in your organization. It may also hold logins for your bank account or other applications you would not want a bad actor to get hold of. Identify those entries first so you know which credentials to rotate.
- Do not reuse your master password on other accounts: Your master password should be unique and used nowhere else, including on accounts stored in your vault. If a bad actor gains access to one account in your vault and that account shares your master password, they may gain access to everything else.
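The "take stock" and "do not reuse" steps above are easier with a quick pass over a vault export than by scrolling through the vault by hand. The script below is an added example, not code from the original post or from LastPass: it reads a CSV in the shape of a LastPass export (the column names `url,username,password,totp,extra,name,grouping,fav` are an assumption for this example; check them against the header of your own export), applies the post's length and character-class rules to every stored password, finds passwords shared by more than one entry, and flags entries whose URL or folder matches a set of assumed "sensitive" keywords (banking, work systems). The entries that are both sensitive and either weak or reused are the ones to rotate first. The sample export is constructed for the example.

```python
import csv
import io
import string
from collections import defaultdict

# Constructed sample in the shape of a LastPass CSV export. The header is an
# ASSUMPTION for this example; verify it against the first line of a real export.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://bank.example,alice,Correct-Horse-Battery-Staple-42!,,,Bank,Finance,0
https://mail.example,alice@example.com,Summer2022!,,,Mail,Personal,0
https://vpn.corp.example,alice,Summer2022!,,,VPN,Work,0
https://shop.example,alice,Summer2022!,,,Shop,Personal,0
https://hr.corp.example,alice,q9#Vz2!pLm8@Rt4w,,,HR portal,Work,0
"""

MIN_LENGTH = 16  # the post's recommended minimum, applied here to stored passwords too
# Assumed keywords marking "foothold" accounts (banking, work systems) for this example.
SENSITIVE_KEYWORDS = ("bank", "corp", "vpn", "hr")


def parse_export(text: str) -> list[dict]:
    """Parse the CSV export into one dict per vault entry, keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def password_problems(pw: str) -> list[str]:
    """Apply the post's rules: at least 16 characters, with letters, digits and specials."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("short")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no specials")
    return problems


def reused_passwords(rows: list[dict]) -> dict[str, list[str]]:
    """Map each password that appears in more than one entry to the URLs sharing it."""
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["url"])
    return {pw: urls for pw, urls in by_password.items() if len(urls) > 1}


def is_sensitive(row: dict) -> bool:
    """Flag entries whose URL or folder name matches one of the assumed keywords."""
    haystack = f'{row["url"]} {row["grouping"]}'.lower()
    return any(keyword in haystack for keyword in SENSITIVE_KEYWORDS)


def triage(export_text: str) -> dict:
    """Summarise a vault export: weak entries, reused passwords, sensitive entries,
    and the intersection (sensitive AND weak-or-reused) to rotate first."""
    rows = parse_export(export_text)
    reused = reused_passwords(rows)
    reused_urls = {url for urls in reused.values() for url in urls}
    weak = [r["url"] for r in rows if password_problems(r["password"])]
    sensitive = [r["url"] for r in rows if is_sensitive(r)]
    rotate_first = sorted(
        url for url in sensitive if url in reused_urls or url in weak
    )
    return {
        "reused": reused,
        "weak": weak,
        "sensitive": sensitive,
        "rotate_first": rotate_first,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EXPORT)
    for pw, urls in report["reused"].items():
        # Do not print the password itself when running this on a real export.
        print(f"password shared by {len(urls)} entries: {', '.join(urls)}")
    print("weak:", report["weak"])
    print("sensitive:", report["sensitive"])
    print("rotate first:", report["rotate_first"])
```

Run it on a copy of your export and delete the export file afterwards; a plaintext CSV of your vault is exactly the kind of artefact the steps above are meant to protect. On the constructed sample, the VPN entry is the only one that is both work-related and sharing a short password, so it tops the rotation list.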
How you respond to LastPass' security incident is your decision, but if you decide to stay with LastPass, it is important to take these steps to reduce the likelihood of your vault being exposed. Passwords are your first line of defense, so protecting them is imperative.
Details surrounding the LastPass security incident are still forthcoming. These details are current as of January 3, 2023. You can read LastPass' full statement here.
CorpInfoTech can help your organization be proactive rather than reactive; start with your people. Check out CorpInfoTech's simple Password Security blog, which can be passed on to your employees. Password Security blog here.
Read more about LastPass Security Incident at CorpInfoTech’s blog: LastPass' December 2022 Security Incident
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.