During the November 2022 LastPass Breach the following information was stolen: basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, the IP addresses from which users were accessing LastPass, and an encrypted copy of some historical backups of customer vaults.
Although a copy of the encrypted vaults themselves was stolen, LastPass does not keep vault master passwords, so the data within them is not accessible unless users are reusing master passwords or not following the password complexity guidelines (12 characters minimum, including special characters).
As long as users have been properly managing their master passwords, the threat to the information inside any pilfered vault is minimal.
The most prominent concern arising from the breach is that LastPass did not consider the URL field to be critical, so that field was never encrypted. This means the URL associated with each vault entry can be easily decoded, as it was only converted into hexadecimal rather than encrypted. With both payment information and URL data exposed, this information could potentially be used for spear phishing campaigns: a type of phishing attack in which a malicious actor poses as a trusted sender in order to trick the recipient into revealing confidential information.
All LastPass users should change their master password for LastPass
While this will not have an impact on the historical vaults that were stolen, it’s always a good practice to change passwords for password management systems regularly!
All LastPass users with admin rights should update their passwords on ALL websites and platforms they manage
This ensures that the highest-value accounts, those that could do a significant amount of damage if compromised, are protected.
Everyone should enable Multi-Factor Authentication wherever possible
This should be done on every website possible, but particularly on LastPass.
Everyone should refresh their phishing knowledge
Remember: Never click any links or attachments in suspicious emails. If you receive a suspicious message from an organization and worry the message could be legitimate, go to your web browser and open a new tab. Then go to the organization's website from your own saved favorite, or via a web search. Or call the organization using a phone number listed on the back of a membership card, printed on a bill or statement, or that you find on the organization's official website. If the suspicious message appears to come from a person you know, contact that person via some other means such as text message or phone call to confirm it.
If you are a Palante Tech client and have questions or concerns about the LastPass breach and what this means for your organization, please reach out! We are dedicated to ensuring you and your organization are kept informed of all critical issues arising in the tech world.