Lastpass Breach: What to Do About It
How to Protect Yourself & Your Wealth from the LastPass Hack
You may have already heard about the LastPass breach, victimizing one of the leading password management programs, not once, but twice in the past few months. LastPass recently updated information about the two breaches in a letter to users on the LastPass website.
The First LastPass Breach Leads to the Second
In the first LastPass breach, dating back to August of last year, an unidentified threat actor gained access through a compromised developer account and stole portions of source code and proprietary technical information. At that time, LastPass said the breach was limited to its development system, which doesn’t hold personal data, and considered the breach “contained”. I’ve yet to meet the breached organization that, at least early in the cybercrime PR cycle, has actually determined (let alone contained) the extent of the breach.
To compound their troubles, this past December an “unknown threat actor accessed a cloud-based storage environment leveraging the information obtained in August” and was able to use some of the information taken in August to target an employee with much deeper access. This is one more excellent example of how most cyber breaches come down to the human element of cybersecurity. The hackers accessed decryption keys, stole critical backups and accessed somewhere between 10 million and 30 million customer password vaults. Which means that if they manage to crack your master password, they have access to every financial, health, investment and online account stored in your LastPass. I hope for your sake that you and your employees master LastPass passwords are 20+ alpha-numeric-symbol-based strings of characters, which drastically reduces your risk.
Your Risks, Even if Your Master Password is Strong
- The cybercriminals may attempt to use brute force attacks, enhanced by artificial intelligence, to guess your master password and decrypt the copies of vault data they took.
- More likely, they will target customers with phishing attacks in an attempt to socially engineer your master password out of you.
- Finally, since your phone number was also compromised, be on alert for phone calls attempting to gain your master password. LastPass does not know your master password, nor do they (or anyone) need to in order to repair this situation.
Regardless of how strong your master password is, I consider every password in your vault to be compromised. Here are steps I would take to fully protect your online accounts in the wake of the LastPass hack.
Steps to Further Protect Your LastPass Vault & Logins
- I recommend that you immediately change all of the passwords for your critical accounts, including banking, investment, health, email, etc.
- It is significant that the URLs of your stored sites were not encrypted, meaning that hackers know where you have accounts. In addition to changing the critical passwords, it is also important to turn on two factor authentication on each account, whether or not it was stored in your password vault. This essentially makes your password unique every minute, making it nearly impossible to crack.
- Change your master password and make it longer and stronger. When considering a new master password, remember to never reuse the master password for your password manager in any other context, especially online.
- Make sure that the master password is impossible to guess. For a complex, easy to remember master password, base it on the chorus of your favorite song. For example, if you are a fan of the Eagles, you might choose “Welcome to the Hotel California, such a lovely place (such a lovely place), such a lovely face” which could equal WttHC,$@lp($@lp),s@lf, where you replace all S’s with $ signs and all A’s with @ signs. It’s 21 easy-to-remember characters of security and songwriting brilliance!
- And whether you’re part of the LastPass breach or not, you should create an account on the hacking alert website Have I Been Pwned? which will send you updates on any breaches affecting you as soon as possible. I use and trust this site to protect your privacy and security.
- Make sure you understand the risks of storing anything in the cloud. Your data in the cloud is only as secure as the cloud provider itself.
And most importantly, educate your organization and coworkers about the risks posed by the LastPass breach, and at a minimum, forward this article on to them. If a hacker leverages the LastPass breach to penetrate your organizational data, it will be the people, not the technology, that are held to account.
John Sileo, award-winning author, cybersecurity expert and keynote speaker, has appeared for the Pentagon, Amazon and on shows like 60 Minutes and Anderson Cooper. Contact us for more details on 303.777.3221 or using our contact form.