Things You Should Know About the LastPass Breach
In August 2022, LastPass experienced a data breach. In light of the developing situation, at Hungerford Technologies we understand you may have questions regarding the security of your passwords. For those who don’t know, here is a quick summary of what happened with the LastPass breach.
What Happened in LastPass Breach?
LastPass experienced a data breach and, at the time, informed its customers of unusual activity that might affect the security of their stored passwords and information.
After a monthslong investigation, LastPass concluded that a threat actor was able to access and copy a backup of encrypted customer vault data. Because the data is encrypted, LastPass determined that, mathematically, it would take millions of years for generally available password-cracking technology to guess a password for customers who follow LastPass’ best practices. Those best practices include using a minimum of 12 characters, using a mix of character types, not reusing passwords, etc.
You can read more about the breach here.
This breach does not affect customers who have business accounts that are federated, meaning the key to unlock your vault is split in two and only half of it is stored with LastPass. Hackers with access to the LastPass half also would need to breach your company to get the whole key necessary to see your passwords.
This breach only affects personal accounts or business accounts that are not federated.
LastPass said it notified a small subset of business customers that are not federated to recommend they take certain actions.
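To illustrate the “key split in two” idea above, here is an added example that is not LastPass’ own code and uses a simple XOR split as a stand-in for their actual scheme (an assumption for illustration). One share sits with the company’s identity provider, the other with the password manager, and a single share on its own is indistinguishable from random bytes, so it cannot be guessed back into the vault key.

```python
import secrets

KEY_BYTES = 32  # hypothetical 256-bit vault encryption key


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split the vault key into two shares.

    share_idp is held by the company's identity provider, share_pm by the
    password manager. Because share_idp is fresh random bytes and
    share_pm = key XOR share_idp, each share alone is uniformly random and
    carries no information about the key.
    """
    share_idp = secrets.token_bytes(len(key))
    share_pm = bytes(a ^ b for a, b in zip(key, share_idp))
    return share_idp, share_pm


def combine(share_idp: bytes, share_pm: bytes) -> bytes:
    """Recover the vault key; only a party holding both shares can do this."""
    return bytes(a ^ b for a, b in zip(share_idp, share_pm))


def candidates_from_one_share(share: bytes, guesses: list[bytes]) -> set[bytes]:
    """What someone holding only one share can learn.

    Every guess for the missing share yields a different, equally plausible
    key, so the stolen half does not narrow the search at all.
    """
    return {combine(share, g) for g in guesses}
```
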
Should I Change My Master Password?
Yes, though it is not strictly necessary for those who have followed LastPass’ best practices.
If you have used your master password for other accounts, then you absolutely should change it immediately.
Changing your master password helps keep your vault safe from future password-guessing attempts. However, LastPass stated it would be extremely difficult to brute-force master passwords for customers who follow their best practices.
Fortunately, LastPass does not have access to your master password; it is neither stored nor maintained by LastPass, precisely to protect customers from incidents like this.
Should I Change All My Passwords?
Yes, but with some caveats.
It’s up to you to determine your risk tolerance. There is a chance the bad actor already cracked your vault and can see every one of your passwords. But it’s an old copy of your vault, so any passwords you change now would not be visible.
Consider prioritizing the accounts that contain financial or personal information — such as bank accounts, digital payment apps (Venmo, Zelle, PayPal), retail websites, health systems, etc. — when deciding what passwords to change.
With that being said, we understand some customers have more than 100 passwords and changing every single one would be a long and tiresome process.
Should I Delete My LastPass Account?
No. While it’s unfortunate this happened, there is no obvious indication that LastPass was doing anything objectively irresponsible with your data.
The IT security industry recommends an “assume breach” mentality, which assumes cyberattacks not only will happen, but that information already could be compromised. This proactive approach allows security firms to identify and address potential threats to better protect you.
When companies fall victim to data breaches, they generally come back stronger because they address the gaps in their security coverage. Not only will they address the security issues they know of, but they also will attempt to address future security issues, so they are more prepared the next time an attack happens.
This is not a LastPass-specific problem. It likely was targeted for being one of the biggest and most well-known password managers available, but that doesn’t mean smaller password managers are safe. Switching to another password manager is a lot of work, and there is no way to know which one will suffer a breach next.
West Michigan IT Support From Hungerford
If you have any other questions regarding the LastPass breach or password managers in general, please contact us here or call our team directly at (616) 949-4020 with your concerns.