On December 22nd, 2022, LastPass released information acknowledging an extensive breach of customer data.

According to LastPass, most of this data, such as usernames and passwords, is encrypted. However, the URLs stored in password vaults are not. An attacker would still need a master password to decrypt the stolen vault data; however, the unencrypted URLs increase the likelihood that they can identify the owners of the vaults they hold.

They can use the unencrypted data to launch targeted phishing attacks. Many security firms have also warned that attackers may use the leaked customer information to search the Dark Web for re-used passwords that could match master passwords.

To protect the credentials stored in LastPass, here are a few steps we advise you take:

• Rotate any passwords and keys stored in LastPass
• Check for password re-use across your sites and services
• Enable MFA on everything
• Warn your users of an increased risk of phishing
• Pay careful attention to your accounts for breaches and suspicious activity

The story continues to unfold. We’ve received information indicating that some of the unencrypted data could be used for more than phishing.

This would also be a good time to commission a third-party assessment to find compromised passwords on the dark web. If passwords are re-used in your environment, there is a higher chance that your master password can be cracked.