3 min read

Avoiding Disaster: The LastPass Security Breach

Avoiding Disaster: The LastPass Security Breach

As of December 22, 2022, LastPass announced a recent cybersecurity incident and many RoundTable customers have asked what this means for them.

This incident serves as an important reminder - no matter the size or strength of your organization, social engineering can overcome any security measure. With hackers becoming increasingly sophisticated in their tactics, it is essential for nonprofits to understand how such incidents arise so that they can take preventive steps against similar occurrences in the future. 

In this blog post, we'll examine the details behind this incident and discuss key learnings from it that will help nonprofits protect their organizations from falling prey to malicious attacks.


The Details: What Happened and When

In August of 2022, LastPass experienced a security breach where some source code and technical information was stolen. Later in the year, this same bad actor used that stolen information to target a LastPass employee to steal their credentials to gain access to customer data.

This allowed the bad actor to copy information from a LastPass backup of customer vault data that contained both unencrypted data (such as website URLs) and encrypted data such as usernames and passwords.

Most important to note, this does not mean that if you use LastPass as a password manager that all of your passwords are suddenly all over the dark web. The password data that was stolen was still encrypted, and therefore still unusable in most cases. The only two options a bad actor has to use this stolen data to gain access to customer passwords and other encrypted data is to either use brute force or social engineering (phishing, baiting, etc.)


What This Means for LastPass Users

First, don’t panic. This is not the time to abandon the use of password managers altogether. Password managers still help users create long, random and unique passwords for each account. But like all cybersecurity measures, more layers make it more difficult to compromise your information.

The keys to your password kingdom lie in the strength of your master password and multi-factor authentication (MFA). The best thing you can do right now is to review your vault’s master password. Make sure it is long, complex, and not used for any other account. A great master password example could be !w@terMyPlants0n$undays. If it does not meet these standards, change it.

This recent breach highlights yet another reason multi-factor authentication is so important. If a potentially breached password is the only key needed to gain access to an account, MFA is the deadbolt and chain preventing the door from swinging open.

If you have not enabled MFA on your LastPass (and all of your major accounts) yet, do so immediately.

We also recommend changing passwords on your most critical accounts, not just your LastPass master password. As part of the LastPass breach, account URLs and notes that were unencrypted were also stolen, and this is cause to believe that accounts that were stored in LastPass are at risk of being targeted. 

If a bad actor happened to have gained access to your password vault, which accounts would be the most damaging if exposed?

Begin with your email, financial systems, cloud applications, social media, and work your way down in priority. And again, make sure multi-factor authentication is in place on these critical accounts, applications or websites. Without those codes, push notifications, or biometric scans, it becomes increasingly more difficult for these attackers to gain access to your sensitive data.


What You Can Do to Protect Your Organization

The very first thing you need to do is change your LastPass master password. As always follow these best practices when it comes to setting a password, especially one as important as your master password.

Once you have ensured that password best practices are being followed, then MFA should be enforced.

Password best practices:

  • Every password you use should have a 12 character minimum - we like to use pass-phrases (for example - I walk my d0g 2 times a d@y) to make it easier to remember
  • Don’t ever reuse passwords, each and every password you use should be unique

If you are a LastPass Administrator for your organization:

  • Disallow master password reuse for anyone in your organization - your master password should be completely unique

  • Require employees to change their master passwords if it matches another site’s login credentials

  • Require multi-factor authentication for all employees 

  • Prohibit the saving of your master password 

  • MFA should be enabled and required for all LastPass accounts

  • PIN code should be required for the mobile device app

  • Prohibit the ability to disable MFA via email

This incident serves as a good reminder that even the strongest of security systems can be bypassed through social engineering. The initial LastPass breach did not lose any customer data, it did allow the bad actor to use the information gained to target a LastPass employee. It doesn’t matter how good a password is if your employee hands it over to them.

One of the best ways to guard against social engineering attacks is to provide frequent and consistent cybersecurity training, to keep employees on guard and cautious.

RoundTable’s 7th Annual Best Free One-Hour Cybersecurity Awareness Training Ever is this month, so take advantage of this opportunity to get your entire organization up to date on the latest cybersecurity training.

Sign up for our Best Free One-Hour  Cybersecurity Awareness Training Ever!

Wrapping Up

The recent LastPass breach is a reminder of the importance of strong password protection and multi-factor authentication. It’s essential that users create long, random and unique passwords for each account they use, as well as enable two-factor authentication whenever possible. 

For organizations using LastPass, it’s also important to enforce master password reuse policies, require employees to change their master passwords if it matches another site’s login credentials, prohibit storing your master password on mobile devices, and more. By following these best practices for creating secure passwords and implementing additional layers of security such as MFA you can help protect yourself from any consequences of this breach in the future.

Incidence Response Notification: log4j

3 min read

Incidence Response Notification: log4j

Update from 12/21 The team at RoundTable has continued to scan and enumerate (e.g. discover) any presence of the log4j vulnerability across our...

Read More
Cybersecurity Concerns Related to Russia-Ukraine Conflict

Cybersecurity Concerns Related to Russia-Ukraine Conflict

As the Russia-Ukraine conflict continues, many people and organizations have expressed concerns about the potential for cyber-warfare and its...

Read More
Update on Cybersecurity Concerns Related to Russia-Ukraine Conflict

Update on Cybersecurity Concerns Related to Russia-Ukraine Conflict

Approximately two weeks ago we provided guidance for organizations concerned about cyber threats stemming from the Russia-Ukraine conflict.

Read More