SPOT Cybersecurity Tip: LastPass Breach – What to do if you’re a LastPass User

Cybersecurity Tip from The Fulcrum Group

LastPass is giving Password Managers a bad name. Here’s the quick summary of what happened.

  • Hackers have stolen LastPass customer vaults (the encrypted file where you store your passwords). If the hackers can figure out your master password (for example, if your master password is the same password you used on another website whose credentials were compromised and sold on the Dark Web), then they have all of your passwords.
  • The breach occurred in August 2022, but LastPass is only coming clean about the theft of customer vaults in the last few days.
  • Your LastPass customer vault also contains unencrypted data, such as website URLs. This is a major issue in its own right if any of those URLs point to private, non-public-facing websites, because the attackers now know those sites exist.

That last point is especially troubling: the URLs in each vault tell the hackers which websites you have accounts on. They can look those sites up on HaveIBeenPwned, collect any passwords leaked from them, and try those passwords as guesses for your master password.

What should I do if I’m a LastPass User?

  • Change your Master Password. Make sure you use a password that is complex, at least 12 characters long, and not used on any other website. Keep in mind that a new master password protects your vault from now on; the copy the hackers already have is still protected only by your old master password, which is why the last two steps below matter.
  • Check your LastPass security settings.
  • Be on the lookout for social engineering and phishing attempts targeted at LastPass users. Emails, texts, and phone calls impersonating LastPass are likely.
  • Create a free account on Have I Been Pwned to research whether any of your credentials have been compromised previously.
  • If you find that your master password has been compromised (because you used the same password on a different website), you should immediately begin the tedious process of changing EVERY password on EVERY website that you saved in your LastPass customer vault.
  • It’s probably a good idea to find a new Password Manager. Here at The Fulcrum Group, we’re big fans of Keeper, and recommend Keeper Enterprise for business customers.
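The checks in the list above (at least 12 characters, complex, not reused on another site, not already leaked) can be run against a candidate master password before you commit to it. The script below is an added example written for this tip; it is not code from The Fulcrum Group, LastPass, Keeper or Have I Been Pwned. It mirrors the Have I Been Pwned "Pwned Passwords" range lookup, in which only the first five hex characters of the password's SHA-1 hash are sent and the server returns every hash suffix sharing that prefix, so the password itself never leaves your machine. To run offline, the range responses are constructed sample data keyed by prefix (a real client would fetch them from the Pwned Passwords range endpoint), the counts are made up, and the "three of four character classes" rule is an assumption standing in for the tip's word "complex".

```python
"""Vet a candidate master password: long, complex, not reused, not in a breach corpus.

The breach check follows the Have I Been Pwned "Pwned Passwords" range model:
only the first five hex characters of SHA-1(password) would leave the client.
SAMPLE_RANGES is CONSTRUCTED data so this runs offline; counts are made up.
"""
import hashlib

# Constructed sample of range responses, keyed by 5-character hash prefix.
# Each line is "<35-hex-char suffix>:<count>", as the real service formats it.
SAMPLE_RANGES = {
    # SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "00000000000000000000000000000000001:2\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n"
    ),
}


def sha1_range_parts(password: str):
    """Split the uppercase hex SHA-1 digest into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def lookup_range(prefix: str) -> str:
    """Stand-in for the HTTP GET of a range; unknown prefixes return an empty body."""
    return SAMPLE_RANGES.get(prefix, "")


def parse_range_body(body: str) -> dict:
    """Parse 'suffix:count' lines into {suffix: count}, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        suffix, count = suffix.strip().upper(), count.strip()
        if len(suffix) != 35 or not count.isdigit():
            continue
        counts[suffix] = int(count)
    return counts


def breach_count(password: str) -> int:
    """Number of times the password appears in the (sample) breach corpus."""
    prefix, suffix = sha1_range_parts(password)
    return parse_range_body(lookup_range(prefix)).get(suffix, 0)


def character_classes(password: str) -> int:
    """How many of lower, upper, digit and other-symbol classes are present."""
    return sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))


def vet_master_password(candidate: str, passwords_used_elsewhere) -> list:
    """Return the reasons a candidate is unsuitable; an empty list means acceptable."""
    problems = []
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    if character_classes(candidate) < 3:  # assumed reading of "complex"
        problems.append("fewer than three character classes")
    if candidate in set(passwords_used_elsewhere):
        problems.append("already used on another website")
    hits = breach_count(candidate)
    if hits:
        problems.append(f"seen {hits} times in breach corpus")
    return problems


if __name__ == "__main__":
    # Constructed list of passwords the user admits to using on other sites.
    elsewhere = {"Summer2022!", "password"}
    for cand in ("password", "Summer2022!", "correct horse battery staple 9!"):
        print(repr(cand), "->", vet_master_password(cand, elsewhere) or ["ok"])
```

The point of the prefix/suffix split is that the server only ever learns five hex characters of the hash, which match roughly one in a million passwords, so the lookup does not disclose the password being vetted. A password that is short, reused, or present in a breach corpus fails on all of those grounds at once, while a long passphrase that appears nowhere passes.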

Want to learn more? Read this news article from Ars Technica and the official blog post from LastPass.