Just before Christmas, when most people were busy spending time with family, and weren’t paying too much attention to cybersecurity news, the makers of LastPass revealed that hackers had accessed customers’ password vaults.
Yikes! That sounds bad. Wasn’t there a LastPass hack earlier in the year? Well, there was the original announcement by LastPass back in August where it said that a hacker had gained access to a developer’s account and stolen some of its source code from a development environment.
At that time, LastPass said that it had “seen no evidence that this incident involved any access to customer data or encrypted password vaults.”
So, was that really true? It’s possible that LastPass didn’t see any evidence at that time that customer password vaults had been accessed. “Seen no evidence” isn’t the same as “nothing happened”.
And sure enough, right before the holidays, LastPass announced that hackers were able to access both unencrypted data AND encrypted customer password vaults, possibly as early as August or September of 2022.
Here’s where it gets worse. The stolen unencrypted data includes:
- company names
- end user names
- billing addresses
- telephone numbers
- email addresses
- IP addresses from which customers accessed LastPass
- website URLs from your password vault
So cybercriminals know that you use LastPass, they know how to contact you, AND they know which websites you use. If you’re a LastPass user, be prepared for the barrage of targeted phishing emails pretending to be one of those websites you use.
In addition, those (sometimes embarrassing) websites you access might reveal private information about you that could be used to blackmail you.
Also, it’s possible that you stored password reset links in LastPass that might not have expired, or other sensitive tokens in your website URLs that could be used in an attack.
And that’s just the unencrypted data. The LastPass customer vaults (which are encrypted) store data that includes:
- website usernames and passwords
- secure notes
- form-fill data
Even though that data is encrypted, it can be read by anyone who figures out your LastPass Master Password.
Bad news – even if you had Multi-Factor Authentication turned on, and have since changed your LastPass Master Password, that doesn’t matter: the hackers hold a copy of the vault itself, and neither MFA nor a new Master Password protects a copy that has already been taken.
Even worse news – if you chose a less than stellar LastPass Master Password, or used that same password elsewhere on a site that was involved in a breach, it’s possible that the hackers have already gained access to all of your passwords. It doesn’t help that LastPass stored some of its long-standing customers’ Master Passwords in a manner that makes them far too easy to crack.
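To make concrete why a weak Master Password is so exposed once the encrypted vault is in someone else's hands, and why rotating it now does nothing for the copy already taken, here is an added example (not LastPass code). The derivation is modelled on LastPass's published scheme, PBKDF2-HMAC-SHA256 with the account email as salt; that model, the helper names and the iteration counts used are assumptions for the demo. It measures the cost of testing one candidate Master Password at several iteration counts and turns that into an expected guessing time for a password of a given entropy on the machine it runs on.

```python
import hashlib
import time


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the vault encryption key the way a LastPass-style client does:
    PBKDF2-HMAC-SHA256 over the Master Password, salted with the account email.
    (Modelled on LastPass's published scheme; treat the details as an assumption.)"""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Wall-clock cost of testing ONE candidate Master Password on this CPU.
    Whoever holds a copy of the vault pays exactly this per guess, offline,
    with no lockout, no MFA prompt and no server in the loop."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate-{i}", "user@example.org", iterations)
    return (time.perf_counter() - start) / samples


def expected_guess_days(password_bits: float, iterations: int, speedup: float = 1.0) -> float:
    """Expected days to hit a Master Password of `password_bits` entropy
    (half the space on average) at this machine's rate, scaled by `speedup`
    for an attacker with more or faster hardware (a figure the caller supplies)."""
    trials = 2 ** (password_bits - 1)
    return trials * seconds_per_guess(iterations) / speedup / 86400.0


if __name__ == "__main__":
    # Counts chosen to span the very low settings reported on old LastPass accounts
    # and the 100,100 default of newer ones. The stolen copy keeps whatever count
    # was in force when it was taken, no matter what the user changes afterwards.
    for iterations in (1, 5000, 100100):
        secs = seconds_per_guess(iterations)
        print(f"{iterations:>7} iterations: {secs * 1e3:8.3f} ms/guess, "
              f"40-bit password ~ {expected_guess_days(40, iterations):10.1f} days (single core)")
```

The output shows the two levers the page is talking about: each extra bit of Master Password entropy doubles the guessing time, and the iteration count multiplies it directly, so an account left at a single-digit count is tens of thousands of times cheaper to guess against than one at the newer default.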
If you are a LastPass user, you should assume that all of your passwords have been compromised, and you should change ALL OF THEM. Every password in your LastPass vault should be changed. And so should your LastPass Master Password. And it’s time to change password managers.
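As an added example (not code from LastPass or from the original post), here is a small audit script for the two points above: the stored URLs may carry unexpired reset links or tokens that are now exposed in plaintext, and every password in the vault needs rotating. It reads a CSV in the column layout of a LastPass export (`url,username,password,totp,extra,name,grouping,fav`; that layout, the sample rows and all function names are assumptions), flags entries whose URL looks like a reset link or carries a token, flags passwords reused across entries, and prints the whole vault as a rotation list with the flagged entries first.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample in the column layout of a LastPass CSV export
# (url,username,password,totp,extra,name,grouping,fav). Fake data, not from any real vault.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://bank.example/login,alice,Correct-Horse-1,,,Bank,Finance,0
https://shop.example/reset?token=abc123,alice,Correct-Horse-1,,,Shop,Shopping,0
https://mail.example/,alice@example.org,Tr0ub4dor&3,,,Mail,,1
https://forum.example/confirm?code=9f8e7d,alice,Tr0ub4dor&3,,,Forum,,0
https://photo.example/,alice,unique-pass-42,,,Photos,,0
"""

# Query-string keys and path words that usually mark a reset link or a bearer token.
TOKEN_PARAMS = {"token", "code", "key", "auth", "session", "reset", "otp", "sig"}
PATH_HINTS = ("reset", "confirm", "verify", "activate", "magic")


def parse_export(text: str) -> list:
    """Read the CSV export into one dict per vault entry."""
    return list(csv.DictReader(io.StringIO(text)))


def url_carries_token(url: str) -> bool:
    """True if the stored URL looks like a reset link or carries a token in its query string."""
    parts = urlparse(url)
    if any(k.lower() in TOKEN_PARAMS for k in parse_qs(parts.query)):
        return True
    return any(hint in parts.path.lower() for hint in PATH_HINTS)


def audit(entries: list) -> list:
    """Return every entry as a rotation task, flagged entries first.

    Flags: 'token-in-url' (a secret sat in the URL, which leaked unencrypted) and
    'reused' (same password as another entry, so one cracked site opens several).
    Unflagged entries stay on the list: the advice is to rotate everything.
    """
    names_by_password = defaultdict(list)
    for e in entries:
        names_by_password[e["password"]].append(e["name"])

    tasks = []
    for e in entries:
        reasons = []
        if url_carries_token(e["url"]):
            reasons.append("token-in-url")
        if len(names_by_password[e["password"]]) > 1:
            reasons.append("reused")
        tasks.append({"name": e["name"], "host": urlparse(e["url"]).hostname, "reasons": reasons})
    # Stable sort: more reasons first, original export order otherwise.
    return sorted(tasks, key=lambda t: -len(t["reasons"]))


if __name__ == "__main__":
    for task in audit(parse_export(SAMPLE_EXPORT)):
        flags = ", ".join(task["reasons"]) or "rotate anyway"
        print(f"{task['name']:<8} {task['host']:<14} {flags}")
```

Run it against your own export, then delete that export file: it holds every password in plaintext. Entries flagged `token-in-url` deserve a visit to the site to confirm the link has expired, not just a password change.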
If you would like a recommendation for a password manager, reach out to us for a complimentary meeting to discuss your cybersecurity needs.