
What to Do About the LastPass Breach


Overview of Vulnerability

LastPass, one of the world’s largest password managers with at least 25 million users, has confirmed that it was recently compromised. According to LastPass CEO Karim Toubba, an “unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.” The breach took place approximately two weeks ago.

Incident responders have contained the breach, and LastPass maintains that there is no evidence of further malicious activity. According to Toubba, “We have seen no evidence that this incident involved any access to customer data or encrypted password vaults.” The primary concern is that the stolen source code and technical information could later help attackers find and exploit weaknesses in the product.

LastPass users may worry that an attacker could have access to their passwords or vaults. However, LastPass maintains that it uses a “zero knowledge” architecture in which master passwords are never stored on its systems. LastPass says no action is required by users regarding their password vaults.

LastPass has engaged a cybersecurity and forensics firm to investigate what happened. It has also implemented additional security measures to detect any further unauthorized activity.

Sedara’s Recommendations

  • Despite this breach, Sedara still recommends the use of password managers. Password managers are an effective way to reduce password reuse across systems.
  • According to LastPass, customers do not need to take any action due to this breach.
  • Customers may choose to take this opportunity to remind their LastPass users how to select a strong master password: use a combination of unrelated words instead of a single word, and include a mix of alphabetical, numerical, and symbol characters.
  • By all accounts, this security incident did not result in a breach of passwords or user vaults, and password changes are not required. Out of an abundance of caution, LastPass administrators may nevertheless choose to prompt users to change their passwords.

Should we switch to a LastPass competitor?

As embarrassing as this breach is for LastPass, it appears that no personal data was exposed and no password-related data was stolen. Incidents like this are common across software providers, including ones with a cybersecurity focus, and it is encouraging when a provider is forthcoming with information about a security incident. Customers can read LastPass’s incident notice at the link below and decide on that basis whether they want to continue using LastPass.

Organizations should always monitor their environment for unauthorized activity and indicators of compromise. Using a program-based approach and industry best practices to manage your security will help put your mind at ease and allow you to respond appropriately when incidents are detected.

Supporting Documentation

LastPass – Notice of Recent Security Incident

Sophos – Do we still recommend password managers?

Get Future Compromise Alerts – Join Sedara Declassified

Subscribe to Sedara Declassified to get timely updates on new and evolving threats – and what to do about them – just like our clients do. And of course, if we can help you with anything directly, feel free to reach out.