Today, we have passwords for everything, email, social media, bank accounts, work accounts, everything. That’s a lot of passwords to remember for one person, so putting them all on one place may seem like a good idea. There are loads of password managing companies. Each one boasts how they can keep all your passwords safe. What happens when they are hacked? Then what do you do?

This has become a reality for those who use LastPass to store their passwords. Back in August of this year, 2022, there was a breech in one of the LastPass storage environments. It was stated in a blog post in August that no customer data had been accessed. In more recent updates, it was announced that customer vaults have been accessed. The hacker obtained the information by stealing source code and technical information. They used that to target an employee to gain credentials and keys. This then allowed the attacker to gain access to customer backup vault data and copy it. This data contains everything from Company names to end-user names, billing addresses, email addresses, phone numbers and the IP address that customers use to access LastPass services.

So, what does that mean?

While the hacker has a copy of the information, they don’t have access to your master password, only you do. Your master passwords are not stored by LastPass. Encrypted information can only be unencrypted using the master password. This is their “Zero Knowledge architecture”. Since the hacker does not have master passwords, it will take longer to figure out the encryption key. However, they could still get in using software that will guess combinations until they get the right one. LastPass wrote that “it would take millions of years to guess your master password using generally-available password-cracking technology”. It is also important to be on the lookout for phishing emails that may ask for your password. LastPass will never ask you for your master password through email, text, or call. It will only ever ask when you are logging into your account.

Are my passwords safe?

LastPass wrote in their blog post that if you used the default settings for your password, then it would take the “million years” to crack it. If you did not make your password using the default settings, or fear your password may not be strong enough, it is recommended that you update the passwords you have stored. By not using the password defaults, it may take a significantly smaller number of attempts to guess your master password. If you are someone who uses the Federated Login Services, the attacker did not have access to your information. Your information was not stored in the backups that the hacker copied. It would still be a good idea to change all your passwords. However, if you are a business owner who does not use the Federated Login Service and your password does not use the default setting, you should change your stored passwords.

What has LastPass done?

After the attack, LastPass rebuilt the breeched environment. They also replaced and further hardened developer machines, processes, and authentication mechanisms. They added more alerts to help detect any more unauthorized activity as well as a second defense line. Employee credentials that may have been compromised have been rotated along with certificates. They are thoroughly analyzing any account that has been flagged for suspicious activity. On top of that, they started adding more safeguards and ensuring they know everything the attacker accessed and copied.

What can I do?

Change your passwords, both your master one and the stored ones. This will help ensure the security of your accounts. Even if your master password was made with the recommended settings, change ALL your passwords. It’s best not to leave it up to chance. If you want to keep using a password manager, consider picking a different one. LastPass did not notify customers that their data was at risk until months after the attack and right before a major holiday. There are other password managers available, some of which are listed in this reddit post about the LastPass attack. This post also lists some actions to take in light of this recent update.

For a more secure way to login to your accounts in the future, you can add two-factor authentication to your accounts. Two-factor authentication allows you to personally screen all login attempts to the accounts you have through a second step like an email, a text, a call or another app. When there is a login attempt to one of your accounts, you will get a notification from one of the listed contact methods, and that will allow you to approve the login or deny it. This helps to ensure you are the only one logging in, and it allows you to see when someone is attempting to access your accounts without your knowledge. This is the option we recommend as it is more secure than a password manager.

If you want to learn more about two-factor authentication, check out this post we published in 2021. If you have any other questions about this login method or need help setting it up, give us a call and we’ll be glad to help!