What You Should Know About the LastPass Breach


As you may have heard, LastPass (a popular password manager used by millions and recommended by KiteTech) was recently the target of a data breach involving customer data. This news release from LastPass contains more information about what happened.

Virtually every business today has a digital footprint, so any of them, especially those that handle sensitive personal data directly, can be targeted for data compromise. KiteTech takes the trust our customers place in us and the importance of your personal data very seriously, and we want to make sure you are fully informed about what happened and what you should do about it.

What happened?

A threat actor was able to copy a backup of customer vault data from encrypted storage. The vault is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-fill data. The encrypted fields are protected with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password. The master password is never known to LastPass and is not stored or maintained by LastPass; encryption and decryption are performed only in the local LastPass client.

Two things follow from this. First, because the attacker now holds the encrypted vault data, they can try candidate master passwords against it offline, on their own hardware, with no lockout or login prompt to slow them down; the strength of each user's master password is therefore what stands between them and the stored credentials. Second, the URLs are readable without any key, so the attacker knows which sites each user has accounts with.

Out of an abundance of caution, LastPass is nevertheless requiring all users to reset their master passwords.

LastPass has provided the following instructions for resetting your master password:

“To reset your master password, please visit https://lastpass.com/ and click on “I forgot my password”. You will be guided through the process of resetting your master password, which will require you to verify your account using either your email address or a recovery one-time password.”

What should you do about it?

  1. The first thing we recommend is that you immediately change your master password in LastPass. While master passwords themselves were not compromised, all of the encryption protecting your vault is derived from your master password, and changing it re-keys your live vault under fresh encryption. Be clear about what this does and does not do: it protects the vault LastPass holds from now on, but it cannot touch the copy the attacker already has, which stays encrypted under your old master password and can be attacked offline for as long as they keep it. Choose a long passphrase you have never used anywhere else; a short or reused master password is the real risk here, and it is the reason steps 2 and 3 matter too.
  2. Equally important, make sure that multi-factor authentication (MFA) is enabled on your LastPass account. We recommend MFA on all of your accounts anyway, and on LastPass it is especially important: it stops anyone who guesses or phishes your master password from logging in to your account and pulling a fresh copy of your vault. Understand its limit as well: MFA is checked by LastPass's servers at login, so it does nothing to protect the copy that was already stolen, which opens with the master password alone.
  3. We also recommend you change the passwords of the accounts stored in LastPass. Again, it appears that passwords were not exposed in unencrypted form, and LastPass is advising that the likelihood of the threat actor decrypting this data is slim, but we think it is in your best interest: once the stored passwords have been rotated, the stolen copy holds nothing current even if it is eventually decrypted. Do this after you have changed your master password, so the new credentials are saved into the re-keyed vault, and let LastPass generate them so each one is long, random and unique. We understand this can be time-consuming. Prioritize credentials that protect financial data (banks, insurance, etc.) and your primary email account, which can be used to reset most others; for accounts that do not protect sensitive data, you may change them as you access them in the normal course of use. Where those sites offer MFA, turn it on there as well.
  4. Lastly, be on the lookout for phishing attempts related to this compromise. Because LastPass does not store your master password, the only source of that password is you, and the unencrypted URLs in the stolen vault data tell the attacker which services you use, so expect lures that name the right bank or the right vendor. It is important to remember that LastPass will never call, email, text, or send you a link requesting your master password.

Conclusion

While data breaches are always a worrisome subject in cyber security, the steps listed above will help you stay secure. By using a strong, unique master password and multi-factor authentication, you are doing your part to stay protected.

As always, if you have any questions or further concerns, KiteTech is here to help. If you’re already a current client, feel free to reach out to your account manager for further discussion. If you’re not currently working with Kite Technology and would like to learn more about how our Managed IT and Security Services can help you operate more effectively and secure your business, please contact us to schedule a conversation. We’re here to help!

Dillon Fornaro

Security Engineer
Kite Technology Group