Recently, LastPass confirmed that cybercriminals gained access to the password vaults of its users. While LastPass has not released full details on exactly what was taken, the stolen data includes both encrypted passwords and unencrypted data, such as web addresses, that could leave users vulnerable to further attacks. We strongly recommend you take action immediately, as waiting to see if you have been affected by a breach can mean you have already become a victim of further attacks. Please reach out to Technical Resource Solutions if you require guidance on this issue.
A "locked" copy of your password vault has been stolen. User password vaults are encrypted by LastPass, protected behind a "Master Password" that only the LastPass account holder has access to. To use a metaphor, the criminals did not immediately find the combination, but were able to make off with the safe for later cracking. Because the attackers now have permanent access to a copy of all user password databases, LastPass warned its customers that they can make "brute force" attempts to discern users' master passwords, gaining them full access to user accounts and any of the protected data within.
Some LastPass customers have chosen to stay with LastPass as their password management service, while others are migrating away from the service. Regardless of whether you choose to stay or leave, the first course of action should be to change your passwords in a specific order to avoid re-exposing them. We recommend doing so in this order:
Change the vault password on your LastPass account. The password should meet the following requirements:
Change all passwords stored within your LastPass vault.
Only update your passwords once your master password has been changed. Remember: the attackers have a full copy of your password database. Any passwords that remain unchanged are still in their hands.
Sign up with your new password service provider. Please reach out to Technical Resource Solutions for recommendations or questions about what is available on the market.
Remember, when signing up with the new password service, NOT to save any new passwords into LastPass. Any secret questions / answers, or any sort of emergency recovery keys, should have a physical copy somewhere safe. Do NOT save any details of this account on your computer or any cloud services.
New passwords should be unique, not used anywhere else, and should be long and complex to resist brute force attacks. Creating short, easily guessed passwords negates a significant part of the benefit of a password manager, as an attacker can potentially guess the password outright or quickly brute force it. We highly suggest always using the password generator offered by password manager tools instead of trying to come up with passwords yourself. Online password generators are also NOT recommended, as they could potentially be storing all generated passwords for nefarious purposes.
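To make the brute-force risk described above concrete, here is an added Python example (not code from LastPass or Technical Resource Solutions) that generates a password from the operating system's cryptographic random source, the way a password manager's generator does, and estimates how much work an offline attacker holding a stolen vault faces based on password entropy and key-derivation cost. The attacker hash rate and KDF iteration count used below are labelled assumptions, not LastPass figures.

```python
import math
import secrets
import string

# Character set assumed for the generator (a typical manager default: letters, digits, symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character from the OS CSPRNG, as a password manager's generator does.
    random.choice() is deliberately not used: it is not a cryptographic source."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2 of the number of equally likely strings."""
    return length * math.log2(alphabet_size)


def offline_guess_rate(raw_hashes_per_second: float, kdf_iterations: int) -> float:
    """Guesses per second against a stolen vault: each master-password guess costs one
    full key-derivation run, so the KDF iteration count divides the raw hash rate."""
    return raw_hashes_per_second / kdf_iterations


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password offline: on average half the keyspace is tried."""
    return (2.0 ** bits / 2.0) / guesses_per_second


def crack_time_report(password_length: int, alphabet_size: int,
                      raw_hashes_per_second: float = 1e10,
                      kdf_iterations: int = 100_000) -> dict:
    """Summarise attacker work for a password of the given shape.
    The default rate and iteration count are constructed assumptions, not LastPass figures."""
    bits = entropy_bits(password_length, alphabet_size)
    rate = offline_guess_rate(raw_hashes_per_second, kdf_iterations)
    seconds = expected_crack_seconds(bits, rate)
    return {"bits": bits, "guesses_per_second": rate,
            "expected_seconds": seconds,
            "expected_years": seconds / (365.25 * 24 * 3600)}


if __name__ == "__main__":
    # Compare a short lowercase-only master password with a generated 20-character one.
    print("8 lowercase chars :", crack_time_report(8, 26))
    print("20 generated chars:", crack_time_report(20, len(ALPHABET)))
    print("example generated :", generate_password())
```

The comparison shows why the advice above pairs a long generated master password with changing every stored secret: a short password falls in days under these assumptions, while a generated one stays out of reach regardless of how long the attacker keeps the vault copy.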
Technical Resource Solutions recommends you take action immediately. The longer your passwords are left vulnerable on a compromised system, the longer an attacker has to gain access to your personal, private information and do further harm. Resetting passwords one at a time can be time consuming, so the quicker you respond, the more threat mitigation you can achieve. The TechnicalRS team can help you decide on your next course of action and can start you on the path to re-securing your accounts. Give us a call today to learn more.