Responding to the LastPass Data Breach

Recently, LastPass confirmed that cybercriminals obtained a copy of its customers' password vaults. LastPass has not released full details of what was taken, but the stolen data includes both encrypted fields (such as the usernames and passwords stored for each site) and unencrypted fields, such as the web addresses of those sites, which can be used to target users with further attacks. We strongly recommend that you take action immediately; waiting to find out whether you have been affected can mean you have already become the victim of a follow-on attack. Please reach out to Technical Resource Solutions if you require guidance on this issue.

What is the danger?

A "locked" copy of your password vault has been stolen. LastPass encrypts each vault with a key derived from the account's "Master Password", which only the account holder knows. To use a metaphor, the criminals did not find the combination, but they did make off with the safe and can work on cracking it at their leisure. Because they hold a permanent copy of the vault, LastPass warned customers that the attackers can make offline "brute force" attempts at users' master passwords, and a successful guess gives them full access to everything in that user's vault. Two consequences follow. First, an offline attack is not slowed by LastPass's login rate limits or by two-factor authentication, because the attacker never has to log in. Second, the stolen copy can never be taken back, so any secret in it that is not changed stays exposed for as long as it remains in use.

What can I do?

Some LastPass customers have chosen to stay with LastPass as their password management service, while others are migrating away from it. Whether you stay or leave, the first course of action is to change your passwords, and to do so in a specific order so that you do not re-expose the new ones. We recommend the following order:

In all cases:

Change the master password on your LastPass account. The new password should meet the following requirements:

  • The new master password should be completely different from your existing master password. Iterating on the existing password (for example, adding 1! to the end) is easily guessed: cracking tools try such variations of a known password as a matter of routine.
  • Your master password should exceed the minimum length and complexity requirements set by the password manager. Make it something you can remember but that is hard to guess and impractical to brute force. Length matters most: a passphrase of several unrelated dictionary words, with numbers and punctuation mixed in, is far too long to be brute forced character by character and is easier to remember than a short string of random symbols. Do not use a line from a published song, a famous quotation or anything else that appears on the internet, even with its punctuation: lyric and quotation collections are standard entries in attackers' cracking wordlists. Pick the words at random yourself, or let a generator pick them.
  • Enable two-factor authentication on your password management service. 2FA protects the online account against logins by someone who has guessed or stolen your password. Note that it does not protect the copy of the vault the attackers already hold, which is why the master password itself must be strong and must be changed.

If you are staying with LastPass:

Change all passwords stored within your LastPass vault.

Only update the stored passwords after your master password has been changed. Remember that the attackers have a full copy of your password database: any password that remains unchanged is still in their hands and should be treated as already known to them.

If you are moving from LastPass:

Sign up with your new password service provider. Please reach out to Technical Resource Solutions for recommendations or questions about what is available on the market.

When signing up with the new service, do NOT save the new account's password into LastPass. Keep a physical copy of any secret questions and answers, and of any emergency recovery keys, in a safe place; do NOT save the details of this account on your computer or in any cloud service.

New passwords should be unique (not used anywhere else), long and complex, so that they cannot be brute forced. Creating short, easily guessed passwords negates a significant part of the benefit of a password manager, since an attacker can guess the password outright or brute force it quickly. We strongly suggest always using the generator built into the password manager instead of inventing passwords yourself. Web-based "online password generators" are NOT recommended either: a site that generates your password could record every password it hands out.

How soon should I act?

Technical Resource Solutions recommends that you take action immediately. The longer your passwords remain exposed in the stolen vault copy, the longer an attacker has to gain access to your personal information and do further harm. Resetting passwords one at a time is time consuming, so the sooner you start, the more of the risk you mitigate. The TechnicalRS team can help you decide on your next course of action and can start you on the path to re-securing your accounts. Give us a call today to learn more.
