Recently, LastPass Password Manager experienced a security incident affecting LastPass accounts. In order to address any concerns from our clients and fully deliver on our promise to be transparent, we want to provide an update on this breach for clients who use LastPass in their environments, and anyone who may use LastPass personally.
About the Incident:
During this incident, bad actors were able to download some users’ encrypted password vaults. LastPass has stated that if you adhere to their master password guidelines, “it would take millions of years to guess your master password using generally-available password-cracking technology.” However, if your LastPass master password doesn’t meet their guidelines, or if you have reused it on another site, you should consider minimizing risk by changing the passwords of the websites stored in your vault.
As an additional layer, as part of our standard deployment of LastPass, we typically connect LastPass user logins to your Microsoft 365 accounts for single sign-on purposes. Because password vaults for these single sign-on accounts are stored differently, LastPass states that you do not need to take additional action to protect yourself.
How LastPass Users Should Respond:
Although the risk is low that any of our client password vaults will be accessed, we are still recommending that all LastPass users (business or personal) do the following:
- Change passwords to all critical systems – Although passwords stored in LastPass are protected by encryption, when it comes to accounts that are critical to your business operations, we believe that you can never be too safe. Out of an abundance of caution, we recommend that any critical account passwords be updated immediately. For those using personal accounts, we recommend changing the passwords of all accounts stored in LastPass.
- Be extremely vigilant in looking out for phishing attempts – While the encrypted passwords remain protected, it is believed that the perpetrators may have gained access to the names of websites stored in the affected vaults. With this information, bad actors could craft extremely targeted and convincing spear-phishing attacks against affected accounts.
More information can be found in LastPass’ Notice of Recent Security Incident. The investigation into this incident is ongoing.
As incidents like these occur, we’re constantly evaluating our tool set to ensure that we’re delivering the best possible and most secure solutions for our clients. We have been and will continue to closely monitor the situation and provide updates as necessary.
Our clients’ peace of mind is our top priority. If you have any questions or concerns, please reach out to your Client Account Manager.