LastPass Was Hacked. What’s the latest? What should we do?

A few days ago LastPass released their most recent update on their cyberattack from August 2022.

What happened?

IF your data was involved in the compromise:

  1. The attackers WILL be able to see your name, email address, billing address, company name, phone number, the website URLs stored in your vault entries (ex: email, bank, social media, etc.), and the IP addresses used to access LastPass. This information was stored UNENCRYPTED and is therefore directly readable.

  2. The attackers also obtained backup copies of customer vaults, both current and old versions. Inside those copies the website usernames, passwords, secure notes, and form-fill data are ENCRYPTED with a key derived from your LastPass master password (the password used to open your vault and view the passwords protected by LastPass). LastPass does not store your master password, so the attackers have to guess it, and because they hold their own copies of the vaults they can run those guesses offline, with no lockout and no rate limiting. If they guess it (or trick you into giving it up through phishing or other social engineering), they can open your current vault OR an old version of your vault and see ALL your passwords. How long the guessing takes depends on the strength of your master password and on the number of key-derivation (PBKDF2) iterations set on your account; older accounts may still be set to a much lower count than the current default of 100,100.

What does this mean?

  1. It is critical to have a strong LastPass master password. Keep in mind that changing it now protects your live account but does nothing to the stolen copies; those are protected only by the master password you had when they were taken.

  2. You may experience an increase in phishing emails, texts, and phone calls to trick you into providing your LastPass master password.

What should you do next?

If you are a LastPass customer:

  1. Change your LastPass master password. Make sure it is 16+ characters, has UPPER case, lower case, special characters, and numbers. A passphrase of several randomly chosen words is easier to remember and, at the same length, at least as strong. See our Facebook page for ideas on how to create strong passwords that you can easily remember.

  2. Change important passwords like bank, retirement, primary email, social media, and any other important accounts. This is the step that actually protects you from the stolen vault copies: a password changed after the breach is worthless to an attacker who later opens an old vault. If your old master password was short or reused anywhere, treat EVERY password in the vault as exposed and change them all, starting with the important ones.

  3. Ensure Multi-factor authentication (MFA) is enabled for your LastPass account AND all critical accounts saved in LastPass (banking, social media, primary email, etc). Note that LastPass MFA only protects logins to LastPass itself; it does not stop someone from decrypting a stolen vault copy offline, which is why MFA on the individual accounts matters most. If you’ve had a HomeFront Home Cyber evaluation, LastPass MFA should be enabled.

  4. Ensure LastPass passwordless authentication is enabled. If you’ve had a HomeFront Home Cyber evaluation this has been enabled.
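To make the master-password advice above concrete (the offline guessing described under "What happened?" and the 16+ character rule in step 1), here is an added example written for this post; it is not code from LastPass or from HomeFront. It generates a random passphrase with Python's `secrets` module and estimates how long an attacker holding a stolen vault copy would need to guess a master password offline. The attacker throughput (`ASSUMED_HMAC_PER_SECOND`), the two iteration counts, the tiny constructed `SAMPLE_WORDS` list, and all function names are assumptions made for the example. The model charges one HMAC per PBKDF2 iteration per guess and assumes the password is truly random, so it is an upper bound for anything a human chose by hand.

```python
import math
import secrets

# Constructed mini wordlist, for demonstration only. A real passphrase wordlist
# (e.g. the EFF long list) has 7,776 entries; use one of those in practice.
SAMPLE_WORDS = [
    "anchor", "basil", "copper", "dune", "ember", "falcon",
    "garnet", "harbor", "iris", "juniper", "kettle", "lantern",
]

# Assumed attacker capability (an assumption, not a measured figure): raw
# HMAC-SHA256 throughput of a GPU cracking rig. PBKDF2 makes every guess cost
# `iterations` HMACs, so the guess rate is this figure divided by the count.
ASSUMED_HMAC_PER_SECOND = 1e10
LASTPASS_DEFAULT_ITERATIONS = 100_100   # LastPass default since 2018
LEGACY_ITERATIONS = 5_000               # assumed value for an older, never-upgraded account


def generate_passphrase(words, word_count, sep="-"):
    """Pick `word_count` words uniformly at random using the `secrets` CSPRNG."""
    if word_count < 1 or len(words) < 2:
        raise ValueError("need at least one word and a wordlist of 2+ entries")
    return sep.join(secrets.choice(words) for _ in range(word_count))


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of a random passphrase: each word contributes log2(list size)."""
    return word_count * math.log2(wordlist_size)


def charset_password_entropy_bits(length, charset_size=94):
    """Entropy of a random password over a charset (94 = printable ASCII)."""
    return length * math.log2(charset_size)


def pbkdf2_guess_rate(hmac_per_second, iterations):
    """Master-password guesses per second the attacker gets against PBKDF2."""
    return hmac_per_second / iterations


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Expected time to hit the right guess: half the keyspace on average."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


def crack_time_table(hmac_per_second=ASSUMED_HMAC_PER_SECOND):
    """Expected offline crack time, in years, for several master-password
    choices at the legacy and current PBKDF2 iteration counts.
    Returns {(label, iterations): years}."""
    seconds_per_year = 365.25 * 24 * 3600
    candidates = {
        "8 random chars": charset_password_entropy_bits(8),
        "16 random chars": charset_password_entropy_bits(16),
        "4-word passphrase": passphrase_entropy_bits(4, 7776),
        "6-word passphrase": passphrase_entropy_bits(6, 7776),
    }
    table = {}
    for label, bits in candidates.items():
        for iters in (LEGACY_ITERATIONS, LASTPASS_DEFAULT_ITERATIONS):
            rate = pbkdf2_guess_rate(hmac_per_second, iters)
            table[(label, iters)] = expected_crack_seconds(bits, rate) / seconds_per_year
    return table


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 5))
    for (label, iters), years in sorted(crack_time_table().items()):
        print(f"{label:18s} @ {iters:>7,} iterations: {years:.3g} years")
```

Run it and compare the rows: the iteration count multiplies every row by the same factor (about 20x between 5,000 and 100,100), while each extra random word multiplies the time by the wordlist size and each extra random character by the charset size. Length wins over complexity rules, and a vault copy taken from an account with a low iteration count is the one most worth worrying about.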

Should LastPass users change to another password manager?

It depends on preferences and risk appetite. Some well-known members of the cybersecurity community have publicly announced they are changing password managers, but others are continuing to use LastPass and taking actions similar to the recommendations noted above.

If you’re considering a transition from LastPass, keep in mind:

  1. ALL cloud password management solutions (LastPass, 1Password, iCloud Keychain, etc.) are targeted and have the potential to be compromised. What differs between products is how costly a stolen copy is to crack offline and how much of the vault's contents (URLs, notes, metadata) is encrypted along with the passwords.

  2. Often companies that have been hacked respond quickly with substantial improvements to cybersecurity. Companies that haven’t been hacked sometimes lack the same sense of urgency.

  3. The option that keeps your vault out of anyone else's cloud is a local password manager like KeePass: the encrypted database file stays only where you put it. The trade-off is fewer features: no built-in secure sharing of passwords with friends, no family sharing, no access from anywhere unless you sync the file yourself, manual software updates, and backups become your own responsibility.

Is HomeFront Cybersecurity continuing to use LastPass?

HomeFront is still using LastPass, but we are also discussing the possibility of using a different solution. We will keep our clients updated regarding our final decision.

Still have questions?

Please message us on Facebook or send an email to info@homefrontcs.com and we will respond as soon as possible.
