top of page

LastPass Admits to Extensive Data Breach


For the last few months, we have carefully monitored the August 26th breach at LastPass, a leading password-management software company based in the US.

According to LastPass, most of this data, such as usernames and passwords, is encrypted. However, URLs used in password vaults are not. The hacker would still need a master password to decrypt all the stolen data, however, that increases the likelihood they will breach owners of unencrypted data they do have.

They can use the unencrypted data to launch targeted phishing attacks. Thus, many security firms have warned that hackers may try using leaked customer information to check the Dark Web for re-used passwords that may match master passwords.

To protect your credentials stored in LastPass, here are a few of the steps we advise that you take:

  • Rotate any passwords and keys stored in LastPass

  • Check for password re-use across your sites & services

  • Enable MFA on everything

  • Warn your users of an increased risk of phishing

  • Pay careful attention to your accounts for breaches and suspicious activity

This story seems that it will continue to unfold. We’ve received more information indicating that some of the unencrypted data could be used for more than phishing.

This would also be a good time to do a 3rd-party assessment to find compromised passwords on the dark web. If you’re re-using passwords in your environment, there is a higher chance that your master password may get cracked.

If you are not already a client of ours, it is a good time to schedule a security assessment.

16 views0 comments


Commenting has been turned off.
bottom of page