For the last few months, we have carefully monitored the August 26th breach at LastPass, a leading password-management software company based in the US.
According to LastPass, most of this data, such as usernames and passwords, is encrypted. However, the URLs stored in password vaults are not. An attacker would still need a user's master password to decrypt the vault contents, but the unencrypted URLs make it easier to target the owners of that data.
Attackers can use the unencrypted data to launch targeted phishing attacks. Many security firms have also warned that they may use the leaked customer information to search the Dark Web for previously exposed, re-used passwords that could match a user's master password.
To protect your credentials stored in LastPass, here are a few of the steps we advise that you take:
Rotate any passwords and keys stored in LastPass
Check for password re-use across your sites & services
Enable MFA on everything
Warn your users of an increased risk of phishing
Pay careful attention to your accounts for breaches and suspicious activity
This story will likely continue to unfold. We’ve received more information indicating that some of the unencrypted data could be used for more than phishing.
This would also be a good time to do a third-party assessment to find compromised passwords on the dark web. If you’re re-using passwords in your environment, there is a higher chance that your master password may get cracked.
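As an added illustration of the "check for password re-use" step above and of the master-password concern in the previous paragraph (example code written for this post, not a LastPass tool), the script below audits a vault export offline. It assumes the CSV layout of a LastPass export (url, username, password, extra, name, grouping, fav columns); the sample rows are constructed and the passwords in them are not real. Passwords are reported only as truncated hashes so the output never contains plaintext.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; the column order is assumed to match LastPass's CSV export.
SAMPLE_EXPORT = """url,username,password,extra,name,grouping,fav
https://mail.example.com,alice@example.com,Winter2022!,,Work mail,Work,0
https://bank.example.net,alice,Winter2022!,,Bank,Finance,0
https://shop.example.org,alice@example.com,correct-horse-battery,,Shop,Personal,0
https://vpn.example.com,alice,Winter2022!,,VPN,Work,1
"""


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix used as a stand-in for the plaintext in reports.

    Unsalted hashing is acceptable here because the value is only compared
    against other entries of the same vault and never stored or shared.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def parse_export(export_csv: str) -> list:
    """Parse the export text into a list of row dicts, skipping entries with no password."""
    rows = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row.get("password"):
            rows.append(row)
    return rows


def find_reused_passwords(export_csv: str) -> dict:
    """Map each password fingerprint that appears on more than one site to the sorted list of sites.

    Every site in a returned group shares one password: if any of them is
    phished or breached, the others are exposed too, so they rotate first.
    """
    groups = defaultdict(list)
    for row in parse_export(export_csv):
        site = row.get("url") or row.get("name") or "<unnamed entry>"
        groups[fingerprint(row["password"])].append(site)
    return {fp: sorted(sites) for fp, sites in groups.items() if len(sites) > 1}


def is_master_password_reused(export_csv: str, master_password: str) -> bool:
    """True if the master password is also stored as a site password in the vault.

    A master password that doubles as a site password can be cracked from a
    breach of that site and then used to decrypt the whole vault.
    """
    master_fp = fingerprint(master_password)
    return any(fingerprint(row["password"]) == master_fp
               for row in parse_export(export_csv))


def main() -> None:
    reused = find_reused_passwords(SAMPLE_EXPORT)
    if not reused:
        print("No shared passwords found.")
    for fp, sites in reused.items():
        print(f"password {fp}... is used on {len(sites)} sites, rotate all of them:")
        for site in sites:
            print(f"  - {site}")
    # The master password is a constructed value here; a real audit would read it
    # from a prompt rather than hard-code it.
    if is_master_password_reused(SAMPLE_EXPORT, "Winter2022!"):
        print("Master password is also used as a site password: change it now.")


if __name__ == "__main__":
    main()
```

Run it against a real export only on a trusted machine and delete the export file afterwards; the export contains every vault password in plaintext, which is exactly the data the breach advice above is about protecting.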
If you are not already a client of ours, it is a good time to schedule a security assessment.