What you need to know about the LastPass breach.
In August 2022, the password management company LastPass suffered a data breach in which attackers accessed a development server and obtained private source code and “proprietary technical information.” LastPass reassured customers that no user data was accessed in the initial attack. However, in November 2022, it was revealed that the hackers had used information stolen in the August attack to exploit a third-party cloud service used by LastPass and gain access to customer information. It is unclear which customers were affected or whether the stolen data included encrypted password vaults.
On December 22, 2022, LastPass announced that the hackers had obtained a copy of customer data backups. While most of the data, including usernames and passwords, is encrypted, URLs stored in password vaults are not. This means that a hacker would still need access to a vault owner’s master password to decrypt the stolen data. However, the unencrypted data could be used for targeted phishing attacks or to search the dark web for reused passwords that might match master passwords.
In light of the ongoing situation, LastPass (and we concur) advises its users to rotate passwords and keys stored in their service, check for password reuse, enable multi-factor authentication, be alert to an increased risk of phishing, and carefully monitor accounts for suspicious activity. It is also recommended that users run a third-party assessment to check for compromised passwords on the dark web and avoid reusing passwords. Users are reminded that LastPass will never ask for sensitive information via text, phone, or email, and will not send links to verify personal information.
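The two checks above (password reuse, and in particular a stored password that matches the master password) can be run offline against a vault export. The following is an added example written for this article, not a LastPass tool; it assumes a CSV export with url, username, password and name columns (a constructed sample is embedded) and a hypothetical master password supplied by the user. It also lists the URLs in the clear, since that is the part of a backup an attacker can read without the master password, and shows the SHA-1 prefix that a k-anonymity breach-lookup service receives instead of the password itself.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export (not real data). Column layout is an assumption.
SAMPLE_EXPORT = """url,username,password,name
https://example-bank.test,alice,Tr0ub4dor&3,Bank
https://example-mail.test,alice@example.test,Tr0ub4dor&3,Mail
https://example-shop.test,alice,correct horse battery staple,Shop
https://example-forum.test,alice_f,hunter2,Forum
"""


def parse_vault_export(text):
    """Parse a CSV vault export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_reused_passwords(entries):
    """Return {password: [entry names]} for every password used by more than one entry."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["password"]].append(entry["name"])
    return {pw: names for pw, names in groups.items() if len(names) > 1}


def entries_matching_master(entries, master_password):
    """Entries whose stored password equals the master password.

    A master password reused on another site is the case the article warns about:
    a leak of that site's password would unlock the encrypted vault backup.
    """
    return [e["name"] for e in entries if e["password"] == master_password]


def exposed_urls(entries):
    """URLs are stored unencrypted in the vault, so this list is what an attacker
    holding only the backup (no master password) can already read."""
    return [e["url"] for e in entries]


def breach_lookup_prefix(password):
    """Split the SHA-1 of a password into the 5-hex-char prefix a k-anonymity range
    lookup sends and the suffix compared locally. No network call is made here."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def audit(export_text, master_password):
    """Run all checks over an export and return the findings as a dict."""
    entries = parse_vault_export(export_text)
    return {
        "reused": find_reused_passwords(entries),
        "master_reused": entries_matching_master(entries, master_password),
        "plaintext_urls": exposed_urls(entries),
    }


if __name__ == "__main__":
    # Hypothetical master password chosen to trigger the reuse finding.
    report = audit(SAMPLE_EXPORT, "Tr0ub4dor&3")
    for pw, names in report["reused"].items():
        print(f"password shared by {len(names)} entries: {', '.join(names)}")
    if report["master_reused"]:
        print("master password is also stored for:", ", ".join(report["master_reused"]))
    print("URLs readable without the master password:")
    for url in report["plaintext_urls"]:
        print("  ", url)
```

Entries flagged under "master_reused" should be rotated first, since a rotated vault password does nothing while the old one is still live on another site; the URL list is a reminder of which services a phishing lure is likely to imitate.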