Last Straw for LastPass?
It's time to consider an alternative to LastPass
In an update to the August 2022 LastPass breach that I had previously reported on, LastPass is now reporting that there has been a further, and much more concerning, breach of their environment.
What’s the latest?
In this latest update, LastPass is now saying that information obtained by the hacker from the August breach was then used in a subsequent attack to access and download customer data from their cloud backup environment. This data included company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. Most concerning was that the attacker was able to obtain customer vault data, which could then be decrypted offline, exposing all of the customer’s passwords. While they did not specify if ALL customer vaults were downloaded, that was the implication.
If the LastPass user had created a strong master password and was not using it elsewhere, the vault data should be secure. However, if the attacker had been able to obtain that password or clues to what it might be from other sources, then the vault data is much more vulnerable. This, combined with the unencrypted data exposed as described above, could lead to a variety of social engineering attacks against LastPass users.
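As an added example that is not part of the original post, the check below makes the paragraph's point concrete: once the encrypted vault is in an attacker's hands, only the key derived from the master password protects it, so that password's strength and uniqueness decide the outcome. It assumes a PBKDF2-HMAC-SHA256 derived key, an assumed offline guess rate, a 60-bit policy threshold and a constructed stand-in for a leaked-password list; none of these figures come from the post.

```python
import hashlib
import math

# Illustrative assumptions (not from the post): the vault key comes from
# PBKDF2-HMAC-SHA256, and an offline attacker holding the encrypted vault
# can test this many master-password guesses per second against it.
PBKDF2_ITERATIONS = 100_000
ASSUMED_GUESSES_PER_SECOND = 1_000_000
MIN_ACCEPTABLE_BITS = 60  # policy threshold chosen for this example only

# Constructed stand-in for a breach corpus; a real check would consult an
# offline copy of a leaked-password list rather than this hard-coded set.
CONSTRUCTED_LEAKED_PASSWORDS = {"password123", "letmein2020", "Summer2022!"}


def charset_size(password: str) -> int:
    """Size of the smallest conventional character pool covering the password."""
    pools = (
        (26, str.islower), (26, str.isupper), (10, str.isdigit),
        (33, lambda c: not c.isalnum()),
    )
    return sum(size for size, test in pools if any(test(c) for c in password))


def guess_space_bits(password: str) -> float:
    """Bits an attacker must search to brute-force the password's pool (upper bound)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def expected_crack_seconds(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected offline time to hit the password: half the search space at the assumed rate."""
    return 2 ** (guess_space_bits(password) - 1) / rate


def derive_vault_key(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """The only secret standing between a stolen vault and its contents: the derived key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def assess_master_password(password: str) -> dict:
    """Decide whether a vault protected by this password needs its contents rotated after theft."""
    bits = guess_space_bits(password)
    leaked = password in CONSTRUCTED_LEAKED_PASSWORDS
    years = expected_crack_seconds(password) / (365 * 24 * 3600)
    return {
        "bits": round(bits, 1),
        "expected_crack_years": years,
        "reused_or_leaked": leaked,
        "rotate_vault_passwords": leaked or bits < MIN_ACCEPTABLE_BITS,
    }
```

A master password that is both long and absent from breach corpora leaves the attacker with nothing but the full search space; one that is short or already leaked turns the stolen vault into an offline problem the attacker can finish at leisure.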
What should you do?
I had previously held the position that, since all of the popular password managers are under constant attack, there was nothing overly concerning about the August attack that should cause users to change their minds. With this latest revelation, I am changing that opinion.
Not only does this latest successful attack indicate other serious weaknesses in LastPass security controls, but the length of time it has taken LastPass to detect this attack and notify customers is also cause for alarm, especially for LastPass business users.
While I still strongly recommend the use of a well-made and secure password manager, I no longer consider LastPass part of this group. If you are currently using LastPass for business or personal use, now would be a good time to reevaluate your options. If you have a relatively weak master password, you should also consider changing all the passwords in your LastPass vault, an activity that has the potential to take days, depending on how many you were storing.