The LastPass Breach

LastPass recently posted on their blog the findings of the breach that started this summer (2022). You can find their blog post here.

What this means in layman's terms

Backup copies of customer vault data, including the fields that hold your usernames and passwords, are now in the hands of threat actors. The vaults are encrypted, but because the attackers hold the data offline they can guess master passwords at their own pace, with no lockout and no server in the way. Given enough time and computing power a weak master password could be cracked, and that vault would then be readable in the clear.

There are a few things missing from the report:

  • Which customers were affected by this breach?
  • How old the stolen backup is (for example, does it include data from 2022, or only from 2021 and earlier?)

Should I be concerned?

Even if the stolen data includes your vault, the sensitive fields in it (usernames, passwords, secure notes, form-fill data) are encrypted with 256-bit AES under a key derived from your master password, and that key is only ever computed on your own device. According to LastPass, "it would take millions of years to guess your master password using generally-available password-cracking technology." Two caveats apply to that estimate. It assumes a long, unique master password that does not appear in any wordlist, and it assumes your account uses the current default of 100,100 PBKDF2-SHA256 iterations for key derivation; older accounts may still be set to a far lower count, and you can check and raise "Password Iterations" under Account Settings > Advanced Settings. LastPass's notice also states that some fields in the backups, such as website URLs, were not encrypted, so an attacker can see which sites you hold accounts at even without your master password.

When we recommended LastPass as our password manager, we did so knowing full well that even in the event of a data breach or a government subpoena, your data would still be encrypted and could only be decrypted with your master password, which LastPass itself never holds. This design is called a zero-knowledge architecture, and you can find more about it here.

Our Zero-Knowledge Security Model | LastPass (www.lastpass.com)

What should I do now?

We are following LastPass's recommendation that no further action is required. However, if you want to take your security to the next level and be as secure as you can be, we make the following recommendations. Keep in mind that these are not required.

  1. Change your master password. This re-encrypts your entire vault under a new key derived from the new password (the vault key is a symmetric AES key derived from the master password, not a private key). We recommend this because if your old master password is ever recovered, the threat actors will not be able to use it to log in to your current vault. Keep in mind that this does nothing for the already stolen data: the backup was encrypted under the old key, so if they recover your old master password they can still read that point-in-time copy of what your vault once was.
  2. Go to your high-value web sites and change the passwords there. For example, your main e-mail, banks and credit cards. This does not have to be done all at once; we recommend a priority-based approach, changing the passwords of your most valuable sites first and the lower-value sites later. We recommend this because if your master password is deciphered, the threat actors will have the contents of your entire stolen vault. We mitigate this by changing the passwords of your most valuable assets, so that even if the master password is deciphered, the passwords the attackers recover for those assets will no longer work.
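To make the two points above concrete (why the "millions of years" figure depends on the master password and the iteration count, and why changing the master password re-keys the current vault but not the stolen backup), here is an added example that is not part of this post or of LastPass's own code. It models the LastPass derivation as publicly documented: PBKDF2-SHA256 with the lowercased e-mail as salt to produce the vault key, and one extra round of PBKDF2 to produce the login hash the server stores. Because the standard library has no AES, a keyed MAC over the stolen bytes stands in for "does this candidate key decrypt the vault?"; that stand-in, the sample vault bytes, the wordlist and the assumed hash rate of 1e10 SHA-256/s are all constructed for the demo.

```python
"""Zero-knowledge key derivation and offline cracking cost, modelled on the
LastPass scheme (PBKDF2-SHA256 with the lowercased e-mail as salt). Standard
library only; the vault "tag" below is a stand-in for AES vault decryption."""
import hashlib
import hmac

DEFAULT_ITERATIONS = 100_100  # LastPass default since 2018; older accounts may be lower


def derive_key(master_password: str, email: str, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Vault encryption key, computed on the client and never sent to LastPass."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, 32)


def login_hash(key: bytes, master_password: str) -> bytes:
    """What the client sends to log in: one more PBKDF2 round over the key.
    The server stores only this, so a dump of the server database yields
    neither the master password nor the vault key."""
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode("utf-8"), 1, 32)


def vault_tag(key: bytes, backup_blob: bytes) -> bytes:
    """Stand-in (assumption for this demo) for 'does this key decrypt the vault?'.
    The real vault is AES-256 ciphertext; a keyed MAC over the stolen blob plays
    the same role: it lets whoever holds the blob confirm a candidate key offline."""
    return hmac.new(key, backup_blob, hashlib.sha256).digest()


def offline_crack(candidates, email: str, iterations: int, stolen_blob: bytes, stolen_tag: bytes):
    """A thief of the backup knows the salt (your e-mail) and iteration count, so
    every guess costs them `iterations` PBKDF2 rounds and no server is involved.
    Returns the guessed master password, or None if no candidate matched."""
    for guess in candidates:
        key = derive_key(guess, email, iterations)
        if hmac.compare_digest(vault_tag(key, stolen_blob), stolen_tag):
            return guess
    return None


def expected_crack_years(keyspace: int, iterations: int, sha256_per_second: float) -> float:
    """Expected brute-force time. One PBKDF2-HMAC-SHA256 iteration is about two
    SHA-256 compressions, so guesses/s = hash rate / (2 * iterations), and on
    average half the keyspace is searched before the password is found."""
    guesses_per_second = sha256_per_second / (2 * iterations)
    return (keyspace / 2) / guesses_per_second / (365 * 24 * 3600)


def demo() -> dict:
    email = "User@Example.com"
    # Constructed sample backup, standing in for a vault copy taken from the
    # stolen storage. In reality this is AES ciphertext; here it is just bytes.
    old_blob = b"point-in-time vault copy: bank=hunter2 mail=qwerty123"
    old_pw, new_pw = "Summer2022!", "gU5-wq7@nT6#xP9"
    old_key = derive_key(old_pw, email)
    stolen_tag = vault_tag(old_key, old_blob)

    # Changing the master password re-keys the current vault, but the stolen
    # backup stays sealed under the old key, which the old password still derives.
    new_key = derive_key(new_pw, email)
    old_key_still_opens_backup = hmac.compare_digest(vault_tag(old_key, old_blob), stolen_tag)
    new_key_opens_backup = hmac.compare_digest(vault_tag(new_key, old_blob), stolen_tag)

    # Offline guessing with a small constructed wordlist: a master password that
    # appears in any wordlist falls regardless of the "millions of years" figure.
    wordlist = ["password", "Summer2021!", "Summer2022!", "correct horse battery"]
    cracked = offline_crack(wordlist, email, DEFAULT_ITERATIONS, old_blob, stolen_tag)

    # Work factor for a random 12-character alphanumeric password at an assumed
    # 1e10 SHA-256/s (round figure, assumption): iterations scale the cost linearly.
    years_default = expected_crack_years(62 ** 12, DEFAULT_ITERATIONS, 1e10)
    years_legacy = expected_crack_years(62 ** 12, 5_000, 1e10)

    return {
        "keys_differ": old_key != new_key,
        "old_key_still_opens_backup": old_key_still_opens_backup,
        "new_key_opens_backup": new_key_opens_backup,
        "cracked": cracked,
        "years_default": years_default,
        "years_legacy": years_legacy,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the wordlist recovering "Summer2022!" in a few hundred milliseconds despite 100,100 iterations, the old key still opening the backup after the password change, and the legacy 5,000-iteration setting cutting the brute-force estimate by a factor of about twenty. The estimate is only meaningful for a random password; for a guessable one the wordlist result is the realistic outcome.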