EO Advisor

LastPass Hacked

Critical News and Next Steps

April 13, 2023

It’s easy to “trust” our browser to remember our passwords but that’s a security risk.

It’s much safer to install a Password Manager that encrypts all of your passwords. Last August, EO Advisor published We Trust Our Browsers. That article contains important information about password protection.

The two password managers we mentioned in that article were LastPass and BitWarden. Unfortunately, LastPass had a “security incident” (essentially what people commonly refer to as a “hack” although there are certainly shades of grey under that term).

What Happened to LastPass

LastPass ultimately suffered two incidents:

The first incident involved a hacker compromising a software engineer’s corporate laptop. The hacker gained access to a cloud-based development environment where they stole source code, technical information, and some internal system secrets. Again, no customer data or vault data was taken during this incident. LastPass believed that the problem was contained and eradicated but the bad actor had actually stolen enough data to quietly wait for an employee to make a mistake and present the hacker with an “opportunity”. Then comes the second, more serious incident.
A senior DevOps engineer at LastPass was using their home computer for corporate work. According to LastPass; “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

As a result, the hacker, (also called a “threat actor”, in the cybersecurity community) gained access to encrypted customer data. For more tech-savvy readers, this will take you to LastPass’s latest update.

So far, there are no incidences we know of where customers have been harmed due to this situation. While unlikely, the bad actor could be using techniques that will eventually crack the encryption code. This could take weeks or even months to do, but it might happen eventually.

What You Need To Do:

The most secure thing to do is switch to a new password manager (and then sit back and wait for this kind of thing to happen that company as well…). However, there is no “perfect” approach. The practical goal is to stay ahead of the pack, so that your data is prohibitively difficult for a criminal to access, thus leading the criminal to pursue more easily obtainable prey. For a more practical approach, change your master password, use best practices for all passwords, then turn on multi-factor authentication for all accounts.
1. If you have an individual or family account with LastPass, click here for essential instructions.
2. If you have a business account with LastPass, hopefully, you’ve already taken action but if not, click here now.
If you’re a LastPass user who wants to switch to a new provider, a couple of choices to consider include 1Password or Bitwarden.
1. For tech-savvy users, Bitwarden is an excellent free product and open source. However, a certain level of computer competence will go a long way if you want to efficiently extract all of your passwords out of LastPass and import them into Bitwarden.
  1. For those who want this option, the instructions for migrating your passwords can be found here. For people who don’t mind paying a subscription fee of $36 per year, 1Password has an easier user interface than does Bitwarden.
1Password has a web page dedicated to helping new customers who want to switch from another service.

No matter the approach, this is yet another red alert regarding the importance of setting up 2-factor authentication and using unique, complex passwords.

The lesson for every business is to reinforce strict corporate policies that no employee, no matter how senior, should access sensitive company data using their personal devices. .

Like this article? Read more news about Cybersecurity, Featured.