
The LastPass Breach: What It Means for Privacy and Cybersecurity

At the end of 2022, LastPass announced that an unauthorized party had gained access, in August of 2022, to the third-party cloud-based storage service that LastPass uses to store archived backups of its production data.

Some source code and technical information stolen from LastPass' development environment were used to target an employee, yielding credentials and keys that were then used to access and decrypt some storage volumes within the cloud-based storage service. The information stored included customer account information and related data like company names, end-user names, billing addresses, email addresses, phone numbers, and IP addresses.

If your company uses LastPass, here is what you need to know.

What This Means for Your Company’s Privacy and Security

LastPass released a statement that fully encrypted sensitive fields remained secure during the data breach. This means that sensitive fields like website usernames and passwords, secure notes, and form-filled data remained protected. The only way they can be accessed is with a unique encryption key derived from each user’s master password. This password is never known, stored, or maintained by LastPass.

The attacker may attempt to use brute force to guess your master password and decrypt the copies of vault data, but because of the hashing and encryption methods LastPass uses, this should be very difficult for customers who follow best practices for creating passwords. Users should change their master password for an added layer of protection. This will not have any effect on the already-downloaded vaults, which remain protected with the previous master password, but it would help protect against future attacks. Out of an abundance of caution, many experts recommend changing all site passwords that were stored in the vault. Start with passwords for your most sensitive accounts, such as those for financial institutions and healthcare-related sites. As always, enabling two-factor authentication (2FA) whenever possible is highly recommended.

The attacker may also try to target users with phishing attacks or credential stuffing. To protect your company, it’s important to let your staff know about phishing scams and that LastPass would not call, email, or text them asking to click a link to verify personal information.
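
The following Python sketch is an added example, not code from LastPass or from this article. It models a vault copy whose key is derived from the master password and shows why changing the master password does nothing for a copy that was already taken. PBKDF2-HMAC-SHA256, the iteration count, the guess rate, and all names and passwords are assumptions; the article does not name LastPass' algorithm or parameters.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumed work factor, not a figure from the article
CHECK_MSG = b"vault-check"    # constructed constant; stands in for the vault contents

def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a key (PBKDF2 is an assumed stand-in KDF)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)

def make_vault_copy(master_password: str, iterations: int = ITERATIONS) -> dict:
    """Toy vault: only the salt, work factor and a key-check tag are stored."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    tag = hmac.new(key, CHECK_MSG, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "tag": tag}

def unlocks(copy: dict, candidate: str) -> bool:
    """True if the candidate password derives the key that protects this copy."""
    key = derive_key(candidate, copy["salt"], copy["iterations"])
    tag = hmac.new(key, CHECK_MSG, hashlib.sha256).digest()
    return hmac.compare_digest(tag, copy["tag"])

def years_to_exhaust(entropy_bits: float, iterations: int, hashes_per_second: float) -> float:
    """Time to try every password of the given entropy at an assumed hash rate."""
    guesses_per_second = hashes_per_second / iterations
    return 2 ** entropy_bits / guesses_per_second / (365 * 24 * 3600)

def rotation_scenario() -> dict:
    """Backup copy taken before the breach vs. the vault after the user rotates."""
    old_pw, new_pw = "constructed-old-master", "constructed-new-master"
    stolen_copy = make_vault_copy(old_pw)   # what sits in the archived backup
    live_vault = make_vault_copy(new_pw)    # re-keyed after the password change
    return {
        "stolen_opens_with_old": unlocks(stolen_copy, old_pw),
        "stolen_opens_with_new": unlocks(stolen_copy, new_pw),
        "live_opens_with_old": unlocks(live_vault, old_pw),
    }

if __name__ == "__main__":
    print(rotation_scenario())
    for bits in (40, 60, 80):   # constructed password strengths
        print(bits, "bits:", f"{years_to_exhaust(bits, ITERATIONS, 1e9):.3g} years")
```

The stolen copy still opens with the old master password, which is why the site passwords stored in it need changing too, and the estimate shows how quickly the exhaustion time grows with master-password strength.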

How to Protect Your Company from Phishing Attacks

To prepare your business for phishing attacks from impersonators of your company or LastPass, email filters are a great way to prevent these emails from reaching the targeted recipient. The filters block malicious emails by quarantining the messages and passing them to an administrator, who reviews each one to determine whether it is phishing or a false positive.

Since it can be difficult for users to identify malicious emails, cybersecurity should not be left to human interception, as that increases risk. It should be a combined effort of employee training, email cybersecurity, and access controls to limit the damage.

How to Implement Cybersecurity Protection at Your Business

To protect your business against data breaches, phishing scams, and other security vulnerabilities, installing a proven cybersecurity solution and system is important. PacGenesis partners with cybersecurity professionals and providers to enable your business to protect your employees, data, and resources. We are passionate about helping businesses stay secure, which is why we meet with you to learn what you’re looking for before pairing you with one of our industry-leading partners. Contact us today to get started.
To learn more about PacGenesis, follow @PacGenesis on Facebook, Twitter, and LinkedIn or visit us at pacgenesis.com.


YMP Admin
