On December 22nd, 2022, the password-management company LastPass reported a serious security breach. For years, LastPass has been an award-winning password management solution, known for its industry-leading password security and identity management.
Businesses and individuals use LastPass to store logins and passwords to many systems, as well as sensitive information, like banking and credit card info.
How serious was the security breach? Very. A copy of the customer vault database, covering roughly 100,000 businesses and 33+ million users, was taken. A vault holds every login its owner could not remember, so each of those users lost dozens to hundreds of entries, meaning the bad guys now hold hundreds of millions of logins, passwords, and secure notes. LastPass has said the stolen vaults contain both unencrypted fields (the website URLs) and encrypted fields (usernames, passwords, secure notes, form data), along with customer account data such as names, email addresses, billing addresses, phone numbers, and the IP addresses users connected from.
This was a sophisticated, multi-phased attack that preyed on both technical and personnel weaknesses at the company: information taken in an earlier breach of LastPass's development environment in August was used to target an employee and obtain the credentials and keys needed to copy customer data out of cloud storage.
The good news, and there is a little, is that the vault contents are still encrypted, and LastPass never stored anyone's master password. To read a vault, the bad guys have to guess its owner's master password: the key that encrypts the vault is derived from the master password with PBKDF2, a deliberately slow key-stretching function, run 100,100 times by default on current accounts. Accounts set up before that default was raised and never updated may have a far lower count (LastPass's earlier default was 5,000), which makes every guess proportionally cheaper.
This means that breaking into even a single vault protected by a long, random master password could take months to years and thousands of dollars of computing time. That protection comes entirely from the master password, though: a short, reused, or guessable one (a pet's name and a year, a dictionary word with a digit tacked on) will fall to a standard cracking wordlist in minutes, no matter how many rounds of PBKDF2 stand in front of it.
Further, with that kind of trouble and expense ahead of them, the bad guys will likely first work out who owns which vault so they can prioritize high-value targets. The unencrypted website URLs in each vault and the stolen customer account data (names, email addresses, billing addresses, phone numbers) make that easy: vaults can be sorted by which banks, exchanges, and corporate systems they hold before a single hour is spent on cracking. Most of us sit well behind the banks, financial institutions, celebrities, and politicians on that list.
However, ultimately, all 33+ million users have to assume their password vaults will be broken into.
Yes. We’ve already received inquiries on what to do from customers, networking businesses, and business partners who use LastPass. At Chroma Marketing, we use LastPass.
It is likely that some piece of your business or personal information is in more than one LastPass data vault.
As in most things, don’t panic. Take the time to figure out which passwords are critical to your business or personal security and change them. You should do this anyway if, like a lot of people, you have used the same passwords for years or your passwords are weak. One caveat: changing your LastPass master password now does nothing for the copy that was stolen, which stays encrypted under the old master password. It is the passwords stored inside the vault that have to change, most important ones first.
You should not use the same password on different accounts, especially important accounts like banks or credit cards. Where an account offers two-factor authentication, turn it on; a password lifted from a cracked vault is then not enough on its own.
Watch out for phishing attacks aimed at yourself or your employees. Phishing is a form of social engineering in which attackers deceive people into revealing sensitive information, such as a password or a one-time login code. Because the stolen customer data includes names, email addresses, and phone numbers, expect targeted emails and calls claiming to come from LastPass or from the banks and services listed in your vault.
For example, if someone claiming to be from LastPass called to “check on your password,” that would be pretty obvious phishing. If someone commented on a picture of your dog on Facebook and asked the name of the cute pooch, that could be a less obvious attack, hoping your pet’s name forms part of a critical password or a security-question answer.
Just be careful out there, like you always should be.
What customer data was stored in Chroma Marketing’s LastPass vault?
In most cases, the passwords we stored were administrative in nature – meaning we are already changing out the old passwords and replacing them. No customer action is necessary regarding our internal admin logins.
In some cases, our LastPass vault stored customer-specific passwords, e.g. to a PayPal account, a Facebook login, or a GoDaddy account.
Our team will be identifying and contacting affected customers individually, in priority order, with the most sensitive data first. That means PayPal and ad campaigns first, then e-news, social media, analytics, etc.
Keep in mind that the bad guys do not, as far as anyone can detect, have cleartext access to any of the stolen vault data yet. Even when they do, there are over 33 million vaults, each of which takes real effort to crack open, and the ones with weak master passwords or low iteration counts will be opened first.
That gives us all the grace of time to act in a logical and organized fashion to change out all of our information and keep it safe. Even so, we plan to move quickly.
No. While LastPass has been a highly recommended, industry leading service, this incident signals to us that it is time for a change.
Yes. As we learn more, we will append information to this page.
Some commentators are saying this incident is one of the last nails in the coffin of passwords. What comes next, starting in 2023?
Passkeys are currently the front runner as a replacement standard for traditional passwords. Passkeys have the backing of Google, Apple, Microsoft, and the FIDO (Fast Identity Online) Alliance. They’re going to be everywhere, and soon.
Passkeys are the consumer-friendly name for FIDO2/WebAuthn credentials. Unlocking one uses whatever already unlocks the device, biometric authentication such as a fingerprint or facial recognition, or a PIN or swipe pattern; that biometric or PIN is checked on the device and never sent to the website. There are two parts to a passkey: a private key held on the device (or, for passkeys that sync, in the platform’s end-to-end encrypted keychain across the user’s own devices) and a public key stored with the website as part of the user’s account. To log in, the website sends a fresh one-time challenge, the device signs it together with the site’s address, and the website checks the signature against the public key. Nothing the website stores can be used by a thief to log in, and a lookalike phishing site ends up with a signature for the wrong address, which the real site rejects.
We’ll talk about passkeys more in future blogs.
Contact Us or give us a call at 412-610-3001.