Learn about the LastPass data breach and get answers to key questions surrounding the continued use of password managers.
Peter Marsh
5 minutes
Cybersecurity
Jun 6, 2023
“Use a complex password, change it frequently, and don’t repeat it from site to site. Oh, and use a password manager.”
You’ve heard these recommendations from articles, security professionals, and probably your own IT team.
However, in the wake of the recent string of data breaches that hit Okta, Norton Lifelock, LastPass, and others in late 2022, many users—from casual users to technology pros—are questioning where they should go from here.
This article will cover what you need to know about the LastPass data breach and answer some of the most common questions about password security going forward.
In late December, LastPass released a worrying update to an ongoing security investigation it was conducting, sparked by an incident two weeks earlier. More than 25 million users had their data exposed, including the password manager’s most sensitive assets—its encrypted password vaults.
In short, a hacker was able to access a sensitive cloud storage environment using information gleaned from a previous breach of LastPass in summer 2022, which included “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”
Although this metadata is “in the clear”—meaning not encrypted or obfuscated—the passwords themselves are still protected by a strong level of encryption called 256-bit AES (Advanced Encryption Standard), with the encryption key derived from the user’s master password.
So what does all that mean? In short, if you use LastPass for personal or professional accounts, some of your information could be part of this data breach. However, your passwords are still secure unless 1) they are cracked (which can take years) or 2) your master password is compromised.
Understandably, this explanation can lead to even more questions than answers.
The short answer is yes.
The long answer is also yes, but ensure that you have strong password hygiene, including some of the recommendations below. Leveraged effectively, password managers offer a simple, secure, and effective way to generate, store, and use complex passwords. With a password manager, you only need to remember one password instead of dozens.
First, even if you believe your master password is secure and complex, it doesn’t hurt to change it now (if you haven’t already since December 2022).
Second, change the third-party passwords you kept stored in LastPass. This is especially important for bank accounts, health records, or internal business applications and services.
You’ve probably heard of having “good password hygiene,” but what does that mean? Here are a few key elements of having and maintaining strong passwords:
Unfortunately, even if you take the above steps, there is still the possibility that the LastPass data breach can affect you in the months to come.
Most prominently, cybercriminals will likely attempt to use phishing or other forms of social engineering—such as faking emails sent from LastPass or your internal IT team—trying to get you to reveal your master password.
Even if you don’t have LastPass (or any password manager), use this data breach as a reminder of the importance of maintaining strong passwords.
In addition to the guidance above, follow the recommendations from your security or IT team and conduct additional research as needed.
Password management is one of many ways to help protect your company's data. However, a strong security posture involves multiple lines of defense.
You'll want added protection for specific transactions, especially large value ones like wire payments. CertifID provides transaction level protection against wire fraud. Let us know if you'd like to learn more about the solution.
Head of Security, Compliance & IT
Peter heads the Security, Compliance, and IT operations for CertifID. His 25 years of experience in Security and IT, working for a diverse group of companies, has allowed him to create strategic plans that fit the specific needs of CertifID and build trust with our customers.