LastPass was breached in August 2022 and the vaults in which customer passwords are kept were stolen. On November 30th, LastPass informed all customers of a related security incident: with copies of these vaults in hand, the attackers can attempt to brute-force their way into them and gain access to the passwords stored inside.
What we learned about this breach over the past month:
- The URLs and notes within the LastPass vault were not encrypted
- The passwords ARE encrypted
- LastPass Enterprise accounts that use SSO and did not have a master password for their vaults are potentially in a safer position than LastPass Teams or LastPass Personal accounts.
If you are using LastPass with a master password, our recommendation is to change all the passwords for the websites that were kept within the vault. Yes, we understand that this could be a monumental undertaking.
Because LastPass's communication about this breach has kept changing, and because the vaults themselves were stolen, Nucleus does not recommend using LastPass at this time.
Should we use a Password Manager?
This is a debate that has been going on for a very long time and comes down to your risk tolerance. In our opinion, the absolute worst thing you can do is re-use the same password for multiple services. We’ve seen it firsthand where a password used on LinkedIn was stolen as part of a breach at LinkedIn and that same password was used to log into corporate accounts and access email. Re-using passwords is an absolute no-no and must be discouraged as much as possible.
Since we cannot remember an infinite number of 12+ character passwords, that leaves us with two options: write them down or use a password manager.
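One practical way to act on the two points above (never reuse a password, keep every password at 12+ characters) is to audit an exported credential list for exactly those two problems before rotating. The script below is an added example written for this post, not code from Nucleus or LastPass; the vault records in it are constructed sample data, and the report works from short hash fingerprints so the plaintext passwords are never echoed back.

```python
"""Audit an exported password list for reuse and for passwords under 12 characters.

Added example for this post; SAMPLE_VAULT is constructed data, not real credentials.
"""
import hashlib
from collections import defaultdict

MIN_LENGTH = 12  # the "12+ character" guidance from the post

# Constructed sample export: (site, username, password)
SAMPLE_VAULT = [
    ("linkedin.com", "alice", "Summer2019!xyz"),
    ("mail.example-corp.com", "alice@example-corp.com", "Summer2019!xyz"),  # same as LinkedIn
    ("bank.example", "alice", "correct-horse-battery-staple-42"),
    ("forum.example", "alice", "short1"),                                    # under 12 chars
    ("shop.example", "alice", "Summer2019!xyz"),                             # reused again
]


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix used as a label so reports never contain the plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reuse(vault):
    """Return {fingerprint: [sites]} for every password that appears on more than one site."""
    sites_by_password = defaultdict(list)
    for site, _user, password in vault:
        sites_by_password[fingerprint(password)].append(site)
    return {fp: sites for fp, sites in sites_by_password.items() if len(sites) > 1}


def find_short(vault, min_length=MIN_LENGTH):
    """Return the sites whose password is shorter than min_length."""
    return [site for site, _user, password in vault if len(password) < min_length]


def rotation_order(vault):
    """Order every site for rotation: reused passwords first, short ones next, then the rest.

    Every site is still listed, matching the advice to change all of them; the order
    only says where to start.
    """
    reused = {site for sites in find_reuse(vault).values() for site in sites}
    short = set(find_short(vault))
    first = [site for site, _, _ in vault if site in reused]
    second = [site for site, _, _ in vault if site in short and site not in reused]
    rest = [site for site, _, _ in vault if site not in reused and site not in short]
    return first + second + rest


def report(vault):
    """Human-readable summary of the audit, printing fingerprints rather than passwords."""
    lines = []
    for fp, sites in find_reuse(vault).items():
        lines.append(f"password {fp} is reused on {len(sites)} sites: {', '.join(sites)}")
    for site in find_short(vault):
        lines.append(f"{site}: password shorter than {MIN_LENGTH} characters")
    lines.append("rotate in this order: " + " -> ".join(rotation_order(vault)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_VAULT))
```

Run it against a real export only on the machine where the export lives, and delete the export afterwards; the fingerprints in the output are enough to identify which entries to fix.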
If you have any questions or concerns about this breach, password management or your security in general, please reach out to us.
Additional Resources: