LastPass Breach Included Encrypted and Unencrypted User Data

Cyber Alert

Clients Should Consider Updating Their Master Password

On December 22nd, LastPass, one of the world's largest password management companies, issued an update on its ongoing investigation into an August security incident. The update confirms that, using information taken during the August compromise of its development environment, the attacker was able to access a cloud-based storage service and copy a backup of customer vault data. That backup contains both unencrypted fields and encrypted fields.

Data that the attacker accessed and copied includes:

  • Unencrypted basic customer information such as company names, end-user names, billing and email addresses, telephone numbers, and the website URLs for which LastPass stores credentials.
  • Fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

LastPass stressed that the encrypted fields are protected with 256-bit AES and can be decrypted only with a key derived from the user's master password, which LastPass never stores. That key is derived on the client with PBKDF2-SHA256, by default 100,100 iterations; accounts that have not been updated since LastPass raised the default may still be set to far fewer iterations, which makes guessing proportionally cheaper. Because the attacker holds a copy of the vault, that guessing happens offline at the attacker's own pace, unconstrained by LastPass's rate limits or multifactor authentication, so the protection rests entirely on the strength of the master password and the iteration count.

Our recommendations

The risk of an attacker recovering a long, unique master password by offline guessing remains low. Short, reused, or dictionary-based master passwords, and accounts left on a low iteration count, are realistic targets. LastPass users should consider taking the following steps:

  • Update Your LastPass Master Password – Users should immediately change their master password if part or all of it is used on any other site, or if it fails to meet common length and complexity recommendations. Be clear about what this does and does not achieve: a new master password protects the live account and any future copies, but the backup the attacker already holds remains encrypted under the old master password and can still be attacked offline. If your existing password is strong and unique, change it when convenient for added security; if it is weak or reused, assume the vault contents may eventually be readable and rotate the credentials stored inside it (next step). While checking the master password, also confirm in account settings that the account's password iteration count is at the current default of 100,100 or higher.
  • Consider Changing Passwords for Sites Stored in LastPass – Since rotating the master password does not protect the copy already taken, changing the passwords stored in the vault is the only step that fully removes the value of the stolen encrypted data. Prioritize email, financial, and single-sign-on accounts, and any credential that is reused elsewhere, since the attacker also has the unencrypted list of sites where each user has credentials stored. Enable multifactor authentication on those sites where available, so a recovered password alone is not enough. LastPass clients may also consider using the company's automatic password-change feature for the sites that support it.
  • Be On Guard for Phishing Attacks – Unencrypted LastPass customer emails, telephone numbers, and the list of websites each user has stored are now in the attacker's hands. None of this is sensitive in isolation, but together it lets an attacker craft convincing, targeted phishing, for example a fake "reset your password" notice that names a site the user really does keep in their vault. Treat unsolicited messages that reference LastPass or a stored site with suspicion, and never enter the master password anywhere other than the LastPass application or browser extension; LastPass has stated it will not call, email, or text users to ask for it.
  • Firms That Use LastPass Should Notify Employees – Given how many companies and individuals use LastPass, firms should tell all employees about the breach and ask them to review their master password, check their iteration count, and rotate stored credentials, starting with any that protect company resources. Firms should also verify that multifactor authentication is enforced on corporate systems reachable with credentials that employees may have kept in LastPass. This will help minimize the risk to employees and help protect any company resources that an attacker could reach through employee data stored in LastPass.
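The following worked example, added for this alert and not code from LastPass, makes the reasoning behind the encryption description and the master-password recommendation concrete. It follows the key derivation LastPass has documented (PBKDF2-HMAC-SHA256, salted with the account email, 256-bit output, 100,100 iterations by default) and replaces the real AES decrypt-and-parse check with a keyed tag so that it runs with the Python standard library alone; that tag, the email address, the wordlist, the iteration figures used for the "legacy" account, and the cracking rate are constructed assumptions. It shows that a weak master password on a low-iteration account falls to a small wordlist, that a strong passphrase does not, that changing the master password after the theft leaves the stolen copy exactly as attackable as before, and how cracking cost scales with the iteration count.

```python
"""Offline guessing against a copied password-manager vault (added example).

Not LastPass code. Models the documented client-side derivation
(PBKDF2-HMAC-SHA256, salt = account email, 256-bit key) and stands in for
the AES decrypt-and-parse step with a keyed check. All sample data is
constructed for this example.
"""
import hashlib
import hmac

KEY_LEN = 32  # 256-bit AES key


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Client-side key derivation; the master password never leaves the client."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        KEY_LEN,
    )


def login_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the server keeps for authentication: one more PBKDF2 round of the
    vault key, salted with the password. It cannot decrypt a vault copy."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, KEY_LEN)


def vault_check_tag(vault_key: bytes) -> bytes:
    """ASSUMED stand-in for 'AES-decrypt a known field and see if it parses'.
    Either way the attacker gets a free, offline yes/no oracle that never
    touches LastPass servers, rate limits or MFA."""
    return hmac.new(vault_key, b"vault-structure-check", "sha256").digest()


def offline_attack(email, iterations, stolen_tag, candidates):
    """Dictionary attack on a copied vault. Returns (password or None, guesses)."""
    for n, candidate in enumerate(candidates, start=1):
        key = derive_vault_key(candidate, email, iterations)
        if hmac.compare_digest(vault_check_tag(key), stolen_tag):
            return candidate, n
    return None, len(candidates)


def seconds_to_exhaust(keyspace: int, iterations: int, hmac_per_second: float) -> float:
    """Each guess costs `iterations` HMAC-SHA256 calls, so cracking time scales
    linearly with the iteration count (constant factors omitted)."""
    return keyspace * iterations / hmac_per_second


# ---- constructed sample data ----
EMAIL = "alice@example.com"
LEGACY_ITERATIONS = 5_000      # assumed older-account setting; some are lower still
CURRENT_ITERATIONS = 100_100   # current LastPass default
WORDLIST = ["password", "letmein", "Welcome1", "Summer2022!", "P@ssw0rd", "lastpass1"]

WEAK_MASTER = "Summer2022!"                       # appears in the wordlist
STRONG_MASTER = "rivet-orchid-planet-63-cobalt"   # does not

# The attacker's copies: fixed at the moment the backup was taken.
STOLEN_WEAK_TAG = vault_check_tag(derive_vault_key(WEAK_MASTER, EMAIL, LEGACY_ITERATIONS))
STOLEN_STRONG_TAG = vault_check_tag(derive_vault_key(STRONG_MASTER, EMAIL, CURRENT_ITERATIONS))


def stolen_copy_after_rotation(new_master: str):
    """Alice changes her master password. The live vault is re-keyed under
    new_master, but the stolen copy was not, so the attack result is unchanged."""
    live_tag = vault_check_tag(derive_vault_key(new_master, EMAIL, CURRENT_ITERATIONS))
    assert live_tag != STOLEN_WEAK_TAG  # live vault really is re-keyed
    return offline_attack(EMAIL, LEGACY_ITERATIONS, STOLEN_WEAK_TAG, WORDLIST)


if __name__ == "__main__":
    print("weak master, legacy iterations:  ",
          offline_attack(EMAIL, LEGACY_ITERATIONS, STOLEN_WEAK_TAG, WORDLIST))
    print("strong master, current iterations:",
          offline_attack(EMAIL, CURRENT_ITERATIONS, STOLEN_STRONG_TAG, WORDLIST))
    print("stolen copy after master rotation:",
          stolen_copy_after_rotation("new-very-long-passphrase-91"))
    keyspace = 36 ** 8  # every 8-character lowercase-plus-digit password
    for it in (LEGACY_ITERATIONS, CURRENT_ITERATIONS):
        days = seconds_to_exhaust(keyspace, it, 1e10) / 86400  # 1e10 HMAC/s is an assumed rate
        print(f"{it:>7} iterations, 36^8 keyspace: {days:.1f} days to exhaust")
```

The cost function is the point of the last loop: the same keyspace takes 20 times longer at 100,100 iterations than at 5,000, which is why checking the account's iteration setting belongs next to checking the master password itself. Nothing in the block needs network access, exactly as nothing in the attacker's position does once the backup has been copied.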

How we help

We can help your firm establish and test its cybersecurity program to ensure that it meets or exceeds industry standards. Our team can:

  • Develop and review written policies and procedures that meet your firm’s regulatory requirements and the latest industry standards
  • Assess your policies and procedures to confirm they accurately reflect the cybersecurity procedures currently in practice at your firm
  • Test your systems to identify network vulnerabilities and provide remediation recommendations

For questions about this alert, or to find out how we can help you meet your regulatory cybersecurity obligations, please reach out to your ACA Aponix consultant, or contact us below.

Contact us