Dave Peters on LastPass breach & how to stay protected

If, like me, you use LastPass, you may have seen they’ve had a fairly serious security incident in August of this year.

The result of this was:

“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data”

Ultimately, your passwords and usernames are safe, provided that a strong and unique master password was used to access your LastPass “vault”.

However, it appears that all the website URLs and your primary username/email address may have been exposed, giving the threat actor information about YOU and the websites that you use.

In short:

  • Credit card data is safe.
  • Passwords and usernames are safe.
  • They didn’t encrypt ALL of the data: the websites you use your passwords with are compromised.
  • Your master username / email address is likely compromised.

The last part means it’s highly likely threat actors will use this information in phishing campaigns, some of which may even reference the LastPass breach as a reason you should click their links and change your password for “security reasons”.

Please be VERY vigilant about password reset alerts in the coming year: always check the actual URL and, if in any doubt, browse directly to the website/service in question rather than clicking anything at all.

It is extremely easy for a threat actor to register “doppelganger” domains that look very similar to the “real” domain; for example, Santander.co.uk becomes samtander.co.uk, santamder.co.uk, santand3r.co.uk, etc.
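As an added illustration (not part of the original post), here is a small defensive check of the kind a mail filter or a careful user could run against a link in a “password reset” email: it reduces the URL to its registrable domain, undoes common digit-for-letter swaps, and flags anything within a couple of character edits of a trusted site, using the Santander look-alikes above as test cases. The trusted-domain list, the substitution table and the public-suffix shortcut are constructed assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list for the example; santander.co.uk is the post's own example.
TRUSTED_DOMAINS = {"santander.co.uk", "lastpass.com"}

# Assumed digit-for-letter swaps often seen in look-alike domains (not exhaustive).
HOMOGLYPHS = str.maketrans("013457", "oleast")


def normalise(domain: str) -> str:
    """Lower-case and undo common visual substitutions (rn->m, vv->w, 3->e ...)."""
    d = domain.lower().rstrip(".")
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable-domain extraction (assumed shortcut, not a full public-suffix list)."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])  # e.g. login.santander.co.uk -> santander.co.uk
    return ".".join(labels[-2:])


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a link target."""
    host = (urlparse(url if "://" in url else "https://" + url).hostname or "").lower()
    dom = registrable(host)
    if dom in trusted:
        return "trusted"
    norm = normalise(dom)
    for t in trusted:
        # A trusted name buried in a longer host (santander.co.uk.evil.example) is also suspicious.
        if t in host or norm == normalise(t) or levenshtein(norm, normalise(t)) <= 2:
            return f"lookalike of {t}"
    return "unknown"  # not trusted, but not obviously imitating a trusted site either


if __name__ == "__main__":
    for link in ("https://www.santander.co.uk/login", "samtander.co.uk",
                 "http://santamder.co.uk/reset", "https://santand3r.co.uk"):
        print(f"{link:40} -> {classify_url(link)}")
```

Internationalised (punycode, `xn--`) hostnames and Unicode homoglyphs are not handled here; a production filter would also consult a real public-suffix list.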

Whilst it’s feasible that attackers may try cracking the encrypted passwords using powerful computers or GPUs, this is less likely: it could prove expensive and very difficult given the level of encryption in use by LastPass, and if the passwords themselves are strong and not already compromised, brute force becomes even more challenging. It is far more likely they will fall back on cheap and simple phishing.

Always remember: use MFA for EVERYTHING that you can. If a service offers TOTP (Time-based One-Time Password), which lets you scan a QR code that works with Google Authenticator, Authy and many other apps, use that rather than SMS if you can; however, SMS is better than nothing.

Written by Dave Peters, Technical Director at ANSecurity