By now, you may have heard of the LastPass breach incident that occurred in 2022. The takeaways of that breach are as follows:

  • In late 2022, a threat actor was able to obtain backup copies of LastPass customer vault data.
  • This copy was encrypted and protected by the users’ master password.
  • The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.

What Do I Do Now?

If you are or were a LastPass customer, NGT is recommending the following steps:

  • Determine the strength of your LastPass master password using the following graph (courtesy of hivesystems.io): 

  • If your master password falls in the purple, red or orange categories, your password vault could potentially be brute forced. In this case, it is HIGHLY recommended to change each password in your LastPass vault. This way, even if that backup vault is eventually breached, none of the passwords will be usable.
  • Reset your LastPass master password to a strong, long and unique password, using the graph above as a guide. LastPass requires 12 characters by default, but NGT recommends 16 or greater with letters, numbers and symbols. While this may not protect you against the data the bad actor already has, it will ensure you are well protected against any future attacks. Remember, NEVER reuse your master password on other websites.
  • Enable MFA on your LastPass account. While MFA may not have protected you against this latest attack, it will provide additional security against targeted account attacks.
  • Consider moving to a different password manager solution. NGT isn’t discouraging the use of LastPass, and the company has been implementing additional controls to prevent this type of incident in the future. However, each individual and company should decide for themselves whether to consider a new password management solution based on risk and comfort level.

As always, NGT is here to help!
Contact ngthelp.com with questions.