With 25 million users, LastPass is one of the most popular password management solutions on the market, and it was recently hacked for the second time in 6 months. According to LastPass, “We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.” LastPass does, however, assure customers that their stored passwords are safe.
A password manager is software that stores, generates, and manages a user’s passwords: it generates new passwords, keeps them in an encrypted database, and produces them on demand. The premise is that because users no longer have to remember their passwords, every password can be unique and more complex.
A password manager does not remove the need for MFA, but it does reduce the risk that comes with memory-based and repetitive password habits.
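To make the description above concrete, here is a minimal password-vault model, added as an illustration and not LastPass’s code or the code of any real product. It shows the three jobs the text assigns a password manager (generating unique random passwords, keeping them only in an encrypted database, and producing them on demand) and why a stolen vault file is useless without the master password: the encryption and MAC keys are derived from the master password with PBKDF2, so a wrong password fails the integrity check before anything is decrypted. Every name, the 600,000 iteration count, and the stand-in cipher are assumptions; the example uses only the standard library, so the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag rather than the vetted AEAD (for example AES-GCM) a real vault would use.

```python
# Minimal password-vault model, added here to illustrate what a password
# manager does. Not LastPass's code; all names and the 600k iteration count
# are assumptions. Stdlib only, so the cipher is a PRF-based stream cipher
# (HMAC-SHA256 keystream) with an encrypt-then-MAC tag; a production vault
# would use a vetted AEAD such as AES-GCM instead.
import hashlib
import hmac
import json
import secrets
import string

KDF_ITERATIONS = 600_000          # PBKDF2 work factor (assumed value)
ALPHABET = string.ascii_letters + string.digits + string.punctuation
NONCE_LEN, TAG_LEN = 16, 32


def generate_password(length: int = 20) -> str:
    """Unique random password from the OS CSPRNG; nothing to memorise."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password, then split it into encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS)
    return (hmac.new(km, b"enc", "sha256").digest(),
            hmac.new(km, b"mac", "sha256").digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for a block cipher)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Reject the blob before decrypting anything if the tag does not verify."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def unlock(master_password: str, salt: bytes, blob: bytes) -> dict:
    """Open a stored vault; fails closed unless the master password is right."""
    enc_key, mac_key = derive_keys(master_password, salt)
    return json.loads(unseal(enc_key, mac_key, blob).decode())


class Vault:
    """Entries live only inside self.blob; that blob is all a thief would get."""

    def __init__(self, master_password: str):
        self.salt = secrets.token_bytes(16)
        self._enc, self._mac = derive_keys(master_password, self.salt)
        self.blob = seal(self._enc, self._mac, b"{}")   # empty vault, still encrypted

    def _entries(self) -> dict:
        return json.loads(unseal(self._enc, self._mac, self.blob).decode())

    def add(self, site: str, password: str = "") -> str:
        """Store the given password for site, or generate one, and return it."""
        entries = self._entries()
        entries[site] = password or generate_password()
        self.blob = seal(self._enc, self._mac, json.dumps(entries).encode())
        return entries[site]

    def get(self, site: str) -> str:
        """Produce a password on demand (after the vault was unlocked)."""
        return self._entries()[site]
```

The salt and the sealed blob are the only things that need to be written to disk or synced to a server; neither site names nor passwords appear in them in the clear, and `unlock` with the wrong master password raises rather than returning garbage, which is the property behind a vendor’s claim that stored passwords survive a breach of the vault data.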
LastPass has not revealed the hack’s entry point, though the data does appear to come from the earlier incident in August. Based on this information, we believe this tells us that there remains an external access method that either has no multi-factor authentication (MFA), uses SMS-based MFA, or has at least one compromised MFA-enabled account.
How to Protect Yourself and Your Company
If you are in a business setting, your IT partner “should” be applying best practices to all systems at the company level. This includes setting up a non-SMS-based multi-factor authentication system for you.
If you are an individual LastPass user, go through all of your password-protected services and turn on MFA wherever it is offered. Even SMS-based MFA will reduce your risk, but non-SMS-based MFA is of course your best option where available. Any of the MFA apps available to you can provide this.