Update: LastPass Reveals Personal Info and Encrypted Passwords Stolen in Recent Breach

December 29, 2022

Note: This NPC Security Alert updates our alert issued on December 19, 2022, regarding the LastPass Breach of August 2022

What is the issue?

On November 30, 2022, LastPass issued a notice that it had suffered a second incident, following the breach of its development environment in August. By then LastPass knew that information taken in August had enabled the threat actor to gain access to a cloud storage service it uses, but it was unclear exactly what information had been used or what customer data had been compromised.

In an update published on December 22, 2022, LastPass advised that its ongoing investigation had found two types of data were taken: unencrypted basic customer information (company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers accessed the service); and a backup of customer “vault data”, the stores of client logins and passwords. LastPass noted that the vault backup holds unencrypted fields such as the website URLs of stored entries alongside the fully encrypted usernames, passwords, secure notes, and form-fill data.

This presents two problems for LastPass users. First, the unencrypted customer information gives the threat actors material for targeted master-password guessing and for convincing phishing attempts against the users. Second, because the vaults were copied out of the LastPass system, the threat actors hold them offline: there is no server to rate-limit or lock out guesses, so they have unlimited time to attack a vault, guided by the stolen descriptive information about its owner.

LastPass stated that since the vaults are encrypted with AES-256 (a strong cipher), a user who followed best practices by choosing a master password that is unique, complex, and long should be okay. The cipher itself is not the weak point: the key is derived from the master password (LastPass has said it uses PBKDF2 with a default of 100,100 iterations), so a vault falls only as fast as its master password can be guessed, and accounts created before that default was raised may still use a far lower iteration count, which makes each guess cheaper. However remote the possibility, the loss of users’ vaults of logins and passwords from the LastPass system puts their secret login information at risk. The vault data is unreadable without the user’s master password, which LastPass does not store anywhere, but the chance of a vault being broken is not zero.

What does it mean to LastPass users?

The threat actors can run offline guessing attacks: feeding the stolen names, addresses, and other personal details into wordlists and mangling rules that generate master-password candidates, and trying passwords for the same people leaked in other breaches, since many people reuse them. Threat actors, especially nation-state actors, have enormous human, technical, and computing resources to throw at this, and the prize, the specific client data and account logins inside a vault, can mean millions in financial spoils if cracked.
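The offline guessing attack described above, as an added example (not code from this alert or from LastPass): the vault is modelled as a PBKDF2-HMAC-SHA256-derived 32-byte key plus a check value, an assumption standing in for LastPass's real vault format (LastPass has stated PBKDF2 at 100,100 iterations by default derives the AES-256 key; the 5,000-iteration legacy setting used below is an assumption about older accounts). The stolen profile fields and the breach-reused passwords are constructed. The example builds a targeted wordlist from that profile, cracks a weak master password and a reused one, shows the page's passphrase surviving the same list, and measures how much each guess costs at the two iteration counts.

```python
import hashlib
import hmac
import itertools
import os
import time
from typing import Iterator, List, Optional, Tuple

# Constructed data: what the unencrypted customer records give an attacker (name,
# billing-address fields) plus a password for the same user from an unrelated breach.
STOLEN_PROFILE = {"first_name": "Jane", "last_name": "Doe", "city": "Toronto", "company": "Acme"}
BREACH_PASSWORDS = ["jane1985", "Summer2020!"]

# Iteration counts: 100,100 is LastPass's stated default; 5,000 is assumed here as the
# lower setting a long-lived account may still carry.
ITERATIONS_DEFAULT = 100_100
ITERATIONS_LEGACY = 5_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 from master password to a 32-byte (AES-256 sized) key.
    Assumed construction for this example, not LastPass's exact parameters or format."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def make_vault(master_password: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """Toy vault: salt, iteration count and an HMAC check value under the derived key.
    A real vault gives the same offline oracle (a wrong key decrypts a known-format
    record to garbage), so a stolen copy can be tested without touching any server."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    check = hmac.new(key, b"vault-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def key_opens_vault(vault: dict, key: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, b"vault-check", "sha256").digest(), vault["check"])


def candidate_master_passwords(profile: dict, breach_passwords: List[str]) -> Iterator[str]:
    """Targeted wordlist: reused passwords first (cheapest win), then personal tokens
    with the usual mangling rules (case variants, token pairs, common suffixes)."""
    yield from breach_passwords
    tokens = [profile["first_name"], profile["last_name"], profile["city"], profile["company"]]
    bases = set()
    for t in tokens:
        bases.update({t, t.lower(), t.capitalize()})
    for a, b in itertools.permutations(tokens, 2):
        bases.update({a + b, a.lower() + b.lower()})
    suffixes = ["", "1", "123", "!", "2022", "2022!", "1985", "!1"]
    for base in sorted(bases):  # deterministic order so the demo is repeatable
        for suffix in suffixes:
            yield base + suffix


def crack_vault(vault: dict, profile: dict, breach_passwords: List[str],
                max_guesses: int = 100_000) -> Tuple[Optional[str], int]:
    """Offline guessing against a stolen vault copy: (master password or None, guesses made)."""
    guesses = 0
    for candidate in candidate_master_passwords(profile, breach_passwords):
        if guesses >= max_guesses:
            break
        guesses += 1
        key = derive_vault_key(candidate, vault["salt"], vault["iterations"])
        if key_opens_vault(vault, key):
            return candidate, guesses
    return None, guesses


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Cost of one guess at a given PBKDF2 iteration count (one Python thread, no GPU)."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    for label, master in [("weak, built from profile", "Toronto2022!"),
                          ("reused from another breach", "Summer2020!"),
                          ("passphrase from this alert", "Horse! Campfire# Blue5")]:
        vault = make_vault(master, ITERATIONS_LEGACY)
        found, n = crack_vault(vault, STOLEN_PROFILE, BREACH_PASSWORDS)
        print(f"{label:28s}: {'CRACKED' if found else 'survived'} after {n} guesses")
    legacy, default = seconds_per_guess(ITERATIONS_LEGACY), seconds_per_guess(ITERATIONS_DEFAULT)
    print(f"guess cost: {legacy * 1000:.1f} ms at {ITERATIONS_LEGACY:,} iterations, "
          f"{default * 1000:.1f} ms at {ITERATIONS_DEFAULT:,} (x{default / legacy:.0f})")
```

The wordlist here is a few hundred entries; a real attacker's rules produce millions per target and run on GPUs, so the lesson is the ratio rather than the absolute numbers: a master password assembled from details in the stolen records, or reused from another breach, is found in the first few hundred guesses regardless of iteration count, while the passphrase is never generated by the rules at all, and the higher iteration count multiplies the cost of every guess the attacker does make.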

It is also worth noting that since the vaults were exfiltrated (copied out of the system), changing or strengthening your master password now protects only the copy LastPass holds going forward; it does nothing for the stolen copy, which still opens with the old master password. Any passwords that were stored in the vault at the time of the theft therefore need to be changed at the sites themselves. Some users store hundreds of logins in LastPass to important sites, so changing all those passwords is not trivial, but the reward to the threat actor for breaking the vault is correspondingly high.

As we explained in our previous alert, the danger in a cyber criminal holding some of your personal information is that they can use it to appear credible or legitimate as they attempt to obtain more. As a result of LastPass’s investigation, we now know what information was taken in the breach (names, addresses, email addresses, phone numbers, and IP addresses), and you must be vigilant of anyone attempting to use that information to extract more from you, including and especially your master password. LastPass has stated it will never ask you for your master password outside of signing in to your vault.

What should you do?

  • LastPass users should immediately change their LastPass master password and, starting with the most important accounts (email, banking, work systems), the passwords for any systems or accounts stored in LastPass.
  • Double-check your LastPass account security settings and ensure that your master password follows at least their minimum recommendations, or ours below.
  • Enable two-factor authentication (a second login step such as an authenticator app code or a confirming text or email code) on LastPass and any other important accounts. Note that 2FA protects logins to the live services; it does not protect the stolen vault copy, which only a strong master password does.
  • Be on the look-out for any phishing attempts or social engineering tactics.

Here are our minimum password recommendations:

  • 14+ characters
    • Use a passphrase instead of hard-to-remember random characters. A passphrase is a string of words or characters that are memorable to you, but make little sense to someone else, such as Horse! Campfire# Blue5
    • Favour length over complexity, since the number of guesses needed to crack a password grows exponentially with each character added
  • Change your passwords regularly, every 90 - 120 days, and immediately whenever a service you use reports a breach
  • Never text or email a password with the login name
  • Never use the same password twice, or in more than one place
  • Use a password manager (unlocked with a fingerprint reader where your device offers one) to fill long passwords for you, so length costs you nothing to remember or type
  • Enable the second login step, multi- or two- factor authentication (MFA, 2FA), for added security
  • Never confirm a password online through an unfamiliar link and never give it up over the phone or in a text

To learn more about strong passwords and account security, watch our free educational webinar, Enhancing Password Security and the Power of MFA.


Notice of Recent Security Incident (LastPass)

LastPass users: Your info and password vault data are now in hackers’ hands (Ars Technica)

Hackers stole encrypted LastPass password vaults, and we’re just now hearing about it (The Verge)

Yes, It’s Time to Ditch LastPass (Wired)
