On December 22, 2022, LastPass issued a press release stating that backup copies of LastPass customer vaults had been accessed and downloaded by a malicious actor.
Each customer vault is unique to an individual LastPass user and holds every username, password, secure note, and site entry that LastPass stores for that user. The sensitive fields are encrypted with a key derived from the user's master password, but some fields, such as site URLs, are stored unencrypted, so whoever holds the backups can already see which sites each account has credentials for.
In light of this disclosure, we are focusing on the practices that should be in place if you use LastPass or any other password manager.
The recommendations below do two things: they make the credentials in the stolen backups worthless by replacing them, and they make your accounts harder to take over even when a password is exposed, by adding multi-factor authentication (MFA).
To mitigate the areas of greatest risk, LastPass users should:
- Review every password stored in LastPass and check whether the site is protected by MFA. Start with sites where MFA is not enabled and change those passwords now: there, the stolen password is all an attacker needs. Periodically rotating all passwords is good practice, but sites without MFA are the priority; work through the rest afterwards.
- Change your vault (master) password, and make it at least 16 characters. The attacker holds an offline copy of your vault and can test master-password guesses at will, with no lockout, so vaults with weak master passwords are the ones most exposed to being cracked. Changing the master password now protects the live vault going forward but does nothing for the copy already stolen, which is why the site passwords above must be changed as well. If your account is several years old, also check the password iterations setting in your LastPass account settings: the current default is 100,100, and older accounts may still be on a much lower value, which makes offline guessing proportionally faster.
- Never reuse passwords. Every site gets its own unique, randomly generated password, so one exposed credential cannot be replayed anywhere else.
- Turn on MFA for your LastPass account, and DO NOT store your LastPass MFA secret (the authenticator seed or recovery codes) in LastPass itself. If it lived in the vault, the stolen copy would contain the second factor along with the first.
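To show why the vault password advice matters more than anything else on the list, here is an added example, written for this page and not LastPass's own code. It models what the stolen backups allow: unlimited offline guessing of the master password, each guess checked locally with no server, lockout, or rate limit. The key derivation follows LastPass's published scheme (PBKDF2-HMAC-SHA256 with the account e-mail as salt, 100,100 iterations by default). The e-mail address, the wordlist, the "check value" that stands in for "does this key decrypt the vault", and the attacker throughput of 1e10 HMAC iterations per second are all constructed assumptions; the 5,000-iteration figure is the lower setting that some older accounts kept.

```python
import hashlib
import hmac
import string

# Added example, not LastPass's code. It models the threat the stolen backups create:
# unlimited offline guessing of the master password. The key derivation mirrors the
# published LastPass scheme (PBKDF2-HMAC-SHA256, account e-mail as salt, 100,100
# iterations by default). The "check value" an attacker verifies each guess against is
# an assumption standing in for "does this key decrypt the vault?".

DEFAULT_ITERATIONS = 100_100   # LastPass default since 2018
LEGACY_ITERATIONS = 5_000      # value some older, never-migrated accounts still had


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the 256-bit vault key from the master password, salted with the e-mail."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def make_check_value(key: bytes) -> bytes:
    """Stand-in for a decryptable vault field: an HMAC tag over a fixed string (assumption)."""
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()


def offline_guess(email: str, iterations: int, stolen_check: bytes, candidates):
    """Attacker's loop against the stolen copy: no server, no lockout, no rate limit.

    Returns (recovered_password, guesses_made); recovered_password is None on failure.
    """
    for n, guess in enumerate(candidates, start=1):
        key = derive_vault_key(guess, email, iterations)
        if hmac.compare_digest(make_check_value(key), stolen_check):
            return guess, n
    return None, len(candidates)


def expected_years_to_crack(charset_size: int, length: int, iterations: int,
                            hmac_iterations_per_second: float) -> float:
    """Expected time to recover a uniformly random password of the given length.

    On average the attacker tries half the keyspace; each guess costs `iterations`
    HMAC-SHA256 computations, so the guess rate is hmac_iterations_per_second / iterations.
    """
    guesses_per_second = hmac_iterations_per_second / iterations
    expected_guesses = (charset_size ** length) / 2
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    email = "alice@example.com"        # constructed account
    weak_master = "Summer2022!"        # constructed weak master password
    stolen_check = make_check_value(derive_vault_key(weak_master, email, DEFAULT_ITERATIONS))

    # Constructed five-entry wordlist; a real attacker runs billions of leaked passwords
    # plus mangling rules against every vault in the dump.
    wordlist = ["password", "123456", "Winter2022!", "Summer2022!", "letmein"]
    found, n = offline_guess(email, DEFAULT_ITERATIONS, stolen_check, wordlist)
    print(f"weak master password recovered: {found!r} after {n} guesses")

    # Assumed attacker throughput: 1e10 HMAC-SHA256 iterations/second, roughly one GPU rig.
    alnum = len(string.ascii_letters + string.digits)   # 62
    for length in (8, 12, 16):
        for label, iters in (("default", DEFAULT_ITERATIONS), ("legacy", LEGACY_ITERATIONS)):
            yrs = expected_years_to_crack(alnum, length, iters, 1e10)
            print(f"random {length}-char alphanumeric at {iters:>7} iterations ({label}): ~{yrs:.2e} years")
```

Run it and the constructed weak master password falls on the fourth guess, at either iteration count. The estimates show the two levers: dropping from 100,100 to 5,000 iterations makes every guess about 20 times cheaper, which turns an 8-character random master password from decades into a couple of years, while a random 16-character one stays many orders of magnitude beyond any useful horizon even at the legacy setting. The iteration count is worth checking, but the keyspace is the part the attacker cannot buy their way around.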
If you use another password manager, apply the same practices to that account.
There are dozens of quality password managers on the market, and NO PRODUCT IS IMMUNE TO SECURITY THREATS.
Even in light of this incident, using a password manager is still strongly recommended; the alternative, reused or memorable passwords, is far worse.
Using the product correctly, with a strong master password, a unique password for every site, periodic password changes, and MFA, matters more than which product you use.
Many LastPass users were on the free tier, and this may be a good time to consider a paid password manager product.