LastPass Hack 2022

As you might very well be aware, there has been a security incident reported by LastPass.


From all the information available to us, we believe there is no immediate danger to any of our MSS+ clients that have been onboarded by ADAM using LastPass.

As long as the following conditions remain true for your operations there is no significant risk:

  1. You are still using a strong master password, as you were trained to use, and have not compromised it by storing it anywhere other than your hard copies.
  2. You are still using your YubiKey as a second factor to secure your account from being accessed by a new device.
  3. You are behind the protection of an adam:ONE® Zero Trust connectivity policy.

About 12 months ago we started using 1Password as the main password manager of choice for any new MSS+ clients. When you do your MSS+ renewal we will assist you in migrating from LastPass to 1Password - which is a superior product due to its encryption protocols and how it handles your data.

Here are links to additional articles about the incident that you might find useful.

Key excerpts from the LastPass Blog:

Consequence

  1. The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.

  2. The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information.

If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.

However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.

https://www.reddit.com/r/Lastpass/comments/108qt70/steve_gibson_discusses_technical_details_of_the/
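The LastPass excerpt above reasons about how long brute-forcing a master password would take and why a non-default password shrinks that figure. The following estimator, added here as an illustration and not code from LastPass or ADAM, makes that reasoning concrete: it sizes the search space from the password's length and character classes, divides the attacker's hash throughput by the key-derivation iteration count, and applies the policy points from this notice (long, multi-class, not a known word). The "default settings" the excerpt refers to are not listed on this page, so the hash rate, the PBKDF2 iteration count and the breached-password wordlist are labelled assumptions or constructed samples, not LastPass figures.

```python
"""Master-password strength and brute-force cost estimator.

Added illustration for the vault brute-force scenario in the notice above;
not LastPass's or ADAM's code. All figures are labelled assumptions or
constructed samples, not values taken from the incident.
"""
import math

# Printable-ASCII character classes and their sizes.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Attacker model (assumptions): raw hash throughput of a large GPU cracking
# rig, and the PBKDF2 iteration count the vault's key derivation uses. The
# page does not list the real defaults, so this is a placeholder.
ASSUMED_HASHES_PER_SECOND = 1e12
ASSUMED_KDF_ITERATIONS = 100_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed mini wordlist standing in for a real breached-password corpus.
CONSTRUCTED_WORDLIST = {"password", "letmein", "qwerty123", "iloveyou"}


def character_classes(password: str) -> set[str]:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def search_space(password: str) -> int:
    """Candidates an attacker must try to exhaust every password of this
    length drawn from the same character classes (uniform-random model)."""
    alphabet = sum(CHARSET_SIZES[c] for c in character_classes(password))
    return alphabet ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the search space, the usual 'bits of entropy' figure."""
    return math.log2(search_space(password))


def years_to_exhaust(password: str,
                     hashes_per_second: float = ASSUMED_HASHES_PER_SECOND,
                     kdf_iterations: int = ASSUMED_KDF_ITERATIONS) -> float:
    """Worst-case years to try the whole search space.

    Each master-password guess costs kdf_iterations hash computations, so
    the KDF divides the attacker's effective guess rate; a higher iteration
    count is what makes a stolen vault expensive to attack offline.
    """
    guesses_per_second = hashes_per_second / kdf_iterations
    return search_space(password) / guesses_per_second / SECONDS_PER_YEAR


def assess(password: str, min_length: int = 12, min_classes: int = 3) -> dict:
    """Policy check in the spirit of the notice: long, multi-class, and not
    a known word. A wordlist hit overrides the entropy figure, because the
    uniform-random model says nothing about guessable passwords."""
    reasons = []
    if password.lower() in CONSTRUCTED_WORDLIST:
        reasons.append("appears in breached-password wordlist")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(character_classes(password)) < min_classes:
        reasons.append(f"fewer than {min_classes} character classes")
    return {
        "acceptable": not reasons,
        "reasons": reasons,
        "entropy_bits": round(entropy_bits(password), 1),
        "years_to_exhaust": years_to_exhaust(password),
    }


if __name__ == "__main__":
    # Constructed samples: a dictionary word, a short mixed password, and a
    # random-looking 12-character master password.
    for sample in ["password", "Tz7!q", "q7#Tz!p2Wm9$"]:
        print(sample, assess(sample))
```

Under these assumptions the 12-character mixed sample would take on the order of a billion years to exhaust, while an 8-letter lowercase word falls in hours even before the wordlist check, which is the gap the excerpt describes between default-strength and weaker master passwords. The estimate is a ceiling, not a prediction: real attackers try wordlists and mangling rules first, so a password that fails the wordlist check should be treated as already guessable regardless of its entropy figure.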