Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

LastPass Finally Admits That Password Vaults Were Stolen

January 5, 2023

Catching up from the holidays: Naked Security reported on December 23 that LastPass finally acknowledged that password vaults were stolen in its breach last year.

The article is a bit long, but if you have been using LastPass, you need to read it carefully to make sure that you have protected yourself as much as possible – and that you understand what happened after the August 2022 network intrusion.

LastPass made a series of announcements after that time, not all of them wholly accurate. They can be found in the Naked Security posting. A second attack was disclosed in November 2022.

Close to Christmas, LastPass admitted that “the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

As Naked Security noted, “Loosely speaking, the crooks now know who you are, where you live, which computers on the internet are yours, and how to contact you electronically.”

The admission continued, acknowledging that “the threat actor was also able to copy a backup of customer vault data.” So . . . the criminals stole the password vaults after all.

The vaults contained unencrypted data, including the URLs of the websites that go with each encrypted username and password.

There’s more, but I refer you to the full article for all the details. It is certainly a good idea to change your passwords (to stronger passwords where appropriate) and the master password for the vault itself.

As you might imagine, many people are turning to other password managers.

For our part, we are troubled by how LastPass handled the breach and by its failure to secure the password vaults. We no longer list LastPass on our list of recommended password managers.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson