A few weeks back, the popular password manager LastPass announced that they had experienced a major security breach. (And shortly before we published this article, the cybersecurity service LifeLock suffered a similar breach.)
Whether you’re using LastPass for personal purposes, for business purposes, or both – it’s important to be aware of what’s happened and what to do next.
For a detailed breakdown of exactly what happened, you can check out a release published by LastPass CEO Karim Toubba. The bottom line is that an unidentified attacker gained access to a huge amount of LastPass customer information – including usernames, company names, email addresses, mailing addresses, and more. They also apparently accessed LastPass customer passwords, although according to Toubba’s release the password data is encrypted. That’s good news if it’s accurate, but it doesn’t mean the attacker can’t eventually decrypt it, so it’s still a serious risk.
What should you do about all of this?
If you’re a LastPass user and you don’t have Multi-Factor Authentication in place, at the very least you should change all of your site-level passwords immediately. I recognize that this is an inconvenience, but the prudent thing to do is to assume that hackers have access to your passwords. The inconvenience of changing them now is far, far better than waiting for your accounts to be hacked. If your team uses LastPass, I strongly recommend having them do the same.
Most importantly – and this is something you have probably heard me say many times before – you should immediately enable Multi-Factor Authentication (MFA) wherever possible. I’ve written about MFA frequently, including a blog entry just a couple of months ago; if you’d like an overview of why MFA is so important and how to get started, that post covers it. But here’s what you really need to know today: MFA makes it much harder for the bad guys to get access to your login-protected accounts because it requires you to verify each login attempt through a second device, like your mobile phone. So even if an attacker succeeds in capturing your login information, they won’t be able to access your accounts unless they’ve also managed to get access to your mobile phone, which is much more difficult to do.
Enabling Multi-Factor Authentication drastically reduces your vulnerability to cyber-attacks, even if your login details and password have been compromised. If you’re working with a competent IT provider, you should already have MFA in place throughout your organization. If not, that’s a huge red flag.
If you haven’t gotten serious about implementing MFA in your organization, I hope that the LastPass breach will serve as a wakeup call. Please don’t hesitate to contact me if you have any questions or if there’s anything my team can do to support.
Please reach out to us via email at email@example.com or 704-464-3075 extension 3.
Dedicated to IT security and productivity,
About Steve Kennen
As an expert in information technology infrastructure management, cybersecurity, and cyber risk management practices for small businesses, Steve spearheads initiatives that keep his clients secure and their business operations running smoothly. His core message is that the details matter.