If you are one of the 85,000 businesses or 30 million users who rely on LastPass to help you manage your passwords, you might have been a wee bit concerned about the recent news headlines about the security breach.

Should you be panicking? Is your data vulnerable? The quick answer is – not if your vault was set up well. But let’s chat through the best practice Lastpass set-up and who might be at risk.

A few FAQs

What information did the threat actors access?

  • They breached the source code and entered the Enterprise Resource Planning (ERP) system. Think of this as accessing LastPass’s intellectual property, but not the customer data
  • They copied a backup of customer vault data

Does this mean they can see all my usernames and passwords?

  • The plain English answer: Because your usernames and passwords in Lastpass are fully encrypted, they can only be accessed using your master password, which is never known by LastPass and not stored in LastPass.

    The technical detail, as shared by Lastpass:
    “The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client.”

Could they hack my LastPass password and get into my account?

  • If you have a federated vault, or a personal vault with a strong master password and multi-factor authentication (MFA), then your LastPass vault should be fine. If your LastPass master password is on a par with gems like “password”, “12345”, “qwerty”, “11111”, or “abc123”, which regularly appear on lists of the weakest passwords, then it is possible.
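To make the two points above concrete (the vault key is derived from the master password on the client, and a weak master password is the thing that puts a copied backup at risk), here is a small added example; it is not LastPass code, the iteration count and attacker hash rate are labelled assumptions, and the weak-password list is the one the post names:

```python
import hashlib
import math

# Weak master passwords the post calls out (constructed list for this example).
WEAK_PASSWORDS = {"password", "12345", "qwerty", "11111", "abc123"}

# Assumption: PBKDF2-SHA256 rounds used to stretch the master password. The post gives no
# figure and LastPass lets users configure it, so treat this as a placeholder.
KDF_ITERATIONS = 100_000

# Assumption: raw SHA-256 throughput available to someone guessing offline against a copied backup.
ASSUMED_HASHES_PER_SECOND = 1e10


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into the 256-bit key that, per the post, is the only
    thing able to decrypt the vault's sensitive fields. This runs on the client; the
    password itself is never sent to or stored by the service."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def entropy_bits(master_password: str) -> float:
    """Rough size of the guess space. Anything on the weak list counts as 0 bits, because
    those are the first guesses anyone holding a copied backup will try."""
    if master_password.lower() in WEAK_PASSWORDS:
        return 0.0
    pool = 0
    if any(c.islower() for c in master_password):
        pool += 26
    if any(c.isupper() for c in master_password):
        pool += 26
    if any(c.isdigit() for c in master_password):
        pool += 10
    if any(not c.isalnum() for c in master_password):
        pool += 33
    return len(master_password) * math.log2(pool) if pool else 0.0


def offline_crack_years(master_password: str, iterations: int = KDF_ITERATIONS,
                        hashes_per_second: float = ASSUMED_HASHES_PER_SECOND) -> float:
    """Expected years to find the master password by guessing against the copied backup,
    where server-side lockouts do not apply. Each guess costs `iterations` hashes, so
    raising the KDF rounds slows every guess proportionally; strengthening the password
    grows the guess space exponentially."""
    expected_guesses = 2 ** entropy_bits(master_password) / 2  # half the space on average
    guesses_per_second = hashes_per_second / iterations
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)
```

A strong master password combined with a high iteration count is what keeps the copied backup useless; the weak list shows why the post's examples offer no protection at all.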

Here is a quick visual guide to help you when it comes to choosing a solid password for your account:

What is a federated vault?

  • LastPass offers a cloud-based federated login. This feature links your password manager to your Identity Provider (IdP), so that you log into LastPass at the same time as you log into your company system.

    You can read more about how this works here.

Why is that a good thing?

  • Because Lastpass’s Federated Login uses zero-knowledge infrastructure, neither LastPass nor your IDP has the information it needs to access your LastPass vault. Using a Federated Login means integrating one IDP (for example, your Google Workspace or Microsoft Office account) with another IDP, that being LastPass. The result is that it is harder for hackers to access your information but easier for you to do so.

The Colton approach

At Colton, we use a federated login that integrates your O365 account with your LastPass. That’s why, if we have set up your accounts, you don’t get prompted for a password and a Duo code each time you log into LastPass: you already have an authority cookie from logging into O365.

Key Takeaway

Ensure you have good passwords or encryption keys – it makes a difference if a threat actor tries to get their hands on your data.

Relevant links if you want to read more