
LastPass Hacked in November 2022: How to Protect Your Organization from the Ramifications

Published Dec 01, 2022

On November 30th, 2022, LastPass disclosed that it had been hacked for a second time in under six months. LastPass, with 25 million users, is one of the most popular password management solutions on the market. This article discusses what happened and how you can protect your organization from the potential ramifications of the LastPass hacks.

LastPass hacked again using information from the August 2022 hack

“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.” Though LastPass asserts that customers’ stored passwords remain safe, it is unclear at this point exactly what was compromised.

The entry point for the hack was not disclosed. Since data taken in the August incident was reused, the only reasonable inference is that some external access path remained (or still remains) that either has no multi-factor authentication (MFA), relies on SMS-based MFA, or was reached through at least one compromised MFA-enabled account.

What is Password Management?

A password manager is software that allows users to store, generate, and manage their passwords for local applications and online services. A password manager assists in generating and retrieving passwords, storing them in an encrypted database, or calculating them on demand. The premise is that, because users no longer have to remember their passwords, each password can be unique and complex.

A password manager does not remove the necessity of using MFA, but it does reduce the risks that come with memory-based password management: reused passwords and short, guessable ones.
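To make concrete what “stored passwords are safe” means for an encrypted vault, here is an added example (my code, not LastPass’s or any real password manager’s): the vault key is derived from the master password with PBKDF2-HMAC-SHA256, a unique site password is generated with a cryptographic random source, and the server-side record holds only the salt and ciphertext. So that it runs with the Python standard library alone, the encryption is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag; a real product would use AES-GCM or similar. The iteration count, master password, wrong guess, and site entry are constructed assumptions.

```python
# Added example: a minimal "zero-knowledge" vault. Not LastPass code.
# The server ever sees only {salt, nonce, ciphertext, tag}; the key is
# derived on the client from the master password and never stored.
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

# Assumption: a high PBKDF2 iteration count. Each master-password guess an
# attacker makes against a stolen vault costs this many HMAC rounds.
KDF_ITERATIONS = 600_000


def generate_password(length: int = 20) -> str:
    """Unique, random site password (what a manager generates for you)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_key(master_password: str, salt: bytes,
               iterations: int = KDF_ITERATIONS) -> bytes:
    """64-byte vault key: first half encrypts, second half authenticates."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_entry(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC. Returns the record a server would store."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)                      # fresh per entry, never reused
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_entry(key: bytes, record: dict) -> Optional[bytes]:
    """Returns plaintext, or None if the key is wrong or data was tampered."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = bytes.fromhex(record["nonce"])
    ct = bytes.fromhex(record["ct"])
    tag = bytes.fromhex(record["tag"])
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def demo(iterations: int = KDF_ITERATIONS) -> dict:
    """Constructed walk-through: one vault, one entry, one wrong guess."""
    master = "correct horse battery staple"     # constructed master password
    salt = os.urandom(16)                       # stored with the vault; not secret
    site_password = generate_password(20)
    key = derive_key(master, salt, iterations)
    stored = encrypt_entry(key, site_password.encode("utf-8"))

    # Legitimate unlock on the client.
    recovered = decrypt_entry(key, stored) == site_password.encode("utf-8")

    # Attacker holding the breached record tries a guessed master password.
    wrong_key = derive_key("password123", salt, iterations)
    rejected = decrypt_entry(wrong_key, stored) is None

    return {
        "recovered": recovered,
        "wrong_master_rejected": rejected,
        "server_side_record": {"salt": salt.hex(), **stored},
    }


if __name__ == "__main__":
    print(demo())
```

Everything a breach of the server yields is the `server_side_record`: salt, nonce, ciphertext and tag, none of which reveals the key. What turns that record into recovered credentials is a guessable master password or a low iteration count, because each guess costs exactly `iterations` PBKDF2 rounds; those two parameters, not the ciphertext itself, are the security margin of any vault design like this.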

How to protect your organization from the LastPass hack

Regardless of whether you use LastPass, another password management solution, or no solution at all, it remains best practice to use non-SMS-based MFA on every system.

If you are in a business setting, your IT department or IT firm “should” be applying best practices and requiring non-SMS-based MFA on all systems at the company level. Hopefully your IT department or IT firm is ISO 27001 certified and is proactively addressing risks, of which a lack of MFA is just one.

If you are an individual user of LastPass, go through all of your password-protected services and attempt to turn on MFA for each one. Even SMS-based MFA reduces your risk, but non-SMS-based MFA (an authenticator app or hardware key) is the better option wherever it is available.

Though the LastPass hack is unfortunate, seeing such a public company visibly compromised serves as a lesson that the rest of us can apply to avoid being hacked ourselves.
