LastPass Hacked in November 2022: How to Protect Your Organization from the Ramifications


On November 30th, 2022, LastPass disclosed that it had been hacked for the second time in six months. LastPass, with 25 million users, is one of the most popular password management solutions on the market. This article discusses what happened and how you can protect your organization from the potential ramifications of the LastPass hacks.

LastPass hacked again using information from August 2022 hack

“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.” Though LastPass says customers’ stored passwords remain safe, it is unclear at this point exactly what was compromised.

The entry point for the hack was not disclosed. However, since data from the August incident was used, the only reasonable assumption is that there remained, or still remains, an external access method that either has no multi-factor authentication (MFA), relies on SMS-based MFA, or involves at least one compromised MFA-enabled account.

What is Password Management


A password manager is software that allows users to store, generate, and manage their passwords for local applications and online services. A password manager assists in generating and retrieving passwords, storing them in an encrypted database, or calculating them on demand. The assumption is that because users no longer have to remember their passwords, each password can be unique and more complex.

A password manager does not remove the necessity of utilizing MFA, but it theoretically reduces the risk associated with memory-based password management.
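The two behaviours described above, random generation and on-demand calculation, in working form. This is an added example written for this article; it is not LastPass code and does not describe how LastPass derives anything. The alphabet, the 20-character default and the PBKDF2 iteration count are assumptions chosen for illustration, and the master password used in the demo is constructed.

```python
import hashlib
import math
import secrets
import string

# Assumption: a typical manager's default character set for generated passwords.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Generate a random password with a CSPRNG (secrets, never the random module)."""
    if length < 12:
        raise ValueError("refuse to generate passwords shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def strength_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def derive_site_password(master_password: str, site: str, username: str,
                         length: int = 20, alphabet: str = ALPHABET,
                         iterations: int = 600_000) -> str:
    """Calculate a per-site password on demand instead of storing it.

    The same (master, site, username) always yields the same password and different
    sites get unrelated ones, so nothing needs to be stored. PBKDF2-HMAC-SHA256 with a
    high iteration count (assumed value) makes it expensive to brute-force the master
    password from one leaked site password.
    """
    salt = f"{site.lower()}\x00{username}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                              iterations, dklen=32)
    n = len(alphabet)
    limit = 256 - (256 % n)  # rejection sampling: avoid modulo bias toward early symbols
    out = []
    counter = 0
    while len(out) < length:
        # Expand the derived key into as many bytes as the alphabet mapping needs.
        block = hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
        out.extend(alphabet[b % n] for b in block if b < limit)
    return "".join(out[:length])


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    print("generated:", generate_password())
    print("entropy bits for 20 chars:", round(strength_bits(20), 1))
    print("derived for example.com:", derive_site_password("correct horse battery", "example.com", "alice"))
    print("derived for example.org:", derive_site_password("correct horse battery", "example.org", "alice"))
```

Either approach gives every site a distinct, high-entropy password; the trade-off is that a derivation scheme cannot rotate one site's password without changing an input, while a stored vault can, which is why most products, LastPass included, store an encrypted vault rather than deriving on demand.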

How to protect your organization from the LastPass hack

Regardless of whether you use LastPass, another password management solution or no solution, it continues to be best practice to utilize non-SMS based MFA on all systems.

If you are in a business setting, your IT department or IT firm “should” be applying best practices and requiring non-SMS-based MFA on all systems at a company level. Hopefully your IT department or IT firm is ISO 27001 certified and proactively addressing risks, of which a lack of MFA is just one.

If you are an individual user of LastPass, go through all your password protected services, and attempt to turn on MFA. Even SMS based MFA will reduce your risk, but of course non-SMS based MFA is your best option if available.

Though the LastPass hack is unfortunate, seeing such a public company visibly hacked serves as a lesson that the rest of us can apply to avoid being hacked ourselves.
