The primary risk introduced by this breach is the combination of the unencrypted metadata with customer account information. With those two pieces of information, malicious actors can put together a profile of websites the exposed customers have accounts on, combine that with open source intelligence (OSINT) from social media, and perform activities such as spearphishing, vishing, or other social engineering techniques against employees. Additional social engineering awareness training may be effective over the next couple months to help mitigate risk to companies that use LastPass.

The secondary risk is brute-force cracking of the master password. Because of the nature of LastPass’s encryption process, access to vaults only requires the master password. This means that the strength of the vault’s security is only as strong as the master password. If it is not strong, a hash cracking program may be able to quickly crack the password and give an attacker access to the vault. Even if the password is strong, companies should rotate their master passwords anyways.

Regardless of the mitigations adopted, the answer to this breach is not to abandon password managers, as they are by far the best solution available to the weakness inherent in passwords for authentication. LastPass, while they have been in the news recently for security breaches, have already taken steps to tighten up their security, and will likely continue to do so in response to the follow-up breach. Considering this, migrating away from LastPass should be heavily weighed against the operational cost of changing workflows for users, as the additional security from using another password manager may not improve security much. If the master password being the single point of failure for vaults is a concern, password management solutions such as 1Password utilize a master password and secret key combination for encryption, which not only requires both for vault access but also forces additional strength.

Notice of Recent Security Incident