On August 25th, 2022, LastPass announced their discovery of “unusual activity within portions of the LastPass development environment." On December 22, 2022, LastPass updated their statement based on further investigation, and announced that source code, credentials, and encryption keys had been compromised, resulting in the attacker(s) copying encrypted customer data. This document provides an overview of steps you can take to protect your organization and your third-party network as well as a summary of our investigation and mitigation efforts.
LastPass is a password management tool, and provides solutions for personal and professional use. Users create passwords that are protected by a primary password, which is the used to create an encryption key that protects access to the passwords made in the user’s account. This primary password is used to access the “vault” that contains passwords used for other services and accounts, which prevents others from accessing vault-protected passwords.
Security and Impact
LastPass customers may have potentially been impacted by the breach if:
- Your organization is not using LastPass Federated Login Services, OR
- Your primary password was not sufficiently long or complex, OR
- Your primary password is used for another account that had previously been compromised.
If any of these criteria apply, your vault and/or your primary password may have been copied and/or compromised.
Step 1: Determine if you are at risk.
- If you are using LastPass (and are not utilizing LastPass Federated Login Services), you should immediately change your primary password.
- Confirm whether any of your critical vendors are at risk from this incident, and document what they have done to mitigate their risk (if applicable).
- To assess whether your Third Parties are vulnerable, customers can access the “LastPass Breach Questionnaire” in the Whistic platform under our Questionnaire Standards Library by clicking here.
- If you’d like to download the questionnaire as a spreadsheet, click here.
Step 2: Promptly implement mitigating actions.
- Make sure your team is aware of the breach and whether it is applicable to your organization..
- If impacted, immediately change all primary passwords to sufficiently long and complex passwords/passphrases (12+ characters, including numbers and symbols).
- Rotate the passwords for all accounts that are managed in affected LastPass vaults.
Does this affect Whistic?
Whistic does not use LastPass. This breach does not impact our organization.