What happened?
On December 22, 2022, LastPass' CEO published a blog post stating that LastPass had been breached in the preceding months and that the attacker had obtained a copy of customer vault data. In that data, passwords and other sensitive fields are encrypted, but some fields are stored in plaintext. The unencrypted data includes:
- Company names
- End-user names
- Billing addresses
- Email addresses
- Telephone numbers
- Website URLs
All LastPass customers' stored passwords are encrypted with a key derived from the customer's master password, so the attacker cannot read them unless they also obtain or guess that master password. Because the attacker holds their own copy of the encrypted vaults, guessing can be done offline, without the rate limiting, lockouts or multi-factor authentication that protect the live LastPass login.
What are the main risks for LastPass users?
If the attacker is able to get a specific LastPass customer’s master password, they will have access to all their saved LastPass passwords.
Customers at the highest risk are:
- Those who have easy-to-guess master passwords
- Those who re-use their master password on other services. If any of those services is breached or phished, the attacker obtains the master password directly instead of having to guess it.
Please note that changing your LastPass master password now does not protect the encrypted vault data the attacker already holds. That copy was encrypted under the master password in use at the time it was taken, and anyone who recovers that password can open it regardless of later changes. LastPass users should therefore treat every credential that was stored in LastPass as exposed and change it at the service it belongs to.
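The following is an added example, not code from Fireblocks or LastPass, that models the two points above: a stolen encrypted vault can be attacked offline by guessing the master password, and rotating the master password afterwards re-encrypts only the live vault, not the copy the attacker already has. The format is a simplified stand-in (PBKDF2-HMAC-SHA256 for the vault key, an HMAC-SHA256 counter-mode stream cipher with a separate HMAC tag, and an iteration count chosen for the example) so that it runs on the Python standard library; the real LastPass vault format differs. The sample secret and the wordlist are constructed for the demonstration.

```python
# Added example (not Fireblocks' or LastPass' code). Toy model of offline
# guessing against a stolen password-manager vault. The key derivation is
# PBKDF2-HMAC-SHA256; the cipher is an HMAC-SHA256 counter-mode keystream with
# a separate HMAC tag, used only so the example runs without third-party
# libraries. The real LastPass format is different.
import hashlib
import hmac
import os

ITERATIONS = 100_100  # example's own choice; this is the cost the attacker pays per guess


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, truncated to the requested length."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(vault_key: bytes):
    """Separate encryption and authentication keys derived from the vault key."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(master_password: str, plaintext: bytes, iterations: int = ITERATIONS) -> dict:
    """Encrypt vault contents under a key derived from the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, iterations))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_vault(master_password: str, vault: dict):
    """Return the plaintext, or None if the password does not verify against the tag."""
    enc_key, mac_key = _subkeys(derive_key(master_password, vault["salt"], vault["iterations"]))
    expected = hmac.new(mac_key, vault["nonce"] + vault["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    keystream = _keystream(enc_key, vault["nonce"], len(vault["ciphertext"]))
    return bytes(c ^ k for c, k in zip(vault["ciphertext"], keystream))


def offline_guess(stolen_vault: dict, candidates):
    """What an attacker does with a stolen copy: try candidates with no rate limit, lockout or MFA."""
    for guess in candidates:
        plaintext = decrypt_vault(guess, stolen_vault)
        if plaintext is not None:
            return guess, plaintext
    return None


def rotation_demo() -> dict:
    """Show that rotating the master password re-encrypts the live vault, not the stolen copy."""
    secret = b"constructed sample: console login alice@example.com / Tr0ub4dor&3"
    stolen_copy = encrypt_vault("Summer2022!", secret)  # weak master password; this copy is later stolen
    rotated_live_vault = encrypt_vault("correct horse battery staple", secret)  # user rotates afterwards
    wordlist = ["password", "123456", "Summer2022!", "letmein"]  # constructed attacker dictionary
    hit = offline_guess(stolen_copy, wordlist)
    return {
        "stolen_copy_cracked": hit is not None and hit[1] == secret,
        "rotated_vault_resists_wordlist": offline_guess(rotated_live_vault, wordlist) is None,
        "old_password_still_opens_stolen_copy": decrypt_vault("Summer2022!", stolen_copy) == secret,
    }


if __name__ == "__main__":
    print(rotation_demo())
```

The `rotation_demo` result makes the advisory's point concrete: the rotated live vault resists the wordlist, but the stolen copy still opens under the old master password, so the stored secret itself (here the constructed console login) is what has to be changed.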
The LastPass breach also puts LastPass users at higher risk of social engineering and phishing. The unencrypted data (names, email addresses, telephone numbers and the URLs of stored sites) lets attackers craft convincing targeted messages impersonating either LastPass or Fireblocks in order to obtain the master password or other credentials from the user.
IMPORTANT
Fireblocks personnel will never ask you for your password or passphrase.
What should you do if you used LastPass?
If you, or anyone in your organization, stored Fireblocks credentials or a recovery passphrase in LastPass, change them immediately.
If your private key is backed up with Coincover and the original passphrase was stored in LastPass, change the passphrase and then create a new backup of the key protected by the new passphrase.
Fireblocks-related high-risk credentials are:
- Fireblocks console credentials
- Fireblocks console 2FA recovery phrase
- Fireblocks recovery passphrase (Owner, Admin, or Signer)
To change your recovery passphrase, read this section of Key recovery using your recovery passphrase.