LastPass, the cloud storage system for passwords, suffered a breach in late 2022 that has caused ripples in the security world. Some elements of user data were taken, although many were encrypted. The company has downplayed the potential effect. Security advisers have not. LastPass seems to have taken the right path in terms of prompt disclosure and investigation, which should be a no-brainer at this point. It also had internal policies that may help limit its exposure (and any losses to users), although that remains to be seen.
Why It Matters
Standard security advice to any company includes using multiple layers of protection to safeguard company assets and any information belonging to third parties such as consumers or customers. This breach pinpoints why having multiple strategies is important: if someone gets in, but can only take encrypted data, your losses (and your liabilities) may be reduced. There are other ways to "double up" on protection, and resources such as NIST and the FBI provide extensive recommendations about how to improve your security posture. Take the opportunity to use the new year as a reset on your privacy and security practices: update everything, patch everything, review your privacy policy against your actual data practices, and give refresher training about phishing and other topics to employees. Your data will thank you.
First, it's important to understand what happened: The company said intruders had gained access to its cloud database and obtained a copy of the data vaults of tens of millions of customers by using credentials and keys stolen from a LastPass employee.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.