There are two overarching messages we want LastPass users, and the web community at large, to take away from the story:
- Being proactive and prepared is key to mitigating the risk of attack, and
- Protect your email account like your online life depends on it, because it pretty much does these days.
1. Change the password for your email account(s), now. We have seen alarming statistics on the number of leaked passwords out there, including leaked email username and password combinations. A password generator like the one built into LastPass lets you create a unique, long, strong password for each of your online accounts. The LastPass Security Challenge can also help you identify any weak and duplicate passwords still lurking in your vault. If one account's password is compromised, every account that reuses that password is compromised too, and so is every account whose password reset goes through the compromised email address.
2. Protect your email account(s) with multifactor authentication if possible. Google has increased its efforts to encourage all Gmail users to set up multifactor authentication. If your email service offers the option, enable it as soon as possible. That way, merely knowing the password for your email account will not be enough to let someone in.
3. Replace answers to "security questions" with obscure, non-personal responses. Truthfully answering security questions puts you at risk of social engineering, since real answers can often be found or guessed. Use a password generator or make up bogus answers, and store them in a secure note in LastPass: if you ever need to reference an answer you will have it, and your personal information can't be used against you.
4. Set up multifactor authentication for your LastPass account, now. Adding multifactor authentication to your LastPass account requires another piece of secret data to be entered after you submit your master password, but before you can access your stored data. So even if your master password is somehow captured, by a keylogger or by someone you thought you could trust, they stay locked out because they don't have that second piece of login data.
5. Create a "security email address" for your LastPass account. Although protecting your primary email address(es) should be a high priority, you can set up an obscure, separate email address to be used for account recovery, multifactor authentication resets, and other critical changes to your LastPass account.
6. Run the Security Challenge, and get proactive about your security fitness level. Located in the Tools menu of the LastPass add-on, the Security Challenge lets you keep an eye on weak and duplicate passwords and reminds you of ways to improve your overall online security (such as step 4 above). Take full advantage of the other LastPass security options, such as automatic logoff when the browser is idle and restricting logins to certain countries by IP address.
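Steps 1, 3 and 6 above boil down to two mechanical tasks: generate secrets that cannot be guessed, and find the reused or weak passwords already sitting in a vault. The script below is an added illustration of both, written for this page and not LastPass's own code; it uses Python's `secrets` module (the OS CSPRNG) for generation and a small weakness heuristic for the audit. The vault entries, the site names and the "known bad" password list are constructed sample data, and the weakness rules (minimum length, a short blocklist, at least three character classes) are this example's own assumptions, not LastPass's scoring.

```python
import math
import secrets
import string
from collections import Counter

# Character set for generated passwords: 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Tiny constructed "known bad" list standing in for a real leaked-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "summer2015"}

# Constructed sample vault of (site, password); none of these are real credentials.
SAMPLE_VAULT = [
    ("mail.example.com", "Summer2015"),
    ("bank.example.com", "Summer2015"),
    ("shop.example.com", "password1"),
    ("forum.example.com", "x7$Qm!2pL9#vR4wZ"),
]


def generate_password(length=20, alphabet=ALPHABET):
    """Return a random password drawn from the OS CSPRNG via `secrets`.

    `random.choice` is deliberately not used: it is a seeded PRNG whose output
    is predictable, which defeats the point of a generated secret.
    """
    if length < 12:
        raise ValueError("refuse to generate passwords shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_security_answer(length=16):
    """Bogus 'security question' answer: letters and digits only, because many
    sites reject punctuation in answer fields. Keep it in a secure note."""
    return generate_password(length, string.ascii_letters + string.digits)


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random string of `length` symbols over `alphabet`."""
    return length * math.log2(len(alphabet))


def is_weak(password, min_length=12):
    """Heuristic check: too short, on the known-bad list, or fewer than three
    of the four character classes (lower, upper, digit, punctuation)."""
    if len(password) < min_length or password.lower() in COMMON_PASSWORDS:
        return True
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes) < 3


def audit_vault(vault, min_length=12):
    """Report sites whose password is reused elsewhere in the vault and sites
    whose password fails the weakness heuristic."""
    counts = Counter(pw for _, pw in vault)
    duplicates = sorted(site for site, pw in vault if counts[pw] > 1)
    weak = sorted(site for site, pw in vault if is_weak(pw, min_length))
    return {"duplicates": duplicates, "weak": weak}


if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT)
    print("reused passwords at:", report["duplicates"])
    print("weak passwords at:", report["weak"])
    for site in sorted(set(report["duplicates"]) | set(report["weak"])):
        print(f"{site}: replace with {generate_password()}")
    print("bogus security answer:", generate_security_answer())
    print(f"20-character password entropy: {entropy_bits(20):.1f} bits")
```

On the constructed vault the audit flags mail and bank for sharing a password and flags mail, bank and shop as weak, while the 16-character mixed-class entry passes. A 20-character password over this 94-symbol alphabet carries roughly 131 bits of entropy, far beyond what an offline guessing attack can cover.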
We highly recommend that all LastPass users follow the steps above as soon as possible. We also ask for your help in spreading the word about secure password management to family, friends, and coworkers who would benefit from higher security standards while making their online life easier. If you want to recommend LastPass, you can do so here: https://lastpass.com/friendemail.php and receive Premium as a thank you!
The LastPass Team