LastPass Breach
You may or may not be aware that LastPass have had a major security breach. The extent of the breach has slowly got worse as they have released more details. The full details can be found on the LastPass incident blog.
How is Realisable affected? What details have been leaked?
Realisable Software use LastPass to store personal, work-related and customer access details. This means we at Realisable are at risk and, in turn, some of you will be affected.
As of now, it appears that some, if not all, customer password vaults have been obtained. To the best of our knowledge LastPass have not confirmed the extent; we are assuming the worst.
This means point-in-time copies of the password vaults will have been taken by the attackers and, for all intents and purposes, will be available on the dark web in perpetuity.
The vaults themselves are encrypted, so this does not mean the attackers have access to the passwords and details stored within the vaults, only the encrypted vault files. What the attackers can do is guess each vault's master password offline, at their leisure, against their own copy of the file.
Realisable use hardware-based two-factor authentication for access to LastPass. This however only protects (front-door) access to the LastPass password vaults; it is not used as a factor in the vaults' encryption, so it offers no protection against an attacker working on a stolen copy of a vault.
Realisable store all sensitive data in LastPass's secure fields, but some usernames, IP addresses, service names and URLs are stored in clear text (per LastPass's proprietary storage format, over which we have no control). Even without decrypting a vault, an attacker can therefore see which systems it holds credentials for.
Realisable’s Response
We have naturally taken this incident seriously and, in response, Realisable have undertaken a review of our LastPass master passwords and found the weakest was over 10 characters.
LastPass derives the vault encryption key from the master password with PBKDF2-SHA256, so every guess costs the attacker the account's configured number of iterations. Even with the fastest hardware, breaking a genuinely random password of this length would take several years and incur substantial power costs; the estimate is far less comfortable if the account's iteration count is low or the password is built from dictionary words.
This is not to say we or you are safe, but it does mean a breach from a brute-force attempt is presently unlikely.
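To show what "several years" rests on, the following estimator is an added illustration (it is not Realisable's or LastPass's code). It models the attacker's offline guessing rate against a PBKDF2-SHA256 vault key and compares a 10-character master password across different character sets and iteration counts, plus a four-word passphrase. The per-GPU SHA-256 rate, the GPU count and the iteration counts are assumptions chosen to expose the sensitivity of the estimate, not measured figures.

```python
"""Offline guessing-cost estimate for a stolen, PBKDF2-SHA256-protected vault.

Added example, not code from Realisable or LastPass. All rates and counts
below are assumptions for illustration; substitute your own measurements.
"""

# Assumed raw SHA-256 throughput of one high-end GPU (hashes/second).
ASSUMED_SHA256_PER_GPU = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed iteration counts: a low legacy value, a common default, a hardened value.
ITERATION_COUNTS = (5_000, 100_100, 600_000)

ALPHABETS = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed+digits": 62,
    "printable ASCII": 95,
}


def guesses_per_second(iterations: int, gpus: int = 1,
                       sha_rate: float = ASSUMED_SHA256_PER_GPU) -> float:
    """Master-password guesses per second.

    Each PBKDF2 iteration is one HMAC-SHA256, roughly two SHA-256
    compressions, so one guess costs about 2 * iterations raw hashes.
    """
    return gpus * sha_rate / (2 * iterations)


def keyspace(length: int, alphabet_size: int) -> float:
    """Number of equally likely passwords of `length` symbols from an alphabet."""
    return float(alphabet_size) ** length


def expected_years(space: float, iterations: int, gpus: int = 1) -> float:
    """Average time to find a uniformly random password: half the keyspace."""
    seconds = (space / 2) / guesses_per_second(iterations, gpus)
    return seconds / SECONDS_PER_YEAR


def report(length: int = 10, gpus: int = 1000) -> list:
    """Rows of (label, iterations, expected years) for the assumed attacker."""
    rows = []
    for name, size in ALPHABETS.items():
        for iters in ITERATION_COUNTS:
            rows.append((f"{length} random {name}", iters,
                         expected_years(keyspace(length, size), iters, gpus)))
    # A passphrase of four words from a 7776-word list is longer than 10
    # characters yet has a far smaller keyspace than 10 random printable chars.
    for iters in ITERATION_COUNTS:
        rows.append(("4 diceware words", iters,
                     expected_years(keyspace(4, 7776), iters, gpus)))
    return rows


if __name__ == "__main__":
    for label, iters, years in report():
        print(f"{label:28} {iters:>8} iterations: {years:12.4g} years")
```

Under these assumptions a 10-character lowercase password falls in days to a thousand GPUs, while 10 random printable characters hold out for thousands of years; dropping the iteration count from 100,100 to 5,000 makes every row about 20 times faster. Length alone is not the measure: what matters is the keyspace the password was actually drawn from and the iteration count on the account.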
However we have taken the following steps:
- A mass change of our own passwords and internal systems' passwords; the majority of this is complete.
- Increasing password complexity and tightening security policies where permitted.
- For customers we deal with directly, and those whose systems we have direct access to, we have begun to change passwords and keys where possible.
Our Storage of Access Details
We will also be reaching out to those customers we deal with directly to inform them of the breach, suggest a course of action and/or work with them to change details.
You may contact us through our support lines to request which of your details we store.
Please allow some time for us to respond.
Changing Passwords and Security Access
Please note, if you decide to change access details and passwords, you will ultimately be responsible for the change; system outages may occur through misconfiguration.
We will endeavour to assist, but we are not responsible for resolving security issues.
Please find below several links to security-related articles in our help:
Are you using LastPass? Perhaps it's time for you to review your own security.