[Heads Up] Giant LastPass Breach Can Supercharge Spear Phishing Attacks

By Roger A. Grimes. KnowBe4 recommends that everyone use a password manager to create and use strong passwords as part of their password policy: https://info.knowbe4.com/wp-password-policy-should-be

LastPass, one of the world’s most popular password managers, recently suffered a bad data breach, as revealed here: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/.

LastPass divulged that although users’ plaintext passwords were not accessed, the hackers did get the following information:

  • website URLs for the users’ stored passwords
  • end-user names
  • billing addresses
  • email addresses
  • telephone numbers
  • company names
  • IP addresses from which customers were accessing the LastPass service

The hackers also got LastPass users’ encrypted passwords for each stored logon. The encryption protection is strong AS LONG AS the master password the user chose for LastPass was strong. If you’re interested in a more detailed discussion, go here: https://www.linkedin.com/pulse/just-how-bad-recent-lastpass-compromise-roger-grimes.

In summary, if your LastPass master password was at least 12 characters long (the current LastPass default), contained some complexity, wasn’t an easy-to-guess password, and was not used on any other site or service, then you’re probably OK. If not, you need to immediately change all your passwords, both the LastPass master password and all the passwords you stored in LastPass.
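As an added illustration (not code from the article or from LastPass), the script below spells out why those master-password criteria matter: the vault key is stretched from the master password with a slow key-derivation function, so every guess against a stolen encrypted vault costs one full derivation, and the number of guesses needed grows with length and character variety. The KDF parameters, the salt, the reading of "some complexity" as three character classes, and the sample passwords are assumptions constructed for the demo.

```python
import hashlib
import math
import time

# Assumed parameters for illustration only (not stated in the LastPass notice):
# vault key = PBKDF2-HMAC-SHA256(master password, salt, ITERATIONS).
# Check your own vault's settings; a higher iteration count makes each guess costlier.
ITERATIONS = 100_100
SALT = b"constructed-demo-salt"  # constructed; a real vault uses a per-user salt

def derive_vault_key(master_password: str, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte vault key. Whoever holds the
    stolen encrypted vault must pay this same cost for every master-password guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), SALT, iterations, 32)

def char_classes(password: str) -> dict:
    """Which character classes the password uses (drives both policy and entropy)."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }

def entropy_bits(password: str) -> float:
    """Upper bound on guessing work: exhaustive search of alphabet^length.
    A dictionary word, or a password reused on an already-breached site, is far weaker."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}  # 33 printable ASCII symbols
    alphabet = sum(sizes[k] for k, used in char_classes(password).items() if used)
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def meets_master_policy(password: str, passwords_used_elsewhere: set) -> bool:
    """The article's criteria: at least 12 characters, some complexity (read here as
    three or more character classes, an interpretation), and not used anywhere else."""
    complexity = sum(char_classes(password).values()) >= 3
    return len(password) >= 12 and complexity and password not in passwords_used_elsewhere

def expected_crack_years(password: str, guesses_per_second: float) -> float:
    """Expected time to hit the password at half the keyspace, at the given guess rate."""
    return 2 ** (entropy_bits(password) - 1) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    start = time.perf_counter()
    derive_vault_key("correct horse battery staple")
    rate = 1 / (time.perf_counter() - start)  # single-core guess rate on this machine
    print(f"PBKDF2 guesses/second on one core here: {rate:.1f}")
    for pw in ("summer2022", "Tr0ub4dor&3", "xK9#mQ2!vL7pzR"):  # constructed samples
        print(f"{pw!r}: {entropy_bits(pw):.0f} bits, policy ok={meets_master_policy(pw, set())},"
              f" ~{expected_crack_years(pw, rate):.3g} years at that rate")
```

The single-core rate printed is only a sanity anchor; a well-resourced attacker with many GPUs guesses orders of magnitude faster, which is exactly why length and uniqueness, not the KDF alone, decide whether a stolen vault stays sealed.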

Spear Phishing Bonanza

However, the plaintext information that was stolen (listed above) is incredibly useful to any hacker doing social engineering and phishing. It allows an attacker to specifically target (i.e., spear phish) a potential victim using information not known to the general public or to other hackers. For example, with a list of the websites someone logs onto, a phisher can craft specific phishing emails that pretend to be from one of those websites, and include the user’s name, telephone number, and mailing address. Each added detail thickens the veil of false legitimacy around a social engineering email, and each included detail increases the percentage of people who will become victims.

Knowing people’s phone numbers and what websites they belong to opens up an avenue for a fake tech support call. Mailing addresses can allow elaborate scams through postal mail. Here’s a brazen example of such a scam: https://www.nasdaq.com/articles/inside-the-scam%3A-victims-of-ledger-hack-are-receiving-fake-hardware-wallets-2021-06-17. The sky is the limit on the types of spear phishing scams that can be created and delivered using the information that was stolen in the LastPass breach.

Kudos to LastPass for making sure the most critical user information, the users’ passwords, was stored in an encrypted state. But this breach, like all the others before it, calls into question what type of user information should or shouldn’t be considered “critical information” and always stored in an encrypted state. If the information can be used to identify or contact you, it should probably be encrypted by default.

Here is a demonstration video on Vimeo, made by Kevin Mitnick, of how an attack like this might go down. Use the password: rockandrollwillneverdie


LastPass users were relieved to learn that their stored passwords were not directly compromised, but what information was taken by the hackers is likely to have spear phishing repercussions for years to come.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!
