Giftbit's Response to the LastPass Security Breach
March 3, 2023
On December 22, 2022, LastPass disclosed a security incident involving a threat actor hacking an employee’s home computer. On March 1st, 2023, LastPass released an update sharing more information on the circumstances surrounding the incident, including that the actor was able to access elements of LastPass customer data.
How did Giftbit assess the threats?
When the Giftbit security team received the notice in December, we:
- Activated an incident response team to evaluate the risk
- Consulted with an external security partner to validate the risk and response
- Monitored security community discussions and recommendations for best practices
Giftbit deemed the threat level in December low-risk, given the additional protections and processes already in place to protect our systems and data. When the March LastPass notice was released, the team again thoroughly reviewed and assessed the new information, evaluated mitigations already taken, and decided to take further action.
Why did Giftbit deem the December threat low-risk?
At Giftbit we have high security compliance standards to ensure protection of our clients and our business. Our standard practices include:
- Using MFA where available on all critical accounts
- A strong password policy resulting in strong encryption of password data
- Continuing education and team testing around phishing and security
- Further internal mitigating factors to protect against credential compromise
How we responded to the threats
Giftbit took immediate action in December:
- Educated the team on the situation, response and what to watch for
- Reset all master passwords in LastPass
Giftbit took further action in March:
- Decided to migrate to another password manager platform that we evaluated as safer
- Completed due diligence and a full password audit (sensitive and critical accounts first)
- Reset all passwords and MFA
- Continue to monitor password and MFA health
Why are we sharing this information?
As threat actors continue to become more and more sophisticated, so must our layers of protection. We take security very seriously at Giftbit, and we want our clients and partners to know that they can count on us for the highest possible level of security monitoring and compliance.