Reframing Password Management: What We Learned from the LastPass Breach
Published 02/02/2023
Originally published by BARR Advisory.
In August of 2022, LastPass, the cloud-based password saver, was breached as bad actors stole information that would eventually lead them to access a copy of the data vaults of tens of thousands of customers. When the firm was hacked for a second time in November, the hackers were able to steal customer data, causing another wave of alarm with LastPass’s user base.
If you use LastPass or any type of password manager, you’re probably asking yourself a few questions. Should I stop using LastPass altogether? Does this mean the end of password managers as we know them? Moving forward, how do I safely secure my data in the cloud?
BARR Advisory's Senior Consultant, Attest Services, Sarah Varnell, discusses her thoughts on the LastPass breaches and how we can reframe our thinking for secure password management.
Let’s take a look at her insight below.
It’s important to note that no password manager can completely eliminate the risk of a data breach. That said, it’s still considered safer to use a password manager, as these tools enable users to choose strong, unique passwords for each of their accounts without resorting to old habits like reusing passwords that are easy to remember with common permutations or writing them all down on paper.
Following the latest breach, we will likely see a flood of users leaving LastPass to utilize an equivalent tool—myself included. However, the most glaring issue to safe password management is not that LastPass was breached, but the way they responded to the incident.
At the time of the first breach, LastPass believed the incident only involved internal systems for software development, leading them to determine that customer data was not at risk. Yet, whatever the hacker stole, including portions of a company source code and some proprietary LastPass technical information, likely paved the way for the follow-up intrusion in November.
LastPass did work with a cybersecurity firm to conduct an investigation, which ended in September. But it seems this investigation was somewhat limited, as they failed to uncover an important factor—the potential that the hacker would use the information gleaned to breach the company again.
The full scope of what data was stolen is unclear, but LastPass has stated that customers’ passwords should remain safe, since the company doesn’t store any information on the ”‘master password,” which is the password customers use to access their encrypted password vaults over the platform. However, a lawsuit filed against LastPass alleges, “Not only has this statement not been verified through discovery, but it is also a shameless attempt by LastPass to shift the blame of the Data Breach’s resulting negative impact on Plaintiff and Class members.”
The response from LastPass also seems to suggest that if your master password is changed and secured, your vault data is secure, but this is not the case. Changing that primary password with LastPass now will not protect any vault data that’s already been stolen. Additionally, this does not address all of the Personally Identifiable Information (PII)—names, contact information, billing information, details about sites visited, etc.—that could easily be used in phishing attacks against end users. LastPass also did not adopt the practice of some other password managers of encrypting or masking saved website URL’s, which can contain user account tokens, API keys and credential data.
The CEO from LastPass stated, “It is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.”
Given the benefits of these tools, the majority of security practitioners and consultants will continue to support the use of password managers, but even longtime defenders of LastPass are now switching to alternatives. If users do decide to stay with LastPass, they should change their vault password immediately, turn on two-factor authentication for every account that offers it, and update all passwords stored in their vault.
Related Articles:
The Evolution of DevSecOps with AI
Published: 11/22/2024
CSA Community Spotlight: Nerding Out About Security with CISO Alexander Getsin
Published: 11/21/2024
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024
AI-Powered Cybersecurity: Safeguarding the Media Industry
Published: 11/20/2024