How to eliminate your organization's exposure to compromise after the LastPass breach


LastPass is a widely used password manager relied on by 100,000 businesses and 33 million individuals to secure their passwords. While password managers offer convenience, they also come with security risks, and it's crucial to weigh the benefits against the risks before adopting one in an organization. Poor password policies, lack of control, or even a single user error can have disastrous consequences. In some cases, however, the very thing people fear most can occur – the password manager itself can be compromised.

The recent LastPass data breach is a cause for huge concern for organizations and individuals who have used this password manager. On December 22nd, LastPass revealed that the security incident it had previously reported on November 30th was in fact a massive data breach. The attackers are believed to have used information obtained from an August attack on the company to carry out the second attack in November.

Unfortunately, it's not the first time this has happened; on June 15, 2015, LastPass announced that its network had been breached, compromising data such as email addresses, password reminders, and password hashes.

The most recent breach allowed an unauthorized party to access sensitive user account information, including personal data such as usernames, email addresses, phone numbers, names, billing addresses, and IP addresses. The breach also exposed stored website URLs, which could be used to launch targeted phishing attacks, and the attackers took copies of vault data, including usernames, passwords, secure notes, and form-fill fields. Although this vault data remains encrypted, an attacker who cracks a user's master password would be able to access everything stored in that vault. Changing the master password now would not solve the issue, as the attackers already have a copy of the vault.


Mike Walters, VP of Vulnerability and Threat Research at Action1.

For businesses that require employees to use LastPass as part of their official password policy, the risk is obvious. If an attacker cracks or steals an employee's LastPass master password, they will have unrestricted access to the company's most sensitive data.

Overall, this breach highlights several related issues that, when combined, can cause devastating consequences:

  • A lack of password best practices: Many end users do not maintain good password hygiene; password reuse and weak passwords are common. Unfortunately, 53% of people reuse passwords across corporate and personal accounts, which means that even if different password managers are used for work and personal purposes, a breach of one can cause major damage to both.
  • Uncontrolled use of password managers: While not all companies use LastPass, many employees install browser extensions themselves and use password managers for both work and personal credentials. In that case, system administrators can neither enforce password best practices nor manage the password manager software. In fact, some data shows that 97% of the cloud apps used in the enterprise are shadow IT.

This puts both personal and corporate-managed users at risk, as the breach demonstrates the vulnerability of even well-established password managers. 

What can we do now?

To mitigate the risk posed by the LastPass breach, all users are advised to reset their passwords site-by-site, as simply changing the master password now would not solve the issue. They should also follow best practices for passwords and enable multi-factor authentication (MFA) where possible.

For sysadmins, the following recommendations should be considered:

  • Monitor your managed devices for installed plugins, as not all users follow cybersecurity news and may be unaware of the problem.
  • Pay particular attention to identifying LastPass installed as a browser extension, since browser extensions are not detected by most remote monitoring and management (RMM) and endpoint management systems by default. It is possible, however, to automate the discovery of LastPass extensions through scripting, which saves time and effort.
  • Adopt a risk-based approach to determine whether LastPass is the best password manager for the organization, or if a different solution is more suitable.
  • Implement a password manager that is centrally managed and controlled by the IT team, to enforce strong password policies and prevent password reuse.
  • Urge users to turn on multi-factor authentication (MFA) for all of their accounts, including those managed by LastPass, to add an extra layer of security. Ideally, use hardware token-based MFA if the service supports it, or at least app-based MFA, such as Google Authenticator. Avoid SMS-based MFA, as it is less secure and vulnerable to cell phone number hijacking.
  • Conduct regular cybersecurity training and awareness campaigns for employees on the importance of using strong passwords and the dangers of reusing them. If you've identified users relying on LastPass outside of IT control, work with them directly and explain the dangers of this practice.
  • Emphasize user education on recognizing social engineering attacks. Users need to be aware of the sophisticated methods threat actors use to steal their master password. Attackers may pose as LastPass, regulatory bodies, or other organizations to deceive users into revealing their credentials. Users should also be mindful that phishing has evolved beyond simple emails and can involve multiple communication channels, including phone calls, SMS, messaging apps, and others.
  • Collaborate with users to develop good password policies, and regularly review and update them to align with current security best practices.
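One way to automate the extension discovery mentioned in the second recommendation, as an added example (not Action1's tooling and not code from this article): a Python script that walks the default Chromium-family extension folders for one user's profile, reads each extension's manifest, resolves localized names the way the browser does, and reports any extension whose name contains "lastpass". The folder locations and the name-based match are assumptions; Firefox profiles and scanning every user account on a machine are left to the reader.

```python
import json, sys
from pathlib import Path

# Default Chromium extension folders relative to a user's home (adjust for extra profiles).
EXTENSION_DIRS = {
    "win32": [r"AppData\Local\Google\Chrome\User Data\Default\Extensions",
              r"AppData\Local\Microsoft\Edge\User Data\Default\Extensions"],
    "darwin": ["Library/Application Support/Google/Chrome/Default/Extensions",
               "Library/Application Support/Microsoft Edge/Default/Extensions"],
    "linux": [".config/google-chrome/Default/Extensions",
              ".config/chromium/Default/Extensions"],
}

def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Display name, resolving __MSG_key__ placeholders from
    _locales/<default_locale>/messages.json the way the browser does."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        key, locale = name[6:-2], manifest.get("default_locale", "en")
        messages = version_dir / "_locales" / locale / "messages.json"
        try:
            name = json.loads(messages.read_text(encoding="utf-8"))[key]["message"]
        except (OSError, ValueError, KeyError, TypeError):
            pass  # keep the raw placeholder rather than abort the scan
    return name

def find_extensions(extension_root: Path, needle: str = "lastpass") -> list:
    """Walk <root>/<extension-id>/<version>/manifest.json and collect matches."""
    hits = []
    if not extension_root.is_dir():
        return hits
    for ext_dir in (d for d in extension_root.iterdir() if d.is_dir()):
        for version_dir in (v for v in ext_dir.iterdir() if v.is_dir()):
            try:
                manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # missing or malformed manifest: skip this version
            name = resolve_name(version_dir, manifest)
            if needle in name.lower():
                hits.append({"id": ext_dir.name, "version": version_dir.name, "name": name})
    return hits

def scan_home(home: Path, platform: str = sys.platform) -> list:
    """Scan every known Chromium extension folder under one user's home."""
    return [h for rel in EXTENSION_DIRS.get(platform, [])
            for h in find_extensions(home / rel)]

if __name__ == "__main__":  # run per user; feed the output to your RMM inventory
    for hit in scan_home(Path.home()):
        print(f"{hit['name']} {hit['version']} (id {hit['id']})")
```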

Conclusion

The LastPass data breach is significant in several ways. First, it serves as a valuable reminder for all of us to rethink password security practices. Second, it shows that even if an attacker initially gains access to a non-sensitive part of a company's infrastructure, they can still exploit security vulnerabilities over time and obtain sensitive customer data that resides in a different but interconnected environment. This reminds organizations of the importance of thoroughly examining their security weaknesses after a successful attack in order to prevent future hacks: investigating any security incident promptly, and identifying and remediating any security vulnerabilities it reveals.

