In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers.

A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords for other accounts. Password managers even remind you to renew your passwords periodically. For years, security experts have recommended the use of password managers.

Now, in the wake of the LastPass breach, it might be worth revisiting this advice.

LastPass Security Breach Events

In late August of 2022, LastPass announced that hackers had gained entry to parts of the company’s development environment through a compromised developer account. This breach gave the attacker access to parts of the LastPass source code and proprietary technical information. After this first breach, the company reassured its customers that they had contained the situation. Apparently, there was no sign that the attack had compromised customer data or the encrypted password vaults.

In September 2022, LastPass announced that it underwent a thorough investigation and forensic review of the breach with the help of incident response firm Mandiant. LastPass stated they discovered no additional indications of activity from the attacker. Also, the unauthorized access was restricted to its development system, which is physically separated from its production environment.

The situation took a turn for the worse at the end of November when LastPass CEO, Karim Toubba, disclosed that an unauthorized individual had obtained access to a third-party cloud storage device, compromising certain aspects of its customer information. Apparently, there was still no sign that customer data or passwords had been compromised. But just before Christmas, LastPass informed its users that hackers had indeed gained access to both encrypted customer information, including username, password and notes, as well as unencrypted data, such as the URLs of customers’ online accounts.

How They Hacked Deeper Into LastPass

LastPass stated that the source code and technical information originally stolen in August were used to target another employee. This allowed the intruders to obtain credentials and keys. This gave them access and the ability to decrypt storage volumes within the company’s cloud-based storage service. As a result, the intruders were able to exfiltrate customer vault data.

The breach puts LastPass customers’ login credentials at high risk. Only a user’s master password potentially protects their credentials, which LastPass does not store. But if attackers compromise the master password, they will be able to successfully decrypt login credentials for all accounts stored in the password manager.

LastPass Response and Recommendations

In response to the breach, according to the December statement, LastPass has:

  • Eradicated any further potential access to the company’s development environment by decommissioning the environment and rebuilding a new environment from scratch
  • Replaced and further hardened developer machines, processes and authentication mechanisms
  • Added additional logging and alerting capabilities to help detect any further unauthorized activity
  • Actively rotated all relevant credentials and certificates that may have been affected and supplemented existing endpoint security
  • Performed an exhaustive analysis of every account to detect signs of any suspicious activity within the company’s cloud storage service.

LastPass communicated to all its users that:

  • Since 2018, the company has required a twelve-character minimum for master passwords. This greatly minimizes the ability for successful brute-force password guessing.
  • To further increase master password security, LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess a master password.
  • Customers should never reuse their master password. If a master password is reused and that password is compromised, a threat actor could use compromised credentials that are already available on the Internet to attempt account access (this is referred to as a “credential stuffing” attack).

Other strong password practices, as per Microsoft, include:

  • Using a combination of uppercase letters, lowercase letters, numbers and symbols
  • Avoiding the use of a word that can be found in a dictionary or the name of a person, character, product or organization
  • Choosing a password significantly different from your previous passwords
  • Making it easy to remember but difficult for others to guess. Consider using a memorable phrase like “6MonkeysRLooking^”.

The Ongoing Password Manager Debate

Given the LastPass breaches, should companies abandon password managers? These days, nobody can say they are impervious to attack. Any company might get hacked at any time. However, some feel LastPass could have handled the incident in a more effective way.

Unfortunately, there is no 100% secure password management solution. For example, a device-based manager stores and manages passwords locally on the device. This would avoid the risk of a LastPass-like breach. But if your device is lost, corrupted or becomes inaccessible, you lose all your passwords as well. And the rapid rise of infostealer malware places any device-based password storage at risk.

Overall, experts still consider password managers to be good practice. They not only provide password security but also ease of use. With features like password change reminders, password generation tools and device syncing, password managers still have many advantages. And even passwordless solutions aren’t without their risks.

Cybersecurity experts generally consider cloud-based password managers to be safe and secure, as they typically use AES-256 encryption, which is very difficult to crack. It’s important to choose a password manager that operates on a zero-knowledge principle, meaning the manager should not have access to your data. Also, it’s best to avoid accessing your password manager on public networks, as your data may be vulnerable to capture.

Don’t Count On Passwords Alone

As no password solution is bulletproof, it’s important to implement other security strategies, such as multifactor authentication and least-privilege principles. Least privilege means a user that requests access to a resource receives only the minimum necessary rights. And privilege should be in effect for the shortest duration necessary. An advanced least-privilege security environment may have prevented the LastPass intruders from moving laterally. All shields up!

More from News

$10.3 Billion in Cyber Crime Losses Shatters Previous Totals

4 min read - The introduction of the most recent FBI Internet Crime Report says, “At the FBI, we know ‘cyber risk is business risk’ and ‘cybersecurity is national security.’” And the numbers in the report back up this statement. The FBI report details more than 800,000 cyber crime-related complaints filed in 2022. Meanwhile, total losses were over $10 billion, shattering 2021's total of $6.9 billion, according to the bureau’s Internet Crime Complaint Center (IC3).  Top Five Cyber Crime TypesIn the past five years, the…

4 min read

HHS Releases Hospital Cyber Resiliency Landscape Analysis

4 min read - On April 17, 2023, The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of its Hospital Cyber Resiliency Initiative Landscape Analysis. This landmark analysis reports on domestic hospitals’ current state of cybersecurity preparedness. The scope of the HHS study was limited to activities that protect access to patient care and safety and reduce the negative impact of cyber threats on clinical operations. Breaches of sensitive data were considered only if the breach had a direct…

4 min read

Zombie APIs are a Top Security Concern as API Attacks Surge 400%

4 min read - Organizations of all sizes rely on application programming interfaces (APIs). The API explosion has been driven by several factors, including cloud computing, demand for mobile/web applications, microservices architecture and the API economy as a business model. APIs enable developers to access data remotely, integrate with other services, build modular applications and monetize their data/services. For enterprises that participated in a recent research study, the average number of APIs per organization was 15,564. Large enterprises (over 10,000 employees) had an average…

4 min read

Google’s Bug Bounty Hits $12 Million: What About the Risks?

4 min read - Bug bounty numbers have never been better. In 2022, Google rewarded the efforts of over 700 researchers from 68 different countries who helped improve the security of the company’s products and services. The total amount of awards grew from $8.7 million paid in 2021 to $12 million in 2022, a nearly 38% increase. Over the past few years, bug bounty programs have gained significant traction. Companies have been lured in by the potential to identify vulnerabilities quickly, enhance product security…

4 min read