In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers.
A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords for other accounts. Password managers even remind you to renew your passwords periodically. For years, security experts have recommended the use of password managers.
Now, in the wake of the LastPass breach, it might be worth revisiting this advice.
LastPass security breach events
In late August of 2022, LastPass announced that hackers had gained entry to parts of the company’s development environment through a compromised developer account. This breach gave the attacker access to parts of the LastPass source code and proprietary technical information. After this first breach, the company reassured its customers that they had contained the situation. Apparently, there was no sign that the attack had compromised customer data or the encrypted password vaults.
In September 2022, LastPass announced that it underwent a thorough investigation and forensic review of the breach with the help of incident response firm Mandiant. LastPass stated they discovered no additional indications of activity from the attacker. Also, the unauthorized access was restricted to its development system, which is physically separated from its production environment.
The situation took a turn for the worse at the end of November when LastPass CEO, Karim Toubba, disclosed that an unauthorized individual had obtained access to a third-party cloud storage device, compromising certain aspects of its customer information. Apparently, there was still no sign that customer data or passwords had been compromised. But just before Christmas, LastPass informed its users that hackers had indeed gained access to both encrypted customer information, including username, password and notes, as well as unencrypted data, such as the URLs of customers’ online accounts.
How they hacked deeper into LastPass
LastPass stated that the source code and technical information originally stolen in August were used to target another employee. This allowed the intruders to obtain credentials and keys. This gave them access and the ability to decrypt storage volumes within the company’s cloud-based storage service. As a result, the intruders were able to exfiltrate customer vault data.
The breach puts LastPass customers’ login credentials at high risk. Only a user’s master password potentially protects their credentials, which LastPass does not store. But if attackers compromise the master password, they will be able to successfully decrypt login credentials for all accounts stored in the password manager.
LastPass response and recommendations
In response to the breach, according to the December statement, LastPass has:
- Eradicated any further potential access to the company’s development environment by decommissioning the environment and rebuilding a new environment from scratch
- Replaced and further hardened developer machines, processes and authentication mechanisms
- Added additional logging and alerting capabilities to help detect any further unauthorized activity
- Actively rotated all relevant credentials and certificates that may have been affected and supplemented existing endpoint security
- Performed an exhaustive analysis of every account to detect signs of any suspicious activity within the company’s cloud storage service.
LastPass communicated to all its users that:
- Since 2018, the company has required a twelve-character minimum for master passwords. This greatly minimizes the ability for successful brute-force password guessing.
- To further increase master password security, LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess a master password.
- Customers should never reuse their master password. If a master password is reused and that password is compromised, a threat actor could use compromised credentials that are already available on the Internet to attempt account access (this is referred to as a “credential stuffing” attack).
Other strong password practices, as per Microsoft, include:
- Using a combination of uppercase letters, lowercase letters, numbers and symbols
- Avoiding the use of a word that can be found in a dictionary or the name of a person, character, product or organization
- Choosing a password significantly different from your previous passwords
- Making it easy to remember but difficult for others to guess. Consider using a memorable phrase like “6MonkeysRLooking^”.
The ongoing password manager debate
Given the LastPass breaches, should companies abandon password managers? These days, nobody can say they are impervious to attack. Any company might get hacked at any time. However, some feel LastPass could have handled the incident in a more effective way.
Unfortunately, there is no 100% secure password management solution. For example, a device-based manager stores and manages passwords locally on the device. This would avoid the risk of a LastPass-like breach. But if your device is lost, corrupted or becomes inaccessible, you lose all your passwords as well. And the rapid rise of infostealer malware places any device-based password storage at risk.
Overall, experts still consider password managers to be good practice. They not only provide password security but also ease of use. With features like password change reminders, password generation tools and device syncing, password managers still have many advantages. And even passwordless solutions aren’t without their risks.
Cybersecurity experts generally consider cloud-based password managers to be safe and secure, as they typically use AES-256 encryption, which is very difficult to crack. It’s important to choose a password manager that operates on a zero-knowledge principle, meaning the manager should not have access to your data. Also, it’s best to avoid accessing your password manager on public networks, as your data may be vulnerable to capture.
Don’t count on passwords alone
As no password solution is bulletproof, it’s important to implement other security strategies, such as multifactor authentication and least-privilege principles. Least privilege means a user that requests access to a resource receives only the minimum necessary rights. And privilege should be in effect for the shortest duration necessary. An advanced least-privilege security environment may have prevented the LastPass intruders from moving laterally. All shields up!