Password manager LastPass announced a data breach incident yesterday where suspicious activity was identified on its network, and user data has been compromised. LastPass stated that the hackers stole data that included master passwords and other login details, potentially exposing data that has been stored with passwords. More specifically, the announcement refers to “user email addresses, password reminders, server per user salts and authentication hashes.”

It’s not the first time, and certainly not the last time, that cyberattacks have targeted password managers. Last year we wrote about a different type of attack that targeted password managers using a variant of the Citadel Trojan, which targets end-user systems. Since those password managers are installed locally, some have suggested that cloud-based password managers and single sign-on (SSO) solutions might provide an alternative. However, this breach shows that attackers will try to compromise any password manager solution regardless of its architecture, and with a cloud-based password manager, the attackers gain an asymmetric advantage: Instead of one machine yielding credentials for one user, they only have to target a single site to compromise the credentials of thousands, if not millions, of users.

In these days of endless breaches, requiring the use of complex passwords is imperative. Yet for many users, managing different passwords and remembering them is a hassle. In order to minimize the number of passwords to remember, some will reuse the same password. This is a dangerous practice because, if stolen, that single password can provide access to all systems and sites with no separation between personal apps such as Pinterest and corporate systems. Cybercriminals know this, which is why even seemingly innocuous credentials are so valuable to them. There is no shortage of examples of websites that were breached and user credentials stolen: eBay had 150 million passwords stolen; millions of passwords were stolen from LinkedIn; and Yahoo, Adobe and many others join the litany.

As a consequence, it is important to require employees to use different passwords for accessing corporate resources and their personal apps. This can easily be achieved with credential protection platforms that can automatically alert on, and optionally prevent, password reuse by employees.

As for LastPass users, the company says that it is confident that the encryption measures it uses “are sufficient to protect the vast majority of users.” In any case, we recommend that at minimum users change their master passwords. To be on the safe side, it is probably best to change all the passwords contained by LastPass, as well.

More from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

How to Report Scam Calls and Phishing Attacks

With incidents such as the Colonial Pipeline infection and the Kaseya supply chain attack making so many headlines these days, it can be easy to forget that malicious actors are still preying on individual users. They're not using ransomware to do that so much anymore, though. Not since the rise of big game hunting, anyway. This term marks ransomware actors' shift away from attacks against individual users and towards operations targeting large enterprises, noted CNBC. But attacks like phishing and…