The LastPass Breaches: Password Managers in the Spotlight


The multiple breaches of password management giant LastPass in 2022 have created significant discussion – and alarm – among the cybersecurity community, not to mention affected LastPass customers. In addition to putting the response and actions of LastPass under the spotlight, the incident has raised questions over the safety of storing multiple login credentials in password managers generally.

Password managers are programs that enable users to store their ever-growing list of online credentials in a safe location, removing the need for this information to be recorded in insecure ways, such as sending it via email or writing it on post-it notes.

These solutions are often strongly advised by security experts as a part of best security practices, as they enable users to easily use strong and unique passwords for each online account they possess. Additionally, these programs alert users if they are duplicating a password across different accounts and notify them if their password has appeared in a known data breach.

However, if users’ password manager vaults are compromised, it potentially puts every one of their online accounts at risk of compromise. It is an issue that needs to be placed in the spotlight following the well-publicized LastPass incident.

A Timeline of LastPass Breaches

The latest LastPass saga began in late August 2022, when the firm published a post revealing that “an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account.” This compromised account enabled the attacker to take portions of source code and some proprietary LastPass technical information.

However, the company reassured customers that it had “achieved a state of containment” and that there was no evidence that customer data or encrypted password vaults were accessed in the breach.

The next update came in September 2022, when LastPass announced it had completed an investigation and forensic review of the breach in conjunction with incident response company Mandiant. At this point, LastPass said it had found no further evidence of activity from the threat actor, and the unauthorized access was limited to its development system, which is “physically separated” from its production environment.

Unfortunately, things were about to get far uglier.

The issue escalated at the end of November when LastPass CEO Karim Toubba released a notice revealing that an unauthorized party had gained access to a third-party cloud storage service, compromising “certain elements” of its customer information. This new breach was enabled by the information gained by the attacker during the original August incident.

He noted that there was no sign that customer data or passwords had been compromised.

The alarm bells were well and truly ringing a couple of days before Christmas when the firm informed users that attackers had accessed both encrypted customer data – usernames, passwords and notes – and unencrypted data, such as the website URLs of customers’ online accounts.

LastPass explained that the source code and technical information taken in August were used to target another employee. This in turn enabled the hackers to get hold of credentials and keys that allowed them to access and decrypt storage volumes within the company’s cloud-based storage service. They then copied a backup of customer vault data, allowing them to hold this information offline.

This has put LastPass customers’ credentials at substantial risk, protected only by their master password, which thankfully is not stored by the company. If that master password is broken, the attackers will have decrypted the login credentials for every account the user stored in the password manager.

Darren Guccione, CEO and co-Founder at Keeper Security, told Infosecurity: “LastPass has had security issues in the past, but this latest breach, which was more fully disclosed by LastPass on December 22, 2022, is far more pervasive in nature because it included sensitive user information and password vault data.”


While those who use a strong and unique master password will be relatively safe from brute-force attacks, customers with weak master passwords reused across multiple accounts are in severe danger.

Immediate Steps for LastPass Customers

First and foremost, LastPass customers need help protecting the credentials held in their vaults. The most crucial step is, if necessary, to strengthen their master password, ensuring it is unique, long and complex.

Melissa Bischoping, director of endpoint security research at Tanium, noted: “While the master password may be unknown to attackers, it is possible to crack those passwords, especially if your master password appears in common dictionaries or follows common patterns, such as Winter2023!!, common character substitutions like Myd0gsnam3isr0v3r, or re-used passwords previously included in other breaches.”

Guccione recommended using letters, numbers and symbols that still spell out a memorable phrase. “For example, a phrase such as ‘GoingH0mE2CookDinner665$’ is a strong master password that cyber-criminals won’t have access to in dark web repositories or dictionaries, and will be impervious to a brute force attack,” he outlined.
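Bischoping’s point above, that a master password can score well on a simple length-and-charset meter and still be crackable because it follows a seasonal pattern, is a character-substitution variant of a plain phrase, or reuses a breached value, as an added illustration that is not from the article or from any vendor named in it. The breach list, phrase list and substitution table are small constructed stand-ins; a real check would query a breach corpus and a proper wordlist.

```python
import re
from math import log2

# Constructed stand-ins for a real breach corpus and phrase dictionary.
BREACHED = {"password1", "letmein", "qwerty123", "summer2022!"}
COMMON_PHRASES = {"mydogsnameisrover", "iloveyou", "welcome"}

# Common character substitutions to undo before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)\d{2,4}[^\w]*$", re.I)
WORD_YEAR = re.compile(r"^[a-z]+\d{4}[^\w]*$", re.I)


def naive_bits(pw: str) -> float:
    """Charset-based entropy estimate, i.e. what a simple meter reports."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"\d", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33
    return len(pw) * log2(size) if size else 0.0


def issues(pw: str) -> list[str]:
    """Pattern and reuse checks that the naive estimate misses entirely."""
    found = []
    plain = pw.translate(LEET).lower()      # "Myd0gsnam3isr0v3r" -> "mydogsnameisrover"
    if pw.lower() in BREACHED or plain in BREACHED:
        found.append("reused: appears in a known breach")
    if SEASON_YEAR.match(pw):
        found.append("season+year pattern (e.g. Winter2023!!)")
    elif WORD_YEAR.match(pw):
        found.append("word+year pattern")
    if plain != pw.lower() and plain in COMMON_PHRASES:
        found.append("leetspeak variant of a common phrase")
    if len(pw) < 12:
        found.append("shorter than 12 characters")
    return found


def assess(pw: str) -> dict:
    """Any pattern hit makes the password weak, however high naive_bits is."""
    found = issues(pw)
    return {"naive_bits": round(naive_bits(pw), 1), "issues": found,
            "verdict": "weak" if found else "ok"}
```

Running `assess` on the two weak examples from the quote shows the naive meter crediting them with 70 to 100 bits while the pattern checks flag both.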

LastPass has also, understandably, urged its users to change the passwords for the websites it has stored as an extra security precaution.

Finally, customers should be on the lookout for targeted phishing attempts in the coming months, given that the attackers accessed their unencrypted contact information and the websites they use.

Assessing the LastPass Response

Returning to the incident itself, the response of LastPass has unsurprisingly been heavily scrutinized, given its earlier assurances that customer data was safe.

Harman Singh, director at Cyphere, said: “This entire episode, with information revealed in instalments with a gap of months, forces you to think if there is more to come in another two months. How do we know if LastPass is sitting on more info to be revealed in due course? Would customers take their word given how it’s handled?”

He argued that the failure to communicate the risk to customer vaults or data earlier on was either a result of having gaps in their investigation, or a conscious decision to choose a “relaxed path instead of handling this as a crisis.”

Singh added: “We all very well know that it’s not about a company demonstrating 100% clean record on cybersecurity controls and breach situations, it's more about how crises and breach incidents are handled. LastPass are clearly miles from it!”

Nevertheless, it is important to emphasize that there is no indication that LastPass deliberately misled customers. It is likely they were as transparent as possible at each stage of the incident to date. After all, the threat to customer data arose separately from the original August breach, with the attackers using information gained from compromising the developer account to compromise another employee and access customer data.

John Bambenek, principal threat hunter at Netenrich, observed: “Their response seems reasonable as long as all the details are being presented correctly.”

Continued Use of Password Managers

The use of password managers to securely store login credentials has long been advised by security experts. But will, and should, the recent LastPass incident change our attitude to password managers more generally?

The breach is a reminder that any digital service carries the risk of data breaches, no matter the strength of security measures it has in place. However, security experts that Infosecurity spoke to were keen to emphasize that password managers remain a crucial means of protecting users and organizations against cyber-attacks.

Singh noted: “Without doubt LastPass users have already moved away and others are considering their options now. This doesn't mean stopping the use of password managers given the security benefits.”

Guccione shared a similar sentiment: “These customers, who rely on their security provider to protect their most sensitive accounts and information, are understandably shaken. However, this incident should not prevent individuals or companies from using a secure password manager, as recommended by leading industry experts and government cybersecurity agencies. It is essential that the public understand that over 80% of data breaches are due to weak or stolen passwords, credentials and secrets.”

Rather than giving up on password managers altogether, Guccione argued that users should carefully vet the options in the market, choosing the one that has the strongest security architecture and technology infrastructure in place, particularly those that are based on zero trust and zero knowledge principles.

“Users can no longer assume every password manager on the market will provide the same level of protection. When searching for a secure option, users should prioritize security certifications such as SOC 2, ISO 27001 and FedRAMP,” he advised.

Singh also believes that customers should be cautious about services like LastPass that sync information to the cloud, and should instead use programs that store information offline if possible. “Personally, I use a standalone password manager (open-source) on my system. This doesn’t mean it can’t be hacked, but it reduces over-reliance on vendors for cloud sync and also reduces the attack surface,” he commented.

The need for more due diligence when selecting a password manager was highlighted in the replies to a tweet by Infosecurity Magazine’s Editor Beth Maundrill on January 5, 2023.

These responses highlighted ease of use and good customer service as important criteria in addition to security.

The user mRr3b00t (@UK_Daniel_Card) said: “people should probably do way more due diligence than simply use "trust"

“we did that with LastPass and it's gone horribly wrong. 1 Clarity of data flow understanding 2 Understanding of risk 3 Ease of use and adoption 4 Centralised Mgmt 5 extra feat. 6 lastly cost”

Sean Wright (@SeanWrightSec) replied: “Customer service is really important, especially with something as sensitive as a password manager. This is a good indication that the company has your best interest to heart. Also staying relevant and modern is important as well.”

Conclusion

The recent LastPass breaches have created substantial alarm, given the enormous potential consequences of multiple customer credentials being accessed by attackers. Customers must take immediate action to keep this information safe – in particular, ensuring their master password is as difficult to break as possible.

Looking at this issue more broadly, the security experts Infosecurity spoke to were keen to emphasize the significant security benefits of using password managers to store login credentials, even in light of the incident. One positive that can hopefully come out of the incident is that customers will be more vigilant about the password manager programs they use in future, which in turn should incentivize stronger cybersecurity practices among these providers.
