Popular password management service LastPass has been a frequent target of security breaches. This latest attack leveraged information gleaned from the August 2022 breach. LastPass prides itself on making life easier for its user base, but after two major hacks, many are unsure whether the service is worth using.
In a recent blog post, LastPass disclosed that an unauthorized actor gained access to the cloud service used for production backups. In the previous breach in August, the intruders did not expose any customer data.
In the most recent attack, however, the attackers obtained personal information. LastPass states that the affected data is encrypted with the AES standard, but the breach is still concerning because the attackers also gained access to billing addresses, IP addresses, and other personal data.
How Does This Affect LastPass Users?
LastPass confirmed that the compromised data included passwords and other personally identifying information. This is not a grave concern if you have good password practices; if you are prone to reusing passwords, it might be something to worry about. The company states that the disclosed data is encrypted and useless to hackers.
The major concern is that LastPass stores numerous credentials, including credit card numbers, passwords, and sensitive notes and documents. For a company that touts itself as a secure means of consolidating and storing credentials, a breach of this magnitude is unthinkable.
Current LastPass customers should take the time to change their master passwords. They might also consider moving their data to an alternative service.
LastPass has had a stellar free plan for years. This most recent disclosure has left the details of many personal lives in the hands of bad actors. 25.6 million customers use LastPass. If even a fraction of those users is active, they are at risk.
Do I Need a Password Manager?
If you’re like anyone else on the planet, you have dozens to hundreds of passwords across multiple services. Good password practices can make keeping track of all these passwords a bit of a chore.
Ideal password practices call for passwords longer than 12 characters that contain no common phrases, which makes it hard to devise a system for remembering them.
Password managers are useful utilities that make managing a myriad of credentials easy. A password manager, however, is only as good as the support network behind it.
LastPass has plenty of competitors, some of whom are even vocally decrying the response to this most recent breach. The sad truth is that any password manager with an online component is a target for attacks.
If you do want a password manager, KeePassXC is a local option. It keeps all your vital information in a vault on your desktop or laptop. It lacks mobile functionality, but the software is free to use with no monthly plans attached. Online alternatives like 1Password, Bitwarden, and others are great as well. They are no strangers to attacks, but you want password management with transparent communication in the event of an incident.
Looking at the LastPass Breach
In August 2022, a bad actor compromised a third-party cloud service where LastPass stored production data. The hacker was able to carry out the attack over a four-day period, at which point LastPass detected the incident and implemented remediation. During this process, LastPass notified users and law enforcement officials of the breach and subsequently removed the development environment.
December 2022 saw a more catastrophic incident, with full disclosure of user vaults, billing information, personal information, and IP addresses. The method of attack was credential stuffing, the use of stolen usernames and passwords: automated tools submit stolen username and password pairs until one succeeds.
This was an iterative attack, with the August breach providing the means for the December one. Customer vaults and passwords alike are now in the hands of hackers, who hold this data offline.
LastPass assures users that the encrypted personal data is impossible to crack, but anyone with the drive and means can crack something, given enough time. It also raises the question of why LastPass's previous production environment was insecure. Hackers leveraged that environment to compromise countless user accounts in only four months.
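Credential stuffing as described above leaves a recognisable trace in authentication logs: one source address cycling through many different accounts in a short span. The following detection is an added example, not code from the original post or from LastPass; the log format, the sample lines and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from LastPass or any real system): one source
# walks through many accounts in seconds, another retries a single account.
SAMPLE_LOG = """\
2022-12-01T10:00:01Z login FAIL user=alice src=203.0.113.5
2022-12-01T10:00:02Z login FAIL user=bob src=203.0.113.5
2022-12-01T10:00:02Z login FAIL user=carol src=203.0.113.5
2022-12-01T10:00:03Z login OK user=dave src=203.0.113.5
2022-12-01T10:00:04Z login FAIL user=erin src=203.0.113.5
2022-12-01T10:00:09Z login FAIL user=frank src=203.0.113.5
2022-12-01T10:05:00Z login FAIL user=alice src=198.51.100.7
2022-12-01T10:05:30Z login FAIL user=alice src=198.51.100.7
2022-12-01T10:06:00Z login OK user=alice src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_log(text):
    """Turn the constructed log format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "result": m["result"], "user": m["user"], "src": m["src"]})
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that try at least `min_users` distinct usernames within
    any `window`-long span. A forgetful user retries one account; a stuffing
    tool works down a list of leaked pairs, so breadth of accounts per source
    is the signal, and any success among the failures is an account to reset."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                flagged[src] = {"distinct_users": len(users),
                                "successes": sorted(e["user"] for e in evs
                                                    if e["result"] == "OK")}
                break
    return flagged
```

Running `find_stuffing_sources(parse_log(SAMPLE_LOG))` flags only 203.0.113.5, with six distinct usernames and one successful login (dave) that should be force-reset; the single-account retries from 198.51.100.7 are left alone.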
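With the vaults held offline, "given enough time" comes down to two numbers: the entropy of the master password and the cost of each guess set by the vault's key-derivation function. The estimate below is an added example, not LastPass's code or figures; it assumes PBKDF2-HMAC-SHA256 as the KDF, the iteration counts and attacker hash rate are illustrative, and the password policies mirror the post's advice that a password should be longer than 12 characters.

```python
import hashlib
import math
import time

SECONDS_PER_YEAR = 365 * 24 * 3600

def password_entropy_bits(length, charset_size):
    """Bits of entropy in a password of `length` symbols drawn uniformly from a
    `charset_size`-symbol alphabet (an upper bound: human-chosen passwords
    have less)."""
    return length * math.log2(charset_size)

def expected_years_to_guess(entropy_bits, kdf_iterations, raw_hashes_per_sec):
    """Expected wall-clock years for an offline attacker who can evaluate
    `raw_hashes_per_sec` HMAC-SHA256 calls per second against a vault key
    derived with `kdf_iterations` PBKDF2 rounds. Each master-password guess
    costs `kdf_iterations` HMAC calls, and on average half the keyspace is
    searched before the right password turns up."""
    guesses_per_sec = raw_hashes_per_sec / kdf_iterations
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_sec / SECONDS_PER_YEAR

def measure_kdf_seconds(kdf_iterations, trials=3):
    """Time one PBKDF2-HMAC-SHA256 derivation on this machine, so the cost a
    legitimate unlock pays can be weighed against the attacker's cost."""
    best = float("inf")
    for _ in range(trials):
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"constructed-password",
                            b"constructed-salt", kdf_iterations, dklen=32)
        best = min(best, time.perf_counter() - t0)
    return best

if __name__ == "__main__":
    # Assumed attacker budget: 1e10 HMAC-SHA256/s (a GPU rig; not a page figure).
    RATE = 1e10
    # Two assumed iteration counts and two password policies; compare the corners.
    for iters in (5_000, 100_000):
        ms = measure_kdf_seconds(iters) * 1000
        print(f"{iters} iterations: one unlock takes {ms:.1f} ms")
        for label, length, charset in (("8 lowercase", 8, 26),
                                       ("16 mixed (95 printable)", 16, 95)):
            bits = password_entropy_bits(length, charset)
            years = expected_years_to_guess(bits, iters, RATE)
            print(f"  {label}: {bits:.1f} bits -> ~{years:.3g} years")
```

The takeaway the numbers make concrete: raising the iteration count scales the attacker's cost linearly, while each extra character of a random password scales it exponentially, which is why changing a weak master password matters more than any server-side setting once the vault is already in an attacker's hands.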
LastPass’s Vital Assets
LastPass holds a good amount of sensitive data for those using its services. As professional secret keepers, they store things like banking information, credit card numbers, and passwords to a variety of accounts. Payment information is easy enough to change and control before it becomes an issue.
LastPass is not unique in what it stores. Most password managers will have some degree of personally sensitive identifying information present. It is part of their stated goals, but it also leaves an enticing target for any malicious parties seeking to profit from that data.
What You Can Do To Protect Your Passwords
Protecting your passwords is a continual process rather than a break-and-fix scenario. Passwords need to change periodically, and most enterprise and business environments require regular changes. You can store passwords in a third-party password manager, but you still need to change and update them.
When your personal credentials are compromised, everything needs to change as soon as possible. This means passwords, master passwords, any potential banking card information, and so forth. Your data is sensitive, so treat it like you would any valuables in your home.
As long as there is some way to profit and exploit others, your personal data will be at risk. But taking preventative and proactive steps like continual changes goes a long way in deterring exploitation.
Some Notes About Cybersecurity and You
Cybersecurity is a continual process. There is no permanent solution to any problem, only fixes for the present. Future problems will constantly arise; that is simply how hackers and security staff operate. It is a constantly evolving field, and each attack requires more sophisticated solutions to patch things up in the interim.
LastPass's security staff hasn't necessarily faltered. They have remained communicative and transparent about how this attack transpired. Still, additional steps could have been taken to prevent it.
LastPass needed to encrypt its production storage and use whitelisting to keep unauthorized users from even seeing the service. Instead, what we have seen is a failure in stages. Your security, or that of any enterprise, is only as strong as the weakest element you employ.
LastPass was compromised through a third-party cloud vendor and, as a result, the service that LastPass customers trusted has compromised them. The full impact of this attack is not yet known, but active subscribers should take immediate action to secure their accounts.
There are a dozen solutions for things in hindsight. But, for now, the only thing to do is look forward and take steps to protect yourself immediately.