Just like most cybersecurity experts, we at BCA IT recommend the use of a password manager as one of the most important cybersecurity best practices. By providing an encrypted vault for passwords, a password manager helps users keep track of their login credentials without having to remember them, and it also makes it easier for users to generate passwords that are completely unique and sufficiently strong to withstand brute-force attacks.
While password managers greatly reduce the risk associated with weak, reused, or poorly stored and shared passwords, they also create extremely attractive targets for hackers by putting all the golden eggs into one basket. That's not a problem when the basket itself is secure, but it can be a disaster when it's poorly protected.
This cybersecurity disaster scenario has recently become a reality for the users of LastPass, one of the most popular password managers in the world, after LastPass CEO Karim Toubba announced on December 22, 2022 that customer vaults had been stolen. In this article, we provide a brief timeline of the LastPass breach and explain what it means for your business.
Timeline of the LastPass Breach
To understand how the attacker managed to penetrate the company's defenses and steal the most sensitive data in its possession, we need to go back to August 25, 2022, which is when LastPass first detected unusual activity within portions of its development environment.
The company revealed that the incident was caused by a single compromised developer account and that some portions of source code and proprietary technical information were stolen. LastPass also reassured its users that the incident didn't involve any access to customer data or encrypted password vaults.
On September 15, 2022, the LastPass CEO issued another statement reassuring users that the situation was under control. "We have completed the investigation and forensics process in partnership with Mandiant. Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022," he wrote. "There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults."
The situation took a sudden and unexpected turn for the worse on November 30, 2022, when LastPass disclosed that it had detected unusual activity within a third-party cloud storage service. The company said that, using information obtained in the August 2022 incident, an unauthorized party had been able to gain access to "certain elements of our customers’ information," but it did not say which elements.
The answer came on December 22, 2022, and it was far worse than most experts had expected. Besides basic customer account information and related metadata, such as company names, end-user names, billing addresses, email addresses, and telephone numbers, the attacker was able to copy a backup of customer vault data from the third-party cloud storage service.
According to LastPass, the vault data in question includes both unencrypted data, such as website URLs, and fully encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-fill data. In other words, the attacker holds a complete offline copy of the affected vaults, including, in the clear, the list of sites each user has accounts on, and can attack the encrypted fields at leisure, without the rate limiting or lockouts that an online login would impose.
What This Means for Businesses
The good news is that there is no need to panic: LastPass encrypts all sensitive fields (including usernames and passwords) with 256-bit AES, and the key is not stored alongside the vault.
To decrypt them, the attacker needs the encryption key, which is derived from each user's master password with PBKDF2-SHA256 (the LastPass default at the time was 100,100 iterations, with a 12-character minimum master password; older accounts were not always migrated to these settings). According to LastPass, with those defaults and a master password that meets its requirements, it would take the attacker millions of years to guess the master password using currently available password-cracking technology. That estimate assumes a long, random master password and the current iteration count; a short, reused, or guessable master password, or an older account still using a much lower iteration count, can be cracked far faster.
Even better protected are the vaults belonging to business customers (including those with LastPass business accounts set up with the help of us at BCA IT) who log in through LastPass Federated Login Services, for example via Microsoft Azure AD single sign-on. For those accounts there is no user-chosen master password at all: the vault is encrypted under a hidden master password that is a combination of at least two separately stored keys, one held by the identity provider and one by LastPass, so neither store alone is enough to derive the vault key.
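To make the federated case concrete, here is an added illustration (not LastPass code) of why a stolen copy of one half of a split key is useless on its own. It models the hidden master password as K1, held by the identity provider, and K2, held by LastPass, combined by XOR; the XOR split, the 32-byte length and all names are assumptions made for this example, chosen because XOR splitting has exactly the property the article relies on: either share alone is statistically independent of the secret.

```python
import secrets

# Added example, not LastPass code. Models a hidden master password split into
# K1 (identity provider) and K2 (LastPass) so that only their XOR is ever used
# as the vault password. The XOR split and key length are assumptions.

KEY_LEN = 32  # assumed size of the hidden master password in bytes


def split_secret(hidden_mp):
    """Split the hidden master password into K1 (IdP share) and K2 (LastPass share)."""
    k1 = secrets.token_bytes(len(hidden_mp))           # uniformly random share
    k2 = bytes(a ^ b for a, b in zip(hidden_mp, k1))   # K2 = secret XOR K1
    return k1, k2


def combine_shares(k1, k2):
    """Reconstruct the hidden master password at login time from both shares."""
    return bytes(a ^ b for a, b in zip(k1, k2))


def k1_consistent_with(k2, guessed_secret):
    """For any guess of the secret there is exactly one K1 that would explain a
    stolen K2, so K2 on its own gives an attacker no way to rank guesses."""
    return bytes(a ^ b for a, b in zip(k2, guessed_secret))


def stolen_k2_is_useless(k2, trials=1000):
    """Show that every candidate secret is equally consistent with a stolen K2:
    each random guess yields a distinct, valid-looking K1 that combines back to it."""
    seen = set()
    for _ in range(trials):
        guess = secrets.token_bytes(len(k2))
        k1 = k1_consistent_with(k2, guess)
        if combine_shares(k1, k2) != guess:
            return False
        seen.add(k1)
    return len(seen) == trials


if __name__ == "__main__":
    hidden_mp = secrets.token_bytes(KEY_LEN)      # constructed secret for the demo
    k1, k2 = split_secret(hidden_mp)
    print("reconstructs:", combine_shares(k1, k2) == hidden_mp)
    print("K2 alone reveals nothing:", stolen_k2_is_useless(k2))
```

The practical consequence for the breach: an attacker who took a vault backup plus whatever LastPass stored server-side still lacks the share held by the identity provider, and that share is a full-entropy random value rather than something a human chose, so there is no dictionary to try.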
While there's no need to panic, there's also no denying that having password manager vault data stolen is a serious problem for businesses: the attacker has an unlimited number of offline guesses at every master password, with no lockouts, and can keep trying for as long as the stolen copy is worth anything.
The first vaults to fall will be those whose master passwords appear in breached password databases or are otherwise guessable, followed by accounts with weak settings, in particular older accounts still using a low PBKDF2 iteration count. Vaults protected by long, random master passwords at the current iteration count may never be cracked, although cracking hardware keeps getting cheaper, which erodes every such estimate over time. Quantum computing, often mentioned in this context, is not the realistic accelerator: Grover's algorithm offers at most a square-root speedup against AES-256 and PBKDF2, and no machine of the required scale exists.
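The two paragraphs above, on why the decryption estimate depends on master-password entropy and on the iteration count, and on why vaults with breached master passwords fall first, can be shown in working code. The following is an added example, not LastPass code: it derives a vault key with PBKDF2-HMAC-SHA256 the way the article describes, runs an offline dictionary attack against a constructed vault entry, and puts numbers on the cost model. The field cipher is a SHA-256 keystream with an HMAC tag, a stand-in for AES-256-CBC so that the block runs on the Python standard library alone (with real AES-CBC the attacker's "did this guess work" test is the padding or known plaintext check instead of a MAC). The e-mail, wordlist, GPU hash rate and the 5,000-iteration legacy figure are assumptions for the example.

```python
import hashlib
import hmac
import math
import os

# Added example, not LastPass code. The vault key is derived from the master
# password with PBKDF2-HMAC-SHA256 salted with the account e-mail; 100,100
# iterations was the LastPass default at the time of the breach, and much
# lower counts were reported for older accounts. The cipher below is a
# stand-in for AES-256-CBC so the block needs only the standard library.

ITERATIONS_NEW_DEFAULT = 100_100   # LastPass default at the time of the breach
ITERATIONS_LEGACY = 5_000          # assumed value for an older, never-migrated account


def derive_vault_key(master_password, email, iterations):
    """Vault key = PBKDF2-HMAC-SHA256(master password, e-mail as salt)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)


def _keystream(key, nonce, length):
    # SHA-256 in counter mode: a toy stream cipher standing in for AES-CBC.
    blocks = [hashlib.sha256(key + nonce + c.to_bytes(4, "big")).digest()
              for c in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_field(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_field(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        return None   # wrong key: this is how the attacker knows a guess failed
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def crack_vault(blob, email, iterations, wordlist):
    """Offline dictionary attack: derive a key per candidate and test it on the blob."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if decrypt_field(derive_vault_key(candidate, email, iterations), blob) is not None:
            return candidate, guesses
    return None, len(wordlist)


def guesses_per_second(iterations, sha256_per_second):
    # One PBKDF2-HMAC-SHA256 iteration costs two SHA-256 compressions (inner and
    # outer HMAC with precomputed pad states), so a cracker's PBKDF2 rate is its
    # raw SHA-256 rate divided by 2 * iterations.
    return sha256_per_second / (2 * iterations)


def expected_crack_years(entropy_bits, iterations, sha256_per_second):
    """Expected time to hit a password of the given entropy (half the keyspace)."""
    guesses = 2 ** (entropy_bits - 1)
    seconds = guesses / guesses_per_second(iterations, sha256_per_second)
    return seconds / (365.25 * 24 * 3600)


def random_password_bits(length, alphabet_size=94):
    """Entropy of a uniformly random password over the printable ASCII set."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    email = "alice@example.com"                      # constructed
    wordlist = ["password", "letmein", "Summer2019!", "correcthorsebatterystaple"]  # constructed
    demo_iterations = 1_000                          # tiny so the demo runs instantly
    blob = encrypt_field(derive_vault_key("Summer2019!", email, demo_iterations), b"alice / hunter2")
    print("dictionary attack:", crack_vault(blob, email, demo_iterations, wordlist))
    gpu = 2.2e10   # assumed raw SHA-256 rate of one modern consumer GPU
    for label, bits in (("12 random printable chars", random_password_bits(12)),
                        ("human-chosen, ~30 bits", 30.0)):
        for iters in (ITERATIONS_LEGACY, ITERATIONS_NEW_DEFAULT):
            print(f"{label:26} @ {iters:>7} iterations: "
                  f"{expected_crack_years(bits, iters, gpu):.3g} years")
```

Two things fall out of running it: the dictionary attack finds the reused master password on the third guess regardless of the iteration count, which only changes how long each guess takes, and the "millions of years" figure holds for a 12-character random password at 100,100 iterations but collapses to minutes for a human-chosen one, with the legacy iteration count making every case about twenty times cheaper.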
To protect themselves, all LastPass users should change every password stored in their LastPass vaults, starting with the accounts that matter most (email, banking, admin and cloud consoles, anything without multi-factor authentication), and should enable multi-factor authentication wherever the sites support it. Keep in mind that the site URLs were stored unencrypted, so the attacker already knows where each stolen credential would be used.
As unpleasant and time-consuming as this step is, it's the only way to ensure the stolen data can never be used: a credential that has been rotated is worthless to the attacker no matter when, or whether, the vault is eventually cracked. Users who don't log in via LastPass Federated Login Services should also change their LastPass master password and never reuse the old one anywhere, since that password is now the target of an offline attack and can no longer be considered secure.
The recent LastPass breach will serve as a cautionary tale for password manager users for years to come: Password managers can greatly reduce the risk of password-based attacks, but they also create a single point of failure that, if compromised, can give attackers access to a treasure trove of login credentials.
At BCA IT, we're deeply aware of the dangers associated with the use of password managers, and we go to great lengths to help our clients implement them in the most secure way possible. Get in touch with us for additional post-breach guidance.