
LastPass Password Management Service Breached Again
December 19, 2022
What is the issue?
LastPass, the online password management tool, recently announced that it had suffered another data breach, its second in three months. According to a statement released by LastPass CEO Karim Toubba, the threat actor was able to gain access to certain elements of its customers’ information stored in a third-party cloud service shared by LastPass and its parent company, GoTo (which released a similar statement).
In this most recent breach, the threat actor gained unauthorized access to customer information using knowledge obtained in the initial breach in August. Exactly what information was used to facilitate this latest breach, and what was accessed, remains unclear. At the time of the August breach, LastPass stated that the compromised employee account did not have access to any customer data or customer password vaults, but that the breach did expose portions of its proprietary source code and other technical information.
With 33 million users, most of them business users, LastPass is a potential treasure trove of login credentials for users’ email accounts, payroll systems, revenue streams, proprietary data, personal information on employees or customers, and more. As a “Fort Knox” of login credentials that it manages on behalf of its users, LastPass offers a lucrative incentive for cyber criminals to persistently attempt to bypass its security.
What does it mean for you?
This incident is of concern to you if you or any of your staff are LastPass users.
Since elements of LastPass’s source code were taken in the August breach, threat actors could use that knowledge to craft more convincing phishing attacks against LastPass users, or to find new ways into the cloud service to reach more user data.
As of this writing, LastPass says user passwords remain safely encrypted, that it is working to understand the scope of the incident and identify what specific information was accessed, and that it will keep users informed. Given how critical the service is in protecting access to its users’ devices and services, the fact that we do not yet know what (or how much) was exposed should concern LastPass users, who should monitor this situation carefully going forward.
What should you do?
At NPC, we have not yet recommended a cloud-based password manager like LastPass to our clients, instead providing them with encrypted device-based password management. If you are a LastPass user, NPC client or not, change your LastPass master password, make sure LastPass’s multi-factor authentication is enabled, and review your list of LastPass trusted devices, removing any that are inactive. Because it is not yet known what was accessed, we also recommend changing the password and enabling multi-factor authentication on every important service and device you use LastPass to access.
Finally, watch for updates as LastPass releases more information about the breach. If you are a LastPass user, however, be vigilant about confirming that any notification you receive is legitimate. This is a prime opportunity for these threat actors and others to phish information from you by pretending to be LastPass providing an update. As always with email and unfamiliar webpages:
- Do not click what you do not know:
  - Links or attachments in unexpected emails
  - Website links you are unfamiliar with
  - Unsolicited text messages
- Observe sender addresses and message content carefully, especially in any message that requests information
- Be careful responding to account recovery messages or requests to change or “increase the security” of your accounts
Enable Multi-factor Authentication
This incident is also an opportunity to remind our subscribers of the power of Multi-factor Authentication (MFA). MFA adds a second layer of security to account access by requiring confirmation of the user through additional means: for example, entering a code generated by an authenticator app, sent to your phone, or sent to a separate email address. You can find more information about password security and MFA here.
By enabling this feature on all your accounts, you make it far harder for anyone to log into one of your accounts or services with just a username and password stolen from a password management service or lost in some other way. It will dramatically increase your account security whether or not your passwords are compromised. Codes delivered by SMS or email are better than nothing, but they can be intercepted or phished; an authenticator app or a hardware security key is the stronger choice where a service supports it.
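As an added illustration (not code from the original article, and not how LastPass implements its MFA), the following Python sketch shows how a time-based one-time code (TOTP, the scheme behind authenticator apps, RFC 6238 over RFC 4226) is generated and checked, and why a stolen password by itself does not pass the login check. The user record, salt and password are constructed for the demo; the TOTP seed is the published RFC test vector so the codes can be checked against the standard.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo values. In a real service the TOTP seed is generated per
# user (and shown once as a QR code); this seed is the RFC 4226/6238 test vector.
TOTP_SEED = b"12345678901234567890"
TIME_STEP = 30   # seconds per TOTP window (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current time window."""
    return hotp(secret, at_time // step)


def totp_matches(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current window and +/- `window` neighbours to tolerate clock
    skew. Every candidate is compared in constant time; no early exit."""
    counter = at_time // TIME_STEP
    ok = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            ok = True
    return ok


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked user table cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"demo-salt-0123456789"          # constructed; use os.urandom(16) per user
USERS = {                                 # constructed single-user directory
    "alice@example.com": {
        "salt": _SALT,
        "pw_hash": _hash_password("correct horse battery staple", _SALT),
        "totp_seed": TOTP_SEED,
    }
}
_DUMMY_HASH = _hash_password("dummy", _SALT)   # used so unknown users cost the same time


def login(username: str, password: str, code: Optional[str], at_time: int) -> str:
    """Returns 'ok', 'bad_password', 'mfa_required' or 'bad_code'.
    A correct password alone (what a breach of a password store yields)
    never returns 'ok': the second factor is checked independently."""
    user = USERS.get(username)
    salt = user["salt"] if user else _SALT
    expected = user["pw_hash"] if user else _DUMMY_HASH
    password_ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if user is None or not password_ok:
        return "bad_password"
    if code is None:
        return "mfa_required"
    if not totp_matches(user["totp_seed"], code, at_time):
        return "bad_code"
    return "ok"


if __name__ == "__main__":
    now = 59                                  # RFC 6238 test time; real code uses int(time.time())
    good_code = totp(TOTP_SEED, now)          # what alice's authenticator app shows
    print("legitimate user:", login("alice@example.com", "correct horse battery staple", good_code, now))
    print("stolen password only:", login("alice@example.com", "correct horse battery staple", None, now))
    print("stolen password + guess:", login("alice@example.com", "correct horse battery staple", "000000", now))
    print("replayed code, minutes later:", login("alice@example.com", "correct horse battery staple", good_code, now + 200))
```

The last case is worth noting: a code that was phished or intercepted is only good for a minute or so, which is why attackers who do capture codes try to relay them in real time rather than save them.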
Learn More About Protecting Your Identity Online
In a recent educational webinar, our cybersecurity experts at NPC discussed the risks of revealing personal information online, how best to protect your personal and business accounts, how to spot an attempt to steal your information online, and what to do if your identity has been stolen. You can watch the recording of this one-hour educational webinar here.
Sources:
Notice of Recent Security Incident (LastPass)
Lastpass says hackers accessed customer data in new breach (BleepingComputer)
LastPass admits to customer data breach caused by previous breach (Naked Security by Sophos)
LastPass admits new hack, some customer data exposed (Channel Daily News)