LastPass Data Breach

If you haven't already seen the recent news about yet another data breach at password manager LastPass, here is a quick recap of the events that have transpired over the last six months:

  1. 25 August 2022: LastPass CEO (Toubba) announced, "an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of the source code and some proprietary LastPass technical information." Toubba also stated that a leading cybersecurity and forensics firm (Mandiant) had been engaged to investigate. In his statement he claimed that "enhanced security measures were implemented, and the breach had been contained."

  2. 15 September 2022: Toubba updated the above blog post notifying customers that the investigation had concluded, doubling down on the incident being contained, with the threat actors only having had access during a 4-day period in August. Toubba went on to state, "There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults."

  3. 30 November 2022: Toubba posted another update to the blog; it turned out the threat actors did get access to customer data. Toubba alerted customers that the company had "determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers' information."

  4. 22 December 2022: Toubba posted yet another update on the LastPass blog detailing which elements of customers' information had been accessed. The CEO disclosed that encrypted copies of customers' password vaults had been downloaded, along with Personally Identifiable Information (PII) stored in plain text, including names, addresses, email addresses, phone numbers, and the URLs of websites stored in the vaults. Toubba also claimed that, for the threat actors to obtain the sensitive information (usernames, passwords, secure notes, attachments, and form-fill fields), it would take a million years to crack the encrypted vaults.

In light of the limited updates above from LastPass and their vague and evasive notifications of the incident, I've conferred with my colleagues and provide the conclusions below.

The cybersecurity industry is skeptical of the LastPass CEO's claims, with estimates of the time needed to crack the stolen password vaults reduced from a million years to a matter of months. Once a vault's encryption is cracked, the attackers will have everything they need to access all of your accounts, including the website, username, password, email address, billing and shipping address, and any recovery keys or secure notes about each record. There is no doubt the severity of this breach is significant, but what can you do to get ahead of the attackers? These are our recommendations of what you should do to protect yourself and your business:

  1. Change all passwords stored in your LastPass account immediately. Focus on email accounts, banking, taxes, credit cards, insurance, healthcare, retirement, secure document storage, and business-critical accounts first.

  2. Change password managers. We recommend a Zero Trust solution that uses blockchain and stronger encryption algorithms. We use Password Boss internally and recommend it to all our clients. (Ask your CRM for more details or about moving out of LastPass).

  3. Change your password manager's master password. Whether you decide to give LastPass another chance or you change providers, do not reuse passwords. Use a combination of random letters and numbers, a minimum of 16 characters, with no relation to personal details; or, better yet, use a passphrase!

  4. While you're in the process of going to each website and changing your passwords, go ahead and set up MFA while you're there. If you don't have MFA enabled for your organization, we can help with that too!

  5. Sign up for dark web monitoring. Get notified if your data shows up for sale on the dark web. Our Security Operations Team will investigate the leaked data to determine whether your login details have been sold, saving you from having to guess which account on which website was exposed.
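To make recommendation 3 concrete, and to show why "a million years" and "a matter of months" can both be honest answers depending on the master password, here is an added Python example (not from the original post or from LastPass) that generates a master password or passphrase with the OS CSPRNG, computes its entropy, and estimates expected brute-force time. The guess rate of one million guesses per second is an assumption for illustration: the real rate is set by the vault's key-derivation cost and the attacker's hardware, neither of which this post quantifies. The tiny word list is constructed; a real passphrase generator draws from a large list such as the 7,776-word EFF diceware list.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed, deliberately tiny word list for illustration only.
# Assumption: a real generator would use a large list (e.g. 7,776 diceware words).
SAMPLE_WORDS = ["harbor", "violet", "cactus", "meadow", "lantern", "pebble",
                "orbit", "saddle", "thistle", "walnut", "ember", "quartz"]


def random_password(length=16, alphabet=string.ascii_letters + string.digits):
    """Random master password from the OS CSPRNG (secrets, never random)."""
    if length < 16:
        raise ValueError("master passwords should be at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words=5, words=SAMPLE_WORDS, sep="-"):
    """Passphrase of n_words words, each drawn independently from `words`."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices, count):
    """Entropy of a secret built from `count` independent picks among `choices`."""
    return count * math.log2(choices)


def expected_crack_seconds(choices, count, guesses_per_second):
    """Expected brute-force time: on average half the keyspace must be tried."""
    keyspace = choices ** count
    return keyspace / 2 / guesses_per_second


def expected_crack_years(choices, count, guesses_per_second):
    return expected_crack_seconds(choices, count, guesses_per_second) / SECONDS_PER_YEAR


def meets_master_password_policy(pw, personal_details=()):
    """The post's minimum bar: 16+ characters and no relation to personal details.

    `personal_details` is a caller-supplied list (name, birth year, pet, ...);
    any of them appearing inside the password, case-insensitively, fails it.
    """
    if len(pw) < 16:
        return False
    lowered = pw.lower()
    return not any(d.lower() in lowered for d in personal_details if d)


if __name__ == "__main__":
    RATE = 1_000_000  # assumed guesses/second against the vault; illustrative only
    for label, choices, count in [
        ("8 lowercase letters", 26, 8),
        ("16 letters+digits", 62, 16),
        ("5 diceware words (7776-word list)", 7776, 5),
    ]:
        print(f"{label:36s} {entropy_bits(choices, count):6.1f} bits  "
              f"~{expected_crack_years(choices, count, RATE):.3g} years "
              f"at {RATE:,} guesses/s")
    print("password:  ", random_password())
    print("passphrase:", random_passphrase())
```

Running it shows the spread the post is arguing about: an 8-character lowercase master password falls in hours at the assumed rate, while 16 random letters and digits or five diceware words push the expected time far beyond any practical horizon. Raising or lowering the assumed guess rate moves every row by the same factor, so the relative ranking is what to take away.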


About the Author

Beau Dickie, Chief Security Officer, Vector Choice

Beau leverages his 20 years in security, operations, law enforcement, and incident response to protect organizations while enabling their critical business functions. Beau's extensive knowledge of physical security, cybercrime investigations, and vulnerability assessments led to him being asked to serve as a subject matter expert in both courts of law and board rooms across the Southeast. Vector Choice is leveraging Beau's demonstrated success in understanding cyber security risks to offer our clients enterprise-level security solutions scaled for SMB budgets and staff. Beau has spent the last 7 years developing and managing security strategies for MSPs, aligning these strategies with business continuity and compliance frameworks. When Beau is not working to audit and secure client environments, he is participating in capture-the-flag and bug bounty events or spending time with his wonderful wife and child.