LastPass Breaches Cast Doubt on Password Manager Safety – Security Intelligence

admin on March 25, 2023 Leave a Comment

In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers.

A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords for other accounts. Password managers even remind you to renew your passwords periodically. For years, security experts have recommended the use of password managers.

Now, in the wake of the LastPass breach, it might be worth revisiting this advice.

In late August of 2022, LastPass announced that hackers had gained entry to parts of the companys development environment through a compromised developer account. This breach gave the attacker access to parts of the LastPass source code and proprietary technical information. After this first breach, the company reassured its customers that they had contained the situation. Apparently, there was no sign that the attack had compromised customer data or the encrypted password vaults.

In September 2022, LastPass announced that it underwent a thorough investigation and forensic review of the breach with the help of incident response firm Mandiant. LastPass stated they discovered no additional indications of activity from the attacker. Also, the unauthorized access was restricted to its development system, which is physically separated from its production environment.

The situation took a turn for the worse at the end of November when LastPass CEO, Karim Toubba, disclosed that an unauthorized individual had obtained access to a third-party cloud storage device, compromising certain aspects of its customer information. Apparently, there was still no sign that customer data or passwords had been compromised. But just before Christmas, LastPass informed its users that hackers had indeed gained access to both encrypted customer information, including username, password and notes, as well as unencrypted data, such as the URLs of customers online accounts.

LastPass stated that the source code and technical information originally stolen in August were used to target another employee. This allowed the intruders to obtain credentials and keys. This gave them access and the ability to decrypt storage volumes within the companys cloud-based storage service. As a result, the intruders were able to exfiltrate customer vault data.

The breach puts LastPass customers login credentials at high risk. Only a users master password potentially protects their credentials, which LastPass does not store. But if attackers compromise the master password, they will be able to successfully decrypt login credentials for all accounts stored in the password manager.

In response to the breach, according to the December statement, LastPass has:

LastPass communicated to all its users that:

Other strong password practices, as per Microsoft, include:

Given the LastPass breaches, should companies abandon password managers? These days, nobody can say they are impervious to attack. Any company might get hacked at any time. However, some feel LastPass could have handled the incident in a more effective way.

Unfortunately, there is no 100% secure password management solution. For example, a device-based manager stores and manages passwords locally on the device. This would avoid the risk of a LastPass-like breach. But if your device is lost, corrupted or becomes inaccessible, you lose all your passwords as well. And the rapid rise of infostealer malware places any device-based password storage at risk.

Overall, experts still consider password managers to be good practice. They not only provide password security but also ease of use. With features like password change reminders, password generation tools and device syncing, password managers still have many advantages. And even passwordless solutions arent without their risks.

Cybersecurity experts generally consider cloud-based password managers to be safe and secure, as they typically use AES-256 encryption, which is very difficult to crack. Its important to choose a password manager that operates on a zero-knowledge principle, meaning the manager should not have access to your data. Also, its best to avoid accessing your password manager on public networks, as your data may be vulnerable to capture.

As no password solution is bulletproof, its important to implement other security strategies, such as multifactor authentication and least-privilege principles. Least privilege means a user that requests access to a resource receives only the minimum necessary rights. And privilege should be in effect for the shortest duration necessary. An advanced least-privilege security environment may have prevented the LastPass intruders from moving laterally. All shields up!

Freelance Technology Writer

Jonathan Reed is a freelance technology writer. For the last decade, he has written about a wide range of topics including cybersecurity, Industry 4.0, AI/ML...

Continue Reading

The rest is here:
LastPass Breaches Cast Doubt on Password Manager Safety - Security Intelligence

Related Posts
Posted in Cloud Storage

Comments are closed.