One of the world’s leading password managers with 25 million users, LastPass, has confirmed that it has been hacked. While it’s good news that customer data was not compromised in this latest incident, the fact that the intruder accessed source code and ‘proprietary technical information’ is worrying.
Understandably, the news of LastPass falling victim to a cyberattack may cause some distress, particularly when cybersecurity experts advise time and again to utilise such password manager tools to create complex and unique passwords across accounts.
However, it is important to remember that nothing is ever 100% secure and free of risk. Rather, people need to adopt a holistic approach to cybersecurity. That means also implementing multi-factor authentication, updating software regularly, undergoing security awareness training and even taking up cyber insurance to transfer the little bit of risk that we can’t always account for.
There is no one-off fix, but a combination of steps that internet users must proactively incorporate into their everyday online habits.
As password managers have grown in popularity and use, they have become more attractive targets to criminals. LastPass did well to spot the intrusion into their dev environment, where most organisations probably would have missed it, and it is commendable that they communicated the incident clearly to their customers. Maintaining clear communication and setting expectations is of key importance because it is what trust is built on, and password manager providers, like many security products, are built on trust. If people lose confidence in the security of the product, or in the organisation’s transparency, that in itself can be more damaging than any actual breach.
Password managers make it really easy to use unique strong passwords across multiple accounts, which is a key first step to staying secure online. However, if the master password is compromised, or the password vault somehow exploited, then the impact can be very high. Fortunately, it does not appear that user data or password vaults have been compromised in this case; however, source code was confirmed stolen and attackers will be looking hard for potential weaknesses to exploit. LastPass users should stay vigilant, follow the news and watch for any unusual activity or login notifications across their accounts. It is really important to configure all of the available MFA settings provided by LastPass, including the use of an authenticator app to secure logins (SMS has been shown to be vulnerable to SIM swap attacks). For most users, additional MFA confirmations will be done via a mobile device; it is vital that this is secured too.
Bad actors will want source code for the same reason bank robbers will want floor plans to a bank. Being able to understand how the particular software works can potentially help the malicious actor identify its weak points and ways of gaining entry. This doesn’t, however, mean that access to the bank’s floor plan, or even being able to compromise one of the bank employees, necessarily means that any money will be stolen. Being a customer of LastPass, I received an email from them hours before the story became public. The email, I thought, was well worded and provided enough information without disclosing too much. Overall, I would give LastPass good marks in their initial response; of course, time will tell as more details emerge over the next couple of days. I should note that, unfortunately, LastPass had some practice. This is not their first public challenge. With that, based on available information, no customer data was impacted, nor any passwords breached. LastPass, like other password managers, is an important tool for every person navigating today’s hyper-connected world with dozens of accounts that should each have a unique and complex password, especially where no Multi-Factor Authentication (MFA) is available. Sadly, many still use plaintext files or even physical notes to write down passwords. Our recommendation is to keep using password managers like LastPass, turn on MFA where possible, and stay vigilant for any unusual password reset requests, or unexpected requests to approve logins.
First of all, it is great to see that LastPass are making this incident publicly known, are being transparent with their users, and are dealing with the problem head on. LastPass have clearly stated that the breach will not impact customers and that they have adopted additional security measures. Disclosure of incidents should be applauded, as it serves to educate the wider market about the potential risks and threats that could impact anyone, at any time.
This is why this incident should serve as a warning to all organisations as to the potentially devastating impact a single weak link in the armour could have. Businesses must operationalise their cybersecurity procedures, so that security resilience can be continually improved. If we take away just one learning from this incident it is that security processes and events within organisations need to be in a continuous state of ‘assess, detect, respond and automate’ in order to deal with these situations effectively.