If you are a LastPass customer, you may have received a rather unnerving email regarding a breach of some parts of the company's development environment. LastPass is a well-known password manager that lets users save their passwords in an encrypted vault and use a single master password to gain access to their online accounts.
According to LastPass, an unauthorized party infiltrated portions of its development environment through a single compromised developer account. The intruder was able to access some of the source code and some LastPass intellectual property (IP) consisting of ‘technical information’.
The company has, however, affirmed that there is no evidence that customer data, such as encrypted password vaults, was accessed. In addition, its operations remained unaffected.
The company has since launched an investigation into the root cause of the attack. It has put mitigation measures in place and engaged a third-party cybersecurity and forensics firm to help find answers. It did not, however, specify what the ‘additional enhanced security measures’ it implemented were.
Most commendably, LastPass also lived up to its legal duty to notify by informing all LastPass users of the breach and of its commitment to keeping user data safe.
Are Your Credentials Safe?
LastPass has assured its users that their credentials are safe owing to the security-by-design measures the company adopted. The company uses a zero-knowledge architecture: the vault is encrypted on the user's device with a key derived from the master password, so even LastPass does not know the users' passwords. As a result, the company says there is no need for action by users. I guess we just have to take their word for it.
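To make the zero-knowledge claim concrete, here is an added example that is not LastPass's code and not part of the original article. It assumes a PBKDF2-based scheme in which the client stretches the master password into a vault key, derives a separate login hash from that key to present to the service, and uploads only an authenticated ciphertext; the server side stores a salted hash of the login hash plus the opaque blob. The function and class names (derive_vault_key, derive_login_hash, encrypt_vault, decrypt_vault, VaultServer), the use of the email address as salt and the iteration count are all choices made for this illustration, and the cipher is an HMAC-SHA256 counter-mode construction standing in for a real AEAD such as AES-GCM so that the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

# Constructed parameters for this illustration only. Production deployments use
# far higher PBKDF2 iteration counts; this value just keeps the demo fast.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side only: stretch the master password into the vault key.
    The lower-cased account email serves as the per-user salt (an assumed convention)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), PBKDF2_ITERATIONS, KEY_LEN
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more keyed round yields a distinct value to present at login.
    It cannot be turned back into the vault key, so the service never learns that key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for a real AEAD cipher (e.g. AES-GCM)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _subkeys(vault_key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and authentication keys derived from the vault key."""
    enc_key = hmac.new(vault_key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Client side: encrypt-then-MAC the serialized vault; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Client side: verify the tag before decrypting; a wrong key or a tampered blob is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong master password or tampered vault")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class VaultServer:
    """What the service side holds: a salted hash of the login hash and the opaque blob.
    Neither the master password nor the vault key ever reaches this class."""

    def __init__(self) -> None:
        self._accounts: dict[str, tuple[bytes, bytes, bytes]] = {}

    def register(self, email: str, login_hash: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", login_hash, salt, PBKDF2_ITERATIONS, KEY_LEN)
        self._accounts[email.lower()] = (salt, verifier, blob)

    def fetch_vault(self, email: str, login_hash: bytes) -> bytes:
        salt, verifier, blob = self._accounts[email.lower()]
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, PBKDF2_ITERATIONS, KEY_LEN)
        if not hmac.compare_digest(candidate, verifier):
            raise PermissionError("login hash mismatch")
        return blob

    def stored_record(self, email: str) -> tuple[bytes, bytes, bytes]:
        """Everything someone who copied this server's database would obtain for the account."""
        return self._accounts[email.lower()]


if __name__ == "__main__":
    # Constructed sample account and vault content.
    email, master = "alice@example.test", "correct horse battery staple"
    vault_key = derive_vault_key(master, email)
    blob = encrypt_vault(vault_key, b'{"site": "example.test", "password": "hunter2"}')
    server = VaultServer()
    server.register(email, derive_login_hash(vault_key, master), blob)
    fetched = server.fetch_vault(email, derive_login_hash(vault_key, master))
    print(decrypt_vault(vault_key, fetched))
```

The point of the layout is that a copy of the server's records yields a salt, a hash of a hash, and ciphertext, none of which contains the vault key or the master password; decrypting the blob still requires the master password. The caveat a defender should keep in mind is that this is also the whole of the protection: the strength of the master password and the cost of the key derivation are what stand between a stolen vault and its contents, which is why both matter more than any other setting a user controls.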
Implications of the LastPass Hack
The use of password managers has been on the rise in recent years. Reports show that the average user may have to remember up to 191 different passwords for their online accounts. At the same time, good cyber hygiene calls for long passwords that mix different character types, which makes remembering that many of them even harder.
The promise of password managers has been to ease this burden on users. Some add features such as generating strong passwords that the user never has to remember; others issue alerts about potential phishing sites. The caveat with such tools, however, is that all your eggs (passwords) are now in one secure basket (the vault or database).
Password managers have, for the most part, worked very well, propelling companies like LastPass to prominence over the built-in managers offered by browsers like Google’s Chrome or Microsoft’s Edge.
This new breach raises the question of whether password managers can be trusted to store user passwords if they themselves are a target for advanced threat actors.
While LastPass is an award-winning password manager, it hasn’t enjoyed a clean bill of health. It was hacked back in 2015, when the threat actors made off with user email addresses but not passwords. After that incident, LastPass advised users to change their passwords. That isn’t the case in the latest hack, perhaps hinting that the company partially learned from its mistakes 7 years ago.
While such breaches are scary, they shouldn’t be a reason to lose faith in password managers. Complete freedom from risk is virtually unattainable. As we have learned, it is often a matter of when, not if, a company will be attacked.
The onus is then on us to stay vigilant and reduce the attack surface as much as possible. In the case of LastPass, the single point of failure appears to have been one compromised developer account, which warrants more employee training, awareness, and capacity building. Perhaps this might reduce the chances of another breach occurring.