The data breach at LastPass is a good reminder that organizations and individual users alike need to be more cautious about whom they entrust their sensitive data to. Since the breach was disclosed a few days ago, LastPass has been assuring its customers that its “security and processes worked as designed, and customer data was, and is, protected.” Although LastPass is confident about the safety of your information, we, as a cybersecurity company that has witnessed too many data breaches, have a number of observations.
- LastPass (and similar password managers) will always be a prime target for cybercriminals because of the nature of its business: it holds the keys to everything else. Do not be surprised if it is breached again in the future.
- Two-factor authentication using a mobile device or a tool such as Google Authenticator should be the default setting for all new users, with an option to opt out – similar to how many banks do it.
- The question remains: when were the LastPass systems breached? The attackers could have had access to the data for a long time before anyone noticed. According to a Ponemon Institute report, the average time to discover a malicious cyberattack was 170 days. If the breach occurred long before it was detected, it is entirely possible that the attackers have already gained access to user vaults.
- LastPass should be audited by an external organization that performs security testing and a cyber-related operational assessment of the systems and technologies used to prevent data breaches. Such review has to be continual, because the code base is constantly modified and new code is added.
- It has not been mentioned whether the attackers obtained system-level access and installed malware or backdoors to secure persistence.
What should individuals know?
- Because the attackers have stolen the email addresses of LastPass users, a wave of realistic-looking phishing campaigns is highly likely, tricking users into disclosing private information such as passwords. Be vigilant!
- With millions of user passwords exposed in the recent past, it is easy for attackers to take password dumps from the Dark Web and simply try them against the user's email address at LastPass (credential stuffing). There will surely be a small but significant overlap. Change your password immediately!
- Set up multifactor authentication (if you haven't already) by going to LastPass Vault > Account Settings > Multifactor Options.
What should organizations know?
- LastPass Enterprise administrators can enforce multifactor authentication for users within the organization. To do this, follow the instructions for creating policies and apply the enterprise policy that suits your organization.
- Depending on your organization's capabilities, it may be a good idea to create a mail policy that holds messages mentioning “LastPass” for manual review. Since the attackers made off with email addresses and password hints, phishing campaigns attempting to trick users into giving up their passwords are very likely.
- Press the companies whose technology your organization relies on to tell you how they keep your data safe and whether a third-party organization continually reviews their software.
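As an added illustration of the mail-review policy suggested above (this is our example, not LastPass's code or a recommendation from the original post), the script below triages raw messages: anything that mentions LastPass is held for a human look if the From: address is not on a LastPass domain, if the receiving mail server did not record both SPF and DKIM passes, or if the body links to a host outside LastPass. The three sample messages are constructed for the example, and the assumption that lastpass.com is the vendor's only genuine sending domain is ours.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption (not from the original post): the vendor's genuine sending domain.
LEGIT_DOMAINS = {"lastpass.com"}
KEYWORD = re.compile(r"lastpass", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)


def _normalize_host(host: str) -> str:
    """Lower-case and strip userinfo/port so http://lastpass.com@evil.example
    is judged by its real host, evil.example."""
    return host.lower().split("@")[-1].split(":")[0]


def _is_legit_host(host: str) -> bool:
    host = _normalize_host(host)
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def sender_domain(msg) -> str:
    """Domain of the From: address. The display name is ignored on purpose:
    phishers write 'LastPass' there while the address points elsewhere."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def auth_passed(msg) -> bool:
    """True only if the receiving MTA recorded spf=pass and dkim=pass in
    Authentication-Results (RFC 8601). A missing header counts as a fail."""
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return bool(re.search(r"\bspf=pass\b", results)) and bool(re.search(r"\bdkim=pass\b", results))


def offsite_links(text: str) -> list:
    """Normalized hosts of links in the body that are not LastPass hosts."""
    return sorted({_normalize_host(h) for h in URL_HOST.findall(text) if not _is_legit_host(h)})


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    mentions = bool(KEYWORD.search(str(msg.get("Subject", "")) + " " + text))
    reasons = []
    if mentions:
        domain = sender_domain(msg)
        if not _is_legit_host(domain):
            reasons.append(f"sender domain {domain!r} is not a LastPass domain")
        if not auth_passed(msg):
            reasons.append("SPF and DKIM did not both pass")
        links = offsite_links(text)
        if links:
            reasons.append("links to non-LastPass hosts: " + ", ".join(links))
    return {"mentions_lastpass": mentions, "hold_for_review": bool(reasons), "reasons": reasons}


# Constructed sample messages (not real mail).
PHISH = b"""From: "LastPass Security" <alerts@lastpass-verify.com>
To: alice@example.org
Subject: Urgent: verify your LastPass master password
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=lastpass-verify.com; dkim=none
Content-Type: text/plain; charset=utf-8

Due to the recent incident, confirm your master password within 24 hours:
http://lastpass-verify.com/reset?u=alice
"""

LEGIT = b"""From: LastPass <noreply@lastpass.com>
To: alice@example.org
Subject: Security notice from LastPass
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=lastpass.com; dkim=pass header.d=lastpass.com
Content-Type: text/plain; charset=utf-8

We recommend changing your master password at https://lastpass.com/ and enabling multifactor authentication.
"""

UNRELATED = b"""From: bob@example.net
To: alice@example.org
Subject: Lunch?
Content-Type: text/plain; charset=utf-8

Thursday works for me.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT), ("unrelated", UNRELATED)):
        print(name, triage(raw))
```

The keyword match alone would also hold the genuine LastPass notice, which is exactly why the post says “manually review” rather than “block”; the extra sender, authentication and link checks are what let a reviewer clear the legitimate mail quickly and concentrate on the rest.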