Managing Your Password Manager: Lessons Learned from LastPass and Security Best Practices

95 (2)

What is LastPass?

LastPass is a password manager application that provides a secure vault to store your sensitive information and makes it easy to access your information when you need it. It can support automatically logging you into your online accounts, filling out forms with your saved information, and generating strong, unique passwords for each of your accounts. LastPass encrypts all of your information locally on your device and syncs it across all your registered devices, so you can access your information from anywhere.

In addition to managing your passwords, LastPass also includes features such as:

  • Multi-Factor Authentication: Adds an extra layer of security to your LastPass account by requiring a second factor, such as a fingerprint or a security code, to access your information.
  • Shared Folders: Allows you to share passwords with friends, family, or colleagues who also have LastPass accounts.
  • Emergency Access: Enables you to designate trusted individuals who can access your LastPass account in case of an emergency.
  • Dark Web Monitoring: Regularly scans the dark web to see if any of your email addresses and passwords have been compromised.

In general, password managers can simplify your digital life, increase your online security, and reduce the risk of having your passwords stolen or compromised.

What happened at LastPass?

In December of 2022, LastPass notified its customers that in August 2022, an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of its production data. While no customer data was accessed directly during the August 2022 incident, some source code and technical information was stolen from its development environment and used to target an internal employee, obtaining credentials and keys, which were used to access and decrypt storage volumes within the cloud-based storage service. The threat actor was also able to copy a backup of customer vault data from the encrypted storage container and successfully decrypt it, giving a threat actor a chance to attempt to use brute force to guess each affected customer’s master password and decrypt the copies of vault data they took. LastPass’ customers may also face increased phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with LastPass vaults.

My company uses LastPass. What should we do now?

Fortunately, there are immediate actions you can take to enhance your security over accounts you have been managing with LastPass.

  • Change all passwords: Encourage all employees to change their passwords for all accounts that were stored in LastPass, especially for accounts with sensitive information. This will help to prevent unauthorized access to these accounts. Ensure that the new passwords are strong and unique.
  • Enable two-factor authentication: Consider enabling two-factor authentication for all accounts that support it. Two-factor authentication adds an extra layer of security to accounts by requiring a second factor, such as a code sent to a mobile device, to be entered in addition to a password. This makes it much more difficult for an attacker to access an account, even if they have the password.
  • Monitor for suspicious activity: Keep an eye on accounts for any suspicious activity, such as unauthorized logins or changes to password or recovery information. If you notice anything out of the norm, take immediate action to secure the affected accounts and investigate the source of the activity.

Once you have addressed these, consider the following additional actions:

  • Review security policies: Review your company’s security policies and ensure that they are up-to-date and effective. Consider implementing additional security measures, such as encryption and network security, to further protect sensitive information.
  • Consider alternative solutions: Consider switching to a different password management solution that meets your company’s security needs. Look for a solution that has strong security features, such as encryption, two-factor authentication, and a strong track record of protecting customer data. Make sure to thoroughly research and compare different solutions before making a decision. Due diligence is key here.
  • Consistently apply effective vendor management practices: Always evaluate vendors as part of onboarding, and then periodically re-evaluate the vendor’s ability to manage and mitigate IT risk; remediate vulnerabilities; and protect its and its clients’ information and systems from cyber threats. This can be achieved by inspecting the vendor’s cyber security program and practices, reviewing documentation, and conducting questionnaires and personnel interviews. Companies can conduct third-party risk assessments using internal staff, engaging a trusted partner, or choosing a hybrid model where they hire a trusted vendor but utilize in-house staff to interact with the third-party vendor.
  • Assess your preparedness: Given the possibility of increased phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with LastPass vaults, it would be prudent to evaluate your company’s readiness to respond to a ransomware attack. A ransomware readiness assessment can help identify gaps in the controls, processes, or procedures that make a company vulnerable to a ransomware attack or would hinder their response.

Conclusion

In today’s world, most companies trust third-party vendors with their data, or even may trust their vendor with the keys to their kingdom, namely all their passwords! It’s important to act quickly and proactively in response to a security breach to minimize the risk of further exposure and maintain the trust of your customers and employees.

For more information, please contact Pawel Wilczynski, or your BNN advisor.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.