As detailed in our previous articles about the LastPass breach - What to do if you're a LastPass User, LastPass - It's worse than we thought, and LastPass says hackers stole customer backups, the LastPass breach has had a devastating effect on both the company and its customers.
To recap the latest news, LastPass revealed in December 2022 that the August breach was worse than the company originally thought, resulting in encrypted copies of some users' password vaults being stolen, in addition to unencrypted personal information. A second breach later in August allowed hackers to exfiltrate sensitive data from the company's cloud storage. Attackers gained these incredible levels of access by targeting a specific LastPass employee who had high levels of system privileges.
“This was accomplished by targeting [a] DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass wrote in an account of the situation. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
To target the LastPass employee, attackers exploited a Plex Media Server software vulnerability that had already been long-patched at the time. The company issued a fix for the bug in May 2020, “roughly 75 versions ago,” Plex said.
There are a few lessons to be learned for business owners from the LastPass breach.
- Don't allow employees to use personal computers to access corporate networks - This might seem like an obvious statement. Unfortunately, it is common for employees to remotely access their corporate networks using a personal computer. Since the company doesn't own or manage the computer, it is nearly impossible to ascertain the patch level, end point protection installed, or other unpatched software that may be installed (in this case, Plex).
- MFA is awesome, but users can fall victim to MFA Fatigue - The LastPass user authenticated for a login that he didn't make, mainly due to the Pavlovian response we have to MFA push requests we have on our smart phone. Make sure your users know to only confirm MFA requests when they are actually logging into a system or application.
- Targeted Hackers are likely to have success with the right amount of effort - LastPass is a huge target because of the data they store (passwords, or as I like to call them, the "keys to the kingdom"). It's no surprise that the hackers targeted LastPass, and not a major surprise that they went to the sophisticated effort of hacking and social engineering to make this attack happen. What data are you storing that is worth targeting?
- If you use a Password Manager, make it is setup correctly and securely - LastPass users who properly secured their LastPass account and vault have less to fear than those who didn't properly secure their account and vault. To protect your "keys to the kingdom", take these steps. 1) Use a strong Master Passphrase, and don't use this Master Passphrase anywhere else, 2) Setup MFA and/or Biometric Authentication on your PC and mobile devices, 3) Follow the best practices recommended by your Password Manager.
Interested in a Password Manager for your business? Reach out to schedule a complimentary Password Manager overview.
Leave a comment!