Menu

What Are Password Managers and What Are the Implications of LastPass’ Security Breach?

Click The Arrow For The Table Of Contents

What Is LastPass? 

LastPass, owned by GoTo (previously owned by LogMeIn) is perhaps the most popular password manager. There are, however, many different password managers available, such as Google Password Manager, Microsoft Authenticator, Dashline, Sticky Password, Password Boss, Keeper (good for cross-platform uses), 1Password, LogMeOnce and others. There are also password vaults in other programs and CRMs that act as password managers, such as Zoho Vault, and Digital Vault. Google’s Chrome browser has a password manager to help to stop people from using weak passwords by suggesting combinations of characters that may be more secure. Microsoft’s Authenticator app can manage passwords for both Edge and Chrome.

Password managers are software apps, typically installed as browser plug-ins, that securely store and manage passwords, credit card information, and other sensitive data. Some are free versions while others offer monthly subscription accounts. They allow users to generate strong and unique passwords for each account, automatically log in to websites, and fill out forms with a single click or keyboard shortcut. The data is encrypted and protected with a master password, providing an additional layer of security to the user’s online accounts.

What Happened To LastPass?

On January 23, GoTo, the parent company of LastPass, gave an update of a “security incident” that it first reported in November 2022. The original “security incident” though is understood to have taken place in August 2022. The update, following an investigation of the incident (a hack) stated that “a threat actor” had obtained “encrypted backups from a third-party cloud storage service” relating to its Central, Pro, join.me, Hamachi, and RemotelyAnywhere products. GoTo also reported that it had evidence that the threat actor had also obtained an encryption key for a portion of the encrypted backups. An encryption key is a code used to encrypt and decrypt data, i.e. the data’s unreadable to anyone without the key. Hackers managed to steal encrypted backups from their parent company LogMeIn Inc., potentially putting user accounts at risk if they were able to decrypt the data. Following news that hackers have stolen encrypted backups from the parent company of popular password manager LastPass, we look at what password managers are, plus the implications of the attack for businesses.

Password managers are an invaluable tool for businesses needing to secure their data. They allow organisations to store thousands of passwords in a single, encrypted vault. This eliminates the need to remember multiple passwords, while still ensuring that all sensitive information is protected against unauthorised access.

What Is LastPass Doing About It?

LastPass says that in response to the August 2022 incident it has:

– Decommissioned the development environment and rebuilt a new one from scratch to eradicate any further potential access, and replaced and hardened developer machines, processes, and authentication mechanisms.

– Added more logging and alerting capabilities to help detect any further unauthorised activity, and implemented a new, fully dedicated set of LastPass development and production environments.

In response to the most recent incident LastPass says it has:

– Started rotating all relevant credentials and certificates that may have been affected and supplementing existing endpoint security.

– Performed an analysis of every account with signs of any suspicious activity within the cloud storage service and added additional safeguards.

– Analysed all data within the environment to understand exactly what the threat actor accessed.

Implications of LastPass Breach for Businesses

The implications of this attack on businesses using password managers can be far-reaching. It’s not just passwords that are at risk; hackers could also gain access to confidential information such as customer data and financial records. Businesses using password managers need to ensure they have taken appropriate steps to protect their data, including implementing additional security measures like two-factor authentication and regularly monitoring for suspicious activity.

It’s also important for businesses to review the security protocols of any third-party providers they use and ensure that these meet their needs. LastPass has stated that all customers will be notified if their accounts were affected by the breach, but this should still serve as a reminder for businesses that it is essential to stay up-to-date on the latest industry developments in order to keep their data secure.

What Should Customers Do?

LastPass says that business customers who haven’t already been contacted needn’t take any recommended actions at this time.

However, LastPass has issued the general advice to customers to make use of its password default settings whereby it says, “it would take millions of years to guess your master password using generally-available password-cracking technology.”  Also, LastPass had advised customers against reusing their master password on other websites (password sharing).

What Does This Mean For Your Business?

LastPass is a popular, market leading password manager, used and trusted by many businesses. It is likely, therefore, to be a shock to many that there’s been (another) security incident whereby hackers have been able to steal customer data from a company that is supposed to be in the business of protecting very sensitive customer data. It’s so serious in fact that customers’ data encryption vaults have been taken, and this could mean that despite the communication from LastPass about the hack, that business customer confidence in the service and LastPass’s brand could be hugely damaged by this incident. Also, the theft of the other data could mean that business customers are now more at risk of being targeted by social engineering or phishing attacks, credential stuffing, or other brute force attacks. The data could also be sold to many other attackers, leading to increased risks going forward and the need to invest more time and money on taking extra security measures.

Conclusion

Password managers have become increasingly popular in recent years, as they can provide businesses with a convenient and secure way to store confidential information. However, the LastPass security breach serves as a reminder that no system is 100% secure and businesses must take steps to protect their data. This includes ensuring third-party providers meet their security requirements and regularly monitoring for any suspicious activity. By following these precautions, businesses can help ensure that their sensitive data remains safe from unauthorised access.