Kerwin's Blog

WCB #1-LastPass

WCB #1-LastPass

Kerwin's photo
Kerwin
·

4 min read

Summary

Hello and welcome to the first installment of my weekly cyber brief. For this series, I plan to discuss an interesting event that has occurred in the realm of Cybersecurity every week. This past week saw a whole host of interesting events from Microsoft being fined 64 million by France's privacy watchdog for the way it manages cookies(one example is not allowing users the ability to opt-out of cookies) on its search engine bing.com to a researcher publishing his findings on how the Google home speakers allowed hackers the ability to eavesdrop on conversations. For this week's discussion, I chose to examine the latest data breach that has occurred to LastPass.

What is LastPass?

Simply put, LastPass is a password manager used to facilitate quick and easy access for a user to log into a website or application of their choosing. It acts as a vault that houses information such as a username and auto-fills your credentials when accessing a website or application.

History of Breaches

Although LastPass is trusted in the password and identity management space, it has dealt with its fair share of breaches over the years. Some notable breaches include the 2015 breach, which involved email addresses and password reminders being compromised but not encrypted user vault data, and the recent August 2022 breach that saw hackers persist on the network of Lastpass for four days which allowed them to compromise source code and some proprietary technical information. This breach is still being investigated to determine the extent of the damage that was done by hackers. Four months after this breach, however, sees LastPass again in the hot seat regarding the protection of client data.

Why Latest breach is important?

To have a serious breach occur in a year is one thing but to have it happen again in four months leaves one pondering, did they not learn from a recent mistake? Back-to-back breaches not only hurt the company's pockets but may have left irreversible damage to customers' trust regarding the product. What is important to remember, however, is that LastPass does not have master keys to an individual's encrypted database. This means that regardless of an attack on LastPass, a user's vault is technically safe due to AES-256 encryption. Hackers did however still gain some important information

Summary of Attack

According to LastPass, an unknown threat actor accessed a cloud-based storage environment using information from the prior breach in August of 2022. The quality and quantity of information gathered from this prior breach is still yet to be determined and is currently being investigated. As a result, I have not been able to determine official Tactics Techniques or Procedures(TTPs) used by the unknown threat actor. Some TTPs that I believe were used consist of brute forcing and accessing credentials from password stores, specifically through third parties that have software vulnerabilities. The cloud storage service the threat actor was able to access is not connected to the production environment

Possible Implications

Since the extent of the damage done in the August 2022 breach is still undetermined, the implications of this successive breach can be far-reaching. What is certain, however, is reputational damage has been done to the company.

Possible Solutions

Lastpass, like in 2015, recommends users change their master password as quickly as possible. Another recommendation is to not reuse passwords. The password to a user's vault must be unique and not used for anything else. Other mitigations that can be used are refining the password policy for users, having more frequent software updates and configuring the software to re-lock the password manager in a shorter period.

Conclusion

This latest breach to the company, in my opinion, may ruin the company indefinitely based on customer trust being severely reduced. To have successive breaches where the full extent of damage of the previous breach is yet to be determined does not bode well for LastPass. A positive out of this messy situation, however, is users may still have their usernames and passwords protected thanks to AES-256 encryption only if they have not reused passwords also users should change the master password for their vault immediately.

For more information on the issue, you can visit: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Resources:

Bodoni, S. (2022, December 22). Microsoft (MSFT) fined $64 million by French data watchdog over Cookies. Bloomberg.com. Retrieved January 1, 2023, from https://www.bloomberg.com/news/articles/2022-12-22/microsoft-fined-64-million-by-french-data-watchdog-over-cookies

Toulas, B. (2022, December 30). Google home speakers allowed hackers to snoop on conversations. BleepingComputer. Retrieved January 1, 2023, from https://www.bleepingcomputer.com/news/security/google-home-speakers-allowed-hackers-to-snoop-on-conversations/

LastPass hack raises questions on security. LastPass Hack Raises Questions on Security - Nachrichten zum Thema Sicherheit - Trend Micro DE. (n.d.). Retrieved January 1, 2023, from https://www.trendmicro.com/vinfo/de/security/news/cyber-attacks/lastpass-hack-raises-questions-on-security

Toubba, K. (2022, December 22). Notice of recent security incident. The LastPass Blog. Retrieved January 1, 2023, from https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Wadhwani, S. (2022, December 2). LastPass suffers second major data breach in four months. Spiceworks. Retrieved January 1, 2023, from https://www.spiceworks.com/it-security/data-security/news/lastpass-second-data-breach/

Credentials from password stores: Password managers. Credentials from Password Stores: Password Managers, Sub-technique T1555.005 - Enterprise | MITRE ATT&CK®. (n.d.). Retrieved January 1, 2023, from https://attack.mitre.org/techniques/T1555/005/

#cybersecuritySecurityBloggingdatabreachnews