LastPass breach: a historic – and likely ignored – cybersecurity lesson
THE PASSWORD MANAGEMENT PROMISE
Password management has always been a struggle between convenience and security. End-users often reuse one password across many systems, and choose passwords, such as the names of pets or partners, whose clues can be harvested from social media.
Some keep the same password for years at a stretch, which extends their exposure long after the credential has leaked in a breach.
Password management solutions like LastPass, 1Password, and Dashlane promise to address the weakest factor in an organization’s cybersecurity strategy: the human one. Users register each app, system, website, account, or service in the platform once, then unlock all of them with a single master username and password.
The password manager does the heavy lifting by generating a strong, unique password for each service and, in products that support it, rotating those passwords on a schedule. Current commercial solutions work across devices and platforms, using cloud-hosted back-end infrastructure to synchronize the encrypted vault wherever the user happens to be and however they sign in.
Password management app vendors say their systems and platforms are robust and resilient enough to resist ever more creative attack vectors. And historically they have proven to be reliable additions to the organizational cybersecurity toolkit. But they are not perfect.
On August 25, 2022, LastPass sent a message to its customers advising them of a breach:
“We are writing to inform you that we recently detected some unusual activity within portions of the LastPass development environment. We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. We have no evidence that this incident involved any access to customer data or encrypted password vaults.”
By September 15, the company wrapped up its investigation – with the help of Mandiant, a U.S.-based cybersecurity specialist firm – and said the breach had been contained. CEO Karim Toubba wrote in a blog post that, “There is no evidence of any threat actor activity beyond the established timeline,” adding, “We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.”
By December 22, the company confirmed that customer data had indeed been taken. Worse, it disclosed a second incident, in which the threat actor had remained active on the company’s systems even after the investigation into the first breach had been declared complete.
On January 23, 2023, LastPass parent company GoTo confirmed that the attacker had also taken encrypted backups and keys from the third-party cloud storage service it shared with LastPass.
On March 1, LastPass confirmed in an updated blog post that data taken during the initial attack had been used in the second incursion. It explained how the attacker had targeted a DevOps engineer who had access to the decryption keys necessary to access the LastPass cloud storage service.
The attacker compromised the engineer’s home computer by exploiting a known vulnerability in Plex Media Server, a third-party application the employee had installed for personal use. Plex had fixed that vulnerability in May 2020, and noted that the patched release was “roughly 75 versions ago.”
The attacker then installed a keylogger, which captured the engineer’s master password as it was typed, after the engineer had already authenticated with MFA. That password opened the engineer’s corporate vault and its shared folders, including the all-important decryption keys for the company’s cloud storage and database backups.
WHAT ORGANIZATIONS MUST DO
Increasing reliance on third-party solutions means organizations can be put at risk when vendors drop the ball. And while LastPass customers certainly can’t control the password management company’s behavior, they can definitely work to tighten their own internal controls to minimize the third-party risks. We recommend starting with the following:
1 – Update your BYOD policies
Many factors contributed to this event, but what stands out is one employee’s use of unsanctioned personal software on a personal computer that was also used to reach corporate resources. In a recent Action1 survey, 43% of IT professionals said the riskiest behavior among remote workers is the use of corporate devices for personal activities; the LastPass case is the mirror image, a personal device used for corporate work, and it carries the same risk.
A properly documented, deployed, and managed bring-your-own-device policy goes a long way toward enforcing accountability among end-users.
Note: this applies to every employee, from the engineers responsible for the most sensitive databases and platforms down to near-anonymous knowledge workers in routine office roles. Contractors and other stakeholders? They are in scope, too.
2 – Tighten and extend patch management processes
The LastPass event was made possible by an employee running unsanctioned software that had gone unpatched for more than two years. Many organizations, if they have patch management processes at all, limit them to corporate-provided hardware, software, networks, and systems. With the rise of BYOD, that leaves them dangerously exposed.
Review patch management processes by engaging with employees on all the ways they now access organizational infrastructure, and update procedures to include employee-owned or installed technologies, as well.
3 – Beware the 2FA/MFA trap
Not all two-factor or multifactor authentication methods are created equal, and this attack shows the limits of the extra layer. The most common forms of 2FA/MFA deliver a one-time code by SMS, email, or an authenticator app. In this case the second factor did not have to be broken at all: the keylogger captured the engineer’s master password after the engineer had already completed MFA, and that password gave the attacker the corporate vault. More generally, one-time codes are bearer secrets: a code intercepted in transit or captured by malware stays valid for as long as the server’s acceptance window lasts, and a stolen seed yields every future code.
Hardware tokens are stronger. They need no network connectivity, and the secret (or, for FIDO2 keys, the private key) never leaves the device, so their codes or signatures are far harder to duplicate or intercept. They cost more and are less convenient, but they are particularly effective in front of highly sensitive resources. One caveat: no second factor protects a session that begins on an endpoint the attacker already controls, which is why the endpoint-hygiene points above matter as much as the choice of factor.
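As an added illustration, not code from LastPass or from the original post, the following standard-library implementation of RFC 4226 HOTP and RFC 6238 TOTP shows the two weaknesses of code-based MFA described above: a captured code remains accepted for the server's drift window, and a stolen seed lets an attacker compute every future code without touching the victim's device. The seed is the RFC test secret in base32 form, and the function names and the `attacker_codes` scenario are this example's own constructions.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed seed for the example: the RFC 4226/6238 test secret
# ("12345678901234567890") in the base32 form authenticator apps exchange.
CONSTRUCTED_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits (leading zeros kept)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check as commonly deployed: accept the code for the
    current step plus `window` steps on either side to tolerate clock
    drift.  That tolerance is exactly how long a keylogged or phished
    code stays usable by an attacker."""
    current = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, current + d, len(code)), code)
        for d in range(-window, window + 1)
    )


def seed_from_base32(encoded: str) -> bytes:
    """Decode an authenticator-app seed (otpauth:// URIs carry base32)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def attacker_codes(stolen_seed_b32: str, start_time: int, count: int) -> list:
    """What a stolen seed buys: every valid code for the next `count`
    steps, computed entirely offline from the seed alone."""
    secret = seed_from_base32(stolen_seed_b32)
    return [totp(secret, start_time + STEP_SECONDS * i) for i in range(count)]


if __name__ == "__main__":
    now = int(time.time())
    secret = seed_from_base32(CONSTRUCTED_SEED_B32)
    print("victim's authenticator shows:", totp(secret, now))
    print("attacker holding the seed gets:", attacker_codes(CONSTRUCTED_SEED_B32, now, 3))
    # A code captured 30 s ago is still accepted under a one-step window.
    print("stale captured code still valid:", verify_totp(secret, totp(secret, now - 30), now))
```

Run against the RFC test secret, `totp(secret, 59)` gives `287082` and `verify_totp` still accepts that code at time 89, which is the replay window; a FIDO2 key has neither property, because its response is a signature over a server challenge bound to the origin and the private key never leaves the device.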
4 – Build in security from the start
We’re long past the point where security is something that gets tacked on at the end of a project. Whether you’re coding from scratch or integrating disparate solutions from multiple vendors, always take a security-first approach. Examine where data is stored and how it is transported. Continuously ask hard questions at every step to determine whether or not the chosen path is making life easy for malicious actors.
In this event, LastPass kept critical secrets, including MFA seeds and the split-knowledge component (“K2”) keys, together in the same backups, and the decryption keys for that cloud storage were reachable from a single engineer’s vault. Split knowledge only protects a key while its components are held apart; co-locating them handed the attacker highly sensitive assets in one haul.
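To make the split-knowledge point concrete, here is an added example (not LastPass's code; the page does not describe their actual scheme, so the textbook two-component XOR construction is assumed). A key K is never stored whole: it is split into K1 and K2 with K = K1 XOR K2, and either component alone is uniformly random and says nothing about K. The `recoverable_from` model at the end shows how the protection evaporates once both components land in one exfiltrated backup. Location names are constructed for illustration.

```python
import os
from typing import Dict, Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; both inputs must be the same length."""
    if len(a) != len(b):
        raise ValueError("key components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes) -> tuple:
    """Split `key` into components K1 and K2 with K1 XOR K2 == key.
    K1 is fresh randomness, so K2 is also uniformly random on its own."""
    k1 = os.urandom(len(key))
    k2 = xor_bytes(key, k1)
    return k1, k2


def combine(k1: bytes, k2: bytes) -> bytes:
    """Reassemble the key.  Only a process that holds both components
    (ideally from two different custodians or systems) can do this."""
    return xor_bytes(k1, k2)


def other_component_for(candidate_key: bytes, known_component: bytes) -> bytes:
    """Given one component, produce the other component that would make
    `candidate_key` the real key.  A valid answer exists for every
    candidate, which is why one component alone reveals nothing."""
    return xor_bytes(candidate_key, known_component)


def recoverable_from(compromised: Dict[str, Dict[str, bytes]]) -> Optional[bytes]:
    """Model of a storage compromise.  `compromised` maps each exfiltrated
    location (vault, backup bucket, ...) to the labelled components found
    there.  Returns the key if the attacker now holds both K1 and K2."""
    held: Dict[str, bytes] = {}
    for components in compromised.values():
        held.update(components)
    if "K1" in held and "K2" in held:
        return combine(held["K1"], held["K2"])
    return None


if __name__ == "__main__":
    key = os.urandom(32)
    k1, k2 = split_key(key)
    # Separated custody: exfiltrating one location yields nothing usable.
    print(recoverable_from({"backup-bucket": {"K2": k2}}))                   # None
    # Co-located custody: both components in one backup hand over the key.
    print(recoverable_from({"backup-bucket": {"K1": k1, "K2": k2}}) == key)  # True
```

The same logic applies to MFA seeds: a seed stored next to the backup it helps protect is no longer a second factor, just a second copy of the first.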
5 – Don’t forget enforcement
It’s one thing to document and implement strong security practices – and quite another to enforce them. All the policy in the world won’t secure the organization and its stakeholders if it’s allowed to gather dust.
Incorporate compliance monitoring into ongoing operations, and regularly refresh employee and stakeholder training with role-specific security content.
THE BOTTOM LINE
LastPass wasn’t the first major vendor to be caught by lax internal security standards and inadequate end-user training – and it won’t be the last.
Organizations that think they can secure their endpoints simply by rolling out a password manager misunderstand how technology and data risk is actually managed and mitigated. There is no magic-bullet solution.
Security-first culture, coupled with infrastructure and software design that builds secure authentication into the baseline architecture, is the only way organizations can protect themselves from the next historic breach. Password management solutions continue to play a role, but organizations must use them with their eyes open.
We’ve been designing security into our solutions since we opened our doors. Find us on LinkedIn if you’d like to learn more – and bookmark this blog, as we’ll have some exciting news in the weeks to come.