LastPass is a popular password manager that has suffered more than its fair share of data breaches. Information has now come to light regarding the latest LastPass data breach which was reported here by our own John Durso in December: LastPass Hacker Gets Vault Data
Apparently, a work-from-home employee’s PC was compromised via a vulnerability in a third-party media player, which was exploited to deploy a keylogger. Once the keylogger was deployed it was just a matter of time until the employee logged in using their official credentials and, bingo… the hacker had all he/she needed to access the employee’s corporate vault. The following is an excerpt from the LastPass report:
The threat actor targeted a senior DevOps engineer’s remote PC by exploiting vulnerable third-party software. The threat actor leveraged the vulnerability to deliver malware, bypass existing controls, and ultimately gain unauthorized access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data. (source: LastPass report)
As I have repeated many times over, most malware needs some sort of inadvertent action on the part of the user in order to be delivered successfully, and in corporate environments with many networked computers operated by many users that risk rises considerably. Even though the LastPass vault itself was not breached directly, it’s remarkable that remote employees are not better educated to avoid these types of third-party compromises. In fact, it’s inconceivable that what is essentially a work PC holding highly sensitive material is not kept completely separate from the employee’s own personal use.
LastPass has stated that it’s now in the process of hardening the DevOps engineer’s home network security. While that is certainly a step in the right direction, surely these types of employees who are working from home with sensitive information should be ordered to maintain two completely separate PCs – one for work requirements ONLY, and another for personal use.
What LastPass Users Need To Do
If you’re a LastPass user and have already taken remedial action as per LastPass’s bulletin, you’re all good. However, if you’re just finding out about this now, you need to follow John Durso’s advice from his earlier article:
- Change the LastPass master password
- Turn on LastPass multi-factor authentication if it is not turned on
- Change all critical website passwords (email, financial institutions, credit cards, etc.)
Stay safe out there.
—
Hi Jim,
New subscriber to your website and weekly newsletter. I’m a current user of LastPass and found your update on their most recent data breach to be very helpful. Based on the fact that they’ve had multiple breaches and that the latest one is due to very poor security measures on their part, do you recommend changing to a different password management company? If so, which one would you recommend? Thanks!!
Hi Chris… and welcome.
Yes, I would definitely recommend Bitwarden as an excellent alternative. Both my colleague John Durso and I use Bitwarden. John is particularly privacy/security conscious, so if he is using Bitwarden you can pretty much bet it is as safe and secure as it can possibly be.
Suggest you take a look at John’s earlier article (and his recommendations at the bottom): https://davescomputertips.com/lastpass-hacker-gets-vault-data/
John has informed me that since he published his article, Bitwarden has:
- Followed the OWASP (Open Worldwide Application Security Project) recommendation and increased the KDF PBKDF2 iterations to 600,000 (as the default)
- Introduced a KDF option of Argon2id, which he thinks is superior to PBKDF2
- Released the results of two of their latest third-party audits, on security and network security (https://bitwarden.com/blog/third-party-security-audit/); they were found to be upholding high standards
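To show what the KDF iteration count in John’s first point actually does, here is an added example (not code from this post or from Bitwarden): a simplified Bitwarden-style master-key derivation with PBKDF2-HMAC-SHA256, a constant-time login check, and a rough per-guess cost measurement. The salt handling, the 100,000 comparison value and the password/e-mail samples are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

# Added example, not code from the original post or from Bitwarden. It
# illustrates the "KDF iterations" setting mentioned above: a master password
# is stretched with PBKDF2-HMAC-SHA256 before it can unlock a vault, and the
# iteration count is what makes each offline guess costly for an attacker.

OLD_ITERATIONS = 100_000  # constructed lower value, only for comparison
NEW_ITERATIONS = 600_000  # the OWASP-recommended default cited above


def derive_master_key(password: str, salt: str, iterations: int) -> bytes:
    # Stretch the master password into a 32-byte key. Using the lower-cased
    # account e-mail as salt is the simplified Bitwarden-style scheme assumed here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.strip().lower().encode("utf-8"),
                               iterations, dklen=32)


def verify_master_password(password: str, salt: str, iterations: int,
                           stored_key: bytes) -> bool:
    # Constant-time comparison. The iteration count is part of the account
    # record: a key derived at 600,000 iterations does not match one derived at
    # 100,000, so raising the default only helps users once they re-derive.
    candidate = derive_master_key(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_key)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    # Rough single-thread cost of one offline guess on this machine. A GPU rig
    # is far faster in absolute terms, but cost still scales linearly with the
    # iteration count, so the ratio between the two settings is what matters.
    start = time.perf_counter()
    for _ in range(samples):
        derive_master_key("benchmark-only", "bench@example.com", iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    pw, email = "correct horse battery staple", "Alice@Example.com"
    stored = derive_master_key(pw, email, NEW_ITERATIONS)
    print("login ok:", verify_master_password(pw, "alice@example.com",
                                              NEW_ITERATIONS, stored))
    for it in (OLD_ITERATIONS, NEW_ITERATIONS):
        s = seconds_per_guess(it)
        print(f"{it:>7} iterations: {s * 1000:6.1f} ms/guess, "
              f"~{1 / s:,.0f} guesses/s per core")
```

Running it prints the per-guess cost at both settings; the six-fold difference is the whole point of the default change, and the failed check at the old count shows why existing accounts have to be re-keyed to benefit.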
I cannot believe an incompetent, clueless, bumbling fool of an employee, who works for a company whose hallmark is extreme security, screwing up using, of all things, Media Player! I hope the company has terminated this clown who should know better than anyone how important security is for the company and that you do not use company machines for frivolous activities.
Hey Harry,
Agreed. It’s a ridiculous situation.