LastPass Breached Again?

At its core, LastPass is a password manager: a software service that stores a user's passwords in encrypted form so they can be retrieved easily when they are needed.  LastPass is very popular, but it is only one of many widely known password managers, each with its own features, advantages, and disadvantages.  Other commonly known password managers include Bitwarden, Dashlane, and 1Password.

The need for password managers comes from the fact that people have an overwhelming number of passwords and online accounts.  These tools give users a way to have all their passwords and account information available at any time without having to remember everything; this is an important aspect of password managers that we will cover shortly.  A password manager's functionality varies depending on whether it is based in the cloud or on a local machine, but the point of any of them is that a user can store all their account passwords in one easily accessible place.  This password store is typically referred to as a "vault" and is encrypted for the user's protection.  LastPass, for example, encrypts user vaults with 256-bit AES [1].

On August 25th, 2022, LastPass confirmed that it had detected unusual activity in its development environment [3].  The activity was traced back to a single developer account that had been compromised.  As for what "unusual activity" means, LastPass also confirmed that the intruder took portions of source code and proprietary technical information [2].  No evidence has been found so far that user data was compromised.  In addition, LastPass, like other password managers, operates on a "zero knowledge" architecture [1].  In a zero-knowledge architecture the vault is encrypted on the user's own device, with a key derived from the master password, before anything is sent to the service.  The service therefore never holds plaintext user data or the master password itself, and a breach of stored user data would yield only encrypted vaults.  The caveat is that an encrypted vault is only as strong as the master password behind it: an attacker holding a copy of a vault can test master-password guesses offline, with no server-side rate limiting or lockout, so a weak or reused master password undoes the protection the architecture provides.
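To make the zero-knowledge argument concrete, here is a simplified model of client-side vault protection as an added example.  It is not LastPass's code and does not reproduce its exact scheme; the iteration count, the salt choice, the email address and the vault contents are assumptions for the illustration, and an HMAC-SHA256 counter-mode keystream stands in for AES-256 so the block runs with only the Python standard library.  The server-side record holds an authentication hash and an opaque blob, never the key or the master password, yet a weak master password still falls to an offline dictionary run against that blob.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

# Added illustration of a zero-knowledge vault, not LastPass's implementation.
# Functions marked "client-side" run on the user's device; the server only ever
# receives the output of derive_auth_hash() and encrypt_vault().

ITERATIONS = 100_000          # assumed PBKDF2 work factor for the example
NONCE_LEN, TAG_LEN = 16, 32
SAMPLE_VAULT = b'{"github.com": "long-random-generated-secret"}'  # constructed vault contents
SAMPLE_EMAIL = "user@example.com"                                 # constructed sample account


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Client-side: stretch the master password into a 256-bit key, salted with the account email."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client-side: one further one-way step yields the login credential. The server can
    verify it, but cannot run it backwards to recover the vault key it was derived from."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _subkeys(vault_key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys so neither role weakens the other."""
    enc_key = hmac.new(vault_key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-256. The zero-knowledge
    property does not depend on which cipher is used, only on where the key lives."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Client-side encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None for a wrong key or a tampered blob, never a garbled plaintext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def offline_guess(blob: bytes, email: str, candidates: Iterable[str],
                  iterations: int = ITERATIONS) -> Optional[str]:
    """What an attacker holding a stolen blob can do: test master-password guesses offline.
    Each guess costs one PBKDF2 run and nothing else; no server is there to rate-limit it."""
    for guess in candidates:
        if decrypt_vault(derive_vault_key(guess, email, iterations), blob) is not None:
            return guess
    return None


def demo(master_password: str = "Summer2022!", iterations: int = 10_000) -> Tuple[dict, Optional[str]]:
    """Enrol the constructed account, then attack the server-side record with a small wordlist."""
    key = derive_vault_key(master_password, SAMPLE_EMAIL, iterations)
    server_record = {                       # everything the service stores for this user
        "email": SAMPLE_EMAIL,
        "auth_hash": derive_auth_hash(key, master_password),
        "blob": encrypt_vault(key, SAMPLE_VAULT),
    }
    wordlist = ["123456", "Password1", "Summer2022!"]   # constructed attacker dictionary
    cracked = offline_guess(server_record["blob"], SAMPLE_EMAIL, wordlist, iterations)
    return server_record, cracked


if __name__ == "__main__":
    record, cracked = demo()
    print("server holds:", sorted(record))
    print("offline dictionary recovered master password:", cracked)
```

The point of `demo()` is the contrast: the record contains nothing the service could decrypt, but because the blob alone is enough to verify a guess, the only real defence once a copy leaks is a master password that is not in any attacker's dictionary plus a high key-derivation work factor.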

One interesting aspect of this topic is that LastPass seems to attract more security incidents than most other password managers.  This is likely a problem born of its success and notoriety, but even so, LastPass-related security incidents can be found in 2011, 2015, 2016, 2017, 2019, and 2021.  Examining these incidents reveals a variety of issues beyond compromised developer accounts, such as anomalies in incoming network traffic and vulnerabilities in browser extensions.

Keeping the LastPass breaches in mind, there are several things to consider about password managers.  First, we can think about why they are used, and the kinds of features they offer give a good idea of that.  The most obvious feature is the encrypted password store mentioned a moment ago.

A single place to put one's passwords is an attractive prospect, especially these days when a person can be expected to have 100+ accounts for various things.  One thing that should be mentioned here is that the vault is often cloud-based.  This may not be ideal in some cases, so it is important to point out that password managers do not exclusively operate in the cloud.  For example, KeePass [5] is a popular choice for users who do not want their passwords stored on someone else's servers.

In addition to password storage, password managers typically include extra functionality.  With cloud-based services like LastPass, users can use browser extensions and apps to reach their vaults from anywhere.  Password managers also generally include password generation tools [4], which promote long random passwords over ones that are easy to remember or guess.  As a further boon to password hygiene, password managers may include password health tools, which look for weak passwords, reused passwords, and perhaps even passwords known to appear in public breaches.

It is also not uncommon for password managers to warn users when the passwords for different accounts are identical or too similar.  As one might expect, some of these services offer features that are not strictly related to password management; for example, some offer integrated VPNs or dark web monitoring in their paid plans [6].
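The health checks described in the two paragraphs above are simple to implement, and the one that matters most for privacy is the breach check: a vault should never send the service a full password hash.  The following is an added example, not code from LastPass or any product named on this page.  It audits a constructed vault for weak, reused, near-duplicate and breached entries, with the breach lookup done in the k-anonymity style used by public "pwned passwords" range services (the client sends only the first five hex characters of the SHA-1 hash and compares the rest locally).  The vault contents, the breach list and the thresholds are all constructed for the illustration, and the range service is simulated by an in-memory dictionary.

```python
import hashlib
from collections import defaultdict
from difflib import SequenceMatcher
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample vault for the example: made-up sites and passwords, not real credentials.
SAMPLE_VAULT = {
    "bank.example": "Tr0ub4dor&3",
    "shop.example": "Tr0ub4dor&3",                  # exact reuse of the bank password
    "forum.example": "Tr0ub4dor&4",                 # one character away from it
    "mail.example": "password1",                    # short, and present in the breach list below
    "git.example": "correct horse battery staple",  # long and unique
}

# Constructed breach corpus standing in for a leaked-password list.
CONSTRUCTED_BREACHED = ["password1", "123456", "qwerty", "letmein"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def build_range_index(breached: Iterable[str]) -> Dict[str, List[str]]:
    """Index breached passwords the way a k-anonymity range service does: keyed by the
    first five hex characters of SHA-1, each entry a "SUFFIX:COUNT" line."""
    index: Dict[str, List[str]] = defaultdict(list)
    for pw in breached:
        h = sha1_hex(pw)
        index[h[:5]].append(f"{h[5:]}:1")
    return index


def breach_count(password: str, range_lookup: Callable[[str], List[str]]) -> int:
    """The client sends only the 5-character prefix; the full hash is compared locally,
    so the service never learns which password was checked. Returns the breach count, 0 if clean."""
    h = sha1_hex(password)
    for line in range_lookup(h[:5]):
        suffix, count = line.split(":")
        if suffix == h[5:]:
            return int(count)
    return 0


def audit_vault(vault: Dict[str, str], range_lookup: Callable[[str], List[str]],
                min_length: int = 12, similarity_threshold: float = 0.8) -> Dict[str, List[str]]:
    """Return {site: sorted issue labels} for every entry with at least one finding."""
    findings: Dict[str, Set[str]] = defaultdict(set)
    by_password: Dict[str, List[str]] = defaultdict(list)

    for site, pw in vault.items():
        by_password[pw].append(site)
        if len(pw) < min_length:
            findings[site].add("weak")
        if breach_count(pw, range_lookup):
            findings[site].add("breached")

    # Exact reuse: the same password protecting more than one account.
    for pw, sites in by_password.items():
        if len(sites) > 1:
            for site in sites:
                findings[site].add("reused")

    # Near-duplicates: distinct passwords that differ by only a character or two.
    items = list(vault.items())
    for i, (site_a, pw_a) in enumerate(items):
        for site_b, pw_b in items[i + 1:]:
            if pw_a != pw_b and SequenceMatcher(None, pw_a, pw_b).ratio() >= similarity_threshold:
                findings[site_a].add("similar")
                findings[site_b].add("similar")

    return {site: sorted(issues) for site, issues in findings.items()}


def run_sample_audit() -> Dict[str, List[str]]:
    """Audit the constructed vault against the constructed breach index."""
    index = build_range_index(CONSTRUCTED_BREACHED)
    return audit_vault(SAMPLE_VAULT, lambda prefix: index.get(prefix, []))


if __name__ == "__main__":
    for site, issues in run_sample_audit().items():
        print(f"{site}: {', '.join(issues)}")
```

Swapping the in-memory `range_lookup` for an HTTP call to a real range endpoint is the only change needed to run this against live breach data, and because only the prefix leaves the machine the vault's secrets stay local either way.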

In general, password managers are regarded as tools people should be using.  As mentioned previously, they come with many advantages.  Primarily, they give users a place to store their passwords and account information, all of which can then be accessed with a single master password, ideally coupled with multifactor authentication.  The attractiveness of this grows as we acquire more and more online accounts.

On the other hand, there are a few reasons one might consider not using a password manager.  For example, users may not want to incur additional costs simply to manage their passwords.  Many password managers do have free and/or open-source versions, but cost is still something to consider.  Then there is the fact that setting up a password manager can be a laborious and time-consuming process.  In many cases these services can import and export information to and from a variety of places, but how smoothly that goes will be situation dependent.

Lastly, it is worth considering that should a breach give somebody full access to a vault, they will then have a single point from which to reach all of the user's accounts.  It is therefore important to stress to users of password managers that the master password should be long, unique to the vault, and never reused elsewhere, and that multifactor authentication should be enabled on the vault itself.

With all of this said, there are alternatives to simply settling on the idea of a password manager, but they may not be as elegant or user friendly.  For example, a person's set of accounts might be somewhat better compartmentalised if they use multiple email addresses to manage them.  This is quite easy with many email providers, like Gmail, since periods and plus signs can be used to quietly alias an address; the provider ignores the symbols when delivering mail.  Looking at the two examples "fakeemail" and "fake.email", mail sent to either will end up in the same inbox, yet they can be used to create two accounts in two different places.  The caveat is that this separation is shallow: the aliases all resolve to one inbox and one recovery path, anyone who knows the convention can map them back to the base address, and not every site accepts a plus sign in an email field.

In summary, password managers are pieces of software or online services that give users a place to store and organize their passwords for later use.  One of the more popular password managers, LastPass, recently reported a breach of its development environment.  A developer account was compromised, leading to a portion of source code and proprietary technical information being stolen.  There were no indications that user data or services were affected in any way.  Breach aside, this brings to mind some considerations regarding why password managers are used.  First and foremost, they give users a place to store their passwords and account information for easy access, but they often come with other useful features like password generation, which promotes the use of strong passwords, and password hygiene checking, which flags the same password being used for multiple accounts.

[1]: https://www.lastpass.com/security/zero-knowledge-security

[2]: https://www.bleepingcomputer.com/news/security/lastpass-developer-systems-hacked-to-steal-source-code/

[3]: https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/

[4]: https://www.lastpass.com/features/password-generator

[5]: https://keepass.info/

[6]: https://www.dashlane.com/plans

About Red Sky Alliance

Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice.  However, external threats are often overlooked and can represent an early warning of impending cyber-attacks.  Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.

Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
