Our federal government has repeatedly pointed to data breaches as a serious matter of national security, given the wide-ranging impacts attacks can have on our shared infrastructure, private companies, and individual consumers. Despite increased attention on cybersecurity and dollars allocated to preventing data breaches, the number and intensity of these attacks continues to grow. As Joy LeePree Anderson writes in this article for Security Magazine, “Global cyberattacks increased 38% in 2022.” Even companies we trust to secure our data–like password managers–are not immune. To this point, LastPass suffered a series of breaches last year–leaving both the company’s proprietary information and customer data exposed. These recent cybersecurity breaches serve as a stark reminder that criminals not only target sensitive customer information but also seek to pilfer valuable intellectual property and trade secrets from the organizations they infiltrate. In this article, we explore the extent of these breaches, the company’s response, and the measures users can take to protect themselves as cyber threats continue to evolve. Read on to learn more.
What is LastPass and What Kind of Data Does it Collect?
Before we explore the extent of, response to, and ongoing impacts of this latest series of cybersecurity breaches at LastPass, let’s talk a bit about what the company does and the data it collects. LastPass is a cybersecurity company specializing in providing password management and secure login solutions.
Its primary product is a password manager that helps individuals and businesses securely store, organize, and manage their passwords and login credentials for various online accounts and services. LastPass allows users to create and store unique, complex passwords for each account.
Users must only remember a single strong master password to access their LastPass vault. LastPass automatically fills login credentials for websites and apps so users no longer need to manually enter their usernames or passwords.
How Does LastPass Protect Customer Data?
To protect customer accounts, LastPass supports multi-factor authentication (MFA) for an additional layer of security. This is valuable because even if a hacker gains access to your master password, they still cannot log in without the second factor.
LastPass uses a zero-knowledge model–meaning the company does not actually know customer passwords or store them on its servers. The fact that LastPass does not keep these master passwords is significant given the extent of recent breaches.
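To make the zero-knowledge model concrete, here is an added, self-contained illustration (not LastPass's code; the scheme, key-derivation parameters and sample values are assumptions) of how a client-side vault design keeps the master password off the server: the key is stretched from the master password on the client, the vault is encrypted there, and the server stores only an opaque ciphertext blob plus a separately derived login hash. The walkthrough at the end returns what a copy of the server's storage would and would not give an attacker.

```python
# Added illustration of a zero-knowledge password-vault design: key derivation,
# vault encryption and login all happen on the client; the server only ever
# stores a ciphertext blob and a separate login hash. Constructed example,
# not LastPass's code; the scheme and parameters are assumptions.
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor (OWASP's 2023 guidance for PBKDF2-HMAC-SHA256)


def derive_vault_key(master_password: str, email: str, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Client side: stretch the master password into the vault encryption key.
    The lower-cased e-mail address serves as a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one further PBKDF2 round turns the vault key into the value
    sent at login. Knowing this hash does not yield the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def _subkeys(vault_key: bytes):
    """Separate encryption and MAC keys derived from the vault key."""
    enc_key = hmac.new(vault_key, b"vault-enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"vault-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (an assumption
    made to stay dependency-free; a real product would use AES-GCM or similar)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or any tampered byte is rejected."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault integrity check failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class VaultServer:
    """What the service stores per user: the login hash and the opaque blob.
    Neither the master password nor the vault key ever reaches this class."""

    def __init__(self):
        self._users = {}

    def register(self, email: str, auth_hash: bytes, blob: bytes) -> None:
        # Store a salted hash of the auth hash, as with any other password.
        salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 100_000, dklen=32)
        self._users[email.lower()] = {"salt": salt, "auth": stored, "blob": blob}

    def login(self, email: str, auth_hash: bytes):
        """Return the encrypted blob on success, None otherwise."""
        rec = self._users.get(email.lower())
        if rec is None:
            return None
        probe = hashlib.pbkdf2_hmac("sha256", auth_hash, rec["salt"], 100_000, dklen=32)
        return rec["blob"] if hmac.compare_digest(probe, rec["auth"]) else None

    def breach_dump(self, email: str) -> dict:
        """Everything an attacker who copies the server's storage obtains."""
        return dict(self._users[email.lower()])


def walkthrough(master_password="correct horse battery staple",
                email="alice@example.com",
                vault_plaintext=b'{"example.com": "s3cr3t-password"}') -> dict:
    """Round trip with constructed sample values; returns facts to check."""
    key = derive_vault_key(master_password, email)
    auth = derive_auth_hash(key, master_password)
    server = VaultServer()
    server.register(email, auth, encrypt_vault(key, vault_plaintext))

    blob = server.login(email, auth)
    recovered = decrypt_vault(key, blob)

    dump = server.breach_dump(email)
    try:  # the stolen auth hash is not the vault key, so it cannot open the blob
        decrypt_vault(auth, dump["blob"])
        auth_hash_opens_vault = True
    except ValueError:
        auth_hash_opens_vault = False

    wrong_key = derive_vault_key("wrong password", email)
    return {
        "login_ok": blob is not None,
        "round_trip_ok": recovered == vault_plaintext,
        "plaintext_on_server": vault_plaintext in dump["blob"],
        "auth_hash_opens_vault": auth_hash_opens_vault,
        "wrong_password_logs_in": server.login(email, derive_auth_hash(wrong_key, "wrong password")) is not None,
    }
```

The point the walkthrough makes is the one the paragraph above relies on: a copy of the server's storage yields a ciphertext blob and a login hash, and neither reveals the master password or the vault key. What such a copy does give an attacker is the ability to guess master passwords offline against the blob, which is why the work factor and the strength of the master password still matter.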
A Six-Month Cyber Breach Saga: What Happened to LastPass?
Over the course of six months in 2022, hackers accessed a variety of LastPass user data and proprietary LastPass technical information. They gained access to both encrypted and unencrypted data. Recent LastPass cybersecurity breaches are a reminder to companies that hackers not only steal personally identifiable information from customers but also intellectual property and trade secrets from the business itself.
As reporter Matt Kapko writes in this article for Cybersecurity Drive, the hacker who compromised LastPass’s cloud storage in August 2022 “stole source code, proprietary technical documentation and some of the company’s internal system secrets.” Hackers were initially able to gain access to the company’s cloud storage service by targeting the home computers of engineers associated with LastPass.
During the second incident of 2022, hackers stole customer data from LastPass. Secondary decryption keys needed by the hackers were also taken – meaning that they had further access to LastPass user data that would otherwise be protected by multifactor authentication protocols.
LastPass and its parent company GoTo quickly engaged the cybersecurity firm Mandiant to investigate the source and extent of these breaches, but the company was unable to stop the attackers from continuing to exfiltrate data from its systems. The first breach occurred in August, but customers were not notified that their data had been compromised until November 2022.
We delve deeper into the extent of these incidents and the company’s response below.
Questions You Might Have About the 2022-2023 Data Breaches at LastPass
As we note in this post on our blog, honesty is key if companies want to retain or recover consumer loyalty after a cybersecurity incident occurs. Companies that respond to breaches immediately and swiftly inform consumers about the extent of those breaches generally suffer less reputational damage than companies that try to hide these incidents.
In this section, we answer questions consumers might have about LastPass’s response to recent data breaches. Did LastPass inform consumers immediately after their customer vault data was compromised? Which measures has the company taken? Let’s get into it.
When Did LastPass Initially Learn of the Security Breach?
LastPass says it first learned of a security breach on August 12, 2022. It noted that the breach originated from a compromised developer account but claimed that encrypted password vaults were not accessed.
Later that month, LastPass’s CEO announced that the breach was resolved and no further leaks would occur. Unfortunately, the threat actor was able to continue transferring and copying data from LastPass’s network to an external location under their control well into October of last year. In December, the company acknowledged that the hackers had gained access to customer vault backups stored by LastPass.
In January of this year, LastPass’s parent company admitted that their systems had also been infiltrated. After investigating the breaches, LastPass and their auditors concluded that all of these incidents were part of the same coordinated attack. To this day, neither LastPass nor cybersecurity company Mandiant has determined the identities or motives of these attackers.
When Did LastPass Notify Customers of the Breach?
While LastPass learned of the breaches in August 2022, they did not notify customers that their data had been compromised until November of that year. In December, the company admitted that hackers had accessed personally identifiable customer data – including home addresses, telephone numbers, and usernames. LastPass later released two security bulletins – one aimed at LastPass customers and another at businesses – to help educate users about the breach and steps they can take to protect themselves in the future.
How Did LastPass Respond to the Breaches?
LastPass Hired Cybersecurity Firm Mandiant to Investigate
Shortly after the first two breaches of 2022, LastPass reached out to Mandiant – a cybersecurity company known for its expertise in cybersecurity threat intelligence, incident response, and security consulting services. The firm has helped a number of companies respond to high-profile data breaches.
For example, Mandiant played a significant role in investigating and responding to the massive data breach at Target, which compromised credit and debit card information of approximately 40 million customers. The breach was a watershed moment in cybersecurity awareness and led to increased scrutiny of retail cybersecurity. Mandiant also assisted Anthem–one of the largest health insurance companies in the United States–after it suffered a breach that exposed the personal and healthcare information of nearly 79 million individuals.
Following the Equifax data breach–where the personal information of approximately 147 million consumers was compromised–Mandiant was brought in to conduct a forensic investigation into the incident. The US government would later conduct its own investigation and levy significant fines against the credit reporting agency.
LastPass Conducted a Review of Their Current Cybersecurity Policies
After a cybersecurity breach, companies typically undertake a thorough review and revision of their cybersecurity policies and practices to strengthen their security posture and mitigate future risks. LastPass is no different. The first step is a comprehensive assessment of the breach itself.
This involves determining the nature and extent of the breach, identifying the specific vulnerabilities or weaknesses that were exploited, and understanding the tactics, techniques, and procedures (TTPs) used by the attackers. Forensic analysis is conducted to trace the breach’s origins and identify compromised systems and data. In this case, Mandiant spearheaded the investigation and analysis of LastPass’s 2022 breaches.
Once the breach’s details are understood, the company that was attacked reviews its existing cybersecurity policies and procedures. This typically includes examining access controls, authentication mechanisms, data handling and encryption practices, incident response plans, and employee training protocols.
Based on their findings, the company then enhances its cybersecurity policies and practices. In this letter, CEO Karim Toubba writes that the LastPass security team “incorporated changes to restrict access and privilege” after completing their assessment of existing protocols. It’s essential that companies like LastPass then educate employees on recent changes and the importance of adhering to them.
LastPass Formed a New Leadership Team and Promised Financial Investment in Cybersecurity
In addition to strengthening its security systems, LastPass also formed a new leadership team and promised ongoing financial investment in cutting-edge cybersecurity measures. This leadership team includes Terry Murphy, Abby Miller, Lora Rodstein, and other experienced professionals with extensive knowledge of this industry.
Their role will be to improve LastPass’s internal culture while delivering greater value to consumers. As Toubba notes in the aforementioned letter, this leadership team has already “begun to scope out longer-term architectural initiatives to help drive [their] platform evolution across LastPass.”
What Can We Learn from the LastPass Data Breaches?
In an article for Forbes, Straight Talking Cyber Co-Founder Davey Winder acknowledges LastPass’s wide-ranging improvements to its storage and access controls, but questions why it took a data breach for the company to secure its data. If companies we trust to secure our data do not do so adequately until a highly publicized breach occurs, where does that leave us? How can we better protect ourselves from identity theft, financial loss, and other consequences associated with data breaches? Here’s what consumers should take away from the LastPass data breaches.
Our Data is Vulnerable and We Must Personally Protect It
Breaches remind consumers that even well-established companies with robust security measures can be vulnerable to cyberattacks. It underscores the need for individuals to take personal responsibility for their data security and not solely rely on organizations to protect their information.
Protecting Personally Identifiable Data Starts with Limiting Who We Let Access that Data
Consumers should be cautious about sharing personal information online and should limit the data they provide to companies whenever possible. Being selective about the information shared reduces the potential impact of a breach.
Consumers Must Monitor All of Their Accounts–Even if They Never Shared Passwords or Usernames
Breaches often involve the compromise of user credentials. Consumers should use strong, unique passwords for each account and enable multi-factor authentication wherever available to add an extra layer of security. However, excellent password hygiene is not always enough to protect our data.
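The second factor recommended here, and described earlier in the section on how LastPass protects customer data, is typically a time-based one-time code. The following added example (not LastPass's code; the verifier structure and sample secret are assumptions, and the secret is the RFC 6238 test-vector key) implements an RFC 6238 TOTP verifier with a tolerance window and replay protection, and a login check that refuses access when the master password is correct but the code is not.

```python
# Added illustration of the second factor the text describes: an RFC 6238
# TOTP verifier and a login that requires both factors. Constructed example,
# not LastPass's code; the server-side check structure is an assumption.
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


class SecondFactorVerifier:
    """Server side: accepts a code within +/- window time steps of the current
    time and never accepts the same (or an older) time step twice."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_accepted_step = -1

    def verify(self, code: str, at_time: float = None) -> bool:
        now = time.time() if at_time is None else at_time
        current = int(now) // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue  # already consumed, or older than the last accepted code
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


def login(password_ok: bool, verifier: SecondFactorVerifier, code: str, at_time: float = None) -> bool:
    """Both factors must pass: a stolen master password alone does not log in."""
    if not password_ok:
        return False
    return verifier.verify(code, at_time)


if __name__ == "__main__":
    # RFC 6238 Appendix B test key (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    verifier = SecondFactorVerifier(secret)
    print("code at t=59:", totp(secret, 59))                 # 287082
    print("password only:", login(True, verifier, "000000", 59))
    print("both factors:", login(True, verifier, "287082", 59))
    print("replayed code:", login(True, verifier, "287082", 59))
```

The replay rule is the part that matters operationally: a code that has been observed once (for example, phished along with the master password) must not be usable a second time, so the verifier remembers the last accepted time step and rejects anything at or before it.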
Consumers should regularly monitor their financial and online accounts for any suspicious activity. Detecting and reporting unusual transactions or access attempts promptly can help mitigate damage in case of a breach.
Never Open Links You Don’t Recognize, and Educate Employees to Do the Same
Being cautious of unsolicited emails, messages, or links, and avoiding clicking on suspicious attachments or links is crucial. Cybercriminals often use such phishing strategies to trick individuals into revealing sensitive information.
If you are a business owner, educating employees about the risks of opening unsolicited messages is absolutely essential. Be sure to update employees about emerging attack strategies regularly, too.
Data Security Requires Regular Updates and Backups
Regularly backing up important data and files can help consumers recover from data loss resulting from a breach or other incidents. Cloud storage or external backups are viable options to ensure data resilience.
Keeping devices and software up to date is also essential, so try not to ignore those software updates. Updates usually include security patches that address vulnerabilities the vendor learned about after initially releasing the product. Neglecting updates can leave devices exposed to exploitation.
In addition, consumers and corporations should equip their devices with additional security measures like pre-boot authentication (PBA). PBA requires the user to authenticate before the operating system even loads, so an unauthorized user–like a criminal trying to steal your data–cannot see the drive or any of its data.
By practicing excellent cyber hygiene, remaining vigilant, and reporting signs of a data breach immediately, corporations and consumers can better protect themselves from criminal attacks. To make your data security systems more resilient, reach out to an expert who can advise you on best practices and the latest solutions.