I hope everyone is having a better start to the year than LastPass is currently having.
In case you missed the news during all the holiday festivities: LastPass, the most widely used cloud-based password manager, was hacked… again.
Here’s a quick recap of what happened with LastPass:
August 25, 2022
LastPass alerts users about “unusual activity” within the LastPass development environment. According to LastPass, hackers get away with “source code and some proprietary LastPass technical information”. But, it is nothing to worry about… says LastPass.
September 15, 2022
LastPass completes their analysis of the initial attack and assures customers that the incident is contained, that additional security controls have been put in place, and that “your personal data and passwords are safe in our care” (remember that one…).
November 30, 2022
LastPass alerts users about new unusual activity where an attacker, using information obtained from the previous attack, gets away with “certain elements of our customers' information”. LastPass assures customers that an investigation is pending.
December 22, 2022
In a blog update heavy with technical details and industry jargon, LastPass informs customers that the latest attacker got away with customer personal details, such as names, billing addresses, email addresses, telephone numbers, and IP addresses, AS WELL AS password vaults.
Yes, you read that right... The password management service devoted to keeping “your personal data and passwords” safe lost the passwords.
As should be expected, the cybersecurity industry is raking LastPass over the coals with this breach, but what exactly did LastPass do wrong? After all, LastPass has been very transparent throughout the incident. Isn't that enough?
We’d argue it isn’t, and we’ll share some takeaways of what LastPass could have done and what lessons organizations can apply to their own security and response plans.
5 Crucial Mistakes LastPass Made During The Data Breach:
1. Lack of apology
The biggest mistake is a simple lack of apology. Nowhere in LastPass's notifications or blog updates is there any sign of contrition. If you search for the words “sorry” or “apology” in their recent communications, you will get zero results.
2. Response delay
LastPass took around 3 weeks to investigate each incident. For an average company, that is a good response time. For a company dedicated to security, that is way too long.
3. Shifting Responsibility
LastPass makes a big deal of the claim that as long as customers chose strong master passwords, their password vaults won't be breached. That statement became an issue as soon as LastPass lost the vaults in the first place.
4. Losing Sight of the Big Picture
LastPass focuses on technical details in their updates. Very technical details. They talk about PBKDF2 and hashing iterations, zero-knowledge architecture and cracking technology. While all of that is great for truly random passwords, master passwords are rarely truly random values. A master password is designed to be memorized and typed. It might be a very long word or phrase, but it is still a word or phrase with a number or special character thrown in. These are guessable and predictable values. And out of 25.6 million users, many of those master passwords will be cracked in short order.
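To make the point above concrete, here is an added example (not code from the original post and not LastPass's own implementation) that derives a vault key with PBKDF2-HMAC-SHA256, times one derivation on the local machine, and then estimates how long an offline guesser would need for two kinds of master password: a memorable "word plus two digits plus a symbol" pattern and four randomly chosen words. The iteration counts, the 20,000-word and 7,776-word dictionaries, and the 32-symbol alphabet are constructed assumptions for illustration, not LastPass's settings.

```python
import hashlib
import math
import os
import time

# Illustrative work factors (constructed for this example, not LastPass's settings).
ITERATION_COUNTS = (5_000, 100_000, 600_000)


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation. The iteration count is the only tunable
    cost; how guessable the master password is lies outside the algorithm's control."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def seconds_per_derivation(iterations: int, trials: int = 3) -> float:
    """Best-of-N timing of one derivation on this machine, single CPU core.
    Offline guessing runs on GPUs and many cores, so this is a generous upper
    bound on what an attacker pays per guess, not an estimate of their speed."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_vault_key("timing-only", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def pattern_entropy_bits(words: int, dictionary_size: int,
                         digits: int = 0, symbols: int = 0) -> float:
    """Entropy of the 'memorable words, plus a number and a symbol' shape the
    post describes, assuming the guesser knows the shape and the word list.
    Symbols are modelled as drawn from 32 common keyboard characters (assumption)."""
    return (words * math.log2(dictionary_size)
            + digits * math.log2(10)
            + symbols * math.log2(32))


def expected_guesses(entropy_bits: float) -> float:
    """Average number of guesses to hit a value chosen uniformly from 2^H candidates."""
    return 2.0 ** entropy_bits / 2.0


def expected_crack_seconds(entropy_bits: float, seconds_per_guess: float) -> float:
    """Expected wall-clock time to recover one vault's master password."""
    return expected_guesses(entropy_bits) * seconds_per_guess


def iterations_to_reach(entropy_bits: float, target_seconds: float,
                        seconds_per_iteration: float) -> float:
    """How many PBKDF2 iterations would be needed for a password of the given
    entropy to take target_seconds on average, given the measured cost of one
    iteration. Shows that raising the work factor only scales cost linearly,
    while each extra bit of entropy doubles it."""
    return target_seconds / (expected_guesses(entropy_bits) * seconds_per_iteration)


if __name__ == "__main__":
    weak = pattern_entropy_bits(1, 20_000, digits=2, symbols=1)   # about 26 bits
    strong = pattern_entropy_bits(4, 7_776)                       # about 52 bits
    for iters in ITERATION_COUNTS:
        cost = seconds_per_derivation(iters)
        print(f"{iters:>7} iterations: {cost * 1000:.1f} ms per guess on this core")
        for label, bits in (("word+2digits+symbol", weak), ("4 random words", strong)):
            days = expected_crack_seconds(bits, cost) / 86_400
            print(f"    {label:<20} {bits:5.1f} bits -> {days:,.1f} days, single core")
    per_iter = seconds_per_derivation(ITERATION_COUNTS[0]) / ITERATION_COUNTS[0]
    print(f"iterations for the weak pattern to take a year on one core: "
          f"{iterations_to_reach(weak, 365 * 86_400, per_iter):,.0f}")
```

Run the script and the gap is visible immediately: the 26-bit pattern falls in minutes to hours on a single core regardless of iteration count, while the four-word passphrase, roughly 26 bits stronger, costs about 67 million times as many guesses. That is the argument the post is making: once the encrypted vaults are in an attacker's hands, iteration counts buy time only for master passwords that were close to random to begin with.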
5. Lack of Security
A security company should have its ducks in a row when it comes to security. Breaches happen, but a security company that claims to have added security, taken care of things and said “you can trust us”, and then had another breach a mere two months later, is clearly missing fundamentals.
As a result of these issues, security researchers are now discouraging people from using LastPass and actively discussing alternatives. Fortunately for us, LastPass's mistakes give us a lot of learning opportunities for our own response plans:
3 Security Lessons We Can Learn From The LastPass Breach:
1. Plan your response, especially when it comes to communication. Speak to your audience and be humble.
2. Be transparent and update regularly (three weeks is not regularly). A simple “investigation is still ongoing” message is a valid update, if necessary.
3. Take responsibility and be specific. If you want people to trust you, you have to earn it. Why didn't the new security controls you added catch the latest hack? What have you learned? What specifically are you doing now?
Ultimately, only time will tell if users stay with LastPass or whether this will be LastPass's last pass.