A cybersecurity breach at password manager, LastPass, left companies in the firing line of hackers. The effects of that breach will still be felt in the months, perhaps years, to come, which is why companies which use LastPass need to take certain steps to protect their business and staff. David Ballard, Director at Performance Networks, said there are changes that can be made now to make sure you’re as protected as possible.
Worldwide, LastPass manages the blueprint for the digital lives of approximately 25 million people. That number is made up of individuals, but businesses and brands of all shapes and sizes. Last year, the password manager suffered a cybersecurity breach. Now, it has been revealed that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers.
The news itself was seismic, one that lays bare how serious the cybersecurity threat is in 2023 – that one of the biggest websites for managing our passwords and protecting our most vital information online was compromised, leaving all of its users exposed.
It’s just the latest high profile example that shows no business is safe from the growing cybersecurity threat, with LastPass joining an extensive list of companies that includes Royal Mail, Meta, Samsung and even Apple to have endured online breaches.
We will not see the true outcome of LastPass’ breach for perhaps months or even years to come. But if you are someone or a business that has been affected, there are changes that can be made now to make sure you’re as protected as possible.
First of all, what happened to LastPass?
In August 2022, LastPass experienced a major cybersecurity breach, involving the unauthorised access of sensitive user data, including passwords, email addresses and other personal data.
However, the true outcome of that breach wasn’t seen until December – just a couple of days before Christmas – when LastPass revealed that, as the result of that breach, there was another breach in November and hackers had gotten their hands on users’ password vaults.
The timing caused a lot of issues. Many individuals and businesses had already finished for Christmas, leaving them very little time to react.
There is a historical element to consider here as well, namely LastPass’ background with password iterations (how many times they reiterate the hashes on them).
Older users of the platform have very few iterations. Rather than going through and fully ensuring that every user had the right amount of hashes, that hasn’t been done, leaving those older users more exposed and their data more vulnerable.
In short, it will take far less brute force to crack an account with fewer password iterations. And as we headed into 2023, it was just the master password that was preventing hackers from gleaning all of their data.
This isn’t just about LastPass. Again, what this breach shows is that nothing is hack-proof. Similar password management platforms will need to be wary because they’ve got a huge target on their back as a result of this, because of the mountain of data they hold.
What action can businesses take now to ensure they’re as protected as possible?
The first thing to make crystal clear is that changing the master password on your LastPass account – and to the recommended best practice standard – is simply not enough.
As a result of that breach, those hackers now have access to all of your vaults, so to speak. Every detail that you or your business had in there is still at risk.
However, there are some key actions that can be taken now to mitigate the risk:
- Implement two-factor or multi-factor authentication
This is the most important first step to take and will need to be implemented across every website or platform that doesn’t currently have either 2FA or MFA.
Essentially, this acts as another layer of protection, which usually comes in the form of a randomly generated code that is sent to a designated phone number by text or via a specific app. It’s also necessary for companies to be thinking about the endpoint, where that information is stored.
Having that in place means a hacker will need to have access to a personal phone or that installed app if they do crack your password.
- Change your email password
This will need to be prioritised above and beyond every other saved website in your vault, because your email account, itself, is another treasure trove of information.
If a hacker has got access to your email and the password you have saved on a platform like LastPass, that hacker has got the keys to your kingdom. When we reset a password, the link is sent directly to our email addresses, so hackers will be able to change it to whatever they want, locking you out and giving them free rein to all of your important websites.
It is also worth clarifying that 2FA or MFA will need to be applied to this, too.
- Work to a priority list and change all of the passwords to all of your websites
This is a time-consuming tip but one that is totally necessary if you are to avoid being stung further down the line.
All the passwords will need to be changed, in line with best practice recommendations and have them randomly generated. That is a huge job, especially for those businesses that have got hundreds of users using LastPass, so the best solution is to create a priority list and work through it as quickly as possible.
Just like your business, there will be areas of that data that hackers will prioritise – the low-hanging fruit and easy opportunities.
In terms of priorities, focus on the websites that are critical to business function, starting with your banking and government platforms and moving down the list to the accounts you have on the website that are critical to performance, which will differ from company to company.
- Be aware that all of your URL lists were unencrypted!
As a result of this, the recent breach on LastPass means that hackers have knowledge of what websites users were accessing.
This will no doubt lead to cyberattacks, like phishing and smishing, so it’s important LastPass users are wary of the communications coming their way and exercise caution. Things may not always be what they seem - Decide whether you want to stay with LastPass
Last, but by no means least, this is the biggest decision users of LastPass will need to make as part of their IT strategy in 2023.
As painful as moving to a new password management website is, LastPass has got to regain customer confidence. Anyone who is educated on this space – the topic of cybersecurity – will have serious concerns about what happened and will need reassurances over how LastPass is both managing the current situation but also reassuring them that it won’t happen again.
It’s not an easy decision to make. The cost of change is high, and this isn’t something any business wanted to have hanging over their heads when they walked back into 2023.
And I’m sure those steps are being taken by LastPass to rectify the situation. However, as we alluded to earlier, the ramifications of this breach are not over and we will not really know the true extent of it for a while yet.
Final thoughts
The breach on LastPass has happened and customer data has been taken. That’s a fact – a potentially scary one that cannot be changed.
What individuals and businesses can do, though, is take action now to ensure they’re as protected as possible when the consequences of this cyberattack take shape and come to light.
While it is a timely exercise to make the changes outlined, it is a necessary one. Because if the hackers behind the LastPass breach manage to get the keys to the kingdom, there is no telling how much damage they could do to your personal life or the company that you have built up.
Click below to share this article