LastPass, the 800 lb gorilla of the password management space, has been breached (majorly). What does that mean for password management security? Well – I think it means that if you are a LastPass user, email security is now more important than ever.
Why bring up email security as a vector of concern after a password manager breach? Because the login username and email address of every LastPass account holder is now in the hands of a threat actor sophisticated enough to breach the #1 password management company's cloud databases, and you can bet they will be trying to phish the LastPass account credentials out of every user on that list.
It's likely that your master LastPass password and your vault data (the stored usernames and passwords for every site you keep in LastPass) were stolen in the breach, along with your LastPass username, email address and IP information. SCARY. However, unlike the cleartext username and email address used for login, your vault data and master password are protected by SHA-256 encryption and key derivation that make it incredibly difficult, time-intensive and computationally expensive for a bad actor to crack them.
What's the simple alternative? The bad actor will start routinely and relentlessly hammering email in an attempt to spoof and phish every user on that stolen list: clicking a link in a malicious email redirects the unsuspecting user to a spoofed site, where they unknowingly hand over account credentials to the same people who already hold their encrypted password and website data.
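To make the cracking-cost argument above concrete, here is an added example (not code from this post or from LastPass) that derives a vault key with PBKDF2-HMAC-SHA256 and estimates how the cost of offline guessing scales with the iteration count. Salting with the account email and the 100,100 iteration count are assumptions used for illustration, not values taken from the post.

```python
import hashlib
import time

# Assumed for illustration (not from the post): PBKDF2-HMAC-SHA256 salted with the
# account email, at 100,100 iterations per derivation.
ITERATIONS = 100_100


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Derive a 256-bit vault key from a master password with PBKDF2-HMAC-SHA256.

    The normalized email is the salt, so two users with the same master password get
    different keys and an attacker cannot reuse work across accounts.
    """
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def seconds_per_guess(iterations: int, email: str = "user@example.com") -> float:
    """Measure how long one derivation takes on this machine at the given iteration count."""
    start = time.perf_counter()
    derive_vault_key("benchmark-only", email, iterations)
    return time.perf_counter() - start


def expected_guess_time_seconds(guess_count: int, iterations: int, hmac_per_second: float) -> float:
    """Estimate the wall-clock cost of trying guess_count master passwords offline.

    Each guess costs `iterations` HMAC-SHA256 evaluations; hmac_per_second is the assumed
    throughput of the cracking rig. Cost grows linearly with both guesses and iterations.
    """
    return guess_count * iterations / hmac_per_second


if __name__ == "__main__":
    email = "alice@example.com"  # constructed sample account, not a real user
    key = derive_vault_key("correct horse battery staple", email)
    print("vault key:", key.hex())
    per_guess = seconds_per_guess(ITERATIONS, email)
    print(f"one guess at {ITERATIONS:,} iterations took {per_guess:.3f}s on this CPU")
    # Compare a low iteration count with the assumed default for a 10-billion-guess
    # budget at an assumed 1e9 HMAC-SHA256 evaluations per second.
    for it in (5_000, ITERATIONS):
        days = expected_guess_time_seconds(10**10, it, 1e9) / 86400
        print(f"{it:>7,} iterations -> {days:8.1f} days of work for 10 billion guesses")
```

The takeaway is that every extra iteration multiplies the attacker's work per guess, which is exactly why a stolen email list and a phishing campaign are the cheaper route.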
While it's probably a good idea to start randomizing and changing every password stored in LastPass – the bigger concern is whether you are doing everything you can to detect, block and mitigate email-borne attacks.
What can you do?
- Take a look at our email security assessment to determine whether your company maintains a good email security posture
- Look into your phishing susceptibility by taking a user awareness phishing test
- Ensure your company requires phishing-resistant MFA for all critical systems (email, password managers, bank accounts etc.)
- Update passwords and ensure no password is reused across systems (no two sites share the same password)
- Enroll email systems in an AI-based email security system that inspects, sandboxes and stops email threats, including phishing
- Enroll users in user awareness training and ensure all staff are equipped to detect and report malicious email
- Deploy web security (DNS protection) to enforce safe browsing and safe web link redirection when browsing in the office or remotely (from home etc.)
You can read more about this breach on LastPass’s blog: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/amp/