Introduction:
The LastPass breach that occurred in 2020 is worse than we were led to believe, according to a recent transcript on the topic. LastPass, a password manager, suffered a well-crafted phishing campaign that enabled attackers to access a development environment at LastPass and steal its source code. LastPass initially informed its users that no customer vaults were affected and that the breach was contained. However, in December 2020, LastPass released a press announcement with an update, revealing that attackers had used information from the August breach to run an even better-crafted phishing campaign, giving them access to a LastPass employee's credentials and eventually allowing them to steal a backup of all the data that LastPass stores.
Event Summary:
LastPass, a popular password manager, suffered a breach in 2020 that was worse than initially reported. Attackers gained access to a development environment at LastPass, allowing them to steal source code. LastPass reported that no customer vaults were affected and that the breach was contained. However, attackers used information from the August breach to run an even better-crafted phishing campaign, giving them access to an employee's credentials and eventually allowing them to steal a backup of all the data that LastPass stores. The stolen data included web URLs, usernames, and passwords, with the exception of the master password, which is encrypted and stored locally on the user's device.
Assessment:
The breach that occurred at LastPass is a significant security event that highlights the importance of companies being accountable for what happens with their users' data. The mishandling of the event by LastPass is concerning, and the attempts to separate the breach into two events are not ideal. LastPass is a great company, and its zero-knowledge architecture is impressive. However, the fact that LastPass encrypts only a portion of the vault rather than the entire vault is alarming. This approach to data storage and encryption enables attackers to craft better phishing campaigns, making it easier to guess users' passwords and usernames.
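To make the point about partial vault encryption concrete, the following is an added illustration, not LastPass's code or its actual storage format. It models a toy vault stored two ways: field-level encryption, where a field such as the URL is assumed to stay in plaintext, and whole-vault encryption, where one ciphertext covers every entry. An audit function then lists what a holder of a stolen backup can read without the master password. The entries, salt and master password are constructed for the example, the key derivation is PBKDF2-HMAC-SHA256, and because the Python standard library has no AES, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for an AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import json
import os

# Constructed sample vault: URLs, names and passwords are made up for this example.
SAMPLE_ENTRIES = [
    {"url": "https://bank.example/login", "username": "alice", "password": "correct horse battery"},
    {"url": "https://mail.example", "username": "alice@example.org", "password": "hunter2-but-longer"},
]

# Fields the partial scheme leaves in plaintext. An assumption for this
# demonstration, not a description of any vendor's real format.
PLAINTEXT_FIELDS = {"url"}


def derive_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Derive the vault key from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for an AEAD cipher (AES-GCM),
    which the standard library lacks. For illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key: bytes, plaintext: str) -> dict:
    """Encrypt-then-MAC one value into a JSON-friendly dict."""
    nonce = os.urandom(12)
    ct = _keystream_xor(key, nonce, plaintext.encode("utf-8"))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"sealed": True, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key: bytes, box: dict) -> str:
    """Verify the tag first, then decrypt; a wrong key or tampering raises ValueError."""
    nonce, ct = bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"])
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, bytes.fromhex(box["tag"])):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, ct).decode("utf-8")


def store_field_encrypted(entries: list, key: bytes) -> list:
    """Partial scheme: seal each secret field, leave PLAINTEXT_FIELDS readable."""
    return [
        {name: (value if name in PLAINTEXT_FIELDS else seal(key, value)) for name, value in entry.items()}
        for entry in entries
    ]


def store_whole_vault(entries: list, key: bytes) -> dict:
    """Whole-vault scheme: a single ciphertext covers every entry and every field."""
    return {"vault": seal(key, json.dumps(entries))}


def readable_without_key(stored) -> dict:
    """Audit a stored backup: collect every plaintext string readable without
    the master password, grouped by field name."""
    exposed = {}

    def walk(node, name):
        if isinstance(node, dict):
            if node.get("sealed") is True:
                return  # ciphertext: nothing readable here
            for k, v in node.items():
                walk(v, k)
        elif isinstance(node, list):
            for item in node:
                walk(item, name)
        elif isinstance(node, str):
            exposed.setdefault(name, []).append(node)

    walk(stored, "")
    return exposed


def decrypt_whole_vault(stored: dict, key: bytes) -> list:
    """Open a whole-vault backup with the correct key."""
    return json.loads(unseal(key, stored["vault"]))


def opens_with(stored: dict, key: bytes) -> bool:
    """True if the candidate key authenticates the whole-vault backup."""
    try:
        decrypt_whole_vault(stored, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = derive_key("constructed master password", b"constructed-salt")
    print("partial scheme exposes:", readable_without_key(store_field_encrypted(SAMPLE_ENTRIES, key)))
    print("whole-vault scheme exposes:", readable_without_key(store_whole_vault(SAMPLE_ENTRIES, key)))
```

Under the partial scheme the audit returns every URL even though no key was used, which is exactly the metadata that lets a thief tailor phishing to the sites a victim actually uses; under the whole-vault scheme it returns nothing, and a wrong master password fails the authentication check before any plaintext is produced.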
Conclusion:
The LastPass breach is a reminder that even the most secure companies are not immune to security breaches. The mishandling of the event by LastPass is concerning and underscores the importance of companies being accountable for what happens with their users' data. The fact that LastPass encrypts only a portion of the vault rather than the entire vault is alarming, and this approach to data storage and encryption enables attackers to craft better phishing campaigns. Users should consider moving away from LastPass and other password managers that do not encrypt the entire vault to ensure their data remains secure.