This incident serves as an important reminder - no matter the size or strength of your organization, social engineering can overcome any security measure. With hackers becoming increasingly sophisticated in their tactics, it is essential for nonprofits to understand how such incidents arise so that they can take preventive steps against similar occurrences in the future.
In this blog post, we'll examine the details behind this incident and discuss key learnings from it that will help nonprofits protect their organizations from falling prey to malicious attacks.
The Details: What Happened and When
In August 2022, LastPass experienced a security breach in which some source code and technical information were stolen. Later in the year, the same bad actor used that stolen information to target a LastPass employee, steal the employee's credentials, and use them to gain access to customer data.
This allowed the bad actor to copy information from a LastPass backup of customer vault data that contained both unencrypted data (such as website URLs) and encrypted data such as usernames and passwords.
Most important to note: using LastPass as a password manager does not mean that all of your passwords are suddenly all over the dark web. The password data that was stolen was still encrypted, and is therefore still unusable in most cases. A bad actor has only two options for turning this stolen data into access to customer passwords and other encrypted data: brute force (guessing master passwords against the stolen vaults) or social engineering (phishing, baiting, etc.).
What This Means for LastPass Users
First, don’t panic. This is not the time to abandon password managers altogether. They still help users create long, random, and unique passwords for each account. But as with all cybersecurity measures, more layers make it more difficult to compromise your information.
The keys to your password kingdom lie in the strength of your master password and multi-factor authentication (MFA). The best thing you can do right now is to review your vault’s master password. Make sure it is long, complex, and not used for any other account. A great master password example could be !w@terMyPlants0n$undays. If it does not meet these standards, change it.
This recent breach highlights yet another reason multi-factor authentication is so important. If a potentially breached password is the only key needed to gain access to an account, MFA is the deadbolt and chain preventing the door from swinging open.
If you have not enabled MFA on your LastPass (and all of your major accounts) yet, do so immediately.
We also recommend changing the passwords on your most critical accounts, not just your LastPass master password. As part of the LastPass breach, account URLs and notes that were unencrypted were also stolen, and this gives reason to believe that accounts stored in LastPass are at risk of being targeted.
If a bad actor happened to have gained access to your password vault, which accounts would be the most damaging if exposed?
Begin with your email, financial systems, cloud applications, and social media, and work your way down in priority. And again, make sure multi-factor authentication is in place on these critical accounts, applications, or websites. Without those codes, push notifications, or biometric scans, it becomes increasingly difficult for attackers to gain access to your sensitive data.
What You Can Do to Protect Your Organization
The very first thing you need to do is change your LastPass master password. As always, follow these best practices when setting a password, especially one as important as your master password.
Once password best practices are being followed, MFA should be enforced.
Password best practices:
Every password you use should be at least 12 characters long. We like to use passphrases (for example, I walk my d0g 2 times a d@y) to make them easier to remember.
Never reuse passwords; each and every password you use should be unique.
If you are a LastPass Administrator for your organization:
Disallow master password reuse for anyone in your organization - your master password should be completely unique
Require employees to change their master passwords if they match another site’s login credentials
Require multi-factor authentication for all employees
Prohibit the saving of your master password
MFA should be enabled and required for all LastPass accounts
Require a PIN code for the mobile device app
Prohibit the ability to disable MFA via email
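A small local audit of a vault export against the rules above (12-character minimum, no reuse, and a master password that matches no stored login). This is an added example, not LastPass’s or this post’s own code; the CSV layout (url, username, password columns) and the entries are constructed for illustration.

```python
"""Audit a password-vault export against the post's password rules.

Added example, not LastPass's own tooling. The export format below is an
assumption: a CSV with url, username and password columns. All entries are
constructed sample data, not real credentials.
"""
import csv
import hashlib
import io
from collections import defaultdict

MIN_LENGTH = 12  # the post's 12-character minimum

# Constructed sample export; "Tr0ub4dor&3" is 11 characters and reused twice.
SAMPLE_EXPORT = """url,username,password
https://mail.example.org,alice,I walk my d0g 2 times a d@y
https://bank.example.com,alice,Tr0ub4dor&3
https://social.example.net,alice,Tr0ub4dor&3
https://cloud.example.io,alice,!w@terMyPlants0n$undays
"""


def load_entries(export_text):
    """Parse the (assumed) CSV export into (url, password) pairs."""
    return [(row["url"], row["password"])
            for row in csv.DictReader(io.StringIO(export_text))]


def fingerprint(secret):
    """Compare passwords by a truncated SHA-256 so findings carry no plaintext."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


def audit_vault(entries, master_password):
    """Return sites with short passwords, groups of sites sharing a password,
    and sites whose login password equals the master password."""
    findings = {"too_short": [], "reused": [], "master_reused_on": []}
    sites_by_fp = defaultdict(list)
    for url, password in entries:
        if len(password) < MIN_LENGTH:
            findings["too_short"].append(url)
        sites_by_fp[fingerprint(password)].append(url)
    for sites in sites_by_fp.values():
        if len(sites) > 1:
            findings["reused"].append(sorted(sites))
    # The admin rule: a master password must not match any stored login.
    findings["master_reused_on"] = sorted(
        sites_by_fp.get(fingerprint(master_password), []))
    return findings
```

Run it against a real export only on a trusted machine, and delete the export afterwards; the findings themselves contain site names but no passwords.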
This incident serves as a good reminder that even the strongest security systems can be bypassed through social engineering. The initial LastPass breach did not expose any customer data, but it did allow the bad actor to use the information gained to target a LastPass employee. It doesn’t matter how good a password is if your employee hands it over to an attacker.
One of the best ways to guard against social engineering attacks is to provide frequent and consistent cybersecurity training, to keep employees on guard and cautious.
The recent LastPass breach is a reminder of the importance of strong password protection and multi-factor authentication. It’s essential that users create long, random and unique passwords for each account they use, as well as enable two-factor authentication whenever possible.
For organizations using LastPass, it’s also important to enforce policies against master password reuse, require employees to change their master passwords if they match another site’s login credentials, prohibit storing the master password on mobile devices, and more. By following these best practices for creating secure passwords and implementing additional layers of security such as MFA, you can help protect yourself from the consequences of this breach in the future.