On November 30th, 2022, LastPass was hacked for a second time in 6 months. LastPass, with 25 million users, is one of the most popular password management solutions in the market. This article will discuss what happened, and how you can protect your organization from the potential ramifications of the LastPass hacks.
LastPass hacked again using information from the August 2022 hack
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.” Though LastPass assures customers that their stored passwords are safe, it is unclear at this point what was compromised.
The entry point for the hack was not disclosed. However, given that data from the August incident was used, the only assumption we can make is that there remained, or remains, an external access method that either has no multi-factor authentication (MFA), relies on SMS-based MFA, or involves at least one compromised MFA-enabled account.
What is Password Management?
A password manager is software that allows users to store, generate, and manage their passwords for local applications and online services. A password manager assists in generating and retrieving passwords, storing those passwords in an encrypted database, or calculating them on demand. The assumption is that, because users no longer have to remember their passwords, each password can be unique and more complex.
A password manager does not remove the necessity of utilizing MFA, but it theoretically reduces the risk associated with memory-based password management.
How to protect your organization from the LastPass hack
Regardless of whether you use LastPass, another password management solution, or no solution at all, it continues to be best practice to use non-SMS-based MFA on all systems.
If you are in a business setting, your IT department or IT firm “should” be applying best practices and requiring non-SMS-based MFA on all systems at a company level. Hopefully your IT department or IT firm is ISO 27001 certified and proactively addressing risks, of which the lack of MFA is just one.
If you are an individual user of LastPass, go through all your password-protected services and attempt to turn on MFA. Even SMS-based MFA will reduce your risk, but of course non-SMS-based MFA is your best option if available.
Though the LastPass hack is unfortunate, having such a public company be visibly breached serves as a lesson that the rest of us can apply to avoid being hacked ourselves.