LastPass CEO Karim Toubba announced a new “security incident” yesterday which the company is currently investigating. Toubba says that LastPass detected unusual activity within a third-party cloud storage service that is shared with their affiliate GoTo.
Toubba goes on to say that they launched the investigation as soon as the activity was detected and brought in leading security firm Mandiant and also alerted law enforcement. The company says it has determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of customers’ information. They also stress that customer passwords remain safely encrypted, despite the incident.
LastPass says they are working to fully understand the scope of the breach as well as what information was stolen. Their services remain up and running, but the company recommends that users follow best practices when setting up and configuring the service. You can read more here.
Chad McDonald, Chief of Staff and CISO, Radiant Logic, weighed in on the announcement with these thoughts:
“We’ve seen today another hack of the credential wallet vendor, LastPass, which isn’t at all surprising. This isn’t an indictment of LastPass by any means, rather a criticism of the underlying problem that has driven vendors like LastPass to be very successful and effectively a staple both for home users and the enterprise. Any software, given enough time and effort, is crackable or hackable, and LastPass is certainly no exception. While LastPass’s Zero Knowledge strategy with regard to password encryption seems to have kept the attackers from accessing passwords, this didn’t keep them from apparently accessing source code. Attackers will always find a way to defeat security controls–always. Technology practitioners will work to harden code, applications and networks, but in the end, given time and resources, the attackers will get in.
One of the problems I see with simply continuing to harden the IT stack is that it fundamentally doesn’t acknowledge what is driving ongoing reliance on password wallets for so many people. IT sprawl and more specifically identity sprawl have driven most of us mad with the number of credentials we need to manage simply to get through our personal and professional lives every day. Assuming we’re trying to be good netizens, we’ll also try to juggle complex passwords and potentially multi-factor authentication. This additional complexity exacerbates the identity problem. We’re effectively left with no choice other than to archive our credentials in a wallet like LastPass or, god forbid, a notebook somewhere. (Please tell me you aren’t keeping your passwords on the bottom of your keyboard.)
On a personal level, it isn’t realistic to expect a home user to implement an IAM strategy. The enterprise, however, should have an IAM strategy that limits identity sprawl, provides adequate credential security, and limits the need for its users to manage countless sets of credentials in the workplace. Corporations really do themselves and their users a disservice when they continue to push down responsibility for broad credential management to staff. It’s really a recipe for disaster. Consolidation, protection, and effective management of identities and credentials by the enterprise drives internal productivity, deflects Helpdesk calls, and reduces friction on staff that should be focused on their core responsibilities, rather than tracking down their 14th set of credentials and a 20 character password to log in to the CRM system.
While LastPass was the latest victim here, it won’t be the last. I expect that the organization will recover quickly and again work to harden processes and code, but I think the enterprise should do its part as well. Let’s focus on our own IAM strategies so that we can ideally be a bit less reliant on credential wallets in the first place.”
Last Updated on December 1, 2022.