
Data Privacy Alert: What Happens When a Password Vault Is Breached?

February 3, 2023


Learn about the data breaches at password vault company LastPass that potentially compromised millions of user passwords and accounts.

Overview


This data breach incident began in August 2022, when a criminal gained access to the company’s development environment and stole source code and technical information that was later used to target an employee. The attacker eventually obtained credentials and keys that provided access to LastPass’s third-party cloud storage service in November 2022, and with it access to customer information. These incidents are not the first time LastPass has had a cybersecurity issue.

Initially, LastPass (and its parent company GoTo) stated they would be investigating the incident, but didn’t know what data had been accessed or whether the data had been exfiltrated. In an updated blog post published just before Christmas, LastPass notified users that the hacker had copied a backup of customer vault data that includes encrypted usernames, passwords, and form-fill data (which is often highly valuable PII). The statement further explained, “There is no evidence that any unencrypted credit card data was accessed,” which, of course, is very different from saying “No unencrypted credit card data was accessed.”

While individual users “unlock” their passwords with a master password (LastPass’s term, not ours) that is not stored on LastPass’s servers, it is possible for criminals who hold a copy of the encrypted vault data to guess master passwords offline by brute force and decrypt it. Given how frequently passwords are re-used and how many compromised passwords circulate on the dark web, brute force may not even be necessary.

Who It Applies to

With 33 million business and private users, each storing tens or hundreds of passwords, the LastPass breach applies to a large population of users. The risks of phishing, social engineering, or other types of attacks against users are magnified in this frightening example of the network effect at work. At a minimum, LastPass users should change their master password to a unique, difficult-to-guess (primarily meaning long) password or passphrase. Other measures advised in various sources include everything from changing individual website passwords to adopting two-factor authentication and even choosing a new password vault solution.
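To make the two points above concrete (a stolen encrypted vault can only be opened by reproducing the key derivation from a correct master-password guess, so the password’s length and the key-derivation cost are the only defenses left; and a re-used, already-leaked password needs no brute force at all), here is an added example that is not from the original alert or from LastPass. The iteration count, salt, and leaked-password list are constructed assumptions; the page does not state LastPass’s actual key-derivation settings.

```python
import hashlib
import os
import time

# Assumed parameters: the page does not state LastPass's real KDF or iteration count.
PBKDF2_ITERATIONS = 600_000          # assumed iteration count for PBKDF2-HMAC-SHA256
VAULT_SALT = os.urandom(16)          # constructed per-vault salt

# Constructed stand-in for a list of previously leaked passwords (not real breach data).
CONSTRUCTED_LEAKED_PASSWORDS = {"password123", "Summer2022!", "letmein", "qwerty1234"}


def derive_vault_key(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive the vault encryption key from the master password.

    Only this derived key, never the master password itself, unlocks the vault, so a stolen
    encrypted backup can only be opened by repeating this derivation from a correct guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def seconds_per_guess(iterations: int = PBKDF2_ITERATIONS, samples: int = 3) -> float:
    """Time one key derivation on this machine: the floor cost of a single offline guess.
    Dedicated GPU hardware is far faster, so treat this as a lower bound on attacker speed."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-sample-only", VAULT_SALT, iterations)
    return (time.perf_counter() - start) / samples


def guesses_needed(master_password: str, charset_size: int, leaked: set = CONSTRUCTED_LEAKED_PASSWORDS) -> float:
    """Expected guesses: one if the password is already in a leaked list (brute force is
    then unnecessary), otherwise half the search space for a password whose characters are
    drawn uniformly from the charset. Passphrases built from dictionary words have less
    entropy than this formula credits them with, so treat the estimate as an upper bound."""
    if master_password in leaked:
        return 1.0
    return charset_size ** len(master_password) / 2


def expected_crack_years(master_password: str, charset_size: int, secs_per_guess: float) -> float:
    """Expected wall-clock years for an attacker making one guess at a time."""
    return guesses_needed(master_password, charset_size) * secs_per_guess / (365 * 24 * 3600)


if __name__ == "__main__":
    cost = seconds_per_guess()
    print(f"one PBKDF2 guess at {PBKDF2_ITERATIONS:,} iterations: {cost:.3f} s")
    # 95 printable ASCII characters; the first password is in the constructed leaked list.
    for pw in ("Summer2022!", "xK9#pL", "gT4$wq!9ZmLp", "correct-horse-battery-staple"):
        print(f"{pw!r:32} expected years: {expected_crack_years(pw, 95, cost):.3g}")
```

Raising the iteration count multiplies the attacker’s cost per guess, while each extra character multiplies the number of guesses, which is why the advice above stresses length first.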

Expert Analysis from Amalia Barthel, CIPM, CIPT, University of Toronto

We have seen in the past how important the security and privacy of personal information are for the livelihood of a business, such as when WhatsApp users jumped over to Signal. When that information includes one’s password “vault,” the risks of financial harm, impersonation, and even identity fraud are both very high and very obvious. Two key problems resurface with every breach of this nature:

  • Average users often have multiple online accounts using the same password, even in a password vault.
  • Organizations must secure development environments and train their developers to develop secure code.

Important banking or government account passwords should not be kept in a vault, particularly when the digital vault does not have multifactor authentication. Other accounts can use vault-generated long passwords that are unique and difficult to guess.

In the absence of a reputable and independent security audit, organizations that rely on third-party vendors need to include in their Vendor Security Assessments questions regarding the development environment, secure code review processes, and dev environment access controls. After all, they are directly affected by the third-party providers’ ability to respond promptly to and minimize the impact of data breaches.

Data Privacy Tip

Organizations need to classify and categorize their vendors based on the risk they may pose to the organization, especially those processing or holding sensitive PII. Learn some tips on how to evaluate your risk exposure from third-party service providers in Exterro’s Basics of Data Privacy.
