LastPass: When the Password Manager Gets Owned 

The LastPass hack currently generating media attention is distressingly common. We’re told that an “unauthorized party” was somehow able to appropriate source code and proprietary technical information from password management company LastPass. It’s suspected—but as of yet not definitively known—that development servers were breached, perhaps by an internal account being compromised. The company seems to have contained the breach and rightfully deserves praise for transparency in its disclosure.

That said, this incident deserves all the attention it’s getting and perhaps it deserves even more.

First, LastPass is not only a password manager but one of the world’s largest in its field, with some 25 million users. The company’s core mission is to ease and enhance security. The fact that it’s been breached is not just a meta moment; it’s a clear signal of potentially more significant dangers down the road. 

While we all remember the massive breach of technology provider SolarWinds, it was not one of a kind: There were already severe attacks on the software supply chain, and the numbers have spiked since that attack. Despite the abundance of low-hanging fruit—cybercriminals will always prioritize easier targets—we’re seeing an increased willingness to delay immediate gratification in favor of a long-term, potentially more lucrative reward. That’s why the hit on LastPass may signify more severe things to come. 

From what we know, it appears that user passwords are not at risk. This is a good thing. But that’s not the only thing we don’t know for sure. 

In particular, what deserves far more attention is that at least some of the company’s intellectual property is presumably in the hands of bad actors. If sophisticated thieves access the LastPass software code, will they examine it for vulnerabilities? If any are found, will that lead to direct attacks on user passwords?

In other words, the problem isn’t just what happened, it’s what might yet happen. 

For the record, while this episode is troubling, I recommend that users continue using password managers, including LastPass. The value far outweighs the known risks. However, simply shrugging our shoulders and moving on isn’t enough. 

If you’re a LastPass customer, you should:

  • Ensure that your LastPass accounts have multifactor authentication (MFA) enabled
  • Monitor communications from LastPass closely for any developments and
  • For sensitive accounts stored in LastPass—such as those related to financial information, health care records and crypto—rotate passwords immediately and ensure MFA is enabled on those accounts.
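As an added illustration of the rotation advice above and of the credential-reuse problem raised later in the post (example code, not from the post or from LastPass), the script below triages a vault export: it assumes a generic CSV export with url,username,password,name,grouping columns and keyword-based category labels, flags entries in the financial, health care and crypto categories, detects passwords shared across entries, and orders them for rotation.

```python
import csv
import io
from collections import defaultdict

# Constructed sample vault export for this example. The CSV columns and the
# category labels are assumptions, not LastPass's actual export format.
SAMPLE_EXPORT = """url,username,password,name,grouping
https://bank.example,alice,Hunter2!2021,Main bank,Finance
https://broker.example,alice,Hunter2!2021,Brokerage,Finance
https://clinic.example,alice,Hunter2!2021,Patient portal,Health
https://exchange.example,alice,xK9#pL2@qW7,Crypto exchange,Crypto
https://forum.example,alice,forumpass,Hobby forum,Misc
"""

# Folder/name/URL keywords for the sensitive classes the post singles out
# (financial, health care, crypto). These labels are assumptions.
SENSITIVE_KEYWORDS = ("finance", "bank", "broker", "health", "clinic",
                      "medical", "crypto", "wallet", "exchange")

def parse_export(text):
    """Parse a CSV vault export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def is_sensitive(row):
    """True if the entry's folder, name or URL matches a sensitive keyword."""
    haystack = " ".join((row.get("grouping", ""), row.get("name", ""),
                         row.get("url", ""))).lower()
    return any(word in haystack for word in SENSITIVE_KEYWORDS)

def rotation_plan(rows):
    """Entries to rotate first, highest priority first: sensitive category
    and/or password shared with another entry (reuse widens the blast radius
    of any single site compromise)."""
    shared = defaultdict(list)
    for row in rows:
        shared[row["password"]].append(row["name"])
    plan = []
    for row in rows:
        reasons = []
        if is_sensitive(row):
            reasons.append("sensitive category")
        if len(shared[row["password"]]) > 1:
            reasons.append("password reused across %d entries" % len(shared[row["password"]]))
        if reasons:
            plan.append({"name": row["name"], "priority": len(reasons), "reasons": reasons})
    return sorted(plan, key=lambda e: -e["priority"])  # stable: ties keep vault order

if __name__ == "__main__":
    for entry in rotation_plan(parse_export(SAMPLE_EXPORT)):
        print(entry["priority"], entry["name"], "; ".join(entry["reasons"]))
```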

Thinking more broadly, let’s remember that many organizations use applications in development environments that don’t support security standards like single sign-on. I call this category of software ‘unmanageable applications,’ a category that’s growing with astonishing speed. 

Inside the workplace, unmanageable applications encompass technologies acquired and deployed without IT and security approval—sometimes even without their knowledge—that don’t support industry security standards (like single sign-on). Unmanageable apps also break zero-trust principles (zero trust is currently all the rage because its goal is not preventing every breach but significantly containing the blast radius of one). This means developers often need to manage their own passwords when enterprise-grade options are not available. Of course, this can lead to credential reuse and disabled MFA/2FA.

When unmanageable applications proliferate in a development environment, both on-premises and in the cloud, they create precisely the kind of temptation hackers seek in their assaults on software supply chains. We don’t know yet if this happened with LastPass, but it is undoubtedly happening elsewhere in the threat matrix. 

Development environments have long been a target for attackers, but as cloud applications proliferated in the wake of the COVID-19 pandemic, many of these development applications fell into the ‘unmanageable’ category. Security and DevOps teams need to confirm these systems are connected to enterprise identity platforms to ensure they are not creating fragmented islands with heightened risks to the business and the chain of suppliers and customers that depend upon the software they create. 

Password managers are a good option for securing passwords, but ensuring all of your apps are connected to your enterprise identity provider (IdP), even those that don’t support standards like SCIM and SAML, is even better. 

Make this a priority.


Matthew Chiodi

Matt Chiodi is chief trust officer at Cerby.
