Reactions to the LastPass breach

LastPass, the company behind the popular password management service of the same name, has announced that they have suffered a breach, and has urged users to verify their account and update their master password.

Here are some of the comments Help Net Security received.

Brian Honan, CEO of BH Consulting and Special Advisor to Europol Cybercrime Centre

While a breach of a security service such as LastPass is a worrying event, a lot of credit should be given to LastPass on how they dealt with the issue. Indeed, many companies should look at LastPass at learn from them as to how to better improve the security of their own systems.

Firstly, LastPass has taken a lot of very effective steps to protect the master password of its users, such as storing the passwords securely. Secondly, LastPass’ response to the breach is a good lesson to all, in particular how it communicated the breach to its users and the media. The information from LastPass has been timely, transparent, and detailed enough to enable users make an informed decision on their security risk.

Of course users who employ weak master passwords or do not have the two-factor authentication facility enabled on their accounts are at a higher risk than those who follow good security practices. While companies like LastPass can employ good technology and security practices to technically protect client data, if the clients themselves do not follow good security practices then even the strongest technology controls are undermined.

The breach also highlights the problem the security industry has on relying on passwords as the primary way to authenticate users. We need to invest time and money in developing more secure and user-friendly ways to authenticate users or we will be repeatedly dealing with password breaches.

Per Thorsheim, Independent Information Security Advisor, founder of PasswordsCon

I’ve changed my master password which makes sense, given the warning and information so far provided by LastPass. My master password is not used anywhere else, and with 2FA/2SV enabled alongside gelocation-based login permissions, I feel confident about using LastPass and syncing my devices through their cloud-based storage.

Lots of risks are for real, with threats and weaknesses easily exploitable. In this case, given a strong master password, an attack against the cryptographic security of your passwords stored with LastPass are closer to academic theory than a real threat.

Geoff Webb, Vice President, Solution Strategy at NetIQ

While the breach at LastPass will probably not cause significant problems for their users (provided they change their master password as advised) it does underline the broader issue with authentication and the use of passwords as a single-point of identification.

However the system is implemented, using a password alone ultimately places the totality of our trust in the authentication method in a single factor – in one piece of information that is used to prove we are who we say we are. This is still, and will always be, the weakest link in the chain and so it’s not surprising that attackers focus on it. Whether it’s an attack aimed at a service like this, or simply working to identify users with weak, multi-use passwords, attackers know that successfully gaining access to an account is usually just one password away.

We are at the end of the useful lifespan of the password as the sole method of authenticating who we are – the more complex interactions we undertake online, and the sheer volume of services we work with, now mean we must use an approach that is more sophisticated if we want to stay secure and keep our information private. Whether the right answer is using tokens, smartphones, biometrics, behavioral indicators, or some mixture of them all, will depend greatly on the sensitivity of the information or service being secured, but whatever it is, simply relying on a user to think up, and remember a sufficiently secure password is not going to be enough anymore.

Chris Boyd, Malware Intelligence Analyst at Malwarebytes

The biggest cause for concern in the immediate aftermath of the LastPass breach is ‘easy to guess’ password reset questions and password reuse across multiple websites. If you’ve reused your LastPass Master Password anywhere else, you must change it immediately.

If you’re still happy to use LastPass after this attack, you must ensure you’re using some of the many security options available, which include two-factor authentication and ‘allow or deny’ logins by geographical region.

Many of those affected could say “Enough is enough” and go back to storing passwords on the desktop. While that works for some people, too many would probably fail to consider the security risks brought on by such actions.

For example, if your laptop was stolen would it at least have been encrypted? Or would the passwords be sitting there for all to see? Trading one set of risks for another while failing to take appropriate measures for the replacement tends to backfire, and we shouldn’t rush to make drastic changes without weighing up the pros and cons first.

Tod Beardsley, Security Engineering Manager at Rapid7

The news of the LastPass breach is still evolving, and it’s usually difficult to parse out from initial breach notifications what actually happened. I’m very happy to see that they’re forthcoming in a matter of a weekend’s time that something happened at LastPass HQ, and I’m sure as they work through their incident response procedures, LastPass users will get a more detailed picture of what was compromised and what LastPass is doing about it.

What we do know is that, “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.” (Quoting from the notification). What this means is that attackers seem to have all they need to start brute-forcing master passwords. So far, the attackers do not seem to have access to the passwords encrypted with that master password. They incidentally have a list of LastPass users by e-mail address.

The fact that the attackers are now armed with a list of LastPass users by e-mail means that we may see some targeted phishing campaigns, presenting users with fake “Update your LastPass master password” links. So, while further direct communication from LastPass to their users about this breach should be welcome, it should be treated with suspicion if there are any embedded links and calls to action.

Breaches happen, and the difference in sustained damage usually comes down to skilled incident response. I’m sure an organization like LastPass drilled on this kind of event before last weekend, so I’m confident they’ll be able to contain and communicate the full extent of the breach. That said, if users get a follow up e-mail about this, as promised in the comments on the bulletin, they should not click on any links if present. Instead, use the normal LastPass interface from a saved bookmark.

Sergio Galindo, General Manager at GFI Software

I’m in the awkward position where I am a personal customer of LastPass, so was extremely concerned to receive the company’s email to customers alerting them to the situation. The immediate issue is the delay between discovering the breach and notifying those who were potentially affected by it – the users.

Also, there are some stark similarities between what appears to have happened at LastPass and what happened to the US government just over a week ago. This latest breach just goes to prove that this type of attack is not just one reserved for the largest organizations, the same style of cybercrime attack is taking place in the mid-market, going after things like cloud services and other properties that have outward-facing services and which hold large volumes of useful data such as logins and payment information, meaning that the 80% are just as much of a target as the biggest 1%.

Are we beginning to see the emergence of a new hacker trend, the stealth inner-network attack – whereby a hacker can infiltrate a network and latch on for a period of time, often a long period, without being detected. All the time syphoning off useful data from key systems. We have to question who is watching the network and understand why intrusion detection systems, firewalls and other preventative measures to stop external breaches are not doing their job. It’s time for a fundamental rethink of how we police the network perimeter and how we ensure adequate visibility and response to inbound activity does not fall through the cracks.