Last Pass Breach Insights
Recently Tod Beardsley, security engineering manager at Rapid 7, spoke out about the recent developments in the last pass breach. Below is a rundown on what he had to say:
“The news of the LastPass breach is still evolving, and it’s usually difficult to parse out from initial breach notifications what actually happened. I’m very happy to see that they’re forthcoming in a matter of a weekend’s time that something happened at LastPass HQ, and I’m sure as they work through their incident response procedures, LastPass users will get a more detailed picture of what was compromised and what LastPass is doing about it.
What we do know is that, “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.” (Quoting from the notification). What this means is that attackers seem to have all they need to start bruteforcing master passwords. So far, the attackers do not seem to have access to the passwords encrypted with that master password. They incidentally have a list of LastPass users by e-mail address.
The fact that the attackers are now armed with a list of LastPass users by e-mail means that we may see some targeted phishing campaigns, presenting users with fake “Update your LastPass master password” links. So, while further direct communication from LastPass to their users about this breach should be welcome, it should be treated with suspicion if there are any embedded links and calls to action.
Breaches happen, and the difference in sustained damage usually comes down to skilled incident response. I’m sure an organization like LastPass drilled on this kind of event before last weekend, so I’m confident they’ll be able to contain and communicate the full extent of the breach. That said, if users get a follow up e-mail about this, as promised in the comments on the bulletin, they should not click on any links if present. Instead, use the normal LastPass interface from a saved bookmark.”
Image source: Last Pass