Why might the LastPass hack turn out to be a good thing?
In the past couple of years, cybercrime rates have skyrocketed worldwide. Even if you don’t follow cybersecurity developments regularly, you might have noticed how many companies – both large and small – have reported a systematic breach by cybercriminals.
However, some of those breaches are more significant than others. In the last week of August (2022), LastPass released a statement confirming that they’ve been hacked. Seeing as they’re the most significant player in the password management market with sensitive information on over 25 million people, this is quite a worrisome predicament.
Still, you’ll find plenty of doom-sayers who are eager to jump on the bandwagon and talk about how disastrous this is. Instead, we’ll take a more realistic approach and show you how this hack might not be such a bad thing after all.
LastPass 2022 Breach: What Happened?
Before we delve into the consequences of the 25 August cybersecurity breach of LastPass – let’s take a look at what happened.
First, the brass tacks – according to the company and numerous third-party cybersecurity experts, everything is under control now. Some two weeks before their announcement of the hack, LastPass had noticed unusual activity in their platform’s development environment.
They launched an investigation immediately, and they’ve released info on what all users are interested in the most: there’s no evidence that the hack involved a breach of any encrypted passwords or any other customer data.
Instead, the malicious hackers managed to gain access to a minor part of the platform’s dev environment – ironically, through a compromised account of a LastPass developer. Then, they stole some proprietary technical data and a part of the source code.
The gist is that all of the LastPass services and products continue to operate normally.
However, that doesn’t mean that LastPass hasn’t reacted to the breach strongly. According to the company, mitigation and containment measures have been deployed promptly, and a leading global forensics and cybersecurity firm has been contracted to help them contain the damage and perform the investigation.
While that investigation resumes, the breach has been contained, and other high-security measures have been implemented. And no further unauthorized activity has been detected since the initial hack.
Based on the current results of the investigation and what LastPass has learned about the breach, they’re already looking at new mitigation techniques to make their development environment more resilient in the future.
The Bottom Line
So, with all of the above in mind – should you be concerned as a LastPass user?
Well, not really. No master passwords have been compromised during the incident, mainly because the whole point of LastPass is that even the company itself doesn’t have access (or even knows) the master passwords of their customers.
Apart from that, no other user data has been compromised either – the entire incident was limited to the LastPass development environment, and no encrypted vault data has been accessed by unauthorized users. The same goes for any other personal information of LastPass customers.
With that in mind, there’s really no cause for concern at the moment – and there’s really nothing that you should be doing at the moment, apart from sticking to the usual best practices regarding the usage of LastPass and your passwords in general.
However, while none of your personal information or password data is in danger – seeing a successful cyberattack on a company whose whole point is cybersecurity and the creation and management of impossible-to-crack passwords is a sobering sight; one that only serves to highlight the importance of cybersecurity in this day and age.
Still, most cybersecurity experts agree that LastPass has shown some excellent crisis management skills. They’ve notified all of their users of the breach in a timely manner; while two weeks seems like too long to a layperson, in reality, incident response teams for cybercrime usually need much longer to assess and surmise a situation fully.
What Does This Mean For Users?
So, what does the LastPass hack actually mean for users?
For starters – it shows us that even the toughest cybersecurity companies are, ultimately, not 100% impregnable. And even though no client data has been breached this time around, the whole case shows us the importance of multi-factor authentication, and multiple security layers in general.
Over the past decade, SaaS (software-as-a-service) has become the dominant industry standard – practically everything that can feasibly be migrated to the cloud has already been placed in a SaaS environment. However, while that process has brought us a lot of benefits; cases like these are great reminders of some of the setbacks that come with putting too much data online as well.
The growing number of online services we use and accounts we make, along with rising cybercrime rates, has created strong demand for secure password managers like LastPass. After all, the prospect of having all of your passwords securely hidden behind a single “master password” that’s kept safe and encrypted is enticing.
In 2022, managing a huge vault of login credentials has become tedious – but what happens if a supposedly secure password manager gets hacked? Again, no passwords or user data were stolen this time around, and the company’s CEO and CISO display confidence in their encryption measures – but still, what if the next attack succeeds?
It’s worth remembering that the human element remains the weakest point in any cybersecurity plan – getting someone’s password is still the easiest way to breach their online identity and compromise their access control, potentially with disastrous consequences. That’s why easily-decipherable login information has always been frowned upon, and that’s precisely why we need LastPass and its competitors in the first place.
With this in mind, this hack might actually be the wakeup call we need. Realistically speaking, it’s not reasonable to expect that the cloud migration tide will somehow be overturned in favor of a SaaS-less Internet; we’ve just gone too far in the other direction for that to happen, and the world’s SaaS market is simply too valuable.
However, privacy and online security will have to become bigger priorities if this cloud-first environment is to remain tenable. And while companies like LastPass are already dedicated to proactive cybersecurity measures and transparency towards their customers – that will have to become the SaaS industry standard.
It’s also worth remembering that this isn’t an unprecedented situation – not even for LastPass. More than ten years ago, the company was the victim of a similar attack. In 2011, the password management company discovered a breach and suspicious activity that also didn’t compromise any passwords or user accounts.
However, the attackers reportedly gained access to email address information and some authentication hashes – which is why users were advised to change their master passwords just in case, and two-factor authentication was a must even if users didn’t have it enabled.
Then and now, the company’s leadership maintains that no crucial user information has been compromised. But how do we know that the next attack won’t get further behind their line of defense – or, for that matter, behind the defenses of another prominent SaaS company?
Because of that possibility, cybersecurity and access management for user accounts across all kinds of online services has to become a top priority. Otherwise, companies stand to lose a lot – and so do their users.