LastPass Continues to Prove You Can’t Trust Them with Your Secrets

Ian Reay

March 2, 2023

In the first week of March 2023, new details emerged about the origin of the significant LastPass breach that compromised the company's network and enabled attackers to access its production backups and customer data. We recently covered how LastPass customers have been repeatedly shocked since they learned that essential details of their vaults were not encrypted in the breach first reported in August 2022.

More LastPass Breach Details

This Tuesday, LastPass customers were shocked again when they learned that the attackers reached LastPass’ corporate vault by targeting the personal computer of one of four engineers who had access to production systems, using passwords and encryption keys stored in a LastPass shared folder. This is a massive failure to adequately protect production resources with Privileged Access Management (PAM) practices. LastPass has demonstrated that it has not followed the zero trust principles that have been the bedrock of enterprise security for more than two decades, and its corporate statements suggest a fundamental misunderstanding of PAM practices exists at the company.

Let's examine the latest LastPass announcement, break down four alarming concerns, and highlight how your company can pivot to the tried-and-true practices our customers have been using since we were founded almost 30 years ago.

LastPass’ Production Credentials Lacked the Appropriate Privileged Access 

The first and most egregious problem is that LastPass uses its own product as the gateway to its production environments. Password managers are a great first step to securing accounts. They provide “Just-a-Little Privilege” to everyone in a company, which ensures security fundamentals are being met.

For example, best practices include avoiding password reuse, using strong passwords, and requiring strong authentication to get access to stored passwords. These are all great fundamentals that every employee should be asked to adhere to. But they are insufficient for guarding access to the keys to the castle, your golden goose. LastPass did exactly this: it has disclosed that four people had access to a LastPass shared folder containing the administrative production passwords.

For such critical resources you should ensure that certain fundamentals are always established: 

Workflow Approvals

People should not be able to access passwords without justification. They should have to prove they have a valid business reason for working in production. For example, an industry best practice is to verify that the user has a valid ServiceNow ticket, and that they are assigned to it, before granting production passwords.

Just-in-Time Access

This is your castle, and its keys should not be widely known. At a minimum, use credential rotation. Better, adopt more robust just-in-time strategies, potentially via proxy solutions, for an additional level of protection.

Randomized Passwords

Frequently and aggressively randomize passwords on highly privileged accounts, ensuring that the credentials are different each time they are used.

LastPass implemented none of these things. Its production credentials were secured at the same level as any employee’s credentials to a third-party portal. Some access is important enough to need a little more PAM.
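To make the three fundamentals above concrete, here is an added example of a minimal credential broker that enforces all of them: a checkout is refused without an approved ticket assigned to the requester, every lease expires after a fixed window, and the password is regenerated on every checkout, check-in and expiry. This is illustrative code written for this article, not Bravura or LastPass code; the ticket store, account names and 15-minute lease window are constructed assumptions standing in for a real ITSM lookup and PAM policy.

```python
import secrets
import string
from collections import namedtuple
# Constructed ticket store standing in for an ITSM lookup (e.g. a ServiceNow query).
TICKETS = {
    "CHG0012345": {"state": "approved", "assignee": "alice"},
    "CHG0099999": {"state": "closed", "assignee": "alice"},
}
LEASE_SECONDS = 900  # assumed maximum checkout window for a production account
Lease = namedtuple("Lease", "account user ticket password expires_at")

def random_password(length=32):
    # Fresh high-entropy password, generated anew on every checkout, check-in and expiry.
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))

class CredentialBroker:
    def __init__(self, tickets, clock):
        self.tickets, self.clock = tickets, clock  # clock() returns seconds
        self.vault = {}   # account -> current password (a real PAM pushes it to the target)
        self.leases = {}  # account -> active Lease
        self.audit = []   # (event, user, account, ticket)

    def checkout(self, account, user, ticket):
        t = self.tickets.get(ticket)
        # Workflow approval: ticket must exist, be approved and be assigned to the requester.
        if t is None or t["state"] != "approved" or t["assignee"] != user:
            self.audit.append(("deny", user, account, ticket))
            raise PermissionError("no approved ticket assigned to requester")
        self.expire_stale()
        if account in self.leases:
            raise PermissionError("account is already checked out")
        self.vault[account] = random_password()  # randomized: nobody has seen this value before
        lease = Lease(account, user, ticket, self.vault[account], self.clock() + LEASE_SECONDS)
        self.leases[account] = lease
        self.audit.append(("grant", user, account, ticket))
        return lease

    def checkin(self, account):
        # Rotate again so the password the user saw dies the moment the work ends.
        lease = self.leases.pop(account)
        self.vault[account] = random_password()
        self.audit.append(("checkin", lease.user, account, lease.ticket))

    def expire_stale(self):
        # Just-in-time: leases past their window are revoked and rotated automatically.
        for acct in [a for a, l in self.leases.items() if l.expires_at <= self.clock()]:
            lease = self.leases.pop(acct)
            self.vault[acct] = random_password()
            self.audit.append(("expire", lease.user, acct, lease.ticket))
```

The audit list is the record a SOC would want: every grant, denial, check-in and expiry is tied to a user and a ticket, and a password that leaks from an endpoint is only useful until the lease ends.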

Business Critical Credentials Leaked into the Personal Realm

The second fundamental problem is that LastPass employees could access business-critical credentials from their personal devices. Mixing personal and business is straight-up unacceptable when talking about production access.

Personal devices are not secured to company hardening standards. They lack acceptable antimalware capabilities and are not integrated into the company's security operations. Each company must decide what personal device usage is acceptable, but this should never include the four people who hold the keys to your castle.

There are many strategies for giving those administrators the extra level of security they need, such as:

  • Provide product administrators with company-provided laptops with endpoint protection solutions or secured cloud workspaces they can connect to which are protected by endpoint protection solutions. 
  • Leverage a proxy solution to allow people to connect to secured on-premises devices when needed. 
  • Always ensure that Multi-Factor Authentication (MFA) is required to access these resources. 

Your company’s administrators should only be able to access sensitive production systems and secrets from these hardened entry points. This access can be accomplished through multiple strategies that are routinely applied in enterprises these days. It is a smart defense-in-depth strategy that has long been recognized as a terrific way to protect your company’s most valued assets and makes a compromise far more complex to implement.

Missing Just-in-Time Access

The third severe problem is in the mitigations LastPass enumerated that it is taking to secure its networks. Nowhere on that list was adopting just-in-time access strategies. Instead, the company hardened its employees' personal home networks. Your security perimeter should never depend on employees securing their personal residence and network. If your defense depends on secured premises, what happens when they travel and connect over airport Wi-Fi? What happens if they take their laptop to their kids' sports game and connect to the local Wi-Fi? You must secure access to the endpoint you have chosen, and you must assume it is in a hostile environment.

Compromised Credentials Are Still in Rotation

The fourth serious problem is that LastPass is still in the process of rotating the enterprise credentials exposed by this compromise. It has been months, and credential rotation in the event of a severe leak should not take months. Credential rotation, account disablement, and host isolation are the foundational steps you should take to limit the blast radius of a compromise once it is detected.

Short and Long-Term Steps to Protect Your Secrets 

After reviewing what not to do, what does a recommended environment look like?  

Short-Term Steps

  1. All employees should be given an enterprise-grade zero-knowledge password manager like Bravura Safe to provide a baseline level of security with the frictionless experience employees expect. Everyone needs an enterprise-provided secret vault. This is a turn-key solution your company can stand up in a matter of hours and try for free with a no-commitment trial.
  2. All employees should be given a strong baseline passwordless MFA solution like Bravura OneAuth to ensure they are authenticating securely to your corporate endpoints and applications.

Long-Term Steps

  1. All administrators of production resources should be provisioned with a secured endpoint from which to connect to production resources. General internet or broad VPN access should not be allowed. There are many strategies for this, and all start with understanding the identity of who is accessing your resources. Dedicated VPN or bastion host strategies have been tried and true for decades, and Enhanced Identity Governance ZTA is gaining traction. This does not have to be expensive or complex. In the long term, your production assets should be managed by a proper Just-in-Time (JIT) PAM platform such as Bravura Privilege, so that production is only accessed when there is a valid reason and for a known and controlled period.
  2. You should run a tabletop exercise to evaluate just how long it will take you to rotate your credentials in the event of such a compromise. It should not be measured in months. If your exercise findings are unacceptable, both Bravura Pass and Bravura Privilege bring 20 years of expertise in large-scale credential rotation that works for even the world's largest enterprises and Fortune 500 companies.

What should LastPass users do to protect themselves? 

Protect your organization against two very common cyberattacks: phishing and brute-force attacks.

Get started with Bravura Safe and Bravura OneAuth for your business. Sign up for a free trial today. 

Real Identity Security Compromises. Real Strategies to Reduce the Blast Radius. 

As identity security experts for three decades, our seasoned technologists have gathered some great tools and insights for any company to consider. Beyond the LastPass risks, a concern on the minds of IT leaders is how to prevent wide-reaching breaches: from detecting threats, to reducing the impact radius, to improving the time to recover. View our webinar with Elastic, where we strategize about best practices for managing high-stress security incidents, including actions that will increase protection for your organization. Companies at many maturity levels can benefit from threat detection and analysis that drive automated response and mitigation, reducing the blast radius and getting back to business as usual.