By Roger A. Grimes. KnowBe4 recommends that everyone use a password manager to create and use strong passwords as part of their password policy: https://info.knowbe4.com/wp-password-policy-should-be
LastPass, one of the world’s most popular password managers, recently had a bad data breach, as revealed here: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/.
LastPass divulged that although users’ plaintext passwords were not accessed, what the hackers did get included the following information:
- website URLs for the user’s stored passwords
- end-user names
- billing addresses
- email addresses
- telephone numbers
- company names
- IP addresses from which customers were accessing the LastPass service
The hackers also got each LastPass user’s encrypted password for every stored logon. That encryption is strong only AS LONG AS the master password the user chose for LastPass was strong. If you’re interested in a more detailed discussion, go here: https://www.linkedin.com/pulse/just-how-bad-recent-lastpass-compromise-roger-grimes.
In summary, if your LastPass master password was at least 12 characters long (the current LastPass default), contained some complexity, wasn’t an easy-to-guess password, and was not used on any other site or service, then you’re probably OK. If not, you need to immediately change all your passwords, both the LastPass master password and all the passwords you stored in LastPass.
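The four criteria above (length of at least 12, complexity, not easy to guess, not reused on another site) can be turned into a self-check. The Go program below is an added example written for this article, not code from LastPass or KnowBe4; the short list of common passwords and the stored site passwords it compares against are constructed stand-ins, and the “three character classes” and “run of four” thresholds are assumptions chosen to make “complexity” and “easy to guess” concrete.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// minMasterLength is the 12-character minimum the article cites as the LastPass default.
const minMasterLength = 12

// commonPasswords is a constructed stand-in for a real list of breached/common passwords.
var commonPasswords = map[string]bool{
	"password":     true,
	"password1234": true,
	"qwerty123456": true,
	"letmein12345": true,
}

// AssessMasterPassword reports whether the master password satisfies the article's
// four criteria and, if not, which ones it fails. otherPasswords are the passwords
// stored for other sites, used for the "not reused anywhere else" check.
func AssessMasterPassword(master string, otherPasswords []string) (bool, []string) {
	var failures []string
	if len([]rune(master)) < minMasterLength {
		failures = append(failures, fmt.Sprintf("shorter than %d characters", minMasterLength))
	}
	if characterClasses(master) < 3 { // assumption: "complexity" = at least 3 of 4 classes
		failures = append(failures, "fewer than 3 character classes (lower, upper, digit, symbol)")
	}
	if isEasyToGuess(master) {
		failures = append(failures, "easy to guess (common password, repeated or sequential characters)")
	}
	for _, p := range otherPasswords {
		if p == master {
			failures = append(failures, "reused as the password for another site")
			break
		}
	}
	return len(failures) == 0, failures
}

// characterClasses counts how many of lower, upper, digit and symbol appear.
func characterClasses(s string) int {
	var lower, upper, digit, symbol bool
	for _, r := range s {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	n := 0
	for _, b := range []bool{lower, upper, digit, symbol} {
		if b {
			n++
		}
	}
	return n
}

// isEasyToGuess flags known common passwords and runs of four or more identical
// or consecutive characters such as "aaaa" or "abcd".
func isEasyToGuess(s string) bool {
	if commonPasswords[strings.ToLower(s)] {
		return true
	}
	rs := []rune(s)
	runRepeat, runSeq := 1, 1
	for i := 1; i < len(rs); i++ {
		if rs[i] == rs[i-1] {
			runRepeat++
		} else {
			runRepeat = 1
		}
		if rs[i] == rs[i-1]+1 {
			runSeq++
		} else {
			runSeq = 1
		}
		if runRepeat >= 4 || runSeq >= 4 {
			return true
		}
	}
	return false
}

func main() {
	stored := []string{"Hunter2-bank", "Tr0ub4dor&3"} // constructed site passwords
	for _, m := range []string{"Password1234", "Tr0ub4dor&3", "Correct-Horse-Battery-9!"} {
		ok, why := AssessMasterPassword(m, stored)
		fmt.Printf("%-26q ok=%-5v %v\n", m, ok, why)
	}
}
```

Run as-is it reports the first candidate as a common password, the second as both too short and reused for another site, and only the third as passing; if your own master password fails any check, the article’s advice applies: change it and every password stored behind it.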
Spear Phishing Bonanza
However, the plaintext information that was stolen (listed above) is incredibly useful to any hacker doing social engineering and phishing. It allows an attacker to specifically target (i.e., spear phish) a potential victim using information not known to the general public or to other hackers. For example, with a list of the websites that someone logs onto, a phisher can craft specific phishing emails that pretend to be from one of those websites. The email could include the user’s name, telephone number, and mailing address. Each added detail thickens the veil of false legitimacy around a social engineering email, and each one increases the percentage of people who will become victims.
Knowing people’s phone numbers and which websites they belong to opens up an avenue for a fake tech support call. Mailing addresses can allow elaborate scams through postal mail. Here’s a brazen example of such a scam: https://www.nasdaq.com/articles/inside-the-scam%3A-victims-of-ledger-hack-are-receiving-fake-hardware-wallets-2021-06-17. The sky is the limit on the types of spear phishing scams that can be created and delivered using the information that was stolen in the LastPass breach.
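Because the attacker now knows which sites a victim really uses, the defensive check that matters is whether a message claiming to come from one of those sites actually does. The Go program below is an added example for this article (not LastPass or KnowBe4 code) that compares the sender and link hosts of an incoming message against the user’s own list of known site domains, flagging a known site name buried inside a different domain and near-miss spellings within edit distance 2. The domain list and the sample message are constructed; the two-label “registrable domain” rule is a simplification (a real mail filter would use the Public Suffix List).

```go
package main

import (
	"fmt"
	"strings"
)

// knownSites stands in for the domains of a user's stored logins (constructed list).
var knownSites = []string{"bank.example", "mail.example", "shop.example"}

// Verdict is the result of checking one hostname seen in an incoming message.
type Verdict struct {
	Host   string
	Level  string // "legitimate", "suspicious" or "unknown"
	Reason string
}

// registrableDomain keeps the last two labels ("login.bank.example" -> "bank.example").
// Simplification: a real implementation should consult the Public Suffix List.
func registrableDomain(host string) string {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	labels := strings.Split(h, ".")
	if len(labels) < 2 {
		return h
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// levenshtein is the standard edit distance between two strings.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(rb)]
}

// CheckHost classifies a hostname: an exact registrable-domain match is legitimate;
// a known site name used as a subdomain of some other domain, or a registrable
// domain within edit distance 2 of a known site, is suspicious; anything else is unknown.
func CheckHost(host string, known []string) Verdict {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	reg := registrableDomain(h)
	for _, k := range known {
		if reg == strings.ToLower(k) {
			return Verdict{host, "legitimate", ""}
		}
	}
	for _, k := range known {
		k = strings.ToLower(k)
		if strings.HasPrefix(h, k+".") || strings.Contains(h, "."+k+".") {
			return Verdict{host, "suspicious", "known site " + k + " embedded as a subdomain of " + reg}
		}
		if d := levenshtein(reg, k); d <= 2 {
			return Verdict{host, "suspicious", fmt.Sprintf("lookalike of %s (edit distance %d)", k, d)}
		}
	}
	return Verdict{host, "unknown", "not one of the user's known sites"}
}

// ScanMessage checks the sender's host and every link host in one message.
func ScanMessage(fromHost string, linkHosts []string, known []string) []Verdict {
	out := []Verdict{CheckHost(fromHost, known)}
	for _, l := range linkHosts {
		out = append(out, CheckHost(l, known))
	}
	return out
}

func main() {
	// Constructed sample: a message claiming to be an alert from the user's bank.
	from := "alerts.bank.example.notify-center.test"
	links := []string{"bamk.example", "login.bank.example", "news.example"}
	for _, v := range ScanMessage(from, links, knownSites) {
		fmt.Printf("%-40s %-11s %s\n", v.Host, v.Level, v.Reason)
	}
}
```

The sender host is flagged because the real bank name sits under an unrelated domain, the first link because it is one character away from the genuine domain, while the genuine login host passes and an unrelated domain is merely reported as unknown for a human to judge.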
Kudos to LastPass for making sure the most critical user information, the users’ passwords, was stored in an encrypted state. But this breach, like all the others before it, calls into question what type of user information should or shouldn’t be considered “critical information” and always stored in an encrypted state. If the information can be used to identify or contact you, it should probably be encrypted by default.
Here is a demonstration video on Vimeo, made by Kevin Mitnick, of how an attack like this might go down. Use the password: rockandrollwillneverdie
LastPass users were relieved to learn that their stored passwords were not directly compromised, but the information that was taken by the hackers is likely to have spear phishing repercussions for years to come.