
The LastPass Data Breach: Why Strong Passwords Matter

By Swarnali Datta

As more of our lives move online, we store a great deal of personal information in the virtual world. And what is the lock on this digital vault? A password. Now imagine being told that this password has been stolen and all your data is at risk. Your heart skipped a beat, right?

Over the last few months LastPass, the maker of a well-known password manager, has disclosed details of a security incident in which attackers stole copies of users' encrypted password vaults, putting the online accounts of millions of people at risk. Intrigued? Let's delve into the story.

The incident

LastPass is one of the most widely used password managers in the world, with over 33 million registered users and more than 100,000 business customers. It has now acknowledged that attackers breached its systems repeatedly and stole a large amount of highly sensitive customer data, the latest in an expanding sequence of damaging disclosures.

The first intrusion began with the compromise of a LastPass software engineer's account using stolen login credentials (username and password). LastPass protects employee accounts with two-factor authentication (2FA), but the attacker tricked the engineer into approving a fraudulent 2FA prompt, a technique known as multi-factor authentication (MFA) fatigue: an attacker who already holds the password triggers login push notifications over and over until the target approves one just to make them stop.
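MFA fatigue leaves a recognisable trace in the identity provider's own logs: a burst of denied or unanswered push prompts for one user, followed by an approval. The following detector is an added example, not code from this article or from LastPass. It runs over a few constructed log lines (the line format, field names and user names are assumptions for illustration) and flags any user who approves a prompt after several rejected or timed-out prompts within a short window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real LastPass or identity-provider data).
# Assumed format: "<ISO timestamp> user=<name> result=<denied|approved|timeout> ip=<addr>"
SAMPLE_LOGS = """\
2022-08-08T09:00:01Z user=dev.eng result=denied ip=203.0.113.5
2022-08-08T09:00:40Z user=dev.eng result=timeout ip=203.0.113.5
2022-08-08T09:01:15Z user=dev.eng result=denied ip=203.0.113.5
2022-08-08T09:01:50Z user=dev.eng result=timeout ip=203.0.113.5
2022-08-08T09:02:30Z user=dev.eng result=approved ip=203.0.113.5
2022-08-08T09:05:00Z user=alice result=approved ip=198.51.100.7
2022-08-08T12:00:00Z user=bob result=denied ip=198.51.100.9
2022-08-08T12:30:00Z user=bob result=approved ip=198.51.100.9
"""


def parse_line(line: str) -> dict:
    """Split one log line into a dict with a datetime under 'ts' plus the key=value fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_fatigue(log_text: str, window=timedelta(minutes=10), threshold: int = 3) -> list:
    """Return one alert per approval that followed >= threshold denied/timed-out
    prompts for the same user inside `window`. A legitimate user who fat-fingers
    one prompt and then approves the next is below the threshold and not flagged."""
    recent = defaultdict(deque)  # user -> timestamps of recent non-approved prompts
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        q = recent[rec["user"]]
        # Drop prompts that fell out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if rec["result"] in ("denied", "timeout"):
            q.append(rec["ts"])
        elif rec["result"] == "approved":
            if len(q) >= threshold:
                alerts.append({
                    "user": rec["user"],
                    "approved_at": rec["ts"],
                    "prior_prompts": len(q),
                    "ip": rec["ip"],
                })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOGS):
        print(f"MFA fatigue suspected: {alert}")
```

In the sample data only dev.eng trips the rule (four rejected prompts in under two minutes, then an approval); bob's single denial half an hour earlier is outside the window. The alert is a reason to invalidate the resulting session and contact the user, not proof of compromise. The preventive fix is number matching or a code-entry prompt, so that a stray tap can no longer approve a login the user did not start.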

This intrusion was confined to LastPass's Amazon Web Services (AWS) cloud development environment. Valuable corporate assets, including portions of source code and proprietary technical information, were stolen, but no customer data was exposed at that stage, because the development environment held none. When the breach was discovered, LastPass believed it had contained the incident: it deleted and rebuilt the development environment and rotated every credential used for it.

What LastPass did not know at the time was that the attackers had combed through AWS logs to learn where LastPass's encryption keys were kept, who had access to them, and the IP addresses from which they had been accessed.

Running a vulnerability scan against those IP addresses, the intruders found that a LastPass senior DevOps engineer was running a badly outdated version of the Plex media server on their home network. Exploiting it gave them code execution on the engineer's home computer, where they installed a keylogger, captured the engineer's master password as it was typed, and used it to open the engineer's corporate vault, which held the keys needed to decrypt LastPass's cloud-storage backups, including copies of customer vaults.


Mistakes made by LastPass in this data breach

Delay in response

LastPass took about three weeks to investigate and report each incident. For an average business that is a respectable response time, but for a company whose product is security it is far too long.

Lack of an apology

The most striking omission is any expression of regret. Nowhere in LastPass's notifications or blog posts is there an apology; search its recent communications for the words "sorry" or "apology" and you will find nothing.

A shift in responsibility

LastPass leans heavily on the argument that customers' vaults cannot be compromised as long as they chose strong master passwords. Once LastPass had lost the encrypted vaults themselves, however, that assertion started to wear thin. An attacker holding a copy of a vault can try master-password guesses offline, at leisure and with no rate limiting or account lockout to slow them down, so the vault's safety now rests entirely on how hard the user's master password is to guess.

Absence of security

A security firm should be prepared on every front. Breaches can happen to anyone, but a security company that announces it has increased security, taken care of everything and that "you can trust us", and then suffers another breach just two months later, is clearly lacking in fundamentals.


Lessons learnt from this incident

The LastPass breach is a reminder that it is far easier to put protections in place for your most sensitive accounts before a breach than to scramble afterwards. Here are some rules for choosing strong passwords that everyone should follow.

Create a complicated password

A strong password should be long and hard to guess. One mnemonic approach is to start from a sentence you can remember, for example "My name is Inigo Montoya. My dad was killed by you. Get ready to perish.", take the first letter of each word and substitute an exclamation mark for each capital I, giving "Mn!!M.Mdwkby.Grtp." Bear in mind that such a password is only as strong as the number of memorable sentences an attacker has to try, and famous quotes are the first thing they try, so for ordinary accounts let your password manager generate a long random password instead. The one password you must remember is the master password that unlocks your vault: make it the longest passphrase you can reliably type, and never reuse it (or any other password) on another website or app.
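Why the master password carries so much weight becomes clear when you see what an attacker does with a stolen vault. LastPass's own breach notice states that the vault encryption key is derived from the master password with PBKDF2-SHA256, salted with the account e-mail, at 100,100 iterations by default for newer accounts and far fewer for some older ones. The script below is an added example, not code from the article or from LastPass: it derives a key the same way, simulates an attacker trying a wordlist against the derived key, and then estimates how the guessing cost scales with iteration count and password entropy. The salt, wordlist and victim password are constructed for the demonstration, and the timings are for a single CPU core in Python; a GPU cracking rig is many orders of magnitude faster.

```python
import hashlib
import time

# Added example, not LastPass code. Matches the construction LastPass describes:
# PBKDF2-HMAC-SHA256, salt = account e-mail, 32-byte key.


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the vault encryption key from the master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, 32)


def offline_guess(target_key: bytes, salt: bytes, iterations: int, candidates):
    """An attacker with a stolen vault tries candidate master passwords until the
    derived key matches. Returns (password, guesses_tried) or (None, guesses_tried).
    Nothing rate-limits this: the attacker runs it on their own hardware."""
    tried = 0
    for cand in candidates:
        tried += 1
        if derive_key(cand, salt, iterations) == target_key:
            return cand, tried
    return None, tried


def expected_work_seconds(entropy_bits: float, seconds_per_guess: float) -> float:
    """Average time to find a password of the given entropy: half the keyspace,
    one PBKDF2 run per guess."""
    return 2 ** (entropy_bits - 1) * seconds_per_guess


def measure_seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Time one derivation on this machine (constructed salt)."""
    salt = b"timing@example.com"
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"probe{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def demo() -> dict:
    salt = b"victim@example.com"   # constructed; LastPass uses the account e-mail
    legacy_iterations = 5000       # a low legacy count, versus the 100,100 default
    # Constructed wordlist. The page's mnemonic password is in it, as it would be in
    # any list built from well-known movie quotes.
    wordlist = ["password", "123456", "Summer2022!", "Mn!!M.Mdwkby.Grtp.", "letmein"]
    victim_password = "Mn!!M.Mdwkby.Grtp."
    stolen_key = derive_key(victim_password, salt, legacy_iterations)

    found, guesses = offline_guess(stolen_key, salt, legacy_iterations, wordlist)
    per_guess_legacy = measure_seconds_per_guess(legacy_iterations)
    per_guess_default = per_guess_legacy * 100100 / legacy_iterations  # PBKDF2 cost is linear
    seconds_per_year = 365.25 * 24 * 3600
    return {
        "found": found,
        "guesses": guesses,
        "seconds_per_guess_5000_iter": per_guess_legacy,
        "seconds_per_guess_100100_iter": per_guess_default,
        # 8 random lowercase letters: 26**8, about 2**37.6
        "years_8_lowercase_100100_iter": expected_work_seconds(37.6, per_guess_default) / seconds_per_year,
        # six random Diceware words: 7776**6, about 2**77.5
        "years_6_diceware_100100_iter": expected_work_seconds(77.5, per_guess_default) / seconds_per_year,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the numbers show. Raising the iteration count from 5,000 to 100,100 makes every guess about twenty times more expensive, which helps but only linearly. Adding entropy to the password helps exponentially: each extra random Diceware word multiplies the attacker's work by 7,776, which is why a six-word random passphrase stays out of reach even for GPU rigs while an eight-character password or a recognisable quote does not.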

Use Two-factor authentication (2FA)

This setting requires a temporary code in addition to your username and password when you sign in. Banking sites usually let you register a phone number or e-mail address to receive the code in a message. Many apps and services, including Twitter and Instagram, instead let you generate the codes with an authenticator app such as Google Authenticator or Authy; the app computes each code locally from a shared secret and the current time, so it works offline and cannot be intercepted the way an SMS can. Wherever an app-based or hardware option is offered, prefer it over SMS or e-mail codes.


To wrap it up

Remember, you should always have a plan for getting your data out if something happens that makes you want to leave. On its website, LastPass provides instructions for exporting a copy of your vault as a spreadsheet (CSV) file, which can then be imported into a different password manager. Handle that file with care: the export is unencrypted, so every password in it is readable by anyone who finds it. Import it into the new manager promptly and then securely delete it. If you do want to keep a copy as a backup, store it only inside an encrypted container (an encrypted disk image or password-protected archive), never as a plain spreadsheet sitting in a cloud drive or an e-mail attachment.
