Back in August 2022 the password manager service LastPass had a data breach that leaked customer account information and meta data associated with the people accessing the service, such as email addresses and phone numbers. Recently, LastPass has let its customers know that the data breach was more severe than initially thought, and this raises an important question for small businesses: what if your information was in this data breach? Today, we want to focus on how the LastPass data breach happened and what small businesses can do to better protect their data in case they get involved in a third-party data breach!
What happened?
While LastPass’ data breach is still under scrutiny, how the attack happened appears to be clear. The attackers stole an employee’s credentials, and this account was able to exfiltrate information from a cloud-based backup server. This server stored a backup of customer information that included website URLs, encrypted passwords, and data used to fill in forms. LastPass highlights that credit card information was not stored on the backup server and was not at risk of being stolen. Much of the data that was not encrypted was personally identifiable information (PII) on the account owners, but the stolen passwords were encrypted, so malicious actors will need to brute force the encryption to make them actionable for attacks.
A Lesson in Passwords
The passwords stolen in this data breach are encrypted, which means malicious actors will have to perform a long and tedious process of brute forcing their way through the encryption by guessing a user’s master password. While this provides a level of security, it does mean the stolen passwords are at risk. Importantly, the passwords that take the longest to crack are the ones that are more complex and that the hackers do not have clues for. If a person reuses their master password for other accounts that have leaked onto the dark web, then malicious actors will have an easier time guessing their password. This is a strong reminder to make new and unique passwords for every service used.
Further Mitigation Strategies
If your business was involved in a data breach like this one, the first step to take would be to change your master password to something unique that follows strong password best practices. Changing the passwords generated by LastPass may also help protect more of your information from being accessed by the hackers that performed the initial data breach. Because PII was unencrypted when it was stolen, your business would want to pay attention to dark web scans to catch suspicious activity early. If your business does not already have dark web scans performed, you should work with a local IT consultant to access this service, so you know what information about you and your business has been stolen.
Summary
Looking at how to mitigate the risk to small businesses from LastPass’ data breach can help more than just the customers involved in the attack. Strategies such as implementing strong password habits and monitoring the dark web can help prevent a variety of attacks from happening. More importantly, implementing these strategies earlier will help small businesses defend against data breaches that haven’t come to light yet and improve their overall cybersecurity posture. If you think your small business needs dark web scans or a quick security assessment to see if you’d be vulnerable in a situation like this, our security experts are ready to help bring IT as it should be to your company!
