LastPass Security Breaches: Is It Time to Make a Change?

Almost three-quarters of Americans rely on handwritten notes or memory to keep track of their passwords. Relying on memory pushes people toward short, reused passwords, and reused credentials are one of the leading causes of account takeover and identity theft. Internet users who do not employ safeguards such as a password manager are reported to be three times more likely to experience identity theft.

To combat this, businesses have turned to password managers. These programs keep usernames and passwords in an encrypted vault that is unlocked with a single 'Master Password.' However, the security of password managers has come into question after two breaches of LastPass, a major password management company, in 2022.

What are the pros and cons of a password manager?

Writing a password on a Post-it Note means anyone walking past a desk or window can read it. The benefits of keeping passwords in an encrypted vault include the following:

  • In a zero-knowledge design the vault is encrypted on your device with a key derived from the Master Password, so the provider holds only ciphertext and cannot read your passwords.
  • Each stored password can be long, random and unique, because the only one you have to remember is the Master Password.
  • Password managers come in a range of plans, from free to premium business subscriptions, so an organization can pick one that fits its needs.

What are the potential pitfalls of password managers?

  • Not all password managers are built the same way. Organizations need to do their due diligence and research a product's design and track record before choosing one.
  • Losing the Master Password usually means losing access to the vault, because the provider does not store it and therefore cannot simply reset it.
  • Encryption only holds as long as the Master Password does. It is a single point of failure: anyone who obtains it, or who can guess it after stealing an encrypted copy of the vault, gets everything inside. That risk is top of mind for many businesses after the recent LastPass breaches.

Multi-factor or biometric authentication reduces the risk of someone logging in with a stolen Master Password. Note the limit, though: these controls guard the login to the service, not an encrypted vault copy that has already been taken from the provider, which can be attacked offline. Organizations must still look closely at the developing security landscape around password managers.


The LastPass security breaches

LastPass disclosed two related security incidents in 2022. In August, an attacker compromised a developer account and took source code and technical information. In the second incident, disclosed in November and detailed in December, information taken in the first was used to target an employee and gain access to a cloud-based storage environment. From that storage the attacker copied customer account information and related metadata, including:

  • Customer IP addresses, showing where users were connecting to LastPass from
  • Company names
  • End-user names
  • Billing addresses
  • Email addresses
  • Telephone numbers

LastPass also stated that the attacker copied a backup of customer vault data. Sensitive fields in that backup, such as site usernames, passwords and secure notes, are encrypted with a key derived from each user's Master Password, but some fields, such as website URLs, were stored unencrypted.

What should you look out for?

The Master Password unlocks everything in a user's vault. Following the LastPass breach, organizations need to watch for the ways an attacker can obtain it:

  • Brute-force attacks guess by trial and error. Their cost depends on the password's length and randomness, and on the cost of each guess, which is set by the vault's key-derivation settings (LastPass's stated default is 100,100 PBKDF2 iterations, but older accounts may have far fewer). LastPass has required new Master Passwords to be at least 12 characters since 2018; accounts that predate that and never changed their Master Password may still have shorter ones.
  • Phishing uses fake emails or text messages from someone posing as a LastPass employee, so that users hand their Master Password to what they believe is a real support contact. A legitimate provider never asks for it.
  • Targeted attacks aim at a specific business or person. The customer data taken in the LastPass breach (billing addresses, telephone numbers, email addresses and more) gives attackers exactly what they need to make such phishing convincing and personal.
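The following Python is an added example, not code from LastPass or any vendor, that models the two points this article keeps returning to: the vault key is derived on the client from the Master Password, so the provider never holds it, and an attacker who has stolen the encrypted vault can guess offline, paying only the key-derivation cost per guess, with no login, MFA or rate limit in the way. The key derivation is real PBKDF2-HMAC-SHA256; the cipher is a simplified HMAC-SHA256 counter-mode stand-in for AES (not for production use); the salt, the sample vault, the wordlist and the attacker's hash rate are constructed or assumed, not measured figures.

```python
"""Added example (stdlib only, not LastPass code): once an attacker holds an
encrypted copy of a vault, the Master Password is the only remaining defence.
Key derivation is real PBKDF2-HMAC-SHA256; the cipher is a simplified
HMAC-SHA256 counter-mode stand-in for AES (not for production use); the salt,
vault contents and attacker speed are constructed or assumed, not measured."""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Client-side slow KDF: the provider never receives master_password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for AES in this example."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong (the tag fails)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def login_verifier(key: bytes) -> bytes:
    """What the server keeps for authentication: a one-way value derived from
    the vault key, never the key or the Master Password (assumed scheme)."""
    return hmac.new(key, b"login-verifier", "sha256").digest()


def offline_guess(blob: bytes, salt: bytes, iterations: int,
                  candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """The attacker's loop over a stolen blob: derive a key per candidate and
    see whether the tag verifies. Returns (password or None, guesses made).
    Nothing here talks to the service, so MFA and rate limits never apply."""
    tried = 0
    for guess in candidates:
        tried += 1
        if decrypt_vault(derive_key(guess, salt, iterations), blob) is not None:
            return guess, tried
    return None, tried


def expected_guesses(length: int, alphabet_size: int) -> float:
    """Average guesses to hit a uniformly random password of this length."""
    return alphabet_size ** length / 2


def seconds_to_crack(length: int, alphabet_size: int, iterations: int,
                     sha256_per_second: float = 1e10) -> float:
    """Each PBKDF2 guess costs about `iterations` HMAC evaluations, so the guess
    rate is sha256_per_second / iterations (an assumed GPU-rig figure)."""
    return expected_guesses(length, alphabet_size) * iterations / sha256_per_second


if __name__ == "__main__":
    salt = b"user@example.com"   # constructed; managers commonly salt with the account email
    vault = b'{"site":"bank.example","user":"jane","password":"hunter2"}'  # constructed
    iterations = 100_100         # LastPass's stated default
    weak_key = derive_key("summer2022", salt, iterations)
    blob = encrypt_vault(weak_key, vault)
    # The breach hands the attacker blob + salt; the verifier stays on the server.
    print("stolen blob bytes:", len(blob), "server verifier:", login_verifier(weak_key).hex()[:16])
    print("wordlist attack:", offline_guess(blob, salt, iterations,
                                            ["password", "letmein", "summer2022"]))
    year = 365 * 24 * 3600
    for length in (8, 12):
        for iters in (5_000, 100_100, 600_000):
            print(f"random {length}-char password, {iters:>7} iterations: "
                  f"{seconds_to_crack(length, 95, iters) / year:.3g} years")
```

Run it and the wordlist attack recovers the weak Master Password on the third guess with no interaction with the service at all, which is the practical reason a stolen vault makes MFA irrelevant. The timing table makes the other point: the cost of exhaustive search multiplies by the alphabet size for every extra character and scales linearly with the iteration count, so a 12-character random password on an account with the default iteration count is out of reach, while an 8-character one on a low-iteration legacy account is not.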

The reality is that LastPass can no longer be taken as secure by default. It has already been sued by a former customer who alleged that roughly $53,000 in bitcoin was stolen from him as a result of the breach. The question becomes: are password vaults still the right choice for businesses?

Password vaults are still the best option

A dedicated password manager is still far more secure than a Post-it Note or an unencrypted note or spreadsheet. However, we recommend that current or prospective LastPass users consider a service with a more reliable security track record.

A few alternatives to consider include:

  • Bitwarden: A free password manager whose code is fully open source, so anyone can audit how it handles data. A premium tier (about $10/year) adds features such as an integrated authenticator, emergency access and encrypted file storage.
  • 1Password: A paid-only option. 1Password alerts users when a stored password appears in a known breach and prompts them to change it. It also encrypts the website URLs in the vault, not just the credentials, so a stolen vault reveals nothing about which sites a user has accounts on.
  • Enpass: Stores the vault wherever you choose, such as iCloud, Google Drive, OneDrive, or entirely offline, so there is no vendor-hosted vault to breach. The trade-off is that the storage account you pick then becomes the thing to protect.

Other options to consider are Dashlane, which has not reported a breach; KeePass, a free, open-source manager that keeps the vault in a local file; and password managers bundled by security vendors such as Kaspersky or McAfee.

Protect yourself with Information Security Insurance

Take your digital security measures one step further by investing in cyber insurance, which protects you from the fallout of inevitable security breaches. McGowanPRO specializes in professional liability, errors & omissions, and related insurance products. Our goal is to provide you with a customized, comprehensive plan to give you the peace of mind you need to focus on your business. Our Information Security and Privacy Insurance provides a variety of industry-leading coverage options, safeguarding businesses against emerging data security and privacy concerns.