Third Party Risk: LastPass Breach Leaks Password Vaults
In August 2022, LastPass, a cloud-based password management service, reported a security breach that it believed to be contained. This turned out not to be the case: in December it was disclosed that a threat actor had used data stolen in the August attack to access backup infrastructure where customer password vaults were stored. While the vaults are protected by encryption, the encryption key is derived from the user's master password, which means that attackers holding a copy of a vault can conduct offline password cracking attacks against it to recover the master password and decrypt the vault. The strength of the master password and the key-derivation work factor applied to it are therefore the only remaining protection for the stolen data.
We recommend that MSPs assess their employees, customers and critical service providers to identify any use of LastPass and confirm that those parties have changed their master password and rotated every password stored in the vault. Also, given LastPass's breach history, we recommend that MSPs consider an alternative solution.
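The following Python script is an added illustration of why a stolen vault is exposed to offline guessing, and it is not part of Kaseya's advisory or LastPass's own code. It models the vault key as PBKDF2-HMAC-SHA256 over the master password salted with the account e-mail (an assumption modelled on LastPass's publicly documented design), measures how much each guess costs at a low and a high iteration count, and turns that into an expected offline-attack time for a master password of a given entropy. The iteration counts (5,000 and 100,100), the attacker throughput figure and the sample credentials are constructed for the example.

```python
import hashlib
import hmac
import math
import time

# Assumed scheme (not stated on the page): vault key = PBKDF2-HMAC-SHA256(
#   master_password, salt = lower-cased e-mail, iterations, 32 bytes).
# Iteration counts used below are illustrative. A low count is what an
# older, never-upgraded account might carry; the high count is a modern default.
KEY_LEN = 32
LOW_ITERATIONS = 5_000
HIGH_ITERATIONS = 100_100


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the symmetric vault key from the master password (assumed PBKDF2 scheme)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, KEY_LEN
    )


def login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Server-side verifier: one extra PBKDF2 round over the vault key, salted with the
    password, so the server never stores the key itself (assumed design)."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, KEY_LEN)


def verify_master_password(candidate: str, email: str, iterations: int, stored: bytes) -> bool:
    """Constant-time check of a candidate master password against the stored verifier."""
    key = derive_vault_key(candidate, email, iterations)
    return hmac.compare_digest(login_hash(key, candidate), stored)


def password_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password drawn from a charset of the given size."""
    return length * math.log2(charset_size)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the single-core cost of one key derivation on this machine."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", "probe@example.com", iterations)
    return (time.perf_counter() - start) / samples


def expected_offline_seconds(entropy_bits: float, iterations: int, iterations_per_second: float) -> float:
    """Expected time to hit a master password of the given entropy when the attacker can
    compute `iterations_per_second` PBKDF2 iterations per second in total. On average
    half the keyspace must be searched, and each guess costs `iterations` iterations."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses * iterations / iterations_per_second


if __name__ == "__main__":
    # Constructed sample account; nothing here comes from a real vault.
    email = "user@example.com"
    master = "correct horse battery staple"
    verifier = login_hash(derive_vault_key(master, email, HIGH_ITERATIONS), master)
    print("verifier accepts correct password:", verify_master_password(master, email, HIGH_ITERATIONS, verifier))
    print("verifier rejects wrong password:  ", verify_master_password("hunter2", email, HIGH_ITERATIONS, verifier))

    # Constructed attacker budget: 1e9 PBKDF2-SHA256 iterations per second across a GPU farm.
    budget = 1e9
    bits = password_entropy_bits(26, 8)  # 8 lowercase letters, ~37.6 bits
    for iters in (LOW_ITERATIONS, HIGH_ITERATIONS):
        print(f"{iters:>7} iterations: {seconds_per_guess(iters) * 1000:.1f} ms/guess here, "
              f"expected offline time for an 8-lowercase-letter master password "
              f"~{expected_offline_seconds(bits, iters, budget) / 3600:.1f} h")
```

The point the numbers make is that the work factor only scales the attacker's cost linearly, whereas each additional bit of master-password entropy doubles it; the rotation advice above exists because once the vault copy is offline, no setting on the provider's side can be changed to protect it any further.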
-Kaseya Third Party Risk Management Team