LastPass, a password manager, has suffered the latest in a series of successful breaches.
Password managers like LastPass generate unique, complex passwords for many different accounts and store them in an encrypted "vault" protected by a single master password. They are widely seen as the answer to the multitude of credentials we now need across the modern Internet.
While LastPass was quick to report that the compromise affected its development environment and that no user data was compromised [*], this is still of great concern: the disclosure does not go far enough to say whether the leaked proprietary source code could be used to develop exploits against the platform's integrity. There is also no information about whether any steps were taken to prevent future breaches, including a full review of the code to assess how the leaked code could give attackers an advantage.
This is yet another reminder of the importance of multi-factor authentication (MFA), which helps mitigate the risk of stolen or lost passwords. It also underscores the need to transition away from passwords entirely. With MFA mandatory on November 1 (https://go.unu.edu/gQMk5), it would be a good idea to advise your users to start early to avoid any last-minute surprises. Please take action accordingly.
Password managers like LastPass are supposed to be the guards at the front gate, protecting the keys to our kingdoms. But what happens when the guards themselves have been compromised? They may just lower the drawbridge and invite the enemy in.