Hackers Expose LastPass Security Gaps
Think about all the passwords that school employees have to keep up with for applications and software such as Skyward, Canvas, and Office365. For security reasons, passwords should never be written down. That’s why many districts invest in password management tools, which create one master password that controls employees’ individual passwords. If your district uses a tool called LastPass, you need to know about recent cyberattacks that took advantage of the product’s security gaps.
What Happened?
LastPass built a reputation as a reliable organization that uses military-grade AES 256-bit encryption on users’ master passwords. In 2019, the company identified a vulnerability on their Web portal. The LastPass security team quickly patched the vulnerability, and there were no reports of data theft or exposure. In August and November 2022, however, LastPass suffered two large data breaches.
The breaches appear to have been the result of poor third-party vendor security, but a large amount of customer data was stolen. LastPass tried to reassure customers that the data was in big, encrypted blocks. Because of the AES-256 encryption, it would be nearly impossible for hackers to decode.
LastPass didn’t know that metadata associated with saved websites underneath each user’s master password was not encrypted. So, hackers could see saved usernames, website addresses, and passwords stored in browsers when users entered that information into LastPass.
Then in September 2023, cybercriminals emptied the crypto wallets of several prominent cryptocurrency traders. The only common denominator? The victims were all using LastPass master passwords. It is now generally accepted hackers are decrypting stolen data blocks.
What Does it Mean to You?
LastPass strongly recommends customers follow its remediation steps for individual and business users. Work with your IT department to determine whether your organization has been targeted and follow LastPass’ suggested protective measures to ensure you aren’t a secondary victim. If you're exploring other password management tools, make sure you vet your vendors.
Lucas Anderson
Lucas Anderson joined TASB Risk Management Services in 2019, bringing more than a decade of experience in cybersecurity, network administration, and information technology. He advises districts on preemptive mitigation against ongoing and emerging cybercriminal threats targeting the education sector, as well as cybersecurity-related regulatory compliance.
Over his career, Anderson has supported public and private organizations, including Booz Allen Hamilton, the White House Office of Management and Budget, the Department of Defense, and the Texas Association of Counties.
You May Also Like…
View All Related Insights
Cybersecurity Is Not Just an IT Thing
Cybersecurity culture is built on every employee embracing their role in keeping criminals at bay. Here are seven tips to help you get there.
Want to Worry Less About Data Breaches?
The accidental release of sensitive information can tarnish your organization’s reputation. Data loss prevention tools help ensure that when employees make mistakes, technology has your back.
Tax Season Tips for Avoiding Cyber Scams
During tax season, cybercriminals are looking to claim their own returns. Stay up to date on this season's scams to protect your organization and employees.
Don't Fall for These Holiday Cyber Scams
Cybercriminals are looking to take advantage of the holiday hustle and bustle. Protect yourself and your organization with these holiday cybersecurity tips.