LastPass - TLDR Version
Lance Peterman, CIDPRO
Digital Identity & InfoSec Professional - Adjunct Professor - IDPro Board Emeritus - Elections Official
Some of you may be aware of a recent announcement from LastPass regarding a 2nd breach in which customer data (including accounts and passwords) were captured by hackers. I'm not going to rehash the events but thought I might provide a simplified message of what should be done if you were caught in the blast radius of the breach, either as a business customer or consumer. The answers will definitely vary.
Consumers:
Business Customers:
The answer in this category depends on one key feature of your implementation of LastPass: whether SSO is enabled.
SSO enabled:
You're probably ok here, but I would work with LastPass to ensure you can refresh your keys for all users (and thus would re-encrypt all of their respective vaults).
SSO Not Enabled:
This situation mirrors the consumer scenario for the most part, so follow steps 1-3 above. Also, work with LastPass to turn on SSO ASAP. This has the effect of changing the master password for users and re-encrypting the user vaults.
I would also communicate with users to identify any privileged accounts that are in their vaults. While all passwords should be changed, you want your threat teams to be tracking accounts that may be at particular risk of additional damage in the enterprise.
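One way to support that privileged-account identification at scale, as an added example that is not part of the original article and not LastPass's own tooling: a small triage script that reads a vault export and flags entries that look privileged so they can be rotated and watched first. It assumes the export is a CSV with the column layout `url,username,password,totp,extra,name,grouping,fav` (adapt the names if your export differs), and the vault rows and keyword heuristics below are constructed for illustration.

```python
"""
Triage helper for a vault export: flag entries that look like privileged or
high-impact accounts so the threat team can prioritise rotation and monitoring.

Added example for this article; not LastPass code. The CSV header below is the
column layout assumed here (url, username, password, totp, extra, name,
grouping, fav). The rows are constructed sample data.
"""
import csv
import io
import re

# Constructed sample export: three ordinary entries and three that should be flagged.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://intranet.example.com,jsmith,Corr3ctHorse,,,Intranet,Personal,0
https://console.aws.example.com,admin-root,Staple!Battery9,,,AWS root account,Cloud,1
https://vpn.example.com,jsmith,Winter2023,,,VPN,Personal,0
ssh://db01.example.internal,postgres,dbPassw0rd!,,,Production DB,Servers,0
https://okta.example.com,jsmith,Okta-Pass-1,,,Okta (Super Admin),Identity,1
https://news.example.com,jsmith,Reader!2023,,,News site,Personal,0
"""

# Keyword patterns that suggest a privileged account. Assumption: this is a
# starting heuristic only; tune the list to your environment.
PRIVILEGE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"\broot\b", r"\badmin", r"\bsuper\s*admin\b", r"\bdomain\b",
              r"\bprod(uction)?\b", r"\bpostgres\b", r"\bservice\b")
]
# Vault folders that, in this constructed example, hold infrastructure credentials.
PRIVILEGED_GROUPS = {"cloud", "servers", "identity", "infrastructure"}


def classify_entry(row):
    """Return the list of reasons an entry looks privileged (empty if none)."""
    reasons = []
    haystack = " ".join((row.get("name", ""), row.get("username", ""), row.get("url", "")))
    for pat in PRIVILEGE_PATTERNS:
        if pat.search(haystack):
            reasons.append(f"matches {pat.pattern!r}")
    if row.get("grouping", "").strip().lower() in PRIVILEGED_GROUPS:
        reasons.append(f"folder {row['grouping']!r}")
    return reasons


def triage_export(csv_text):
    """Parse the export and return (flagged_entries, total_entry_count)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    flagged = []
    total = 0
    for row in reader:
        total += 1
        reasons = classify_entry(row)
        if reasons:
            flagged.append({"name": row["name"], "username": row["username"],
                            "url": row["url"], "reasons": reasons})
    # Strongest signals first so the threat team sees the riskiest entries at the top.
    flagged.sort(key=lambda e: len(e["reasons"]), reverse=True)
    return flagged, total


if __name__ == "__main__":
    flagged, total = triage_export(SAMPLE_EXPORT)
    print(f"{len(flagged)} of {total} entries look privileged; rotate and monitor these first:")
    for e in flagged:
        print(f"  {e['name']} ({e['username']}) - {', '.join(e['reasons'])}")
```

Run it against each user's export and feed the flagged list to the team tracking at-risk accounts; every other entry still gets rotated, this just sets the order.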
Change vendors? I won't weigh in here. There are good arguments to be made in both directions but that isn't the purpose of this article. This is triage to manage your immediate risk. I hope it helped.
SDE II at PKI Solutions
2 years ago: Do you see LastPass recovering from this?