When a Cyberattack Strikes, Is It the Customer’s Fault? LastPass Seems to Think So.
"Data Security Breach" by Visual Content is licensed under CC BY 2.0.


Three days before Christmas in 2022, LastPass, a company that promises to keep your passwords safe, handed its 33 million customers a lump of coal. Karim Toubba, the chief executive officer of LastPass, warned in a December 22nd blog post about a data breach in which hackers copied a backup of customer vault data, resulting in potentially millions of passwords falling into the hands of cybercriminals.

While it’s appalling that LastPass chose to be a Grinch and drop the bombshell notice during a festive period—when people are rejoicing with family and businesses are closed for the holidays—LastPass’s advice to customers whose vaults were hacked was equally shocking: maybe do nothing.

According to Mr. Toubba’s blog post, the hacked password vaults were encrypted—and the data secure—as long as the customer’s master password conformed to LastPass’s “default settings” and the customer followed the company’s “password best practices.”

LastPass customers use a master password to log into their LastPass account. According to Mr. Toubba’s post, it would take cybercriminals “millions of years” to guess the master password for customers with a strong master password of at least twelve characters. Mr. Toubba’s post recommended that customers never reuse the master password for other websites; otherwise, cybercriminals could use a password stolen from a breached website to access the customer’s LastPass account (a cyberattack known as “credential stuffing”).

So customers using a strong, unique master password are probably out of the woods, as Mr. Toubba claims in the post that hashing and encryption methods deployed by LastPass would make it “extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices.”

On the other hand, customers who created a weak master password are in hot soup, as hackers using brute force methods can guess the master password to break into the customer’s vault—meaning all of the customer’s passwords are now in the hands of cybercriminals. For customers with weak or reused master passwords, Mr. Toubba advises that “as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.”

And therein lies the catch—and quite likely LastPass’s future legal defense. Mr. Toubba’s blog post audaciously contends that LastPass’s security architecture did, in fact, keep the password vaults secure from the prying fingernails of cybercriminals. By Mr. Toubba’s logic, cybercriminals could only access the vault to steal the passwords if the customer created a weak master password or reused the master password for another website. In other words, any data leakage from the breach is not LastPass’s fault—it’s the fault of customers who did not follow the company’s “password best practices.”

But don’t just take Mr. Toubba’s blog post for it—in a statement emailed to the New York Times, Mr. Toubba wrote about the “strength of the company’s system architecture,” which “kept sensitive vault data encrypted and secured,” and said that it was up to users to “practice good password hygiene.”

Never mind that LastPass has “required” twelve-character master passwords since 2018 but hasn’t enforced the policy, meaning there are likely to be customers who created an account before 2018 still using a master password with fewer than twelve characters. LastPass could fix this security flaw by forcing users with a weak master password to create a strong one when they log in—however, LastPass has not taken this step.
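As an added illustration (not LastPass’s code and not from the article), the login-time gate described above combined with the brute-force reasoning from the earlier paragraphs: a master password is rejected and a reset forced if it is shorter than the twelve-character policy the article cites or appears in a known breach, and a worst-case search time is reported alongside the decision. The guess rate, the breached-password list and the example passwords are constructed assumptions.

```python
import string

# Added example: a login-time master-password gate of the kind the article says
# LastPass could apply but did not. MIN_LENGTH is the article's stated policy;
# everything else here is a constructed assumption for illustration.
MIN_LENGTH = 12
ASSUMED_GUESSES_PER_SECOND = 1e9          # assumed offline brute-force rate
SECONDS_PER_YEAR = 365 * 24 * 60 * 60
# Constructed stand-in for a feed of passwords exposed in other breaches
# (the credential-stuffing risk the article describes).
KNOWN_BREACHED = {"Password123", "Summer2019!", "letmein"}


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search to cover this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def years_to_exhaust(pw: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every string of this length and alphabet."""
    space = charset_size(pw) ** len(pw)
    return space / rate / SECONDS_PER_YEAR


def evaluate_master_password(pw: str, breached=KNOWN_BREACHED) -> dict:
    """Decide whether to force a reset at login, and say why."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than the {MIN_LENGTH}-character minimum")
    if pw in breached:
        reasons.append("seen in another breach; exposed to credential stuffing")
    return {
        "force_reset": bool(reasons),
        "reasons": reasons,
        "years_to_exhaust": years_to_exhaust(pw),
    }


if __name__ == "__main__":
    for candidate in ("letmein", "Password123", "Tr0ub4dor&3Xy!"):
        print(candidate, evaluate_master_password(candidate))
```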

Never mind that LastPass offers multifactor authentication (MFA), typically a one-time code used in addition to your username and password, but doesn’t enforce MFA when a customer creates a LastPass account—so customers unaware that LastPass offers MFA are not protected by this essential, powerful defense against brute force attacks. Here again, LastPass could significantly improve “good password hygiene” by requiring MFA when customers establish a LastPass account—but the company has not done this.

Never mind that LastPass has a sorry track record in repelling cyberattacks. LastPass has been hacked six times—2011, 2015, 2016, 2017, 2019, and 2022—with the last breach being the worst. Cybercriminals hacked LastPass in August 2022 and used the information from the breach to trick a LastPass employee into giving up the credentials and decryption keys needed to copy backups of customer password vaults.

Even worse, LastPass did not encrypt everything stored in the customer vaults—so while passwords in the vault were encrypted, customer metadata was not. Website URLs, IP addresses, and other metadata such as company names, user names, billing addresses, email addresses, and telephone numbers are extremely sensitive pieces of information. In the hands of a cybercriminal, personally identifiable information (PII) is a ticking time bomb. PII can be tied to a specific individual and used by cybercriminals to launch spear phishing attacks against high-value targets, such as journalists, political activists, or company executives. Encrypting stored metadata is an elementary countermeasure for thwarting cyberattacks—yet LastPass didn’t encrypt the metadata.

None of this is the fault of LastPass customers, even the ones who did not practice “good password hygiene.” When cybercriminals break into a company’s network and steal customer data, it is the company that is responsible for the breach. What makes pointing the finger at LastPass customers so galling is that LastPass is not simply a password manager—at its core, LastPass is a cybersecurity company that sells peace of mind to its customers.

With such a poor batting average against cybercriminals, LastPass should not be trial-ballooning the canard that “good password hygiene” is solely the customer’s responsibility. Given LastPass’s long and tortured history of cyberattacks, the company should implement an enterprise-level password reset for all existing customers who are still signing in with weak master passwords. In addition, MFA should not be optional—LastPass should hardwire MFA so that every customer with a LastPass account is required to enable it. Finally, LastPass should come clean about the details of the breach—exactly when the breach happened and how many customers were impacted would be important things to know, but LastPass isn’t saying. It’s likely that federal law enforcement agencies are investigating the breach to identify the cybercriminals who launched the cyberattack; but given LastPass’s lack of public transparency, there needs to be an investigation focusing on whether lax cybersecurity on the part of LastPass contributed to the debacle.

No doubt, individual responsibility is a vital element of cybersecurity. Everyone should practice good cyber hygiene by creating strong passwords that are never reused and enabling MFA whenever available for online accounts. However, responsibility for cybersecurity is not a one-way street leading to the end-user's home; it is the shared responsibility of both the customer and the company.

So LastPass should not get a free pass just because some customers did not follow the company’s “password best practices.” A cybersecurity company that promises to keep your passwords and metadata safe should not be wagging a finger in your direction when its network, and your data, have been breached—and practicing “good password hygiene” should not be a cynical legal tactic to shield a company from this responsibility.


About the Author: Frank Riccardi, JD, CHC, is a cybersecurity and privacy expert and former C-level executive with 25 years of experience developing compliance and privacy programs for large healthcare systems. He is the author of Mobilizing the C-suite: Waging War Against Cyberattacks, a call to arms for C-suite leaders to implement the tried-and-true cybersecurity countermeasures proven to thwart cyberattacks.


#informationsecurity #cybersecurity #hacking

Update: LastPass’s finger pointing continues. I recently wrote an article about LastPass blaming their customers for potential data leakage resulting from the massive 2022 breach in which cybercriminals copied backups of customer vaults.

But with Mr. Toubba’s March 1st blog post revealing a new breach, it appears the blame game has taken a new turn. In a note providing additional details of the second attack, LastPass states the new breach resulted from a DevOps engineer’s failure to install a patch to a “vulnerable third-party media software package,” enabling a threat actor to deploy keylogging malware on the employee’s home computer.

Okay, so the DevOps engineer didn’t install a Plex patch—but why doesn’t LastPass have a patch management program that doesn’t rely on individual employees? The unfortunate DevOps engineer is probably not a cybersecurity professional—so why did LastPass put the onus on the engineer to install the patches? Doesn’t LastPass have WFH technical controls?

LastPass isn’t just a password management platform—at its core, it’s a cybersecurity company that sells peace of mind to its customers. So what is going on with LastPass’s internal culture of cybersecurity?
