
The recent breach at the popular password manager, LastPass, has caused a lot of concern amongst its users. We ourselves have discussed whether this is the last pass we are going to give to LastPass. So, in today’s episode, we discuss what happened, what it means for LastPass users and what are some things you should do or consider doing.
In this episode:
The Last Pass for LastPass? – Ep 389
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
The Privacy and Security Boot Camp
3.5-day in-person event
Mar 12, 13, 14 and 15, 2023
PriSecBootCamp.com
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
HIPAA Say What!?!
[08:03] Lab Pays $16,500 Settlement to HHS, Resolving Potential HIPAA Violation over Medical Records Request
Life Hopes Resolution Agreement and Corrective Action Plan | HHS.gov
Data Privacy Week – National Cybersecurity Alliance
Listener Question
[14:56] Got lost in our wonderful documentation system from Oct.
Hello,
Big fan of the podcast. I had a question for you, that’s hard for me to find.
We’re a software engineering company. We have made an app for a hospital. I believe PHI traverses through our app, but no one at our company has access to the actual PHI, in any way, shape, or form. My question is, does our company need to be HIPAA compliant?
Is This The Last Pass for LastPass?
[22:13] Notice of Recent Security Incident – The LastPass Blog
LastPass finally admits: Those crooks who got in? They did steal your password vaults, after all…
If you are not yet aware, LastPass has had another breach. This is not the first time LastPass has had a breach, and we’ve discussed those in the past.
We both have used LastPass for years and we have always said that we really appreciate the transparency of the company and how they handled the breaches in the past. However, this time we can’t give LastPass a pass.
We waited to discuss this until the dust settled a bit, so that we had a better understanding of what we were dealing with and could distill this down to you, our listeners. Many folks do not follow infosec news like we do, so this may be new information for you. We’ve also had folks asking us what our thoughts are and what they should do in response to the breach.
Let’s take a minute to talk about what we know so far and then we will discuss how we intend to handle this for our own businesses, as well as what we recommend for you to consider.
Back on August 25, 2022, LastPass publicly announced that it had been a victim of a breach a couple of weeks earlier. At that time, part of the announcement read:
We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.
So, already I’m not feeling good about this. They took source code and proprietary technical information? At present, we still do not know what this source code or information might be used for or how it could be weaponized against users. However, according to THIS notice, customer data and encrypted password vaults remain safe.
A follow-up announcement about a month later was similarly concerning:
That’s right, MFA was in place and it did what it is supposed to do, however the human firewall failed and let the hackers right in.
Let’s fast forward a few months (yes months) to the most recent notice from LastPass about this incident, dated December 22, 2022:
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
Great!… just freaking fantastic! Not only does the hacker have my personal information but also an encrypted copy of my LastPass Vault.
[31:40] So, what does this mean for you if you use LastPass? Well, that all depends on the security measures that you personally took BEFORE this breach. Here are a few things we say all the time that come to mind here…
- “You can’t fully outsource your own security.”
- “You should not wait until a security incident to start taking security seriously.”
- “Nothing is 100% in cybersecurity, you need layers of protection.”
From here, we want to shift our focus on what our recommendations are for those using LastPass. There is plenty we can discuss and speculate about what happened and how it happened, however what is really important for us users is how we should best respond to this.
Is Your Password Vault Safe?
[34:18] As safe as it can be in the loving arms of a hacker 🙂. How good your vault password was will be very important here. If you had an easy password, a password that has been breached in the past, or a password that is part of any known-password list, you probably should be worried. Even if you had a very strong password, you are now facing the possibility of hackers trying to get you to give up the credentials to your vault. That means more targeted spam, phishing, smishing, and vishing. Since the hackers can see the URLs in your LastPass account, it will be fairly easy for them to figure out if you are worth their time to target.
As an example, LastPass Account #1 has some gaming sites, a school site, and some porn sites. LastPass Account #2 has three different banking sites, a few credit card sites, and dozens of business and shopping sites. Which do you think looks like the best use of the hackers’ time and resources?
What Should You Do?
[42:03] Here is our checklist of things we recommend you do or consider:
- Change your LastPass master password
- Make sure it is strong
- Never use it anywhere else
- Change the passwords stored inside your vault
- Change your Password Iterations setting to 310000
- Set up 2FA/MFA everywhere you can
- Be very suspicious of everything that “smells funny”
- Whether you decide to move to a different password manager or stay with LastPass, you should have a documented assessment of your decision
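To show why the iterations setting and the master password strength in the checklist above matter so much once a copy of an encrypted vault is in someone else's hands, here is an added example (not code from the show or from LastPass). It assumes the vault key is stretched from the master password with PBKDF2-HMAC-SHA256, which is the construction the iterations setting controls; the salt, sample password and password policies are constructed for illustration.

```python
"""Work-factor check for a stolen, encrypted vault (added example).

Assumption: the vault key is derived with PBKDF2-HMAC-SHA256, so every
offline guess against a stolen vault copy costs one full PBKDF2 run.
"""
import hashlib
import time

SALT = b"user@example.com"              # constructed; real vaults salt per account
MASTER = "correct horse battery staple"  # constructed sample master password


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Key stretching: PBKDF2-HMAC-SHA256 with a 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure what one guess costs on this machine at a given iteration count."""
    t0 = time.perf_counter()
    for _ in range(samples):
        derive_vault_key(MASTER, SALT, iterations)
    return (time.perf_counter() - t0) / samples


def years_to_exhaust(keyspace: float, secs_per_guess: float, parallel: int = 1) -> float:
    """Worst-case wall-clock years to try every password in `keyspace`."""
    return keyspace * secs_per_guess / parallel / (365 * 24 * 3600)


if __name__ == "__main__":
    # Two constructed master-password policies: 8 lowercase letters versus a
    # 4-word passphrase drawn from a 7776-word list.
    policies = {"8 lowercase chars": 26 ** 8, "4-word passphrase": 7776 ** 4}
    # 310000 is the value from the checklist; 5000 is an illustrative low setting.
    for iters in (5000, 310000):
        cost = seconds_per_guess(iters)
        print(f"{iters:>7} iterations: {cost * 1000:.1f} ms per guess on this CPU")
        for name, space in policies.items():
            # Crude model: 1000 guessers running in parallel (assumption, not a
            # measurement of real cracking hardware, which is faster per guess).
            print(f"   {name}: ~{years_to_exhaust(space, cost, 1000):.2e} years")
```

Raising the iteration count raises the cost of every guess linearly, while a longer master password grows the keyspace exponentially, which is why the checklist asks for both.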
We still think password managers are a great tool and maybe even necessary. Like everything that contains sensitive information, it should be well protected. Even better is that you have other layers of security so that even if someone had your passwords, they still could not gain access to your most critical data and sites.
If you haven’t conducted an assessment lately of how your organization creates, uses, stores, accesses, and manages passwords, now is the time. Implementing a password manager for users across your organization is much safer than having users create spreadsheets of their passwords or write them all down in their “password book”.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.