Dear Company with Data to Protect,
You have no doubt heard about the LastPass breach that occurred in December 2022. As a LastPass vendor ourselves (don’t worry, we’re fine), allow us to fill you in on the play-by-play:
- Using technical information and source code taken in an earlier breach in August 2022, the attacker targeted an employee, obtained credentials and keys, and copied data out of LastPass's cloud-based backup storage.
- The stolen data included customer account information: company and end-user names, billing addresses, email addresses, telephone numbers and the IP addresses customers used to reach the LastPass service.
- The attacker also obtained a backup of customer vault data. Sensitive fields such as website usernames, passwords and secure notes are encrypted with a key derived from each user's master password, which LastPass never holds (its zero-knowledge architecture), so they stay protected as long as that master password is strong. Two caveats a practitioner should weigh: the attacker now holds an offline copy to run guessing attacks against, so weak master passwords and older accounts with a low PBKDF2 iteration count are at real risk, and some vault fields, notably the website URLs, were stored unencrypted.
The LastPass breach was shocking because of the sheer amount of data compromised. Estimates put the number of affected users at around 30 million. Personal information such as profile data and contact details was also accessed, and many users have already received phishing messages built from the details stolen from their LastPass accounts.
Needless to say, this breach rocked the business community. And with good reason. LastPass touts itself as the leading password management tool in the world with over 33 million customers and 100,000 businesses. It has won a myriad of awards from Best Password Management (from ChannelPro) to Best for Ease of Use (Money.com) to Most Innovative in Multi-Factor Authentication (from Cyber Defense Magazine). If LastPass isn’t hacker-proof, can anyone be?
The answer is yes.
Password Best Practices for the Win
At Nutmeg Consulting, despite using LastPass for password management not only internally, but for our clients as well, our policies and password management practices shielded us from the worst of the breach. The reason for that is our diligent adherence to password best practices.
Here are some of the password management practices that helped to protect us and our IT services clients:
- Long, character-rich passwords: a minimum of 13 characters mixing uppercase letters, lowercase letters, numbers and symbols (passphrases encouraged); anything you never need to type from memory should be generated by the password manager
- Rotating passwords regularly for sites that don't offer 2FA, and immediately for any credential that may have been exposed in a breach
- No password reuse: every account gets its own unique password
- Treating answers to security questions like passwords, not like things to remember
- Where a site won't let you write your own questions, generating a long random string as the answer and storing it in the password manager
- Choosing TOTP (Time-based One-Time Passwords) from an authenticator app such as Google Authenticator or LastPass Authenticator rather than SMS codes where the site offers the choice
- Enabling multi-factor authentication wherever possible
These are not merely recommended actions that we halfheartedly put in front of our IT support clients; these are cyber awareness absolute must-dos with no room for negotiation. We are an IT services company that doesn’t believe in half-measures when cybersecurity is at stake.
Peace of Mind During a Cybersecurity Crisis
While millions of customers panicked and lost sleep over the potential implications of the LastPass breach, our clients were sleeping well and experiencing the incredible peace of mind that comes with working with one of the best cybersecurity companies in the Northeast.
Interested in experiencing that peace of mind yourself? Robust password protection is just a fraction of the cybersecurity protection provided by Nutmeg Consulting. We take a comprehensive approach to cybersecurity and network protection and our suite of services includes:
- Access to an AI-powered advanced firewall that automatically detects and blocks threats to all devices
- A team of specialists that includes experts in crisis management and rapid response
- Cyber awareness training that empowers your employees to identify the telltale signs of a cyberattack
- Hardware installation and configuration
Given how widely LastPass is used by both consumers and businesses, this breach was a stark reminder that even industry-leading security platforms can be compromised. With online accounts so ingrained in our lives, a breach like this reinforces the importance of proper cybersecurity.
Don’t wait for the next high-profile and mass-scale cybersecurity attack to get your IT affairs in order. Let’s connect and discuss your cybersecurity must-dos … before it is too late.
Here to protect your organization,
The experts at Nutmeg Consulting