LastPass is a password manager that stores a user's usernames and passwords in an encrypted vault. The vault is protected by a master password, which is what the user types to authenticate to LastPass. Once a credential is saved to the vault, LastPass autofills it into the matching login form. One benefit of this approach is that users do not have to remember a separate password for every site they use. A further benefit is that autofill means the password is never typed, so a keylogger cannot capture it, and the credential is not left for an attacker to scrape from the browser's own saved-password store. LastPass currently services approximately 33 million registered users and more than 100,000 business customers.
On August 25, 2022, LastPass published a blog post informing its customers that it had detected "some unusual activity within portions of the LastPass development environment." The activity reportedly took place over four days. LastPass stated that while some source code was stolen from the development environment, no customer data had been accessed at that time. The company immediately began an investigation and partnered with a leading cybersecurity forensics firm to review its policies and security controls. On December 22, LastPass published an updated blog post informing customers that the intruders had obtained a backup of customer vault data in late November. The backup was accessed using cloud storage keys stolen from a LastPass employee. Vault data is encrypted with a key derived from the customer's master password, which LastPass itself does not store, but the company explained that an intruder holding the backup could attempt to recover a master password by brute force, offline and without any contact with LastPass's servers. It recommended that customers change the passwords stored in their LastPass vaults as a precaution, prioritizing online financial accounts and other sites that hold critical or sensitive information. On January 3, 2023, a class action was filed under the name John Doe in the U.S. District Court for the District of Massachusetts on behalf of all victims of the attack.
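The offline guessing the December update warns about, as an added example that is not part of the original article and not LastPass's code: a constructed backup blob whose key is derived from the master password with PBKDF2-HMAC-SHA256, a dictionary attack run against it without touching any server, and a back-of-envelope estimate of how long random passwords of a given length survive at the measured guess rate. The vault format, the toy HMAC-counter cipher standing in for AES, the iteration counts and the wordlist are all assumptions made for this example, not details of LastPass's real implementation.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

KEY_LEN = 32  # 256-bit vault key


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the vault key from the master password with PBKDF2-HMAC-SHA256.

    The iteration counts used in this file are illustration values chosen for
    the example, not figures quoted from LastPass.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode) so the example runs on the
    # standard library alone. It stands in for AES and is NOT the real vault format.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def make_vault(master_password: str, plaintext: bytes, iterations: int) -> dict:
    """Build a constructed 'encrypted backup': everything an attacker holds after exfiltration."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    # Salt, nonce, iteration count and tag all ship with the blob; only the password is missing.
    return {"salt": salt, "nonce": nonce, "ct": ciphertext, "tag": tag, "iterations": iterations}


def try_password(vault: dict, candidate: str) -> bool:
    """Test one guess entirely offline: derive the key, recompute the tag, compare.

    No server is contacted, so login rate limits, lockouts and MFA never engage.
    """
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    tag = hmac.new(key, vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    return hmac.compare_digest(tag, vault["tag"])


def decrypt(vault: dict, master_password: str) -> Optional[bytes]:
    """Return the plaintext if the password is right, else None."""
    if not try_password(vault, master_password):
        return None
    key = derive_key(master_password, vault["salt"], vault["iterations"])
    stream = _keystream(key, vault["nonce"], len(vault["ct"]))
    return bytes(c ^ k for c, k in zip(vault["ct"], stream))


def crack(vault: dict, wordlist) -> tuple:
    """Dictionary attack over the blob. Returns (password_or_None, guesses_tried)."""
    guesses = 0
    for guess in wordlist:
        guesses += 1
        if try_password(vault, guess):
            return guess, guesses
    return None, guesses


def guesses_per_second(iterations: int, samples: int = 10) -> float:
    """Rough single-core guess rate at this iteration count (GPU rigs are far faster)."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"candidate-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def expected_guesses(alphabet_size: int, length: int) -> float:
    """Average guesses to hit a uniformly random password: half the keyspace."""
    return alphabet_size ** length / 2


def expected_years(alphabet_size: int, length: int, rate: float) -> float:
    """Expected wall-clock years at `rate` guesses per second."""
    return expected_guesses(alphabet_size, length) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample vault content; the weak master password is in the attacker's wordlist.
    secrets_blob = b'{"sites": [{"url": "bank.example", "password": "hunter2"}]}'
    vault = make_vault("Summer2022!", secrets_blob, iterations=100_000)
    wordlist = ["password", "123456", "Summer2022!", "letmein"]  # constructed wordlist
    found, tried = crack(vault, wordlist)
    print(f"recovered {found!r} after {tried} guesses; vault = {decrypt(vault, found)!r}")

    for iters in (100_000, 600_000):
        rate = guesses_per_second(iters, samples=3)
        print(f"{iters:>7} iterations: ~{rate:,.1f} guesses/s on one core")
        print(f"    8 lowercase chars -> ~{expected_years(26, 8, rate):.4f} years")
        print(f"   20 generated chars -> ~{expected_years(95, 20, rate):.2e} years")
```

Run the file directly to see the dictionary attack succeed and the time estimates at the two illustration iteration counts. The point to take from it is that once the blob is stolen, the tag check is the only oracle the attacker needs: login MFA, lockouts and rate limiting never engage, so the cost per guess (the iteration count) and the master password's entropy are the whole remaining defence, which is why an 8-character dictionary-style password falls in seconds while a 20-character generated one does not.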
Basis of the Case
The plaintiff claims that approximately $53,000 in Bitcoin was stolen, during the week of Thanksgiving 2022, from an online account whose password was stored in LastPass. Reports were filed with the local police and the FBI. The plaintiff states that the master password was created with a password generator and complied with the best practices LastPass recommends. The suit is based on the defendant's alleged failure to exercise "reasonable care" in securing and safeguarding highly sensitive data that was targeted over the course of several months. Because the master passwords of its customers can be brute forced from the stolen backup, the personal information of LastPass's customers could be exposed to the public, including names, billing addresses, contact information and IP addresses. The complaint states that the plaintiff and the class members would never have entrusted their private information to LastPass had they known the company was failing to adequately protect it. The plaintiff argues that because LastPass is in the business of securing passwords, it was fully aware of the importance of reducing its exposure to cyberattacks. In addition to the lost value of their privacy, the suit seeks compensation for the time and effort required to mitigate the attack's impact by changing passwords and taking other time-consuming actions made necessary by the breach. There are currently 100 class members associated with this suit.
Call to Action
The attack on LastPass illustrates the inherent weakness of relying on a single secret both to authenticate users and to protect their data: once the encrypted backup was in the intruders' hands, the only thing between them and a customer's vault was the strength of that one master password, tested offline at their leisure. Relying on a single password to secure computer systems and sensitive data should be considered an outdated practice. All sign-ins should be protected by a multifactor authentication (MFA) solution that requires a user to prove their identity with a second authentication mechanism. In addition to the password, MFA uses a factor such as an SMS code, an authenticator app, a fingerprint scan, or a FIDO (Fast IDentity Online) security key. One caveat applies to this incident: MFA protects the sign-in itself, not a copy of the encrypted data that has already been stolen, so it belongs alongside a long, randomly generated master password and a costly key-derivation setting, not in place of them. Many cybersecurity professionals consider MFA to be a reasonable security measure, and reasonable security is the practical expression of the legal concept of "duty of care." A duty of care means that a person or organization must act with the same prudence a reasonable person would exercise in similar circumstances. A company that can prove it met this standard of care cannot be found negligent for an event such as this. This is where a Duty of Care Risk Assessment (DoCRA) can strengthen your security program: by establishing a reasonable, documented strategy for managing risk, you establish your duty of care ahead of any potential litigation.