Way back in August, LastPass disclosed that hackers compromised their development servers. Through this attack, they siphoned proprietary source code and “technical information” about the LastPass product. At the time, LastPass was quick to note that no user data was accessed in the attack. They concluded this investigation in mid-September.
Late last week, the company updated their findings with a huge new bombshell. By using the information obtained from the August attack, the attacker was able to exploit a third-party cloud services company used by LastPass to access customer information.
Nearly a month later, on December 22nd of 2022, LastPass released an update. The hacker was able to obtain a copy of customer data backups. What’s clear right now is that the hackers were able to copy a backup of customer vault data, which included websites, usernames, passwords, secure notes and form data.
According to LastPass, most of this data, such as usernames and passwords, is encrypted. However, the URLs stored in password vaults are not. As a result, a hacker would still need a vault owner’s master password to decrypt the rest of the stolen data.
However, the data that was unencrypted could be used to launch targeted phishing attacks, and many security firms have warned that hackers may try using leaked customer information to check the Dark Web for re-used passwords that may match master passwords.
There are many things that you could and should recommend for your clients using LastPass:
- Rotate any passwords and keys stored in LastPass
- Check for password re-use across your sites & services
- Enable MFA on everything
- Warn your users of an increased risk of phishing
- Pay careful attention to your accounts for breaches and suspicious activity
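A way to act on the first two items, as an added example that is not part of the original post: the script below audits a vault export in the LastPass CSV column layout (assumed here to be url,username,password,totp,extra,name,grouping,fav), groups the entries that share a password so they can be rotated first, and lists the hostnames that the unencrypted URL field reveals. The export rows are constructed sample data.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the layout of a LastPass CSV export (assumed column
# order: url,username,password,totp,extra,name,grouping,fav). Not real data.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://portal.example-rmm.test/login,admin,Winter2022!,,,RMM portal,Tools,0
https://mail.example-client.test,ops@example.test,Winter2022!,,,Client mail,Clients,0
https://vpn.example-client.test,ops,c0rrect-horse-battery,,,Client VPN,Clients,0
https://bank.example.test,finance,Winter2022!,,,Bank,Finance,1
http://legacy.example.test,user,hunter2,,,Legacy app,Misc,0
"""


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix so the report never contains the cleartext secret."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def audit_export(csv_text: str) -> dict:
    """Return {"reused": {fingerprint: [entry names]}, "exposed_hosts": [hostnames]}.

    The reuse groups are the entries to rotate first; the hostname list is what
    the unencrypted URL field hands to an attacker without the master password.
    """
    by_secret = defaultdict(list)
    hosts = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        pw = row.get("password", "")
        if pw:
            by_secret[fingerprint(pw)].append(row["name"])
        host = urlparse(row.get("url", "")).hostname
        if host:
            hosts.add(host)
    reused = {fp: names for fp, names in by_secret.items() if len(names) > 1}
    return {"reused": reused, "exposed_hosts": sorted(hosts)}


if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT)
    for fp, names in report["reused"].items():
        print(f"password {fp}... shared by: {', '.join(names)}")
    print("hostnames visible without the master password:",
          ", ".join(report["exposed_hosts"]))
```

Run it against a real export in the same layout and delete the export file afterwards; the report only ever shows hashed fingerprints, not the passwords themselves.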
BUT… is there something more you can do about this latest LastPass big reveal?
Blame LastPass for poor security, ditch the product and move on? This might seem like the most straightforward approach, but I want you to think a little deeper here.
This type of breach will happen again. We need to keep that mindset. Vendors leak data—even very sensitive information—all the time. This is our new normal.
What I want you to think about is what measures can your MSP take to make sure its clients are secure?
Think about risk within your MSP—this LastPass incident is a good reminder to start getting your team to think about security risks within your MSP. Some risk cannot easily be controlled, but there are probably many aspects of day-to-day operations where, if some thought was put into how things are done (and everyone understood WHY it was done that way), you would be able to shore up a ton of security issues. We recommend keeping your entire team up to speed on issues impacting MSPs.
Get your clients in on security conversations—the status quo for security support is to set it and forget it. At least in your client’s mindset, that’s the norm. If you were to have meaningful conversations around their security, what’s at risk, and what they want to do about it, you will turn their heads. One of the easiest ways to get them to realize what’s at risk is by performing a penetration test where you send them a link and show them exactly what is at stake from just a simple click. To see this in action, consider testing your cyber stack for 2023.
Devise plans for vendor breaches—the inevitable will happen again. LastPass is by no means the last vendor who will fall victim to an attack. Get your team to start thinking about the ‘what-ifs’ now. Get them to start owning and planning what steps they would take if a critical vendor of yours succumbed to a breach or ransomware attack.
Consider a tabletop exercise—the perfect step to start laying out the groundwork of what your team would do is by performing an easy tabletop exercise. Pick a couple of vendors critical to your operations and your clients’ well-being. Walk through a tabletop on how you would deal with the breach or attack scenario. For more information on MSP-centered tabletops, here is a resource you might start with.
Now is the time for you to seize the vCSO opportunity
Now is the time for you to become a greater trusted advisor to your clients. As MSPs, we have a huge opportunity right now to lead through cybersecurity. You have the opportunity to claim your seat at the C-level table of clients and prospects. To swim upstream to bigger opportunities.
Now is your time to become their vCSO.