
LastPass breached, password vaults exposed…now what?

Jan 5, 2023

Stolen LastPass vaults filled with duplicate passwords give cybercriminals the effect of a successful, global-scale phishing campaign without sending a single email or SMS.

Josh Mayfield
VP Product Marketing

The recently reported breach of LastPass sent many security leaders into a frenzy, and it is easy to see why after reading LastPass's own statement. WIRED was more pointed, reporting: “A security incident the firm had previously reported (on November 30) was actually a massive and concerning data breach that exposed encrypted password vaults — the crown jewels of any password manager — along with other user data.”

The exposed data included company names, end-user names, billing addresses, phone numbers, email addresses, the IP addresses from which users accessed LastPass, and the website and SaaS URLs stored in password vaults.

LastPass leans on its Zero-Knowledge architecture, under which vault contents are encrypted with a key derived from each user's master password. The fact remains that the stolen, unencrypted metadata hands threat actors a precise map of user-to-SaaS relationships, and the vaults behind that map are full of duplicate passwords.

Stolen LastPass vaults paired with unencrypted metadata give cybercriminals the effect of a successful phishing campaign without sending a single email or SMS.

Figure 1.1 - User-SaaS attack path, phishing/smishing initiated

Cybercriminals can now leverage duplicate and weak passwords and effectively skip steps 1 and 2: a threat actor can go straight to the SaaS services listed in a LastPass vault and gain unauthorized access to hundreds of SaaS services, most of which are unknown to IT and security teams. According to a 2021 study by Microsoft, 73% of credentials are duplicates, with 100+ duplicate passwords per user on average.

Safeguards on the LastPass account itself, such as multi-factor authentication or a strong master password, no longer help once a copy of the encrypted vault is in the attacker's hands. MFA is never consulted when a stolen vault is attacked offline, and the master password only raises the cost of that offline attack; once a vault is cracked, the attacker goes straight to the SaaS app with the credentials it holds and logs in.

Figure 1.2 - User-SaaS attack path, compromised LastPass initiated

The subtle but most significant challenge is the scale of compromise across the enterprise SaaS layer. If the attacker compromises one credential for a single SaaS service, the same duplicate credential opens the door to further breaches in other tools in the enterprise SaaS layer.
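To make the reuse problem measurable, here is an added example (not from the original post, and not Grip or Torq code) that takes a vault in the column layout of a LastPass user-side CSV export and reports which sites share a password, how many other sites fall with each one, and the order in which to rotate. The column layout is assumed from that export format and every row is constructed, so check the header against a real export before using it.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed rows in the column layout of a LastPass user-side CSV export
# (url,username,password,totp,extra,name,grouping,fav); the layout is assumed
# from that export format, and every value below is made up. The last row is
# a secure note, which LastPass exports with the placeholder URL "http://sn".
SAMPLE_VAULT_CSV = """url,username,password,totp,extra,name,grouping,fav
https://app.hubspot.com/login,alice@corp.example,Winter2022!,,,HubSpot,Sales,0
https://corp.slack.com/,alice@corp.example,Winter2022!,,,Slack,Work,1
https://github.com/login,alice@corp.example,Winter2022!,,,GitHub,Dev,0
https://www.notion.so/login,alice@corp.example,xK9#pL2vQ8wR,,,Notion,Work,0
https://portal.azure.com/,alice@corp.example,xK9#pL2vQ8wR,,,Azure,Work,0
https://id.atlassian.com/,alice@corp.example,r7Tq!mZ3bN0cYv,,,Jira,Dev,0
http://sn,,,,door code 4471,Office door,Notes,0
"""


def site_of(url):
    """Reduce a vault URL to its hostname so URL variants of one app count once."""
    host = (urlsplit(url.strip()).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def reuse_clusters(csv_text):
    """Sites that share a password, largest cluster first.

    The plaintext password is used only as an in-memory grouping key and is
    never part of the returned report.
    """
    by_password = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["password"] or row["url"].strip() == "http://sn":
            continue  # secure notes and passwordless rows are not logins
        by_password[row["password"]].add(site_of(row["url"]))
    clusters = [sorted(s) for s in by_password.values() if len(s) > 1]
    return sorted(clusters, key=lambda c: (-len(c), c))


def blast_radius(csv_text):
    """How many *other* sites fall if one site's password is recovered from the vault."""
    return {site: len(cluster) - 1
            for cluster in reuse_clusters(csv_text)
            for site in cluster}


def rotation_order(csv_text):
    """Rotate the most widely reused passwords first; every site gets its own new secret."""
    return [site for cluster in reuse_clusters(csv_text) for site in cluster]


if __name__ == "__main__":
    for site, n in blast_radius(SAMPLE_VAULT_CSV).items():
        print(f"{site}: shares its password with {n} other site(s)")
    print("rotate in this order:", rotation_order(SAMPLE_VAULT_CSV))
```

Sites whose password is unique (id.atlassian.com in the sample) do not appear in the blast-radius report at all; they still deserve rotation if the vault was in the stolen backup, but they are not the lateral-movement risk this section is about.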

What to do about the LastPass breach, leaked password vaults

Organizations must now mitigate these SaaS attack paths by foreclosing the opportunity to gain unauthorized access to SaaS services via passwords from stolen LastPass vaults, many of which are reused across services.

In response to this risk, Grip Security and Torq have partnered to provide a solution that automatically destroys the existing passwords stored in LastPass vaults for users and SaaS services, then replaces them with strong, unique credentials for targeted users, SaaS apps, or both.

How to mitigate LastPass compromise: Grip Solution

What follows is a procedure that uses Grip and Torq workflows to identify the SaaS services within each user's LastPass password vault and trigger Grip's access revocation and password rotation workflows.

1. LastPass Data Export

Users' vault records are not exportable by an admin via the LastPass API. The highest priority is to reset the passwords of the SaaS services each user saved in their LastPass vault, so the site list must come from the admin side: within LastPass, go to the Reports Center and generate an activity report of all the sites added to the user's vault.

2. Parsing and Querying, Workflow Triggers

The LastPass Activity Report can be exported to a .csv file, which can then be loaded into parsing and workflow tools like Torq. Here, we show the mitigation procedure using Torq for parsing, querying, and triggering Grip workflows.

Figure 1.3 - Torq building blocks setup for LastPass data parsing and query

In this workflow, we integrated with Grip Security to automatically rotate the passwords for all LastPass users. Torq offers no-code automation tools for building workflows and connecting to various services through their APIs.

3. Grip Automated Offboarding and Password Security

Grip automates offboarding for users and SaaS services across the SaaS service layer. Here, we will show how Grip’s automated offboarding works and the scenarios security and identity teams can use to protect access across the enterprise SaaS layer.

Figure 1.4 - Grip SaaS offboarding and password rotation workflow

4. Grip Portal Monitoring

The workflow described above runs automatically for every user-SaaS relationship, or can be targeted at specific identities or apps. For the credential exposures at the heart of the LastPass breach, Grip destroys the existing passwords and issues new credentials at the SaaS services themselves, neutralizing the risk of the compromised credentials and enforcing strong authentication for continued use of the app.

Figure 1.5 - Grip portal monitoring, validate SaaS access removal / revocation
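Steps 1 and 2 of the procedure in code, as an added example that is not part of the original post and is not Torq or Grip code: it parses an exported activity report into one rotation target per user and site and packages the result for a workflow trigger. The column header, the "Site Added" and "Site Deleted" action names and the JSON payload shape are assumptions made for the example; the rows are constructed. Deletions are deliberately not honored, because the stolen vault copy may predate the deletion.

```python
import csv
import io
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the shape of an exported LastPass admin activity report.
# The header and the action names are assumptions for this example; check them
# against a real export before relying on them.
SAMPLE_ACTIVITY_CSV = """Time,Username,IP Address,Action,Data
2022-08-01 09:12:44,alice@corp.example,203.0.113.10,Site Added,https://app.hubspot.com/login
2022-08-03 14:02:01,alice@corp.example,203.0.113.10,Site Added,corp.slack.com
2022-09-10 11:45:19,alice@corp.example,203.0.113.11,Site Added,https://www.app.hubspot.com/settings
2022-09-12 08:00:00,bob@corp.example,198.51.100.7,Site Added,https://github.com/login
2022-09-12 08:01:30,bob@corp.example,198.51.100.7,Login,
2022-10-02 16:20:05,bob@corp.example,198.51.100.7,Site Deleted,https://github.com/login
2022-10-05 10:10:10,bob@corp.example,198.51.100.7,Site Added,https://console.aws.amazon.com/
"""

SITE_ACTIONS = {"Site Added"}  # only these rows name a SaaS login the user stored


def normalize_site(value):
    """Reduce a stored URL to a hostname so URL variants of one app collapse into one target."""
    value = value.strip()
    if not value:
        return None
    if "://" not in value:
        value = "https://" + value  # bare hostnames parse with an empty netloc otherwise
    host = (urlsplit(value).hostname or "").lower()
    host = host[4:] if host.startswith("www.") else host
    return host or None


def sites_by_user(csv_text):
    """Map each user to the distinct sites ever added to their vault.

    "Site Deleted" rows are ignored on purpose: the vault copy the attacker
    holds may predate the deletion, so the SaaS-side password still needs rotating.
    """
    result = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Action"] not in SITE_ACTIONS:
            continue
        site = normalize_site(row["Data"])
        if site:
            result[row["Username"].strip().lower()].add(site)
    return {user: sorted(sites) for user, sites in result.items()}


def rotation_targets(csv_text):
    """One (user, site) pair per rotation job, in a stable order so reruns are idempotent."""
    return [{"user": user, "site": site}
            for user, sites in sorted(sites_by_user(csv_text).items())
            for site in sites]


def workflow_payload(csv_text):
    """JSON body handed to the workflow tool; the fields are illustrative, not a Torq or Grip schema.

    Only user and site are forwarded; timestamps and IP addresses from the
    report are not needed for rotation and stay out of the payload.
    """
    return json.dumps({"action": "rotate_saas_credential",
                       "targets": rotation_targets(csv_text)}, indent=2)


if __name__ == "__main__":
    print(workflow_payload(SAMPLE_ACTIVITY_CSV))
```

In the sample, alice's two HubSpot entries collapse into a single target and bob's deleted GitHub entry is still rotated, which is the behaviour a responder wants when the question is "what did the stolen backup contain" rather than "what does the vault contain today".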

Conclusion

LastPass's latest breach shows how deeply corporate identities are entangled with SaaS services, whether we know it or not, and it punctuates identity risk. The enterprise SaaS layer is where credentials and identities sprawl, duplicate, and operate outside IT governance and access controls.

Cyber-attacks and SaaS breaches have been well-documented in recent reports from the 0ktapus threat campaign of 2022 to the phishing, smishing, and vishing schemes that impacted Twilio, Digital Ocean, Dropbox, Signal, Uber, and now, LastPass.  

Grip’s automated SaaS offboarding helps mitigate these risks by foreclosing the opportunity to obtain credentials or gain unauthorized access to SaaS services — including eliminating compromised credentials from stolen LastPass password vaults.  

Get started by registering for Grip’s LastPass Breach Response Trial and see how Grip can support your LastPass security response and threat mitigation.
