The recently reported breach of LastPass sent many security leaders into a frenzy. And it is easy to see why upon reading a statement from LastPass. WIRED was more pointed, reporting: “A security incident the firm had previously reported (on November 30) was actually a massive and concerning data breach that exposed encrypted password vaults — the crown jewels of any password manager — along with other user data.”
These data included company names, end user names, billing addresses, phone numbers, email addresses, IP addresses (where users come from to access LastPass), and the website and SaaS URLs from password vaults.
While LastPass leans on its Zero-Knowledge architecture, the fact remains that the stolen metadata gives threat actors precise user-to-SaaS relationships, and vaults full of duplicated passwords give them a way to gain access.
Stolen LastPass vaults paired with unencrypted metadata give cybercriminals the effect of a successful phishing campaign without sending a single email or SMS.
Cybercriminals can now leverage duplicate and weak passwords, effectively skipping steps 1 and 2: threat actors can go straight to the SaaS services listed in the LastPass vault and gain unauthorized access to hundreds of SaaS services, most of which are unknown to IT and security teams. According to a 2021 study by Microsoft, 73% of credentials are duplicates, with 100+ duplicate passwords per user on average.
Even safeguards such as multi-factor authentication or a strong master password on the LastPass account are now ineffective: cybercriminals already hold the stolen vault data, so they can go straight to the SaaS app with the stolen vault credentials and log in.
The subtle but most significant challenge is the scale of compromise across the enterprise SaaS layer. If an attacker can compromise one credential for a single SaaS service, the same duplicated credential can lead to continued successful breaches in other tools across the enterprise SaaS layer.
What to do about the LastPass breach, leaked password vaults
Organizations must now mitigate SaaS attack paths by foreclosing the opportunity to gain unauthorized access to SaaS services via credentials from stolen LastPass password vaults, many of which are duplicates.
In response to this risk, Grip Security and Torq have partnered to provide a solution for automatically destroying existing passwords for users and SaaS services stored in LastPass password vaults, and then replacing destroyed passwords with strong, non-fungible credentials for targeted users, SaaS apps, or both.
How to mitigate LastPass compromise: Grip Solution
What follows is a procedure leveraging Grip and Torq workflows to identify the SaaS services within each user's LastPass password vault and trigger Grip's access revocation and password rotation workflows.
1. LastPass Data Export
Users' vault records in LastPass cannot be exported by an administrator via API. The highest priority is to reset passwords for the SaaS services each user saved in a LastPass password vault. Within LastPass, go to the Reports Center to generate an activity report of all the sites added to the user's vault.
2. Parsing and Querying, Workflow Triggers
The LastPass Activity Report can be exported to a .csv file, which can easily be loaded into parsing and workflow tools such as Torq. Here, we show the mitigation procedure using Torq for parsing, querying, and triggering Grip workflows.
In this workflow, we integrated with Grip Security to automatically rotate the passwords for all LastPass users. Torq offers no-code automation tools to create workflows and connect with various services through APIs.
3. Grip Automated Offboarding and Password Security
Grip automates offboarding for users and SaaS services across the SaaS service layer. Here, we will show how Grip’s automated offboarding works and the scenarios security and identity teams can use to protect access across the enterprise SaaS layer.
4. Grip Portal Monitoring
The workflow described above runs automatically for every user-SaaS relationship, or can be targeted to specific identities or apps. Central to the credential-exposure concerns raised by the LastPass breach, Grip automatically destroys the exposed passwords and rotates in new credentials at the SaaS services, neutralizing the risk of compromised credentials and enforcing strong authentication for continued use of the app.
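As an added example of steps 1 through 4 (this is not Grip's or Torq's code, nor code from the original post), the script below parses an exported activity report, reduces each vault entry to a hostname, builds the per-user list of SaaS services to rotate, and hands each user-to-service pair to a workflow trigger. The CSV column names (`Time`, `User`, `Action`, `Data`), the sample rows, and the `trigger` callback standing in for a Torq webhook that starts Grip's rotation are all assumptions made for the example; the real report's layout should be checked before use. Services that appear in more than one user's vault are queued first, since a duplicated credential there is exposed through every user who saved it.

```python
"""Turn a LastPass-style activity report into a password-rotation queue."""
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample report. The column layout is an assumption for this example,
# not LastPass's actual export schema.
SAMPLE_REPORT = """\
Time,User,Action,Data
2022-12-01 09:14:02,alice@example.com,Added Site,https://app.salesforce.com/login
2022-12-01 09:20:11,alice@example.com,Added Site,https://github.com/login
2022-12-02 10:05:44,bob@example.com,Added Site,https://www.dropbox.com/login
2022-12-02 10:07:13,bob@example.com,Added Site,github.com
2022-12-02 11:00:00,bob@example.com,Login,
2022-12-03 08:30:21,alice@example.com,Added Site,https://APP.salesforce.com/
"""

# Report actions that mean a credential for the site lives in the vault.
ROTATION_ACTIONS = {"added site", "updated site"}


def normalize_site(raw):
    """Reduce a vault URL to a lowercase hostname; scheme, path and port are dropped."""
    raw = raw.strip()
    if not raw:
        return None
    if "://" not in raw:          # bare hostnames appear in some entries
        raw = "https://" + raw
    host = urlsplit(raw).hostname
    return host.lower() if host else None


def rotation_targets(csv_text):
    """Return {user: sorted list of hostnames} for every vault-site event in the report."""
    targets = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Action"].strip().lower() not in ROTATION_ACTIONS:
            continue
        host = normalize_site(row.get("Data") or "")
        if host:
            targets[row["User"].strip().lower()].add(host)
    return {user: sorted(hosts) for user, hosts in targets.items()}


def shared_sites(targets):
    """Hostnames saved by more than one user, mapped to the sorted list of those users."""
    users_by_host = defaultdict(set)
    for user, hosts in targets.items():
        for host in hosts:
            users_by_host[host].add(user)
    return {h: sorted(u) for h, u in users_by_host.items() if len(u) > 1}


def build_rotation_queue(targets, trigger):
    """Call trigger(user, host) once per pair, shared services first, and return the order used.

    `trigger` is a hypothetical hook (for example a Torq webhook that starts Grip's
    revoke-and-rotate workflow); it is supplied by the caller.
    """
    shared = shared_sites(targets)
    pending = []
    for user in sorted(targets):
        for host in targets[user]:
            # False sorts before True, so shared hosts come out of the queue first.
            pending.append((host not in shared, user, host))
    pending.sort()
    queued = []
    for _, user, host in pending:
        trigger(user, host)
        queued.append((user, host))
    return queued


if __name__ == "__main__":
    targets = rotation_targets(SAMPLE_REPORT)
    for user, host in build_rotation_queue(targets, lambda u, h: None):
        print(f"rotate {user} @ {host}")
```

Against the constructed report this yields four rotation calls, with the shared `github.com` entries for both users ahead of the single-user Salesforce and Dropbox entries; the duplicate Salesforce row with different case and path collapses into one target.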
LastPass’s latest breach shows just how entangled corporate identities are with SaaS services, whether we know it or not — punctuating identity risk. And the enterprise SaaS layer is where credentials and identities sprawl, duplicate, and operate outside IT governance or access controls.
Cyber-attacks and SaaS breaches have been well documented in recent reports, from the 0ktapus threat campaign of 2022 to the phishing, smishing, and vishing schemes that impacted Twilio, DigitalOcean, Dropbox, Signal, Uber, and now LastPass.
Grip’s automated SaaS offboarding helps mitigate these risks by foreclosing the opportunity to obtain credentials or gain unauthorized access to SaaS services — including eliminating compromised credentials from stolen LastPass password vaults.