Back in August 2022, password manager LastPass suffered a massive breach.
A still-unknown cyber criminal successfully targeted one of LastPass' four DevOps engineers who had access to the decryption keys for the cloud storage service. Using the engineer's stolen credentials, the hacker was able to infiltrate LastPass' systems undetected. This breach lasted for months and continued even after LastPass believed the threat had been contained.
The LastPass breach enabled the threat actor to obtain access to the "backup customer vault data." According to the company, encrypted data such as usernames and passwords as well as unencrypted data like website URLs were affected.
Breaches at large companies and online platforms are not new. In the case of the LastPass breach, hackers don't need to find some technical flaw to exploit either.
By targeting the human beings who work at these companies, using tactics such as social engineering, every organization technically has a weakness that can be taken advantage of.
However, the LastPass breach was different.
Hackers breached a password manager, a platform meant to protect your passwords and make it possible to use highly secure credentials for each of your logins. And it proved highly successful for the hackers.
Breaching password managers highly lucrative for hackers
Over the past few months, there have been a number of reports detailing how the LastPass breach appears to be linked to cryptocurrency-related heists. Hundreds of millions of dollars have allegedly been stolen allegedly as a result of the LastPass breach.
In one such incident, U.S. federal investigators claim that the LastPass breach seems to be the source of a cryptocurrency heist that resulted in $150 million being stolen from a crypto wallet last year. Authorities arrived at this conclusion after finding that the login credentials were stored in the victim's password manager. In addition, investigators did not find any evidence that the victim's devices were hacked.
And it appears that the worst is yet to come.
Thanks to the hackers' success with the LastPass intrusion, password managers are now under attack. Hackers have realized that instead of wasting time breaking into one platform at a time when targeting a user, they can gain access to all of their login credentials if they can break into their target's password manager.
Here's a great example of how hackers are honing in on password managers and even getting creative in order to target them.
Just a year and a half after the LastPass breach, a threat actor was somehow able surpass Apple's usually stringent review process in order to convince the company to approve a fake LastPass app in the App Store. The LastPass imposter was basically a phishing app that attempted to fool LastPass users into believing it was the official app so they would input their login credentials, which would then go right to the bad actor who created it. It's unclear how many, if any, LastPass users were affected by this specific incident, but it shows what great lengths cyber criminals are going to in targeting password managers.
But, don't be fooled into thinking this is just about LastPass. Hackers are targeting password managers in general. A new report released last month from cybersecurity firm Picus Security found that 25 percent of all malware is now targeting password managers or other credential storage services.
"Threat actors are leveraging sophisticated extraction methods...to obtain credentials that give attackers the keys to the kingdom," said Picus Security co-founder and VP of Picus Labs, Dr. Suleyman Ozarslan.
How to protect yourself from password manager breaches
There are a few lessons here going forward.
For one, we can no longer assume that just because you're using a password manager that your login credentials are somehow more secure. It might be more convenient to use, but breaches can still happen.
Users looking into password managers should should also prioritize encryption. Hackers were able to obtain plain-text website URLs in the LastPass hack. While this may not seem crucial on its own, it provides hackers with a blueprint basically. It shows what platforms you have accounts on, which can be an extremely important tool for a hacker looking to craft a phishing email.
It might not have been as easy to obtain the login credentials themselves, but they knew exactly where to go and how to target users in order to gain unauthorized access. In May 2024, LastPass learned from its mistakes and the company announced it was rolling out URL encryption.
But, the most important lesson is the importance of two-factor authentication. Yes, you may use a password manager in order to make the login process as easy as possible and two-factor authentication will require that you input credentials to get passed yet another layer of security. But, even if a hacker were to break into your password manager and steal your password, they still couldn't access your account unless they had access to your physical mobile device.
Also, in the event that your password manager is breached, you'll need to change your password. No, not just your master password. You should change your password for each and every platform with a login credential saved in your password manager.
Have a story to share about a scam or security breach that impacted you? Tell us about it. Email submissions@mashable.com with the subject line "Safety Net" or use this form. Someone from Mashable will get in touch.
