Breaches at Password Manager LastPass Cause Concern

by Leave a Comment

Password managers are programs that let you store an ever-growing list of online credentials in a safe location. These programs remove the need to record this information insecurely, such as by emailing them and writing Post-it Notes.

Many security experts advise clients to use these programs as part of best security practices because they also let you create strong and unique passwords for each online account you have. Additionally, some programs alert you if you duplicate a password across different accounts and can notify you if your password has appeared in a known data breach.

However, if your program’s secure vault is compromised, it potentially puts every one of your online accounts at risk of compromise. This issue drew my attention following last year’s extensive LastPass breach incident.

In 2022, there were multiple breaches at LastPass. In addition to putting the response and actions of LastPass under the spotlight, the incidents have raised questions over the safety of storing multiple login credentials on password managers altogether.

LastPass announced in late August 2022 that “an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account.” This enabled the attacker to take portions of source code and some proprietary LastPass technical information.

After conducting an investigation and forensic review, LastPass said it found no further evidence of activity from the threat actor. The unauthorized access was limited to its development system, which is “physically separated” from its production environment.

At the end of November, they made another announcement that an unauthorized party had gained access to a third-party cloud storage device. This new breach was enabled by the information gained by the attacker during the original August incident.

And a few days before Christmas, the firm informed users that attackers had accessed encrypted customer data (username, password, and notes) and unencrypted data (the website addresses of customers’ online accounts).

Do I believe you should keep your LastPass account following this last episode? No, but the damage has already been done. There is a high likelihood that your account may have been compromised. But if you want to continue to use LastPass, there are three things you must do to continue using the service.

  • First, you must strengthen your master password and ensure it is unique, long, and complex.
  • Second, as an extra security precaution, you should change the passwords for the websites you have stored in the service.
  • Third, you should be on the lookout for targeted phishing attempts in the coming months, with the attackers accessing your unencrypted contact information and websites.

I have reviewed these services over the years and have not found one I have felt entirely comfortable using – and I have not only my accounts to manage but many of my client’s accounts. I hate to say it, but the safest and most secure way of managing your passwords is to use a notebook and write them down.

If you use a document or spreadsheet and your computer is ever compromised, you will lose that information, and bad actors will use it against you.

What is the best way to implement this Luddite approach? Have one page per account, and write the name and website address at the top. Have a one-line entry per password, preferably with the date you first used it. If you must change a password, cross out that line, and write a new one along with the date, you created it.

The more complex we have made our lives by thinking that computers would make things easier for us, the more I think we need to use simple methods to maintain our security.

The Calendar Year has Changed, but Scams Haven’t

by Leave a Comment

In 2017, there was a security breach at the credit reporting firm, Equifax. This breach was significant news at the time, and by 2019 the company agreed to a $425 million settlement of several class action lawsuits. They offered credit monitoring or a cash award of up to $125. At the time, I recommended the former.

In the closing days of December 2022, Equifax began to issue those cash awards. Many people found the amount they received laughable (e.g., most claimed to receive less than $10). However, scammers immediately went on the alert and into action. The website DomainTools.com reported several new domain names, which closely resembled the legitimate one, had been registered in just a few days. The valid website name is equifaxbreachsettlement.com. Fake versions include equifaxbreechsettlement.com, equifaxbreachsettlementbreach.com, and equifaxsettlements.co.

If you get an email notification about payment, do not click on the link in the email. It would be best if you went directly to the legitimate website and manually entered the keycode shown in your email. These instructions also apply if you get a letter in the mail.

Of course, because everyone’s information was made publicly available, scammers know who you are. If you get an email that seems slightly off and want to learn if it is “real,” please forward it to me for verification. Doing so is not an intrusion on my time. I would much rather spend a minute or two to review the contents of an email, than spend several hours — or days — working to restore your stolen identity.

Thanks, and safe computing!

Another Day, Another Data Breach Plus a Settlement

by Leave a Comment

At the end of July 2019, most of you probably heard about a data breach at Capital One. More than 100 million people in the United States and Canada were affected by this event. Thankfully, as of this writing (mid-August), very little of the information was made available to the normal group of bad actors who dwell in the Dark Web. This breach was simply the work of a zealous former Amazon Web Services employee who knew that there was a way to access the data. Pretty freakin’ scary!

To make matters worse, the woman who performed this hack had also obtained information from other organizations. Somehow she made the monumental mistake of publicizing those details. I’m not sure what — or even if — she was thinking. But the fact that someone has the wherewithal to accomplish these feats of what most of us consider the “dark arts” of computing is supremely unsettling.

Why anyone would want to subject themselves to the notoriety of having accomplished this act, when there was no useful purpose, confounds me.

Around the same time, the Federal Trade Commission concluded its work with Equifax and fined them close to $700 million. Almost immediately afterwards, so-called “consumer advocates” started a loud chorus of “Sign up and get your $125 from Equifax!” on news stations and social media.

They did this without telling people the “fine print” of the FTC agreement said there is only $31 million in that particular reward pot. So if just half of the more than 146 million affected individuals filed a claim, each one would end up with about 42 cents. That is sheer stupidity!

The best approach for dealing with this debacle is to sign up for the free credit monitoring that is being offered. It is supposed to last for 10 years. Do that here: https://www.equifaxbreachsettlement.com/file-a-claim.

Even though other forms of free monitoring are available, you usually only get one year. It is in your best interest — given the extent of the potential damage caused by the Equifax breach — to take the longest possible term of protection available.