Stake for over 33 million individuals whose LastPass accounts were compromised?
LastPass, a password manager with more than 33 million registered users and over 100,000 business customers, has disclosed that an attacker copied a backup of customer vault data. The backup contains encrypted fields (site usernames and passwords) alongside unencrypted fields (the URLs of the sites stored in each vault), together with account data such as email addresses, phone numbers, and the IP addresses from which customers accessed the service.
The breach has prompted corporate stakeholders to re-examine the risk of the technology stacks they depend on and to ask whether they are likely targets. Analysts and researchers dispute LastPass CEO Karim Toubba's claim that master passwords of at least 12 characters would take "millions of years" to guess with generally available password-cracking tools.
Melissa Bischoping, director of endpoint security research at Tanium, states that it is possible to crack those passwords. Chester Wisniewski, principal research scientist at Sophos, goes as far as to say that unless LastPass was logging people's master passwords, the breach is "about as bad as it gets."
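The disagreement above comes down to arithmetic: an attacker holding a vault backup guesses master passwords offline, and each guess costs one full run of the key derivation function, so the time to crack depends on the password's entropy, the iteration count, and the attacker's hash rate. The following Python is an added illustration, not code from LastPass or from the article. It assumes (these are assumptions, not facts stated on the page) that the vault key is PBKDF2-HMAC-SHA256 over the master password with the lowercased account email as salt, that 100,100 iterations was the default LastPass cited, that some older accounts sat at 5,000, that a commodity GPU rig manages about 1e10 SHA-256 computations per second, and that a typical human-chosen 12-character password has roughly 40 bits of entropy. All names (`derive_vault_key`, `recover_master_password`, `years_to_exhaust`) are hypothetical.

```python
"""Worked estimate of offline master-password guessing against a stolen vault.

Added illustration; not LastPass's code and not from the article.  Every
constant below is an assumption chosen for order-of-magnitude reasoning.
"""
import hashlib
import math
from typing import Dict, Iterable, Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_HASHES_PER_SECOND = 1e10   # assumed GPU-rig SHA-256 throughput, not measured
DEFAULT_ITERATIONS = 100_100       # PBKDF2 count LastPass cited as its default (assumption)
LEGACY_ITERATIONS = 5_000          # lower count some older accounts kept (assumption)
ASSUMED_HUMAN_BITS = 40.0          # assumed entropy of a typical human-chosen password


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Model of the derivation: PBKDF2-HMAC-SHA256(password, salt=lowercased email)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def recover_master_password(target_key: bytes, email: str, iterations: int,
                            candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing loop: derive a key per candidate and compare it to the target.

    Simplified on purpose: a real attacker verifies a guess by decrypting a known
    vault field, but the per-guess cost (one PBKDF2 run) is the same.
    """
    for guess in candidates:
        if derive_vault_key(guess, email, iterations) == target_key:
            return guess
    return None


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password over the given alphabet."""
    return length * math.log2(alphabet_size)


def guesses_per_second(iterations: int,
                       hashes_per_second: float = ASSUMED_HASHES_PER_SECOND) -> float:
    # Each guess costs `iterations` HMAC-SHA256 runs, so the KDF divides the raw rate.
    return hashes_per_second / iterations


def years_to_exhaust(bits: float, iterations: int,
                     hashes_per_second: float = ASSUMED_HASHES_PER_SECOND) -> float:
    """Years to try the whole keyspace; expected time to a hit is about half this."""
    return (2.0 ** bits) / guesses_per_second(iterations, hashes_per_second) / SECONDS_PER_YEAR


def compare_scenarios() -> Dict[str, float]:
    """Years to exhaust the keyspace under the assumptions at the top of the file."""
    random_12 = entropy_bits(95, 12)   # 12 chars over printable ASCII, ~78.8 bits
    return {
        "random 12-char, 100,100 iterations": years_to_exhaust(random_12, DEFAULT_ITERATIONS),
        "human-chosen (~40 bits), 100,100 iterations": years_to_exhaust(ASSUMED_HUMAN_BITS, DEFAULT_ITERATIONS),
        "human-chosen (~40 bits), 5,000 iterations": years_to_exhaust(ASSUMED_HUMAN_BITS, LEGACY_ITERATIONS),
    }


if __name__ == "__main__":
    for label, years in compare_scenarios().items():
        print(f"{label:48s} {years:14.4g} years")
    # Tiny constructed demo of the guessing loop (few iterations so it runs quickly).
    email, pw = "user@example.com", "Tr0ub4dor&3"          # constructed sample values
    target = derive_vault_key(pw, email, 1_000)
    print("recovered:", recover_master_password(target, email, 1_000,
                                                ["password", "letmein", pw]))
```

Under these assumptions a truly random 12-character master password is safe for far longer than "millions of years", so the CEO's statement is correct for that case; a human-chosen one at around 40 bits falls in months at 100,100 iterations and in days at 5,000, which is the case the researchers are pointing at. The iteration count only scales the attacker's cost linearly, so the entropy of the password itself is what decides the outcome.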
Toubba maintains that the encrypted fields remain secure and that master passwords were not exposed. That assertion has been met with scepticism from cybersecurity professionals, who also take issue with LastPass's handling of the incident: delayed communications, obfuscation of the size and severity of the problem, and conspicuous silence about what the company is doing to address it.
Katell Thielemann, VP analyst at Gartner, calls LastPass's handling of the breach a "master class on how not to do things." Thielemann also calls for the Cyber Safety Review Board led by the Cybersecurity and Infrastructure Security Agency to conduct a deep dive into the LastPass breach.
In light of the breach, LastPass users and business customers are advised to change all passwords immediately. Jess Burn, senior analyst at Forrester, advises users to change their master passwords right away and then change passwords for all sites and accounts stored in their vault.
The unencrypted URL data tells an adversary which services each victim uses, handing phishing and social engineering campaigns specific companies and sites to impersonate. In response, Burn also encourages business customers to consider going passwordless by applying a layered approach to workforce authentication with a native mobile authenticator, third-party verified digital certificates, or single-factor biometrics.
The evolving role of CISOs includes keeping up with incidents like the LastPass breach and understanding the risk calculus of their own technology stacks. The LastPass breach, first disclosed in August, has highlighted the importance of robust password security and of transparent communication after a data breach. LastPass should be more forthcoming about the impact, the residual risk, and the next steps, according to Thielemann. The attacker who gained access to LastPass's cloud-based storage has not been identified.