Our investigation into the LastPass Security Incident

Here is our response to the recent news of a security incident at LastPass, together with our recommendations for pre-emptive actions to keep your data safe.

Nickie Le Roy Chen Head of Account Management

As part of our commitment to follow security best practices, at Ghyston we use a third party password manager service called LastPass (https://www.lastpass.com/). This allows us to generate and use random, complex and varied passwords everywhere they are needed, and also allows project teams to share passwords and other sensitive information in a secure and controlled manner. Many of our employees additionally use LastPass to store their own account passwords for the same security benefits.

LastPass have recently informed us of a security breach in which a copy of their customers’ encrypted password vaults was stolen by a third party. See here for details: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

As indicated in the blog linked above, LastPass are not currently recommending that their users take any mitigating actions; they are confident that the encryption they use provides sufficient protection for the secure data they hold. However, at Ghyston we take our responsibility for our partners’ data very seriously and so have dug significantly deeper. You can read about our investigation findings below.

Based on our own independent research we have identified some potential compromise risks that we are concerned about. Specifically: 

  • The metadata around passwords and secure data is not adequately protected. This means, for example, that an attacker could identify the URL that a password pertains to, along with some context around how we use that account, which could in turn allow them to make a good guess at the username. They could therefore identify where we hold sensitive accounts and, with the username in hand, would only need to “crack” the password (assuming the account is not additionally protected by two-factor authentication, in which case it is much safer).
  • Furthermore, access to that metadata creates a significant “phishing” risk, for example by allowing an attacker to pose more convincingly as an important provider.
  • While the passwords themselves are securely encrypted, it can be just a matter of time before an attacker recovers the encryption key by guessing the master password and gains access to every password in that vault. We expect compromise times to be several years in practice (based on our known password entropy and an attacker using a single dedicated GPU), but it could be only a matter of months in some cases.
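The "years versus months" estimate in the last bullet comes down to password entropy against an attacker's guess rate. The calculation below is an added example, not Ghyston's or LastPass's code; the GPU hash rate and the key-derivation iteration count are assumed placeholder figures, not values taken from this page.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def guesses_per_second(raw_hashes_per_second: float, kdf_iterations: int) -> float:
    """Master-password guesses per second when each guess costs `kdf_iterations` hash computations.

    A slow key-derivation function divides the attacker's raw hash rate by its iteration count.
    """
    return raw_hashes_per_second / kdf_iterations


def expected_crack_seconds(entropy_bits: float, guesses_per_sec: float) -> float:
    """Expected time to find the password: on average half the keyspace must be searched."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_sec


def expected_crack_years(entropy_bits: float, raw_hashes_per_second: float, kdf_iterations: int) -> float:
    """Convenience wrapper combining guess rate and keyspace, reported in years."""
    rate = guesses_per_second(raw_hashes_per_second, kdf_iterations)
    return expected_crack_seconds(entropy_bits, rate) / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Assumed attacker model (placeholder figures, not from the page):
    # one GPU doing 1e10 raw hashes/s against a KDF of 100,100 iterations per guess.
    RAW_RATE = 1e10
    KDF_ITERATIONS = 100_100

    # Compare a short random password with longer ones drawn from a 72-symbol alphabet.
    for length in (6, 8, 10, 12):
        bits = password_entropy_bits(length, 72)
        years = expected_crack_years(bits, RAW_RATE, KDF_ITERATIONS)
        print(f"{length:2d} chars ~ {bits:5.1f} bits -> expected crack time {years:12.2f} years")
```

Re-running the table with a different iteration count or hash rate shows how quickly a low-entropy master password moves from the "years" band into the "months" band.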

Given these risks, we are taking pre-emptive action to ensure that any future compromise of the stolen encrypted data cannot cause any issues for our partners, or indeed ourselves.

  • To address the first and last bullets above, we are hardening some of our managed accounts where appropriate, and changing all passwords and other secure data stored in our LastPass instance. You will not be charged for this activity.
  • To address the middle bullet, we encourage you to make sure that your teams are particularly vigilant against phishing attacks. If you would like advice on this, please let us know and we can point you towards training providers and organisations that can help you assess your current staff awareness – exercises that we carry out at Ghyston on a regular basis.

If you have any queries about how this might impact you, please get in touch with us at hello@ghyston.com.

Nickie Le Roy Chen
Head of Account Management
