As part of our commitment to follow security best practices, at Ghyston we use a third party password manager service called LastPass https://www.lastpass.com/. This allows us to generate and use random, complex and varied passwords everywhere they are needed, and also allows project teams to share both passwords, and other sensitive information, in a secure and controlled manner. Many of our employees additionally use LastPass to store their own account passwords for the same enhanced security benefits.
LastPass have recently informed us of a security breach that they have suffered in which a copy of their customers‘ encrypted password vaults was stolen by a third party. See here for details: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
As indicated in the blog linked above, LastPass are not currently recommending that their users need to take any mitigating actions; they are confident that the encryption algorithm that they use in their solution provides sufficient protection for the secure data they hold. However, at Ghyston we take our responsibility for our partner’s data very seriously and so have dug significantly deeper. You can read more our investigation findings here:
Based on our own independent research we have identified some potential compromise risks that we are concerned about. Specifically:
- The metadata around passwords and secure data is not adequately protected. This means that for example, an attacker could identify the URL that a password pertains to, and some context around how we use that account, which could additionally allow them to make a good guess on the username. They could therefore identify where we hold sensitive accounts and with the username too, they would only need to “crack” the password (assuming the account is not additionally protected by two-factor authentication, in which case it is much safer).
- Furthermore, the access to that metadata could result in significant “phishing” vulnerability, for example allowing an attacker to more effectively pose as an important provider.
- While the passwords are securely encrypted, it can sometimes just be a matter of time before an attacker works out the encryption key and gains access to all passwords in a vault. We expect compromise times to be several years in practice (based on our known password entropy and attackers using a dedicated single GPU) but it could only be a matter of months in some cases.
Given these risks, we are taking pre-emptive action to ensure that any theoretical future compromise of the encrypted data cannot cause any issues for our partners, or indeed ourselves.
- To address the first and last bullets above, we are hardening some of our managed accounts where appropriate, and changing all passwords and other secure data stored in our LastPass instance. You will not be charged for this activity.
- To address the middle bullet, we encourage you to make sure that your teams are particularly vigilant against phishing attacks. If you would like advice on how you can work on this, please let us know and we can point you in the direction of training providers and organisations that can help you analyse your current staff awareness – exercises that we carry out at Ghyston on a regular basis.
If you have any queries about how this might impact you please get in touch with us on firstname.lastname@example.org.