Password management company LastPass is the latest security vendor to fall victim to a cyberattack. While the company said it has taken steps to make sure its clients and enterprise partners are protected, solution providers said the breach points to a trend of sophisticated attackers targeting security vendors.
LastPass said in a blog post that it discovered suspicious network activity last Friday and, upon further investigation, found that email addresses, password reminders, server per-user salts and authentication hashes had been compromised. No encrypted user data was taken and user accounts were not directly accessed, the company said.
LastPass said in the blog post that, while it believes its encryption measures would protect most users, it has taken additional steps to protect customers, including requiring users to verify their accounts when logging in from a new device and suggesting that users update their master passwords. LastPass said users did not have to change all of the passwords stored with the company because those were encrypted, but it did recommend adding multifactor authentication going forward.
In an email to CRN, a LastPass spokesperson said the Fairfax, Va.-based company had contacted its Enterprise admin users about the breach by email on Monday. The spokesperson said the investigation is still active, but the company had taken steps to protect the 13,000 businesses it serves through partners.
"Although there was an attack, our extensive hashing algorithm coupled with email verification for logins from unknown IP addresses and devices will ensure the security of our users," the spokesperson said. "In the interest of security, we continue to advise our enterprise admins to enable the 'Master Password Strength' policies as well as multifactor authentication."
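As an added example, not LastPass's code or a description of the scheme it actually uses, the following Python sketches the two mechanisms the article and the spokesperson refer to: a per-user server salt with an iterated authentication hash, and a "Master Password Strength" policy. Iteration count, salt size, KDF choice and policy thresholds are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for illustration only; the page does not describe
# LastPass's actual algorithm, iteration count or salt format.
KDF_ITERATIONS = 100_000
SALT_BYTES = 16

def derive_auth_hash(master_password: str, server_salt: bytes) -> bytes:
    """Iterated, per-user-salted hash of the master password (PBKDF2-HMAC-SHA256).
    This is the only password-derived value the server needs to keep."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               server_salt, KDF_ITERATIONS)

def enroll(master_password: str) -> dict:
    """Server-side record: a fresh random salt per user plus the authentication hash.
    Two users with the same master password end up with different salts and hashes."""
    salt = secrets.token_bytes(SALT_BYTES)
    return {"salt": salt, "auth_hash": derive_auth_hash(master_password, salt)}

def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against the stored record with a constant-time compare."""
    expected = derive_auth_hash(candidate, record["salt"])
    return hmac.compare_digest(record["auth_hash"], expected)

def login_round_trip(master_password: str, attempt: str) -> bool:
    """Enroll a user, then attempt a login; used to exercise enroll() and verify()."""
    return verify(enroll(master_password), attempt)

def shares_precomputation(pw: str) -> bool:
    """True if one precomputed hash of `pw` would match more than one user's record.
    With per-user salts this is False: every leaked record must be worked separately."""
    return enroll(pw)["auth_hash"] == enroll(pw)["auth_hash"]

def meets_master_password_policy(pw: str, min_length: int = 12) -> bool:
    """A simple 'Master Password Strength' policy (hypothetical thresholds): at least
    min_length characters and three of four character classes. A weak master password
    is the exposure that remains once salted hashes have leaked, which is what such a
    policy and multifactor authentication are meant to cover."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) >= min_length and sum(classes) >= 3

if __name__ == "__main__":
    strong = "Correct-Horse-Battery-Staple-2015"   # constructed sample value
    print("login ok:", login_round_trip(strong, strong))
    print("wrong password rejected:", not login_round_trip(strong, "hunter2"))
    print("salts defeat shared precomputation:", not shares_precomputation("hunter2"))
    print("weak master password passes policy:", meets_master_password_policy("hunter2"))
```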
The breach comes on the heels of an announcement by Kaspersky last week that the security vendor had been the victim of a sophisticated malware attack by infamous APT breach actor Duqu. Jane Wright, senior analyst at Technology Business Research, said the latest LastPass breach adds to the trend of hackers targeting security vendors as a stepping stone to attack end users.
"Customers expect their IAM vendors to stay more than one step ahead of the hackers," Wright said. "They are devoting more of their security budgets to vendors that continually update their threat detection techniques and add new heuristics analysis capabilities to better safeguard customers' credentials and access points."
Scott Fluegge, president and general manager of Fort Lauderdale, Fla.-based JDL Technologies, agreed, saying that security companies are the "gatekeepers for IT," which makes them a tantalizing target for sophisticated hackers. Fluegge applauded security companies, such as Kaspersky, for being so open about the attack and taking active steps to remedy the situation for customers and partners.
"It should be well understood that any company that connects to the Internet in any way is a target. The more public the company, the more likely, and thus more frequently, they are to be attacked. The more sensitive their line of business, the more sophisticated the attacks will be," Fluegge said. "Their products represent the primary threat to those who would look to compromise the systems of others. Their very nature protects them from the casual hack while simultaneously marking them as a key target for the most accomplished and nefarious hackers."
For solution providers, the attacks highlight the importance of having a multivendor strategy when it comes to security technologies for their clients, said Mark Mancini, JDL's vice president of engineering and business development. "Multiple levels of protection by various manufacturers should not be considered overkill for any size business. That is why we protect our clients with antimalware, antiexploit, antivirus and edge devices with software subscription services that update regularly."
PUBLISHED JUNE 16, 2015