The LastPass Breach: Using JupiterOne to prioritize which users you need to focus on

By Sounil Yu

The recent LastPass breach resulted in the theft of its customers’ encrypted password vaults. If you are a LastPass customer, the only thing standing between the attacker and your decrypted vault is the strength of your master password (together with the number of PBKDF2 iterations your account was configured to use when deriving the vault key). The attacker holds a copy of the ciphertext and can guess against it offline for as long as they like.

For organizations with LastPass Enterprise accounts, it would be helpful to know which users have weak master passwords. We can find that out easily using JupiterOne:

FIND lastpass_user
  WITH masterPasswordStrength < 100
  AND sitesCount > 0

According to LastPass, the strength of the master password is scored from 0-100% in increments of 25%, with 100% being “Very strong.” The query above therefore returns users whose score is 0, 25, 50 or 75, and only those with at least one site stored in their vault (an empty vault gives the attacker nothing).

Source: https://support.lastpass.com/help/why-does-my-password-strength-and-security-score-change

Anyone with a strength score of 50% or below should be advised to change the passwords for *ALL* the accounts in their vault. Changing the master password or deleting the LastPass account won’t address the breach concern: the attackers already have a copy of the vault encrypted under the old, weak master password, and nothing you do to the live account changes that copy.

For users who have been actively using LastPass, this can be very time consuming, but it is better to be proactive now than reactive after the attackers have cracked the vault.

For those with a score of 75%, even though it is considered “Strong,” under the current circumstances we may want to take additional precautions and proactively decide whom to ask to change every password in their vault.

To that end, I chose to prioritize users with access to our source code. I can adjust the JupiterOne query above to traverse from the LastPass user to the corresponding Person and from there to that person’s source code hosting accounts, showing me those who have access to our repositories and also have weak master passwords:

FIND lastpass_user
    WITH masterPasswordStrength < 100
    AND sitesCount > 0
  THAT is Person
  THAT is (github_user|gitlab_user|bitbucket_user)
RETURN
  Person.displayName,
  Person.email,
  Person.managerEmail,
  lastpass_user.masterPasswordStrength,
  lastpass_user.sitesCount

We can further reduce noise and prioritize users who actually contribute code, filtering out accounts that have never opened a pull request:

FIND UNIQUE lastpass_user
    WITH masterPasswordStrength < 100
    AND sitesCount > 0
  THAT is Person
  THAT is User
  THAT OPENED PR
RETURN
  Person.displayName,
  Person.email,
  Person.managerEmail,
  lastpass_user.masterPasswordStrength,
  lastpass_user.sitesCount
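The three queries above are really one join plus a ranking: LastPass users, joined to People, joined to code hosting accounts and pull request activity, then ordered by how urgently each person should rotate their vault. The following Python is an added example (not JupiterOne’s code and not the J1QL engine) that models that ranking offline over constructed sample records, so you can see which rows each query would surface and in what order. It assumes the LastPass user and Person records join on email address, uses the 50% cutoff and “PR authors before mere account holders” ordering from the text, and uses hypothetical names throughout.

```python
"""Offline model of the LastPass master-password triage performed by the
J1QL queries in this post. Added example: the records below are constructed
sample data, not real users, and the email join is an assumption."""
from dataclasses import dataclass, field

# LastPass reports master password strength in 25% steps.
STRENGTH_STEPS = (0, 25, 50, 75, 100)
CODE_ACCOUNT_TYPES = {"github_user", "gitlab_user", "bitbucket_user"}


@dataclass(frozen=True)
class LastPassUser:
    email: str
    master_password_strength: int  # 0-100 in steps of 25
    sites_count: int               # credentials stored in the vault


@dataclass
class Person:
    email: str
    display_name: str
    manager_email: str
    accounts: set = field(default_factory=set)  # e.g. {"github_user"}
    opened_prs: int = 0


def tier(user, person):
    """Priority tier (1 = act first) or None when no action is needed.

    1: strength <= 50% and a non-empty vault: rotate every credential.
    2: strength 75% and the person has opened pull requests.
    3: strength 75% and the person merely holds a code-hosting account.
    None: strength 100%, empty vault, or 75% with no code access.
    """
    if user.master_password_strength not in STRENGTH_STEPS:
        raise ValueError(f"unexpected strength {user.master_password_strength}")
    if user.sites_count <= 0 or user.master_password_strength >= 100:
        return None
    if user.master_password_strength <= 50:
        return 1
    if person is not None and person.opened_prs > 0:
        return 2
    if person is not None and person.accounts & CODE_ACCOUNT_TYPES:
        return 3
    return None


def prioritize(lastpass_users, people):
    """Join LastPass users to Person records (by email, an assumption of this
    example) and return the rows needing action, most urgent first."""
    by_email = {p.email.lower(): p for p in people}
    rows = []
    for u in lastpass_users:
        p = by_email.get(u.email.lower())
        t = tier(u, p)
        if t is None:
            continue
        rows.append({
            "tier": t,
            "email": u.email,
            "display_name": p.display_name if p else None,
            "manager_email": p.manager_email if p else None,
            "strength": u.master_password_strength,
            "sites": u.sites_count,
        })
    # Weakest master password first within a tier, then the largest vault.
    rows.sort(key=lambda r: (r["tier"], r["strength"], -r["sites"]))
    return rows


# Constructed sample data (hypothetical people and values).
SAMPLE_PEOPLE = [
    Person("alice@example.com", "Alice", "mgr@example.com", {"github_user"}, 12),
    Person("bob@example.com", "Bob", "mgr@example.com", {"gitlab_user"}, 5),
    Person("carol@example.com", "Carol", "mgr@example.com", {"github_user"}, 0),
    Person("dave@example.com", "Dave", "mgr@example.com", set(), 0),
    Person("erin@example.com", "Erin", "mgr@example.com", {"bitbucket_user"}, 30),
]
SAMPLE_LASTPASS_USERS = [
    LastPassUser("alice@example.com", 25, 40),   # weak, code contributor
    LastPassUser("bob@example.com", 75, 30),     # strong-ish, opens PRs
    LastPassUser("carol@example.com", 75, 10),   # strong-ish, account only
    LastPassUser("dave@example.com", 75, 50),    # strong-ish, no code access
    LastPassUser("erin@example.com", 100, 200),  # very strong: no action
    LastPassUser("frank@example.com", 50, 0),    # weak but empty vault
    LastPassUser("grace@example.com", 50, 5),    # weak, no Person record
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_LASTPASS_USERS, SAMPLE_PEOPLE):
        print(r["tier"], r["email"], r["display_name"], r["manager_email"],
              f"{r['strength']}%", r["sites"])
```

Tier 1 deliberately ignores whether a Person record was found: a weak master password on a populated vault is the case to act on first regardless of what else the graph knows about that user, which is why the first J1QL query has no traversal at all.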

At this point, for those with weak master passwords, it’s a race to make the contents of your vault outdated and therefore useless to the attacker. I encourage everyone to keep using a password manager, but let’s also hope that one day, we won’t need passwords at all.

Sounil Yu

Before Sounil Yu joined JupiterOne as CISO and Head of Research, he was the CISO-in-Residence for YL Ventures, where he worked closely with aspiring entrepreneurs to validate their startup ideas and develop approaches for hard problems in cybersecurity. Prior to that role, Yu served at Bank of America as their Chief Security Scientist and at Booz Allen Hamilton where he helped improve security at several Fortune 100 companies and government agencies.

