The LastPass Breach: Using JupiterOne to prioritize which users you need to focus on

December 30, 2022
by
Sounil Yu

The recent LastPass breach resulted in the theft of its customers’ encrypted password vault. If you are a LastPass customer, the only thing standing between the attacker and your decrypted password vault is the strength of your master password.

For those with Enterprise LastPass accounts, it would be helpful to know which users have weaker master passwords. We can find that out easily using JupiterOne:

FIND lastpass_user
  WITH masterPasswordStrength < 100
  AND sitesCount > 0

According to LastPass, the strength of the master password is scored from 0-100% in increments of 25% with 100% being “Very strong.”

Source: https://support.lastpass.com/help/why-does-my-password-strength-and-security-score-change

Anyone with a strength score of 50% or below should probably be advised to change the passwords for *ALL* their accounts in their vault, since changing the master password or deleting the LastPass account won’t address the breach concern. The attackers still have the password vault encrypted with your old weak master password.

For some users who have been actively using LastPass, this can be very time consuming, but better to be proactive here rather than reactive once the attackers break into your password vault.

For those with a score of 75%, even though it is considered “Strong,” under the current circumstances, we may want to take additional precautions and proactively consider who we may want to ask to change passwords in their entire vault.

To that end, I chose to prioritize those users with access to our source code. I can adjust the JupiterOne query above to show me those who have access to our source code repositories and also have weak master passwords. 

FIND lastpass_user
    WITH masterPasswordStrength < 100
    AND sitesCount > 0
  THAT is Person
  THAT is (github_user|gitlab_user|bitbucket_user)
RETURN
  Person.displayName,
  Person.email,
  Person.managerEmail,
  lastpass_user.masterPasswordStrength,
  lastpass_user.sitesCount

We can further reduce noise and prioritize to users who actually contribute to code, filtering out other GitHub users:

FIND UNIQUE lastpass_user
    WITH masterPasswordStrength < 100
    AND sitesCount > 0
  THAT is Person
  THAT is User
  THAT OPENED PR
RETURN
  Person.displayName,
  Person.email,
  Person.managerEmail,
  lastpass_user.masterPasswordStrength,
  lastpass_user.sitesCount

At this point, for those with weak master passwords, it’s a race to make the contents of your vault outdated and therefore useless to the attacker. I encourage everyone to keep using a password manager, but let’s also hope that one day, we won’t need passwords at all.

Sounil Yu
Sounil Yu

Before Sounil Yu joined JupiterOne as CISO and Head of Research, he was the CISO-in-Residence for YL Ventures, where he worked closely with aspiring entrepreneurs to validate their startup ideas and develop approaches for hard problems in cybersecurity. Prior to that role, Yu served at Bank of America as their Chief Security Scientist and at Booz Allen Hamilton where he helped improve security at several Fortune 100 companies and government agencies.

More blog posts by
Sounil Yu

SUBSCRIBE TO OUR NEWSLETTER

Stay up-to-date on emerging threats and security news

  • Checkmark
    Day-zero vulnerabilities & solutions
  • Checkmark
    Best practices for asset management
  • Checkmark
    Streamlining compliance and audit
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Keep Reading

What’s New in Kubernetes Security: More CIS Rules, Smarter Detection, and Expanded Coverage | JupiterOne
June 13, 2025
Blog
What’s New in Kubernetes Security: More CIS Rules, Smarter Detection, and Expanded Coverage

New Kubernetes Rule Pack covers more CIS controls for Namespace and Secrets Management

Level Up Kubernetes Security with Our New Rule Pack Built on the CIS Benchmark | JupiterOne
June 3, 2025
Blog
Level Up Kubernetes Security with Our New Rule Pack Built on the CIS Benchmark

New Kubernetes Rule Pack covers 26 CIS controls for RBAC & Pod Security

Stop Stitching User Data Together. Get a Unified Identity Instead | JupiterOne
May 15, 2025
Blog
Stop Stitching User Data Together. Get a Unified Identity Instead.

Legacy IAM falls short. Identity first security uses continuous, contextual access controls to protect a decentralized world—far beyond the old perimeter.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.