The LastPass Breach: Using JupiterOne to prioritize which users you need to focus on

by

The recent LastPass breach resulted in the theft of its customers’ encrypted password vault. If you are a LastPass customer, the only thing standing between the attacker and your decrypted password vault is the strength of your master password.

For those with Enterprise LastPass accounts, it would be helpful to know which users have weaker master passwords. We can find that out easily using JupiterOne:

FIND lastpass_user
  WITH masterPasswordStrength < 100
  AND sitesCount > 0

According to LastPass, the strength of the master password is scored from 0-100% in increments of 25% with 100% being “Very strong.”

Source: https://support.lastpass.com/help/why-does-my-password-strength-and-security-score-change

Anyone with a strength score of 50% or below should probably be advised to change the passwords for *ALL* their accounts in their vault, since changing the master password or deleting the LastPass account won’t address the breach concern. The attackers still have the password vault encrypted with your old weak master password.

For some users who have been actively using LastPass, this can be very time consuming, but better to be proactive here rather than reactive once the attackers break into your password vault.

For those with a score of 75%, even though it is considered “Strong,” under the current circumstances, we may want to take additional precautions and proactively consider who we may want to ask to change passwords in their entire vault.

To that end, I chose to prioritize those users with access to our source code. I can adjust the JupiterOne query above to show me those who have access to our source code repositories and also have weak master passwords. 

FIND lastpass_user
    WITH masterPasswordStrength < 100
    AND sitesCount > 0
  THAT is Person
  THAT is (github_user|gitlab_user|bitbucket_user)
RETURN
  Person.displayName,
  Person.email,
  Person.managerEmail,
  lastpass_user.masterPasswordStrength,
  lastpass_user.sitesCount

We can further reduce noise and prioritize to users who actually contribute to code, filtering out other GitHub users:

FIND UNIQUE lastpass_user
    WITH masterPasswordStrength < 100
    AND sitesCount > 0
  THAT is Person
  THAT is User
  THAT OPENED PR
RETURN
  Person.displayName,
  Person.email,
  Person.managerEmail,
  lastpass_user.masterPasswordStrength,
  lastpass_user.sitesCount

At this point, for those with weak master passwords, it’s a race to make the contents of your vault outdated and therefore useless to the attacker. I encourage everyone to keep using a password manager, but let’s also hope that one day, we won’t need passwords at all.

Sounil Yu
Sounil Yu

Before Sounil Yu joined JupiterOne as CISO and Head of Research, he was the CISO-in-Residence for YL Ventures, where he worked closely with aspiring entrepreneurs to validate their startup ideas and develop approaches for hard problems in cybersecurity. Prior to that role, Yu served at Bank of America as their Chief Security Scientist and at Booz Allen Hamilton where he helped improve security at several Fortune 100 companies and government agencies.

Keep Reading

Proactive IAM Security: Transforming Identity Security with Actionable Insights | Okta Integration with JupiterOne
December 19, 2024
Blog
Unlocking Proactive Security: How Okta and JupiterOne Elevate IAM Insights

Unlock proactive IAM security with Okta and JupiterOne, gaining real-time insights, enforcing least privilege, and reducing risks in dynamic cloud environments.

Transitioning from Vulnerability Management to Exposure Management | JupiterOne
December 13, 2024
Blog
Transitioning from Vulnerability Management to Exposure Management with JupiterOne

Explore Gartner's latest report on Exposure Management and learn how your organization can prioritize vulnerabilities and minimize exposures.

The Ultimate CAASM Guide for 2025 | JupiterOne
November 20, 2024
Blog
The Ultimate CAASM Guide for 2025

Discover how Cyber Asset Attack Surface Management (CAASM) is providing enhanced visibility of internal and external assets in 2025.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.