
LastPass Hacks – Lessons and What to Do

Intro

LastPass has been hacked… again. This time, user vaults were stolen by hackers. The more updates we receive about this dumpster fire, the worse it gets. In this episode, we explain what happened and how you should protect yourself. We also outline lessons everyone (users, business owners, developers) should take away from this event and apply them to create a more private and secure future.

Podcast

1
00:00:00,000 –> 00:00:15,620
Hey, everybody, welcome to the Bigger Insights Privacy & Security podcast, the most actionable

2
00:00:15,620 –> 00:00:18,180
Privacy & Security podcast.

3
00:00:18,180 –> 00:00:23,380
In this episode, we’re going to be talking about lessons from this most recent LastPass

4
00:00:23,380 –> 00:00:28,940
hack that occurred in 2022, and we’re also going to talk about what you should

5
00:00:28,940 –> 00:00:32,000
do about it if you’re a LastPass user.

6
00:00:32,000 –> 00:00:36,720
This episode is really for anybody who’s interested in cybersecurity.

7
00:00:36,720 –> 00:00:41,440
And if you’re considering using LastPass, you might want to think otherwise and maybe

8
00:00:41,440 –> 00:00:47,160
use something a little bit more private and secure, like KeePass or Bitwarden.

9
00:00:47,160 –> 00:00:51,040
And if you haven’t already, you might want to go back and listen to some of our previous

10
00:00:51,040 –> 00:00:55,680
episodes to help get a little bit more context about what we’re talking about.

11
00:00:55,680 –> 00:01:02,200
More specifically, Why You Need a Password Manager, Don’t Use LastPass, Use These Instead,

12
00:01:02,200 –> 00:01:05,340
and Why Free and Open-Source Software (FOSS) Matters.

13
00:01:05,340 –> 00:01:10,080
So just to provide a little bit of background, we started warning our clients about some

14
00:01:10,080 –> 00:01:15,400
of the troubling things that we noticed about LastPass back in 2021.

15
00:01:15,400 –> 00:01:21,400
And then we wrote a blog post about this on our website, BiggerInsights.com, in September

16
00:01:21,400 –> 00:01:23,600
2022.

17
00:01:23,600 –> 00:01:30,960
And then shortly after that, one of LastPass’s DevOps engineers got hacked.

18
00:01:30,960 –> 00:01:37,320
Basically he was using his personal device, which you should never do, by the way.

19
00:01:37,320 –> 00:01:43,080
I mean, not only is that a risk for you as the employee, but that also presents risk

20
00:01:43,080 –> 00:01:49,040
for the employer, which was made painfully apparent in this case.

21
00:01:49,040 –> 00:01:56,760
So basically this employee was running a very outdated version of Plex, the Plex media

22
00:01:56,760 –> 00:02:03,080
software, that had a very serious remote code execution vulnerability in it.

23
00:02:03,080 –> 00:02:09,720
And some attacker used that to implant malware on this employee’s device that was logging

24
00:02:09,720 –> 00:02:11,560
his keystrokes.

25
00:02:11,560 –> 00:02:13,600
This is known as a keylogger.

26
00:02:13,600 –> 00:02:21,640
And it was used to record this employee typing in his or her username, password, and

27
00:02:21,640 –> 00:02:24,360
multi-factor authentication (MFA) code.

28
00:02:24,360 –> 00:02:30,720
So once the attacker got this information, they used it to log into the LastPass’s corporate

29
00:02:30,720 –> 00:02:37,680
vault, which it sounds like they were using their own service, LastPass, to store some

30
00:02:37,680 –> 00:02:45,320
of their secrets, and then the attacker used that information to get access to customer

31
00:02:45,320 –> 00:02:48,920
vaults and other customer data.

32
00:02:48,920 –> 00:02:52,760
And that data included unencrypted URLs.

33
00:02:52,760 –> 00:02:58,960
So if you were using LastPass, and then you type in a password entry for fecesbook.com

34
00:02:58,960 –> 00:03:03,080
or whatever, that URL was not being encrypted.

35
00:03:03,080 –> 00:03:08,520
So not only did LastPass have access to the URLs of all the accounts that you had, which

36
00:03:08,520 –> 00:03:14,640
is a very bad thing, but now whoever stole that information has that as well.

37
00:03:14,640 –> 00:03:20,720
In addition to that, the hackers now have the names, billing addresses, I think maybe

38
00:03:20,720 –> 00:03:27,680
some partial credit card information, and email addresses of LastPass users.

39
00:03:27,680 –> 00:03:33,080
But back to the whole unencrypted URL issue, this is extremely disappointing.

40
00:03:33,080 –> 00:03:38,440
And if you listen to our episode on Why Free and Open-Source Software (FOSS) Matters, you would

41
00:03:38,440 –> 00:03:45,120
have learned that these are the kinds of prizes that you win when you use closed-source software.

42
00:03:45,120 –> 00:03:50,240
If you use something open-source and more trustworthy, like KeePass or Bitwarden,

43
00:03:50,240 –> 00:03:55,720
for example, they encrypt your URLs, they encrypt all of the information that you type

44
00:03:55,720 –> 00:03:57,480
into the application.

45
00:03:57,480 –> 00:03:59,360
That’s the way that it should be.

46
00:03:59,360 –> 00:04:04,720
And we’re sitting over here scratching our heads saying, “Why would LastPass not be encrypting

47
00:04:04,720 –> 00:04:06,480
people’s URLs?”

48
00:04:06,480 –> 00:04:12,480
That is sensitive information, and you can learn a lot from somebody just based on what

49
00:04:12,480 –> 00:04:18,800
websites they visit or where they have accounts, not to mention, they could have been selling

50
00:04:18,800 –> 00:04:21,240
that information all this time.

51
00:04:21,240 –> 00:04:25,480
I don’t know why else they would want that if they weren’t selling that or sharing it

52
00:04:25,480 –> 00:04:27,440
with a third party.

53
00:04:27,440 –> 00:04:32,760
And even if that’s not the case, now whoever hacked them has all that information.

54
00:04:32,760 –> 00:04:39,680
So LastPass users are now at high risk of being targets of phishing attacks, because

55
00:04:39,680 –> 00:04:45,720
if whoever took these password vaults can’t get into them, they can still see what accounts

56
00:04:45,720 –> 00:04:46,960
you have.

57
00:04:46,960 –> 00:04:52,720
And they can do different things with that information, like try to find other passwords

58
00:04:52,720 –> 00:04:57,400
that you’ve used in the past that have been compromised in other data breaches and see

59
00:04:57,400 –> 00:05:00,200
if they can get into your accounts that way.

60
00:05:00,200 –> 00:05:06,600
They can also send users phishing emails and text messages that are quite convincing.

61
00:05:06,600 –> 00:05:12,720
They can say something like, “Hey, Pepe Silvia, this is Wells Fargo.

62
00:05:12,720 –> 00:05:16,560
We’ve detected some unusual activity on your account.

63
00:05:16,560 –> 00:05:21,960
You better hurry up and click this link and recover your account or we’re going to lock

64
00:05:21,960 –> 00:05:24,600
it.” or something like that.

65
00:05:24,600 –> 00:05:29,320
And unfortunately, I think a lot of people would fall for that, especially if they saw,

66
00:05:29,320 –> 00:05:34,760
you know, their real name being used and an institution that they actually do business

67
00:05:34,760 –> 00:05:41,040
with because as far as they’re concerned, nobody else should really know that information.

68
00:05:41,040 –> 00:05:47,400
But one thing that we’re looking forward to is some of LastPass’s source code also got

69
00:05:47,400 –> 00:05:54,520
stolen and we are really dying to know what all is in there because so far we’ve learned

70
00:05:54,520 –> 00:06:00,160
that not only was LastPass not encrypting URLs, which they should have been, but they

71
00:06:00,160 –> 00:06:06,320
are also doing some questionable things with regard to the iterations that they’re applying

72
00:06:06,320 –> 00:06:08,240
to people’s passwords.

73
00:06:08,240 –> 00:06:13,800
So basically older users had fewer iterations on their passwords, which are used to make

74
00:06:13,800 –> 00:06:17,680
it more difficult to crack those passwords.

75
00:06:17,680 –> 00:06:22,920
And over time, LastPass was increasing the number of iterations for newer accounts,

76
00:06:22,920 –> 00:06:28,120
but they never went back and upgraded the passwords from older users.

77
00:06:28,120 –> 00:06:33,720
But with LastPass being closed-source, we can’t see what other turds lie beneath the

78
00:06:33,720 –> 00:06:34,720
surface.

79
00:06:34,720 –> 00:06:40,360
So we’re hoping that somebody does leak that code so we can see what else they’re doing.

80
00:06:40,360 –> 00:06:45,600
And for some of you who haven’t listened to our previous episodes and haven’t really been

81
00:06:45,600 –> 00:06:51,760
following LastPass over the past several years, some of this might sound a little over-dramatic

82
00:06:51,760 –> 00:06:58,280
because you know, any company is vulnerable to someone hacking one of their employees.

83
00:06:58,280 –> 00:07:04,160
But what you need to keep in mind is this is far from LastPass’s first serious security

84
00:07:04,160 –> 00:07:05,160
incident.

85
00:07:05,160 –> 00:07:10,160
And as far as we’re concerned, it’s probably not going to be the last.

86
00:07:10,160 –> 00:07:14,560
We saw this issue coming from a mile away, which is why we started warning our clients

87
00:07:14,560 –> 00:07:17,480
about it and writing about it on our website.

88
00:07:17,480 –> 00:07:22,440
So you should check that out at BiggerInsights.com and you should also read a little bit about

89
00:07:22,440 –> 00:07:24,840
their history on Wikipedia.

90
00:07:24,840 –> 00:07:34,240
So ever since 2015, they’ve had a significant security incident on almost a yearly basis,

91
00:07:34,240 –> 00:07:40,080
which is interesting because that’s somewhat around the time that LastPass was bought

92
00:07:40,080 –> 00:07:44,160
by LogMeIn, which is now called GoTo.

93
00:07:44,160 –> 00:07:48,960
So now let’s go over some lessons from this incident so that we can learn from it and

94
00:07:48,960 –> 00:07:52,760
try to not repeat some of these mistakes in the future.

95
00:07:52,760 –> 00:07:56,920
The first lesson is to take security seriously!

96
00:07:56,920 –> 00:08:03,400
It’s very clear to us that this DevOps engineer did not take his security very seriously,

97
00:08:03,400 –> 00:08:07,480
or he wouldn’t have been using his personal device for work.

98
00:08:07,480 –> 00:08:13,480
He would have been updating Plex and not using a version that was years old and riddled with

99
00:08:13,480 –> 00:08:15,560
security holes.

100
00:08:15,560 –> 00:08:20,840
I know that security isn’t fun and it’s not something that anybody really wants to think

101
00:08:20,840 –> 00:08:27,080
about or pay attention to, but just think about how much devastation something like this can

102
00:08:27,080 –> 00:08:28,080
cause.

103
00:08:28,080 –> 00:08:35,920
I mean, this incident alone could actually sink LastPass. At a minimum,

104
00:08:35,920 –> 00:08:42,320
it’s going to cost them millions of dollars in terms of losing customers and class-action

105
00:08:42,320 –> 00:08:43,320
lawsuits.

106
00:08:43,320 –> 00:08:48,400
I believe there already is a class-action lawsuit filed against them for this.

107
00:08:48,400 –> 00:08:54,200
I’m assuming that the employee who got hacked was fired and for good reason.

108
00:08:54,200 –> 00:08:59,920
I mean, you can’t have somebody making decisions like that on your staff and guarding some

109
00:08:59,920 –> 00:09:05,440
of your most sensitive business secrets. And from the employee’s perspective, he should

110
00:09:05,440 –> 00:09:07,440
be worried about his career.

111
00:09:07,440 –> 00:09:11,600
I mean, who would hire somebody who would do something like this?

112
00:09:11,600 –> 00:09:18,640
Just imagine trying to explain to a prospective employer that you cost your former employer

113
00:09:18,640 –> 00:09:25,200
millions of dollars in damages because you were using an insecure personal device to do

114
00:09:25,200 –> 00:09:30,320
your work and access highly sensitive business information.

115
00:09:30,320 –> 00:09:34,480
And think about the millions of users whose vaults have been stolen.

116
00:09:34,480 –> 00:09:38,880
Think about how much devastation this can cause their lives if someone’s able to crack

117
00:09:38,880 –> 00:09:41,200
into their LastPass vaults.

118
00:09:41,200 –> 00:09:47,240
I mean, just imagine what a bad actor could do if he could get into your email accounts

119
00:09:47,240 –> 00:09:51,000
and your bank accounts and your social media accounts.

120
00:09:51,000 –> 00:09:55,160
And the second lesson for everyone is to be proactive.

121
00:09:55,160 –> 00:10:01,160
We sat down with the client about a year ago and warned her about the dangers that LastPass

122
00:10:01,160 –> 00:10:06,720
posed because we found out that that was something that she was using and we helped

123
00:10:06,720 –> 00:10:11,000
her open a Bitwarden account and showed her how to use it.

124
00:10:11,000 –> 00:10:16,160
And where we left off with that was we gave her instructions to move all of her accounts

125
00:10:16,160 –> 00:10:20,760
from LastPass to Bitwarden and then cancel her LastPass subscription and delete her

126
00:10:20,760 –> 00:10:21,760
account.

127
00:10:21,760 –> 00:10:24,760
And like I said, that was about a year ago.

128
00:10:24,760 –> 00:10:32,080
So after I learned about this 2022 LastPass hack, I followed up with her and I said,

129
00:10:32,080 –> 00:10:36,600
“Hey, did you ever end up deleting your LastPass account?”

130
00:10:36,600 –> 00:10:39,760
And she said, “No, I haven’t gotten around to that.”

131
00:10:39,760 –> 00:10:44,680
So now we’re worried that someone might crack into her LastPass vault and start breaching

132
00:10:44,680 –> 00:10:46,600
her other accounts.

133
00:10:46,600 –> 00:10:48,280
So stay proactive.

134
00:10:48,280 –> 00:10:53,000
If she was being proactive about this, this would be a non-issue.

135
00:10:53,000 –> 00:10:59,280
And now she’s in a mad scramble to follow the directions that we gave her a year ago.

136
00:10:59,280 –> 00:11:04,440
And not only that, but she has a lot more work to do now because not only does she need

137
00:11:04,440 –> 00:11:11,720
to move her accounts from LastPass to Bitwarden, but now she should really be considering

138
00:11:11,720 –> 00:11:16,160
changing all of those passwords as well, because she doesn’t know if someone’s going to be

139
00:11:16,160 –> 00:11:18,400
able to crack into that vault.

140
00:11:18,400 –> 00:11:22,640
So along those lines, consider becoming a Bigger Insights client.

141
00:11:22,640 –> 00:11:27,720
We go to great lengths to protect our clients in many ways, one of which is helping them

142
00:11:27,720 –> 00:11:32,760
avoid landmines like LastPass and other questionable services.

143
00:11:32,760 –> 00:11:37,960
So if that sounds interesting to you, fill out the short form at the bottom of our website,

144
00:11:37,960 –> 00:11:43,600
BiggerInsights.com, and we’ll reach out to you to schedule your initial consultation.

145
00:11:43,600 –> 00:11:48,280
So now I’m going to share some of the red flags with you that we look out for to help

146
00:11:48,280 –> 00:11:53,160
us identify and avoid turds like LastPass.

147
00:11:53,160 –> 00:11:57,120
And the first one is closed-source software.

148
00:11:57,120 –> 00:12:03,040
We avoid this as much as possible, especially when it comes to protecting our most sensitive

149
00:12:03,040 –> 00:12:06,120
data like passwords.

150
00:12:06,120 –> 00:12:11,080
Like I mentioned at the beginning of this episode, we did a whole episode on why open

151
00:12:11,080 –> 00:12:13,160
source software matters.

152
00:12:13,160 –> 00:12:19,200
And a big chunk of that episode discusses what a lot of the problems with closed-source

153
00:12:19,200 –> 00:12:20,800
software are.

154
00:12:20,800 –> 00:12:26,840
And one of those is a lot of companies like LastPass use the closed-source nature of

155
00:12:26,840 –> 00:12:33,840
their software to hide things from their users like third-party trackers and poor encryption

156
00:12:33,840 –> 00:12:36,920
methodologies and other things like that.

157
00:12:36,920 –> 00:12:42,440
The second red flag is third-party trackers embedded in the software.

158
00:12:42,440 –> 00:12:49,720
It was discovered at least as far back as 2021 that the LastPass mobile apps on Android

159
00:12:49,720 –> 00:12:53,400
and iOS had third-party trackers in them.

160
00:12:53,400 –> 00:12:57,800
The Android app had as many as seven of them, including Google.

161
00:12:57,800 –> 00:13:02,000
And from our own testing, we discovered that there was a Google tracker embedded in the

162
00:13:02,000 –> 00:13:04,280
iOS client.

163
00:13:04,280 –> 00:13:09,160
And that might not sound like a big deal to some of you, but the question is, what does

164
00:13:09,160 –> 00:13:17,880
that say about the company that they value you and your data and your privacy so little

165
00:13:17,880 –> 00:13:23,840
that they’re willing to send your data to third parties like Google without even asking

166
00:13:23,840 –> 00:13:27,640
for your permission or making it clear that this is what they’re doing?

167
00:13:27,640 –> 00:13:32,760
I mean, what if you opened LastPass and a little pop up came up and said, “Hey, by the

168
00:13:32,760 –> 00:13:38,200
way, every time you open the app, every time you use it, we’re going to send information

169
00:13:38,200 –> 00:13:44,080
about what you’re doing and when you’re doing it to Google and these other third-party companies.”

170
00:13:44,080 –> 00:13:46,160
What would you think about that?

171
00:13:46,160 –> 00:13:49,920
And I’m guessing that most people would not be okay with that.

172
00:13:49,920 –> 00:13:53,840
And that’s why they hide it from you with their closed-source software.

173
00:13:53,840 –> 00:13:58,320
As far as I’m aware, you’re not going to see anything like that in Bitwarden or KeePass

174
00:13:58,320 –> 00:14:02,400
or most other open-source software.

175
00:14:02,400 –> 00:14:08,080
Another red flag to look out for is services owned by large corporations.

176
00:14:08,080 –> 00:14:13,640
Now one of the things that makes us unique in the privacy and security world is we are

177
00:14:13,640 –> 00:14:15,560
not anti-business.

178
00:14:15,560 –> 00:14:17,280
We’re very pro-business.

179
00:14:17,280 –> 00:14:22,480
We actually have a finance podcast, by the way, so you should go check out the Bigger

180
00:14:22,480 –> 00:14:28,640
Insights Finance podcast, but pragmatically speaking, it just usually works out that way

181
00:14:28,640 –> 00:14:36,040
that large corporations tend to produce software and services that present very serious privacy

182
00:14:36,040 –> 00:14:39,600
and security risks to their users.

183
00:14:39,600 –> 00:14:45,080
So when LogMeIn bought LastPass, that should have been the cue to a lot of people to leave

184
00:14:45,080 –> 00:14:47,200
for greener pastures.

185
00:14:47,200 –> 00:14:53,480
Because when companies like LogMeIn or Microsoft or Fecesbook or whomever buy these

186
00:14:53,480 –> 00:14:57,920
smaller apps and services, they make a lot of really bad changes.

187
00:14:57,920 –> 00:15:04,160
Typically, the prices go up, they start cutting corners, they start cutting QA and security

188
00:15:04,160 –> 00:15:10,160
staff and the security goes down, privacy goes down, telemetry goes up, advertising

189
00:15:10,160 –> 00:15:11,160
goes up.

190
00:15:11,160 –> 00:15:13,680
It’s just a bad situation.

191
00:15:13,680 –> 00:15:18,440
So just keep that in mind if a piece of software or a service that you’re using gets bought

192
00:15:18,440 –> 00:15:21,040
out by one of these larger players.

193
00:15:21,040 –> 00:15:28,600
So for example, we use Proton somewhat extensively. If Proton came out one day and said, “Hey, we’re

194
00:15:28,600 –> 00:15:34,000
being bought by Google”, you know, we would switch to something else that day.

195
00:15:34,000 –> 00:15:39,720
And another red flag to look out for is apps and services that are really popular as a

196
00:15:39,720 –> 00:15:43,120
result of their affiliate marketing campaigns.

197
00:15:43,120 –> 00:15:49,600
So over time, we’ve learned the hard way that when you go to YouTube or Google or whatever,

198
00:15:49,600 –> 00:15:55,240
and you’re looking for, you know, what’s the best password manager, what’s the best VPN

199
00:15:55,240 –> 00:16:00,520
or whatever, the vast, vast, vast majority of the results that you’re going to get are

200
00:16:00,520 –> 00:16:06,760
just ads. And they don’t look like ads because these are affiliate marketing campaigns.

201
00:16:06,760 –> 00:16:12,440
So basically, some creator will say, “Oh, yeah, LastPass is great, it’s the best password

202
00:16:12,440 –> 00:16:14,640
manager that’s ever been created.

203
00:16:14,640 –> 00:16:15,640
It’s awesome.

204
00:16:15,640 –> 00:16:18,160
Click my link and go buy it.”

205
00:16:18,160 –> 00:16:20,360
And when you do that, they get a commission.

206
00:16:20,360 –> 00:16:26,400
And there’s nothing wrong with that, technically, I mean, you know, even we might do affiliate

207
00:16:26,400 –> 00:16:31,960
marketing at some point for a product and service that we really believe in.

208
00:16:31,960 –> 00:16:37,360
But that’s the fly in the ointment here, because a lot of these creators are not recommending

209
00:16:37,360 –> 00:16:41,320
products and services that they think are actually best for their users.

210
00:16:41,320 –> 00:16:45,280
They’re recommending the ones that give them the highest commissions.

211
00:16:45,280 –> 00:16:51,040
I mean, when I started looking for password managers many years ago, I didn’t hear a single

212
00:16:51,040 –> 00:16:53,520
peep about KeePass.

213
00:16:53,520 –> 00:16:56,080
KeePass is absolutely amazing.

214
00:16:56,080 –> 00:16:59,720
It’s one of the best pieces of open-source software out there.

215
00:16:59,720 –> 00:17:01,200
Didn’t hear a single word about it.

216
00:17:01,200 –> 00:17:06,200
And the reason is because it’s completely free and no one’s getting paid.

217
00:17:06,200 –> 00:17:09,640
So you’re not going to hear anything about it from most people.

218
00:17:09,640 –> 00:17:12,240
So just to help drive that home.

219
00:17:12,240 –> 00:17:18,240
Just keep in mind that oftentimes a lot of the most private and secure software out there,

220
00:17:18,240 –> 00:17:22,760
you’re hardly going to hear anything about because a lot of them are either completely

221
00:17:22,760 –> 00:17:30,360
free or they just don’t even have affiliate marketing campaigns for integrity reasons.

222
00:17:30,360 –> 00:17:36,800
I believe IVPN is one of those companies. I’m pretty sure. But I think I saw a page

223
00:17:36,800 –> 00:17:41,200
on their website where they basically explained why they don’t do affiliate marketing and

224
00:17:41,200 –> 00:17:43,520
why they think it’s a bad thing.

225
00:17:43,520 –> 00:17:47,120
And you know, unfortunately, one of the side effects of that is you don’t see a lot of

226
00:17:47,120 –> 00:17:50,240
people shilling their service.

227
00:17:50,240 –> 00:17:57,080
Another major red flag, which unfortunately is kind of difficult to determine until you

228
00:17:57,080 –> 00:18:04,760
run into this, is try your best to avoid companies that make it difficult to leave them or stop

229
00:18:04,760 –> 00:18:06,280
paying for their service.

230
00:18:06,280 –> 00:18:10,320
Every time I see this, it reminds me of the Berlin Wall.

231
00:18:10,320 –> 00:18:14,520
You know, when you think about walls, you normally think about those being there to

232
00:18:14,520 –> 00:18:20,000
keep people out, like keep people out of your country or off your property.

233
00:18:20,000 –> 00:18:24,240
But in this case, the Berlin Wall was there to keep people from leaving.

234
00:18:24,240 –> 00:18:30,720
And this is what a lot of garbage companies do is they put up a lot of barriers to prevent

235
00:18:30,720 –> 00:18:33,000
their users from leaving.

236
00:18:33,000 –> 00:18:36,520
Now this isn’t quite the case with LastPass.

237
00:18:36,520 –> 00:18:42,840
From what I remember, when I deleted my LastPass account, the process was pretty reasonable.

238
00:18:42,840 –> 00:18:48,660
But there are other companies like Nord, you know, the makers of NordVPN, which just make

239
00:18:48,660 –> 00:18:55,520
it very difficult and very annoying to stop paying for their service and delete your account.

240
00:18:55,520 –> 00:19:00,760
Last time I looked into this, it was really confusing figuring out how to cancel your

241
00:19:00,760 –> 00:19:01,760
subscription.

242
00:19:01,760 –> 00:19:07,000
And then once you did, they did things like beg you to come back and send you confusing

243
00:19:07,000 –> 00:19:08,440
emails and things like that.

244
00:19:08,440 –> 00:19:10,680
It was really bad.

245
00:19:10,680 –> 00:19:15,560
And if you want to delete your account, you have to fill out a form on their customer

246
00:19:15,560 –> 00:19:24,440
service page, which asks six or more questions like who you are and even like payment information.

247
00:19:24,440 –> 00:19:28,360
You have to give them information from your payment card, just to get them to delete your

248
00:19:28,360 –> 00:19:29,360
account.

249
00:19:29,360 –> 00:19:32,960
And the message there is: Don’t leave.

250
00:19:32,960 –> 00:19:33,960
We don’t want you to leave.

251
00:19:33,960 –> 00:19:38,480
We’re going to try to put up as many barriers as possible to make sure that you don’t leave

252
00:19:38,480 –> 00:19:43,760
or cancel your subscription, because they know that what they’re offering isn’t good

253
00:19:43,760 –> 00:19:47,480
enough to keep you there on its own merits.

254
00:19:47,480 –> 00:19:52,640
But if you contrast that to a more trustworthy company like Proton, for example, if you want

255
00:19:52,640 –> 00:19:56,760
to delete your Proton account, you go into your account settings, there’s a little red

256
00:19:56,760 –> 00:20:02,040
button at the bottom that says delete my account, and they’ll delete your account with no questions

257
00:20:02,040 –> 00:20:03,040
asked.

258
00:20:03,040 –> 00:20:09,080
I think that there’s like an optional message box to explain why you’re deleting it or something

259
00:20:09,080 –> 00:20:11,480
like that, but they don’t bother you.

260
00:20:11,480 –> 00:20:14,960
You click delete, and then they delete your account.

261
00:20:14,960 –> 00:20:21,320
Another thing to avoid are companies that have very poor responses to privacy and security

262
00:20:21,320 –> 00:20:22,320
incidents.

263
00:20:22,320 –> 00:20:28,280
Now, in this particular case, I think LastPass has done an okay job.

264
00:20:28,280 –> 00:20:33,000
That’s kind of difficult to evaluate at this point, because this issue is still unfolding.

265
00:20:33,000 –> 00:20:39,560
But we see a lot of cases on a regular basis where companies just don’t take these kinds

266
00:20:39,560 –> 00:20:45,400
of issues seriously, or a security researcher might reach out to them and say, “Hey, you’ve

267
00:20:45,400 –> 00:20:51,000
got this AWS bucket with highly sensitive information in it that’s completely insecure

268
00:20:51,000 –> 00:20:56,320
and we can see all the data”. And they’ll take like months to address it.

269
00:20:56,320 –> 00:21:01,240
If you see anything like that, you need to stay away from those companies, because it’s

270
00:21:01,240 –> 00:21:07,000
clear that the privacy and security of their users is not one of their high priorities.

271
00:21:07,000 –> 00:21:13,320
And along those lines, also be wary of developers that don’t take bugs seriously.

272
00:21:13,320 –> 00:21:19,760
It’s pretty much corporate policy at a lot of these large software companies to spend

273
00:21:19,760 –> 00:21:27,840
99% of your time on new features, and constantly refreshing the UI, and just letting bugs sit

274
00:21:27,840 –> 00:21:31,000
around for months or sometimes years.

275
00:21:31,000 –> 00:21:38,240
And that can be very risky, because sometimes what looks like a harmless bug can actually

276
00:21:38,240 –> 00:21:41,240
present a serious vulnerability.

277
00:21:41,240 –> 00:21:47,000
Sometimes these bugs can also be chained together to create a serious vulnerability.

278
00:21:47,000 –> 00:21:53,320
So just as a perfect example, in 2021, it was discovered that Microsoft Azure had a

279
00:21:53,320 –> 00:22:00,720
feature called Jupyter Notebooks, which they added to their Cosmos DB, which is their database

280
00:22:00,720 –> 00:22:06,200
service, and they turned it on for all customers by default.

281
00:22:06,200 –> 00:22:11,520
And this Jupyter Notebook feature had a bug in it, which allowed anyone who knew how to

282
00:22:11,520 –> 00:22:18,600
exploit it to access the contents of any other customer’s Azure database, which is really

283
00:22:18,600 –> 00:22:25,480
kind of a nightmare scenario, because a lot of corporate and government entities use Azure

284
00:22:25,480 –> 00:22:31,360
and AWS and other clouds to store tremendous amounts of information about you.

285
00:22:31,360 –> 00:22:38,480
So what probably looked like a pretty benign bug in some stupid little visualization feature

286
00:22:38,480 –> 00:22:44,920
that Microsoft introduced, ended up being a bug that gave someone direct access to everybody’s

287
00:22:44,920 –> 00:22:45,920
databases.

288
00:22:45,920 –> 00:22:51,760
And if you know anything about Microsoft, they don’t exactly have a great history of

289
00:22:51,760 –> 00:22:57,800
producing clean, stable code and fixing bugs promptly.

290
00:22:57,800 –> 00:23:02,560
And that’s why we don’t recommend using Microsoft’s products and services.

291
00:23:02,560 –> 00:23:07,080
If you’re an employee, there are some lessons here for you as well.

292
00:23:07,080 –> 00:23:10,960
First of all, don’t use your personal devices for work.

293
00:23:10,960 –> 00:23:17,680
We’ll probably talk about this in a separate episode, but employers are increasingly using,

294
00:23:17,680 –> 00:23:24,520
I guess what you could call surveillance software to monitor what employees are doing at home.

295
00:23:24,520 –> 00:23:27,520
I think they call this bossware or something like that.

296
00:23:27,520 –> 00:23:29,960
I can’t remember what the term for that is.

297
00:23:29,960 –> 00:23:35,880
So if you’re using your personal devices, your employer has an interest in knowing what

298
00:23:35,880 –> 00:23:42,120
those devices are, what’s on them, how are they secured and what you’re doing with them.

299
00:23:42,120 –> 00:23:47,640
Using your personal devices for work also presents security issues for your employer,

300
00:23:47,640 –> 00:23:50,320
which you may or may not care too much about.

301
00:23:50,320 –> 00:23:56,200
From my own experience, my observations suggest that a lot of employees really don’t care

302
00:23:56,200 –> 00:24:02,480
about their employer’s security, but they just seem to have this attitude that, you know,

303
00:24:02,480 –> 00:24:08,240
“If I get my computer infected and that causes a huge problem for the company and the company

304
00:24:08,240 –> 00:24:12,920
goes out of business or I lose my job or something, I’ll just go work for somebody else.

305
00:24:12,920 –> 00:24:16,520
You know, it’s not my business that’s going under.”

306
00:24:16,520 –> 00:24:20,680
And there’s a little bit of truth to that, but think about it from the perspective of

307
00:24:20,680 –> 00:24:22,160
this DevOps engineer.

308
00:24:22,160 –> 00:24:28,120
I mean, when he goes to interview for another employer, they might not want to hire him.

309
00:24:28,120 –> 00:24:33,240
I mean, who would want to hire somebody who used their personal device that had vulnerable

310
00:24:33,240 –> 00:24:38,040
software on it and ended up, you know, costing his employer millions of dollars?

311
00:24:38,040 –> 00:24:41,880
I wouldn’t hire somebody, at least not in that kind of a role.

312
00:24:41,880 –> 00:24:47,200
I mean, maybe I would hire him to clean the toilets or something like that, but just keep

313
00:24:47,200 –> 00:24:48,200
that in mind.

314
00:24:48,200 –> 00:24:54,400
If you cause a very serious issue like this at work, that could really hurt your own career.

315
00:24:54,400 –> 00:24:59,600
And along those lines, if you’re an employer or a manager, there are some lessons in here

316
00:24:59,600 –> 00:25:06,080
for you as well, and that is that a major security event could sink your business.

317
00:25:06,080 –> 00:25:12,160
You know, it’s not that uncommon that I see these headlines like “Man Spends 22 Years Building

318
00:25:12,160 –> 00:25:17,280
his business and ransomware destroys it in five minutes.”

319
00:25:17,280 –> 00:25:22,720
And what I was talking about before with employee lessons, I have it on good authority

320
00:25:22,720 –> 00:25:28,560
that a lot of employees really, truly don’t care about your security.

321
00:25:28,560 –> 00:25:33,640
You know, they’ll use the weakest passwords that you’ll allow them to use because they don’t

322
00:25:33,640 –> 00:25:38,760
want to spend an extra 20 seconds using a password manager or something like that.

323
00:25:38,760 –> 00:25:44,560
Because again, if that ends up causing a problem, as far as a lot of them are concerned, it’s

324
00:25:44,560 –> 00:25:45,560
not their problem.

325
00:25:45,560 –> 00:25:47,400
It’s your problem.

326
00:25:47,400 –> 00:25:52,880
And even to the extent that the issue isn’t that they just don’t care, some of them are

327
00:25:52,880 –> 00:25:57,640
just blissfully unaware of a lot of the cybersecurity risks that they face.

328
00:25:57,640 –> 00:26:00,480
I’ll give you a perfect example of that.

329
00:26:00,480 –> 00:26:07,120
I worked at a technology firm not that many years ago. And one of the things that they

330
00:26:07,120 –> 00:26:14,960
would do every once in a while is cybersecurity training and one of these phishing email tests

331
00:26:14,960 –> 00:26:20,080
to see if people are paying attention and actually learning from the training material.

332
00:26:20,080 –> 00:26:26,640
And after, I think it was multiple tests, I was talking to one of our IT guys and he

333
00:26:26,640 –> 00:26:33,920
said that about 20% of the employees failed the test, meaning that they clicked on the

334
00:26:33,920 –> 00:26:36,480
links in the phishing emails.

335
00:26:36,480 –> 00:26:43,200
Now keep in mind, this was a company, this was a technology company composed mostly of

336
00:26:43,200 –> 00:26:50,240
younger employees who are very much up-to-date with technology, and about 20% of them

337
00:26:50,240 –> 00:26:52,120
failed this test.

338
00:26:52,120 –> 00:26:57,640
So if you’re an employer or a manager, if that doesn’t terrify you, I don’t know what

339
00:26:57,640 –> 00:27:04,640
does because statistically, just based on this one test, if you’ve got at least five

340
00:27:04,640 –> 00:27:10,120
employees, chances are one of them is going to fall for one of these phishing attacks

341
00:27:10,120 –> 00:27:12,840
and that could sink your business.

342
00:27:12,840 –> 00:27:18,760
Not to mention, I took the test as well, as I was one of these employees, and the tests were

343
00:27:18,760 –> 00:27:23,960
not very good, these were not very high quality phishing attempts.

344
00:27:23,960 –> 00:27:29,320
So the lesson here for employers is you need to take the initiative because your employees

345
00:27:29,320 –> 00:27:31,840
are not going to do that.

346
00:27:31,840 –> 00:27:37,840
And along those lines, I wouldn’t rely on things like company policies either. You know, every

347
00:27:37,840 –> 00:27:43,320
company has policies like, you know, “We don’t want you to use personal devices” or things

348
00:27:43,320 –> 00:27:44,320
like that.

349
00:27:44,320 –> 00:27:49,520
But you know, I guess that’s fine to have after the fact, you know, if you want to have some

350
00:27:49,520 –> 00:27:55,440
reason for firing somebody for an issue like what we saw with LastPass.

351
00:27:55,440 –> 00:27:59,840
But most employees ignore these kinds of policies anyway.

352
00:27:59,840 –> 00:28:07,240
So you really need to focus on how you can force them to practice good security practices.

353
00:28:07,240 –> 00:28:12,840
Which admittedly is easier said than done, but there are things you can do like forcing

354
00:28:12,840 –> 00:28:18,400
strong passwords and forcing multi-factor authentication (MFA).

355
00:28:18,400 –> 00:28:25,280
And one of our favorites is, when it comes to what employees can access, implement a policy

356
00:28:25,280 –> 00:28:27,160
of least privilege.

357
00:28:27,160 –> 00:28:30,880
If an employee doesn’t need access to something, don’t give it to them.

358
00:28:30,880 –> 00:28:36,040
Because not only might they intentionally do something malicious with that information

359
00:28:36,040 –> 00:28:42,200
or that data, but you also have to account for the possibility that they might be socially

360
00:28:42,200 –> 00:28:47,080
engineered into giving someone else access to that, or, you know, their devices might

361
00:28:47,080 –> 00:28:51,920
be infected and that might expose that information to a bad actor as well.

362
00:28:51,920 –> 00:28:55,680
So a policy of least privilege makes a lot of sense.

363
00:28:55,680 –> 00:28:58,840
And it’s something that we always recommend.

364
00:28:58,840 –> 00:29:05,040
And even though there are significant limitations, we also recommend that you conduct cybersecurity

365
00:29:05,040 –> 00:29:07,520
training and tests.

366
00:29:07,520 –> 00:29:12,360
Like we alluded to earlier, some employees have a tendency to ignore those things, but

367
00:29:12,360 –> 00:29:13,360
it’s better than nothing.

368
00:29:13,360 –> 00:29:17,680
I mean, some people do pay attention and put those ideas into practice.

369
00:29:17,680 –> 00:29:21,880
And if somebody does screw something up, at least you can sit them down and say, “Hey,

370
00:29:21,880 –> 00:29:26,640
you know, we talked about this, this was in the training, you know, why did you not do

371
00:29:26,640 –> 00:29:28,840
what you were supposed to do?”

372
00:29:28,840 –> 00:29:35,000
And just to illustrate that point, we have a client who works for a professional services

373
00:29:35,000 –> 00:29:36,000
firm.

374
00:29:36,000 –> 00:29:42,560
And he was telling me that one of the employees in their HR department fell for a phishing

375
00:29:42,560 –> 00:29:49,560
scam where an attacker pretended to be someone high up in the company and asked her to send

376
00:29:49,560 –> 00:29:53,520
them all of the employees’ W-2 forms.

377
00:29:53,520 –> 00:29:54,720
And she fell for it.

378
00:29:54,720 –> 00:30:00,840
She sent them out and caused, you know, identity theft and other issues for their employees.

379
00:30:00,840 –> 00:30:05,680
And since then, they’ve had cybersecurity training to try to prevent these things from

380
00:30:05,680 –> 00:30:07,480
happening in the future.

381
00:30:07,480 –> 00:30:16,560
And the same employee fell for almost an identical phishing campaign just a few years later.

382
00:30:16,560 –> 00:30:21,960
But this time the attacker asked for health insurance information and she gave that up

383
00:30:21,960 –> 00:30:23,460
as well.

384
00:30:23,460 –> 00:30:28,640
So not surprisingly, she’s no longer working there. But let this be a cautionary

385
00:30:28,640 –> 00:30:31,000
tale to employers and managers out there.

386
00:30:31,000 –> 00:30:36,320
You know, I hate to be a jerk about it, but there are some people that just don’t get

387
00:30:36,320 –> 00:30:37,320
these things.

388
00:30:37,320 –> 00:30:42,360
And if you’ve got employees who are going to fall for things like this, you’ve got to get

389
00:30:42,360 –> 00:30:45,200
rid of them because they are going to fall for them.

390
00:30:45,200 –> 00:30:50,800
And once they do, attackers have a tendency to keep going back to those people over and

391
00:30:50,800 –> 00:30:54,120
over again to get more information out of them.

392
00:30:54,120 –> 00:30:59,440
We see this a lot in the scamming industry as well. When somebody falls for a scam, like

393
00:30:59,440 –> 00:31:05,360
one of these IRS scams or tech support scams, those people get put on, I believe what they

394
00:31:05,360 –> 00:31:10,800
call it is a “suckers list”, where the scammers will just keep hitting them over and over

395
00:31:10,800 –> 00:31:14,480
and over again, because it’s clear to them that they just don’t get it.

396
00:31:14,480 –> 00:31:18,560
So if you have an employee like that, you need to do something about it, which might

397
00:31:18,560 –> 00:31:24,800
be just putting them in a role where they don’t have access to sensitive information.

398
00:31:24,800 –> 00:31:30,040
So now let’s go over a few lessons for software companies and developers.

399
00:31:30,040 –> 00:31:35,440
There are a few things that you guys need to stop doing, and one of them is producing closed-source

400
00:31:35,440 –> 00:31:41,040
software. Especially if that software is supposed to be protecting highly sensitive

401
00:31:41,040 –> 00:31:46,840
information, because chances are you’re going to screw something up, and you have to wonder,

402
00:31:46,840 –> 00:31:53,440
what is that going to mean for you, your business, and your customers, if a major vulnerability

403
00:31:53,440 –> 00:31:57,840
is discovered, and that information gets breached.

404
00:31:57,840 –> 00:32:04,680
And there’s long been this idea that companies cannot open-source their software, because

405
00:32:04,680 –> 00:32:09,920
I don’t know, people have this idea that if you do that, then all your secrets get out,

406
00:32:09,920 –> 00:32:14,880
and people steal your code, and then you won’t be able to make money or something like that.

407
00:32:14,880 –> 00:32:18,640
And I’m just not necessarily convinced that’s true.

408
00:32:18,640 –> 00:32:23,120
I mean, Bitwarden is open-source, and from what I understand, they’re doing quite well.

409
00:32:23,120 –> 00:32:27,120
They’re probably going to end up eating LastPass’s lunch.

410
00:32:27,120 –> 00:32:29,960
From what I understand, GitLab is also open-source.

411
00:32:29,960 –> 00:32:37,240
So it’s not quite true that you need to close source your code in order to protect your business.

412
00:32:37,240 –> 00:32:43,280
And you also have to keep in mind where the mentality of your customers is going.

413
00:32:43,280 –> 00:32:48,640
The world is moving toward open-source software and trustless computing.

414
00:32:48,640 –> 00:32:54,680
So if you’re relying on closed-source software and security-through-obscurity, that might

415
00:32:54,680 –> 00:32:57,240
cause a problem for you down the road.

416
00:32:57,240 –> 00:33:00,960
And along those lines, don’t roll your own crypto.

417
00:33:00,960 –> 00:33:07,080
There are a lot of great off-the-shelf, open-source, accepted standards for encryption.

418
00:33:07,080 –> 00:33:13,960
It really makes us cringe when we hear companies like LastPass trying to brag about how their

419
00:33:13,960 –> 00:33:17,280
encryption schemes are proprietary.

420
00:33:17,280 –> 00:33:18,520
Why do that?

421
00:33:18,520 –> 00:33:24,400
Why spend your time and money developing a proprietary encryption scheme, which might

422
00:33:24,400 –> 00:33:29,320
very well have holes in it, when you can just use something that’s generally accepted off

423
00:33:29,320 –> 00:33:31,640
the shelf and free.

424
00:33:31,640 –> 00:33:37,440
Another thing to keep in mind is to avoid using third-party trackers, because people are really

425
00:33:37,440 –> 00:33:41,680
starting to wake up to this and they’re starting to use, you know, DNS filtering and other

426
00:33:41,680 –> 00:33:47,680
tools to discover what kind of connections their apps and services are making without

427
00:33:47,680 –> 00:33:48,680
their knowledge.

428
00:33:48,680 –> 00:33:54,280
And over time, I’m starting to gather that a lot of developers and businesses are of

429
00:33:54,280 –> 00:33:58,440
the opinion that these things don’t really matter because they think to themselves, “Oh,

430
00:33:58,440 –> 00:34:05,520
well, when I use Firebase or whatever, I’m getting valuable information or logging information

431
00:34:05,520 –> 00:34:08,240
or telemetry or whatever to help improve my product.

432
00:34:08,240 –> 00:34:09,740
What’s the big deal?”

433
00:34:09,740 –> 00:34:15,880
The big deal is you’re funneling your users’ traffic through a third party without your

434
00:34:15,880 –> 00:34:17,720
users’ knowledge.

435
00:34:17,720 –> 00:34:24,440
You know, just the other day I was on a forum and someone was asking, “How can I get around

436
00:34:24,440 –> 00:34:30,480
people using ad blockers and blocking Google Analytics?” or something like that.

437
00:34:30,480 –> 00:34:33,440
And the top-rated answer said, “You don’t.

438
00:34:33,440 –> 00:34:37,240
If people don’t want to be tracked, don’t track them.”

439
00:34:37,240 –> 00:34:42,360
And the original poster got back on trying to defend their question and said something

440
00:34:42,360 –> 00:34:45,320
like, “Well, we’re not tracking our users.

441
00:34:45,320 –> 00:34:47,920
There’s no tracking going on here.”

442
00:34:47,920 –> 00:34:49,560
But that’s not the issue.

443
00:34:49,560 –> 00:34:54,880
You know, if you are making a password manager, for example, and you’re embedding third-party

444
00:34:54,880 –> 00:34:57,400
trackers into your app, yes, it’s great,

445
00:34:57,400 –> 00:35:02,080
I’m happy for you that you’re getting, you know, whatever analytics or debugging information

446
00:35:02,080 –> 00:35:03,640
that you’re looking for.

447
00:35:03,640 –> 00:35:09,480
But what you’re missing is all the information that these third-party trackers are collecting

448
00:35:09,480 –> 00:35:11,720
from your users.

449
00:35:11,720 –> 00:35:19,520
You know, when I open your app, I do not want that app communicating to Google or Fecesbook

450
00:35:19,520 –> 00:35:25,400
or Twitter or TikTok or any other third-party period.

451
00:35:25,400 –> 00:35:27,320
I don’t care what the reason is.

452
00:35:27,320 –> 00:35:32,640
And I think a lot of other people are starting to come to this conclusion as well.

453
00:35:32,640 –> 00:35:37,520
So if you want to have a business and you want to have users, start thinking about this.

454
00:35:37,520 –> 00:35:43,280
If you’re relying on third-party trackers to get certain information, you should probably

455
00:35:43,280 –> 00:35:45,920
come up with a better alternative.

456
00:35:45,920 –> 00:35:49,160
And along those lines, don’t be creepy.

457
00:35:49,160 –> 00:35:51,920
Don’t ask for privileges that you don’t need.

458
00:35:51,920 –> 00:35:55,440
Don’t share people’s information with third parties unless there’s a very good reason

459
00:35:55,440 –> 00:36:02,880
to. Not only are those things unethical, but they can cause real compliance headaches.

460
00:36:02,880 –> 00:36:06,300
You know, on our website, for example, we don’t use cookies.

461
00:36:06,300 –> 00:36:08,120
We don’t track our users.

462
00:36:08,120 –> 00:36:10,360
We don’t do any of that garbage.

463
00:36:10,360 –> 00:36:16,520
That’s a huge load off of our shoulders because it makes it very easy to comply with the various

464
00:36:16,520 –> 00:36:20,320
laws that are out there regarding collecting people’s information.

465
00:36:20,320 –> 00:36:27,720
I mean, right now, business owners need to worry about GDPR and the CCPA and whatnot.

466
00:36:27,720 –> 00:36:33,160
Just imagine if, you know, 10 years down the road, we have these kinds of laws for every

467
00:36:33,160 –> 00:36:36,280
country and every state.

468
00:36:36,280 –> 00:36:40,480
If you’re one of these creepy websites that are tracking your users and sharing their

469
00:36:40,480 –> 00:36:45,600
information with 800 different parties, which a lot of them do, by the way, how are you

470
00:36:45,600 –> 00:36:48,320
going to comply with these laws?

471
00:36:48,320 –> 00:36:53,200
And when you’re not being creepy, not only does it help boost your reputation, but it

472
00:36:53,200 –> 00:36:58,040
also makes it easier to get things like HIPAA compliance, for example.

473
00:36:58,040 –> 00:37:03,320
So if you take a look at Bitwarden’s website, for example, it says that they have compliance

474
00:37:03,320 –> 00:37:11,800
with GDPR, Privacy Shield, HIPAA, CCPA, and that helps them get new customers.

475
00:37:11,800 –> 00:37:16,160
And that’s a lot easier to do when you’re not being creepy.

476
00:37:16,160 –> 00:37:22,240
You know, companies like Microsoft are in this constant battle with certain jurisdictions,

477
00:37:22,240 –> 00:37:28,800
mostly in Europe, regarding privacy and, you know, what data is going where, and that’s

478
00:37:28,800 –> 00:37:31,880
because they collect a tremendous amount of data.

479
00:37:31,880 –> 00:37:36,360
If Microsoft products weren’t collecting so much user data to begin with, this wouldn’t

480
00:37:36,360 –> 00:37:37,880
be a problem for them.

481
00:37:37,880 –> 00:37:43,920
And, you know, if you read the news, you’ll see things like France and Germany banning,

482
00:37:43,920 –> 00:37:46,120
you know, certain Microsoft products.

483
00:37:46,120 –> 00:37:51,120
I think some European schools have also banned Microsoft Office because of this data sharing

484
00:37:51,120 –> 00:37:52,120
concern.

485
00:37:52,120 –> 00:37:56,680
And, you know, that’s what you’re going to get if you’re going to be creepy.

486
00:37:56,680 –> 00:38:03,480
And the final lesson for software companies here is to stop relying on affiliate marketing

487
00:38:03,480 –> 00:38:04,880
to push your product.

488
00:38:04,880 –> 00:38:08,960
You know, a good product or service sells itself.

489
00:38:08,960 –> 00:38:14,040
So if you feel like you need to pay a bunch of creators to shill your product because

490
00:38:14,040 –> 00:38:19,400
it won’t stand on its own, you need to go back to the drawing board and figure out how

491
00:38:19,400 –> 00:38:25,360
to create a good product or service that people actually want and will pay for.

492
00:38:25,360 –> 00:38:30,600
So now let’s switch gears and talk about what you should do if you are an existing

493
00:38:30,600 –> 00:38:32,440
LastPass user.

494
00:38:32,440 –> 00:38:36,520
The first thing you’re going to want to do is change your master password. Because if

495
00:38:36,520 –> 00:38:43,120
this threat actor is able to crack into the copy of your vault that they already have,

496
00:38:43,120 –> 00:38:48,880
then that will allow them to potentially log into your existing database and look at any

497
00:38:48,880 –> 00:38:50,880
changes that you make.

498
00:38:50,880 –> 00:38:57,040
You’re also going to want to be on the lookout for text and email phishing attacks.

499
00:38:57,040 –> 00:39:04,200
So like I was saying earlier, this hacker has your name, your address, your vault and

500
00:39:04,200 –> 00:39:07,000
the URLs of the accounts that you have.

501
00:39:07,000 –> 00:39:13,040
So they can craft, you know, pretty convincing phishing email and text messages that have

502
00:39:13,040 –> 00:39:18,400
your name in them, and they’ll pretend to be from one of these companies that you have

503
00:39:18,400 –> 00:39:19,400
an account with.

504
00:39:19,400 –> 00:39:26,520
So you might get an email like, “Hey, Bob Smith, this is the Fecesbook security team.

505
00:39:26,520 –> 00:39:31,840
We’ve discovered that your account has been compromised as a result of this LastPass data

506
00:39:31,840 –> 00:39:33,000
breach.

507
00:39:33,000 –> 00:39:36,800
Click this link right here and recover your account.”

508
00:39:36,800 –> 00:39:40,500
And we’re quite certain that a lot of people are going to fall for things like that.

509
00:39:40,500 –> 00:39:46,680
The next step that we recommend is that you set up KeePass and or Bitwarden so that you

510
00:39:46,680 –> 00:39:52,960
can start moving your accounts from LastPass to those more trustworthy password managers

511
00:39:52,960 –> 00:39:54,760
and then update your passwords.

512
00:39:54,760 –> 00:39:57,320
I realize that that’s a lot of work.

513
00:39:57,320 –> 00:40:01,440
So we recommend that you start with the most critical passwords that you have, like those

514
00:40:01,440 –> 00:40:06,760
for your email account, your bank account, your mobile phone service, things like that.

515
00:40:06,760 –> 00:40:11,520
And also focus on the passwords that are most vulnerable. Those could be either

516
00:40:11,520 –> 00:40:15,800
ones that you reuse a lot, which you shouldn’t do, but you know, obviously a lot of people

517
00:40:15,800 –> 00:40:22,480
do. And also passwords and accounts that are not protected with multi-factor authentication.

518
00:40:22,480 –> 00:40:27,280
Once you get all of your accounts outside of LastPass, then we recommend sanitizing

519
00:40:27,280 –> 00:40:33,120
your account, which we’ll go into more detail in a separate episode, but basically that

520
00:40:33,120 –> 00:40:38,640
will involve doing things like downloading your invoices and screenshotting whatever

521
00:40:38,640 –> 00:40:45,840
data is in your account, changing your LastPass email to an alias, changing your name, deleting

522
00:40:45,840 –> 00:40:51,120
your billing address, deleting your credit card information, whatever, then canceling

523
00:40:51,120 –> 00:40:54,240
your subscription and deleting your account.

524
00:40:54,240 –> 00:40:59,960
And the reason why we recommend going through that sanitizing process is to help protect

525
00:40:59,960 –> 00:41:02,640
you from future data breaches.

526
00:41:02,640 –> 00:41:06,880
So there is always the risk that when you delete your account that they’re not actually deleting

527
00:41:06,880 –> 00:41:07,880
your data.

528
00:41:07,880 –> 00:41:12,840
So if they get breached again in the future, ideally what someone would see is just a bunch

529
00:41:12,840 –> 00:41:14,800
of fake information about you.

530
00:41:14,800 –> 00:41:18,000
All right, so that wraps up this episode.

531
00:41:18,000 –> 00:41:21,960
If you know anybody else who uses LastPass, you might want to share this episode with

532
00:41:21,960 –> 00:41:25,000
them so that they can help protect themselves.

533
00:41:25,000 –> 00:41:29,000
And if you haven’t already done so, make sure you subscribe because we’re producing a lot

534
00:41:29,000 –> 00:41:35,040
of great content like this, and we are going to be warning about other software and services

535
00:41:35,040 –> 00:41:41,760
that we think you should avoid, like NordVPN, for example, that’s going to be a future episode.

536
00:41:41,760 –> 00:41:43,680
So you can look forward to that.

537
00:41:43,680 –> 00:41:47,280
And finally, consider becoming a Bigger Insights client.

538
00:41:47,280 –> 00:41:52,400
We understand that these things can be complicated and confusing to a lot of people, and we’re

539
00:41:52,400 –> 00:41:57,200
concerned that without some sort of an advisor on your side, that people are going to hear

540
00:41:57,200 –> 00:42:02,160
things like this and think to themselves, “Oh gosh, well, you know, this password manager

541
00:42:02,160 –> 00:42:07,040
got hacked and that one got hacked, I think I should just go back to putting all of my

542
00:42:07,040 –> 00:42:12,840
passwords in an Excel file in my Dropbox account”. Which is a bad idea.

543
00:42:12,840 –> 00:42:17,440
So consider becoming a client because we can sit down with you in one-on-one sessions and

544
00:42:17,440 –> 00:42:22,120
help you make sense of these things and live a more private and secure life.

545
00:42:22,120 –> 00:42:26,320
So if that’s interesting to you, go ahead and go to our website, BiggerInsights.com,

546
00:42:26,320 –> 00:42:28,440
and fill out the short form at the bottom.

547
00:42:28,440 –> 00:42:30,240
So thanks for staying until the end.

548
00:42:30,240 –> 00:42:54,000
Stay tuned and stay safe out there.
