The LastPass Hack: Why Go-it-Alone Backups are a Bad Idea

W. Curtis Preston, Chief Technology Evangelist

It is mind-boggling to me that a $200 million company would have a home-grown backup system – one that stores other people’s sensitive data, no less. It appears that because they did that (and other things), customer data was stolen. I’m referring to the latest LastPass hack, where it appears a backup copy of its customer database was stolen by hackers.

Backups (and their security) should come with a disclaimer like they do on stunt shows: don’t try this at home. Backups may sound simple. I mean, how hard can it be? You just have to copy data from one place to another place and have some versioning so you can restore older files, right?

Modern-day cloud storage and bandwidth mean all I have to do is write a shell script, right? The cloud storage has some security in it, of course, so I’m going to need the shell script to authenticate itself. I’ll just hardcode a username and password into the script. That’ll do it. Now it’ll run around the clock and copy our crown jewels into a safe space in the cloud. I’ll move on to my next project now.

What’s that, you say? Our development environment was compromised by a hack of another service we use? They were able to roam around our computing environment for a few days undetected? I should probably change my passwords. That would be a good idea.

Of course, there’s that backup account I rarely think about. I hope no one scanned the network, found my backup script, read it, and then scraped my username and password. They’d be able to log in to the cloud account as me and do whatever they want – like download backups of our customer database! The one containing all the super secret information they are hiring us to store!

Well, if that happened, it would all be encrypted, right? Oh… the customer account information and the URLs they store passwords for aren’t encrypted? Why not? That’s another department.

And… scene.

This is how a hacker gained access to LastPass’s customer information. Yes, the passwords and account names stored in the password vault were encrypted, but a lot of other information was not. This is what happens when you grow your own backup system.
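Catching the hardcoded-credential pattern in a backup script before an intruder does: an added example, not from this post or from Druva, using a constructed sample script and a hypothetical `cloudcopy` tool. It flags literal secrets in variable assignments, command-line flags and URLs, and leaves values injected at run time (environment variables, a secrets-manager command, a file) alone.

```python
import re

# Credential-like names and the literal forms they take in a shell script.
# Constructed heuristics for this example; extend for your own providers.
NAME = r"(?:pass(?:word|wd)?|secret|token|api_?key|access_?key|credentials?)"
PATTERNS = {
    # VAR=literal or export VAR=literal where VAR looks like a credential name
    "assignment": re.compile(
        rf"^\s*(?:export\s+)?\w*{NAME}\w*\s*=\s*(?P<value>\S+)", re.I),
    # --password literal or --token=literal passed on a command line
    "cli-flag": re.compile(rf"--?{NAME}[=\s]+(?P<value>\S+)", re.I),
    # scheme://user:pass@host smuggles the password into a URL
    "url-credential": re.compile(
        r"[a-z][a-z0-9+.-]*://[^\s/:@]+:(?P<value>[^\s/@]+)@", re.I),
}
# A value pulled from the environment, a command or a file is injected at run
# time rather than stored in the script, so it is not reported.
INJECTED = re.compile(r"""^["']?(?:\$|`|<)""")


def find_hardcoded_credentials(script: str) -> list:
    """Return (line_no, kind, line) for every line carrying a literal secret."""
    findings = []
    for no, line in enumerate(script.splitlines(), start=1):
        code = line.split("#", 1)[0]  # rough: drops shell comments
        for kind, pat in PATTERNS.items():
            if any(not INJECTED.match(m["value"]) for m in pat.finditer(code)):
                findings.append((no, kind, line.strip()))
                break
    return findings


# Constructed sample of the kind of script the post describes (not LastPass's);
# "cloudcopy" is a hypothetical upload tool.
SAMPLE_SCRIPT = """#!/bin/sh
# nightly copy of the customer database to cloud storage
export BACKUP_USER="backup-svc"
export BACKUP_PASSWORD="hunter2"
tar czf /tmp/customers.tgz /srv/customers.db
cloudcopy --user "$BACKUP_USER" --password hunter2 /tmp/customers.tgz
cloudcopy --token "$(pass show backup/cloud)" /tmp/customers.tgz
curl -T /tmp/customers.tgz https://backup-svc:hunter2@storage.example/
"""


def scan_sample() -> list:
    return find_hardcoded_credentials(SAMPLE_SCRIPT)


if __name__ == "__main__":
    for no, kind, line in scan_sample():
        print(f"line {no}: {kind}: {line}")
```

Lines 4, 6 and 8 of the sample are reported; line 7, which fetches its token from a secrets manager at run time, is not.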

Leave Backup and Recovery to the Professionals

If, on the other hand, you used a well-designed system like Druva, you would not need to hardcode usernames and passwords like that, so even if a threat actor roams your data center for weeks, they’re not going to find anything to help them attack your backups. And, of course, all your backups are air-gapped and encrypted. Leave backups to the professionals: please don’t try this at home.

Cyber defense and recovery have never been easier — discover Druva for cyber resilience with a live, personalized demo and free trial. See firsthand how easy it is to safeguard your backups and ensure your company doesn’t become a headline.