On November 30, 2022, password manager LastPass informed customers of a cybersecurity incident following unusual activity within a third-party cloud storage service. While LastPass claims that users’ passwords remain safely encrypted, it admitted that certain elements of customers’ information have been exposed. The security incident was the latest to affect the service in recent times in the wake of unauthorized access to its development environment in August last year, serious vulnerabilities in 2017, a phishing attack in 2016, and a data breach in 2015.
Here is a timeline of the most recent LastPass data breaches from August and November.
August 25, 2022: LastPass detects “unauthorized” access
LastPass CEO Karim Toubba wrote to inform LastPass users that the company had detected unusual activity within portions of the LastPass development environment. “We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.”
In response to the incident, LastPass deployed containment and mitigation measures and engaged a cybersecurity and forensics firm, Toubba added. “While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”
September 15, 2022: LastPass says no customer data or passwords compromised
LastPass announced that it had completed its investigation of the August breach and determined that the attacker did not access any customer data or password vaults. It also confirmed that the access point was a developer’s compromised computer and that the attacker was in the system for a total of four days.
November 30, 2022: LastPass notifies customers of new security incident
LastPass notified users of a new security incident that its team was investigating. “We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement,” Toubba wrote.
The company determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain customers’ information, Toubba said, while stating that passwords remained safely encrypted due to LastPass’s Zero Knowledge architecture. “We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional,” he added. Users were advised to follow best practices around the setup and configuration of LastPass.
December 1, 2022: Researcher urges LastPass customers to stay vigilant
Yoav Iellin, senior researcher at Silverfort, stated that given the vast number of passwords LastPass protects globally, it remains a big attack target. “The company has admitted the threat actor gained access using information obtained in the previous compromise. Exactly what this information is remains unclear, but typically it’s best practice after suffering a breach for the organization to generate new access keys and replace other compromised credentials. This ensures things like cloud storage and backup access keys cannot be reused.”
Iellin urged users to stay vigilant for updates from the company and to take time to verify these were legitimate before taking any action. “In addition, ensuring you have two-factor authentication on any applications with passwords in LastPass and changing passwords will provide the utmost level of security,” Iellin added.
December 22, 2022: LastPass confirms theft of source code and technical information
In an update on the investigation, Toubba stated source code and technical information stolen from the LastPass development environment were used to target an employee and obtain credentials/keys, which were used to access and decrypt some storage volumes within a cloud-based storage service. “To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass services,” Toubba wrote.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data, he added. “There is no evidence that any unencrypted credit card data was accessed.”
Toubba warned that the threat actor may attempt to use brute force to guess master passwords and decrypt the copies of vault data they took, but because of the hashing and encryption methods used by LastPass it would be extremely difficult to attempt to brute-force guess master passwords for those customers who follow its password best practices, he continued.
“The threat actor may also target customers with phishing attacks, credential stuffing, or other brute-force attacks against online accounts associated with your LastPass vault.” LastPass added additional logging and alerting capabilities to help detect any further unauthorized activity and is actively rotating all relevant credentials and certificates that may have been affected and supplementing existing endpoint security, Toubba stated. “We are also performing an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service, adding additional safeguards within this environment, and analyzing all data within this environment to ensure we understand what the threat actor accessed. This remains an ongoing investigation. We have notified law enforcement and relevant regulatory authorities of this incident out of an abundance of caution. In the meantime, our services are running normally, and we continue to operate in a state of heightened alert.”
Copyright © 2023 IDG Communications, Inc.