LastPass shared additional updates regarding the second security incident that was disclosed in December where an unnamed threat actor combined data stolen from a breach in August 2022 with information from another data breach, and a vulnerability in a third-party media software package to launch a coordinated attack. In this attack, the threat actor targeted a senior DevOps engineer by breaching their personal home computer and exploited vulnerable third-party software. They installed a keylogger, bypassed existing controls, and gained unauthorized access to cloud backups.
The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault. The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.
In the aftermath of the incident, LastPass claimed to have upgraded its security posture by rotating critical and high privilege credentials and reissuing certificates obtained by the threat actor. In addition, they applied extra S3 hardening measures to put in place logging and alerting mechanisms. LastPass has released a new security advisory and a PDF detailing further information about the breach and the stolen data. The parent company of LastPass, GoTo, announced that it will inform individuals if their data has been breached and provide “actionable steps” to ensure greater security for their accounts. It is highly recommended for LastPass users to change their master passwords and all the passwords stored in their vaults to mitigate potential risks, if not done already.
Summary of data accessed
- DevOps Secrets – restricted secrets that were used to gain access to our cloud-based backup storage.
- Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using our Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password. As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass – therefore, they were not included in the exfiltrated data.
- Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.
Additional details can be found here.
Recommendations
LastPass users are strongly urged to change their master passwords and all the passwords stored in their vaults to mitigate potential risks, if not done already.
Mitigations
LastPass has provided two security bulletins to assist customers in their own incident response efforts.
- Security Bulletin: Recommended Actions for LastPass Free, Premium, and Families Customers. This bulletin guides our Free, Premium, and Families customers through a review of important LastPass settings designed to help secure their accounts by confirming best practices are being followed.
- Security Bulletin: Recommended Actions for LastPass Business Administrators. This bulletin guides administrators for our Business and Teams customers through a risk assessment of LastPass account configurations and third-party integrations. It also includes information that is relevant to both non-federated and federated customers.
Resources & Related Articles
- LastPass says employee’s home computer was hacked and corporate vault taken
- LastPass: DevOps engineer hacked to steal password vault data in 2022 breach
- LastPass Reveals Second Attack Resulting in Breach of Encrypted Password Vaults
- Hacker Breached LastPass by Installing Keylogger on Employee’s Home Computer
- LastPass Shares New Details of Second Hack | Entrepreneur
- Incident 2 – Additional details of the attack – LastPass Support
- Security Incident Update and Recommended Actions