LastPass, one of the leading password management services, disclosed two security incidents in 2022 that affected both LastPass and its customers. LastPass just delivered an announcement reviewing all of the details. They also offered recommendations on the actions should you take to protect yourself or your business.
In this blog post, we will review what happened in these security breaches, what actions LastPass took in response, and what people should do moving forward to protect themselves.
LastPass disclosed two separate security incidents in 2022. Neither of these incidents was caused by any LastPass product defect or unauthorized access to or abuse of production systems. Instead, a threat actor exploited a vulnerability in third-party software, bypassed existing controls, and accessed non-production development and backup storage environments.
The first incident occurred when a software engineer’s corporate laptop was compromised. This allowed the unauthorized threat actor to gain access to a cloud-based development environment. From there they were able to steal source code, technical information, and certain LastPass internal system secrets. No customer data or vault data was taken during this incident. This is because there is no customer or vault data in the development environment. LastPass initially declared this incident closed but later learned that sensitive information stolen in the first incident was used to identify targets and initiate the second incident.
The second incident was more serious. The threat actor targeted a senior DevOps engineer by exploiting vulnerable third-party software. This was used to deliver malware, bypass existing controls, and ultimately gain unauthorized access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data.
In response to these incidents, LastPass mobilized its internal security teams and resources from Mandiant. As part of the containment, eradication, and recovery process, LastPass took the following actions:
- Removed the compromised development environment and rebuilt a new one to ensure full containment and eradication of the threat actor.
- Deployed additional security technologies and controls to supplement existing controls.
- Rotated all relevant cleartext secrets used by its teams and any exposed certificates.
- Analyzed LastPass cloud-based storage resources and applied additional policies and controls.
- Analyzed and changed existing privileged access controls.
- Rotated relevant secrets and certificates that were accessed by the threat actor.
LastPass has completed its investigation into the data breach and said that it hasn’t detected any unauthorized activity since October.
What Data Was Accessed?
As detailed in the incident summaries, the threat actor stole both LastPass proprietary data and customer data, including the following:
In Incident 1:
- On-demand, cloud-based development and source code repositories – this included 14 of 200 software repositories.
- Internal scripts from the repositories – these contained LastPass secrets and certificates.
- Internal documentation – technical information that described how the development environment operated.
In Incident 2:
- DevOps Secrets – restricted secrets that were used to gain access to LastPass’s cloud-based backup storage.
- Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using LastPass’s Zero knowledge model and cannot be accessed by the threat actor.
What Actions Should You Take to Protect Yourself or Your Business?
LastPass has recommended that all customers change their master password, enable multi-factor authentication methods, and verify that their devices are secure. In addition, if customers shared their master password or used it on any other sites, they should change their password on those sites as well.
- Change Your Master Password: If you have not already done so, change your master password to a strong, unique password.
- Enable Multi-Factor Authentication: Enable multi-factor authentication (MFA) for your LastPass account to provide an additional layer of security.
- Review Your LastPass Vault: Review your LastPass vault for any suspicious activity or unauthorized access.
- Rotate Your Passwords: Rotate your passwords on a regular basis and use unique, complex passwords for each account.
- Stay Informed: Stay informed about the latest security threats and best practices for protecting your sensitive data.
For LastPass business customers, LastPass recommends that administrators reset all user passwords, enable multi-factor authentication, and review all user accounts and permissions. LastPass also recommends that businesses review their LastPass audit logs and monitor their networks for any signs of unauthorized access.
- Enforce Password Policies: Enforce strong password policies for all employees and require the use of multi-factor authentication.
- Monitor Employee Access: Monitor employee access to LastPass and revoke access for any employees who no longer need it.
- Review Activity Logs: Review activity logs for any suspicious activity or unauthorized access.
- Rotate Passwords: Rotate passwords on a regular basis and use unique, complex passwords for each account.
- Train Employees: Train employees on cybersecurity best practices and conduct simulated phishing exercises to raise awareness.
Multi-Factor or two-factor authentication is going to be a major theme when helping secure accounts. Using a mobile phone for multi-factor authentication through an authenticator app is a secure and convenient way to verify user identity. MFA can act as effective security measure by providing an extra layer of protection to prevent unauthorized access.
To learn more about multi-factor authentication and for a deeper overall look into cybersecurity, be sure to check out EVERNET’s Cybersecurity Essentials Guide E-book.
What Does The Recent Breach Mean for LastPass Subscribers?
The breach allowed unauthorized access to sensitive user account data and vault data. As a LastPass subscriber, you should be concerned about the safety and integrity of your data stored in the vaults. You may want to question LastPass’s capacity to keep your data safe, despite the latest security improvements mentioned in the company’s latest blog post.
At EVERNET, we understand that our customers’ security is of utmost importance. That’s why we immediately notified them of the security incidents when we were made aware by LastPass and advised them to take the proper actions to ensure their data security. We will continue to keep them informed throughout these processes. Taking care of our customers during times like this is our top priority.
If you’re a LastPass subscriber, an unauthorized party might have access to your personal information such as your LastPass username, email address, phone number, name, and billing address. Additionally, the IP addresses used while accessing LastPass were exposed during the breach, meaning that the attackers could see the locations from which you used your account. The unauthorized party could also view all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted) because LastPass doesn’t encrypt users’ stored website URLs.
This information provides potential attackers the ability to launch a phishing attack and socially engineer their way to account passwords. If you have any password reset links stored that may still be active, an attacker can easily create a new password for themselves.
According to LastPass, encrypted vault data like usernames and passwords, secure notes, and form-filled data that was stolen remains secured. This is important but your accounts are still at risk. This is because if the attacker were to crack your master password then they would be able to access all of that information, including all the passwords and usernames to your accounts.
Changing your master password now will not protect you. That is because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers have an unlimited amount of time to crack master passwords. The best course of action is to do a site-by-site password reset for all of your LastPass-stored accounts. By changing your passwords at the site level, the attackers would only have access to your old, outdated passwords.
LastPass’s security breaches serve as a reminder that even the most secure systems can be vulnerable to attack. By following the recommended actions and best practices outlined in this post, LastPass customers can further enhance the security of their accounts and data.
At EVERNET Consulting, we believe in building strong relationships with our customers. We are always there for them whenever they have a question or concern. Our dedicated team of experts is ready to provide support and guidance at every step, ensuring that our customers can rely on us for all their technology needs.
If you are interested in learning more about password management software, check out EVERNET’s Password Management For Business and How It Helps E-book.
At EVERNET Consulting, we are dedicated to helping organizations with their cybersecurity needs. We work diligently to find the solutions that best fit the needs of your business. Whether you’re looking for IT support, software recommendations, or guidance on how to get the best protection for your computer systems, we are here to help. Let’s schedule a discovery call and see how we can help you work smarter, not harder.
Eric is a Business IT cybersecurity advisor, consultant, manager, integrator, and protector who founded EVERNET in 2007. Eric co-hosts a podcast called “Finance and Technology Insights by Brian & Eric” on YouTube. Eric is a regular contributor to the EVERNET blog, writing about the latest technology news and providing his expertise in cyber security prevention and management. Meet with our CEO and say goodbye to one-size-fits-all IT support and cybersecurity.