New details have emerged about last year’s LastPass breaches. Here’s some background on what happened and how to protect passwords stored in LastPass vaults.
LastPass has released an update that discloses some additional details about the second of two data breaches in 2022 that saw the exfiltration of both internal and customer password vaults.
With headlines about LastPass this last week, how does this affect users of their products and are your stored credentials at risk?
The latest stories are in response to the company’s disclosure of how one of its employees was individually targeted so that the attacker could obtain that employee’s corporate cloud storage access. It appears from statements by LastPass that the risk to customer data remains unchanged.
What’s the nature of the breach?
In a March 1, 2023 blog post, LastPass summarized the situation to clarify what exactly happened in the two known incidents:
Incident 1 Summary: A software engineer’s corporate laptop was compromised, allowing the unauthorized threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets. No customer data or vault data was taken during this incident, as there is no customer or vault data in the development environment. We declared this incident closed but later learned that information stolen in the first incident was used to identify targets and initiate the second incident.
Incident 2 Summary: The threat actor targeted a senior DevOps engineer by exploiting vulnerable third-party software. The threat actor leveraged the vulnerability to deliver malware, bypass existing controls, and ultimately gain unauthorized access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data.
What data was accessed?
LastPass has published a very detailed matrix of the exact data they know was accessed. Below is a summary from the company:
Data accessed in Incident 1:
- On-demand, cloud-based development and source code repositories – this included 14 of 200 software repositories.
- Internal scripts from the repositories – these contained LastPass secrets and certificates.
- Internal documentation – technical information that described how the development environment operated.
Data accessed in Incident 2:
- DevOps Secrets – restricted secrets that were used to gain access to LastPass cloud-based backup storage.
- Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using the LastPass Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password.
End user master passwords are not known to LastPass and are not stored or maintained by LastPass – so they were not included in the exfiltrated data.
- Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.
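The zero-knowledge model described above (a vault key that is derived on the client from the master password and never held by LastPass) and the bulletins' "iteration counts" and "master password length and complexity" guidance are easier to reason about with a small worked example. The block below is an added illustration, not LastPass's own code. It assumes PBKDF2-HMAC-SHA256 salted with the account e-mail address, a 600,000-iteration recommendation, and a 12-character minimum master password length; those parameters, and the `derive_auth_hash` "one extra round" construction, are assumptions made for illustration and not statements from the page.

```python
import hashlib
import time

# Assumed parameters (not from the page): recommended PBKDF2 iteration count and
# minimum master password length used by the audit below.
RECOMMENDED_ITERATIONS = 600_000
MIN_MASTER_PASSWORD_LENGTH = 12
LEGACY_ITERATIONS = 5_000  # assumed historical default, used as a cost baseline


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Client-side vault key: PBKDF2-HMAC-SHA256 over the master password, salted
    with the (lower-cased) account e-mail. In a zero-knowledge design this key
    is computed on the user's device and is never sent to or stored by the service,
    which is why an exfiltrated vault backup is only as strong as the master
    password and the iteration count behind this derivation (assumed construction)."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Login credential sent to the server: one further PBKDF2 round over the vault
    key, so the server can verify a login without ever learning the vault key
    (assumed construction for illustration)."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, dklen=32)


def relative_guess_cost(iterations: int, baseline: int = LEGACY_ITERATIONS) -> float:
    """Offline guessing against a stolen vault blob must repeat the full derivation
    per guess, so attacker work scales linearly with the iteration count. Returns
    how many times more work a vault at `iterations` costs than one at `baseline`."""
    if iterations <= 0 or baseline <= 0:
        raise ValueError("iteration counts must be positive")
    return iterations / baseline


def audit_vault_settings(master_password: str, iterations: int) -> list[str]:
    """Defender-side check mirroring the bulletins' two headline items: flag a low
    iteration count and a short master password. Returns a list of findings;
    an empty list means both settings meet the assumed recommendations."""
    findings = []
    if iterations < RECOMMENDED_ITERATIONS:
        findings.append(
            f"iteration count {iterations} is below the recommended {RECOMMENDED_ITERATIONS}; "
            f"raise it (offline guessing is {relative_guess_cost(RECOMMENDED_ITERATIONS, iterations):.1f}x "
            f"cheaper than at the recommended setting)"
        )
    if len(master_password) < MIN_MASTER_PASSWORD_LENGTH:
        findings.append(
            f"master password length {len(master_password)} is below the minimum "
            f"{MIN_MASTER_PASSWORD_LENGTH}; choose a longer passphrase"
        )
    return findings


def time_derivation(master_password: str, email: str, iterations: int) -> float:
    """Wall-clock seconds for one derivation on this machine: the per-login cost a
    legitimate user pays, and the per-guess cost an attacker with the stolen vault pays."""
    start = time.perf_counter()
    derive_vault_key(master_password, email, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample account, not real credentials.
    email = "alice@example.test"
    weak_pw, weak_iters = "hunter2!", LEGACY_ITERATIONS
    strong_pw, strong_iters = "correct horse battery staple 2023", RECOMMENDED_ITERATIONS

    for pw, iters in ((weak_pw, weak_iters), (strong_pw, strong_iters)):
        key = derive_vault_key(pw, email, iters)
        auth = derive_auth_hash(key, pw)
        print(f"iterations={iters:>7}  vault_key={key.hex()[:16]}...  auth_hash={auth.hex()[:16]}...")
        print(f"  one derivation took {time_derivation(pw, email, iters):.3f}s")
        for finding in audit_vault_settings(pw, iters) or ["settings meet the assumed recommendations"]:
            print(f"  - {finding}")
```

Raising the iteration count is the one setting that makes an already-exfiltrated vault blob harder to attack after the fact, because every guess against the blob has to repeat the whole derivation; the master password's length does the same by widening the space of guesses. Note that both protections apply only to the encrypted fields; the URLs and other fields the page lists as unencrypted are readable from the backup regardless of these settings.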
What should I do to protect my passwords and accounts?
LastPass has published some security bulletins that outline best practices for securing and using your password vaults. The bulletins are split into use cases for personal and free tier users, and Business/Teams customers.
The general best practices are roughly the same, with the business-user considerations pertaining more to integrations with federated accounts, API keys, the reset of SCIM, Enterprise API and SAML keys, and the deprecation of password apps.
Here’s an index of the topics covered:
- Your master password
- Iteration counts for master password
- Evaluate password hygiene
- Multifactor authentication (MFA) for your vault
- Master password length and complexity
- Iteration counts for master passwords
- Super admin best practices
- MFA shared secrets
- SIEM Splunk integration
- Exposure due to unencrypted data
- Deprecation of Password apps (Push Sites to Users)
- Reset SCIM, Enterprise API, SAML keys
- Federated customer considerations
- Additional considerations
LastPass has proven to be very transparent, and to a great level of detail, in the nature of the breaches and what exactly was accessed. It may have taken them some months to publish the information but that’s how long incident response postmortem investigations can take.
For users of their products, it appears that vault data remains safe in principle, but risk management policies will dictate following their best practices to make sure of that.
If you or your organization use LastPass, it is recommended that you carefully review their security bulletins and implement as many of their best practices as possible to reduce the risk from scenarios that may arise as a result of the breaches.
LastPass blog and statement on the events
LastPass Security Bulletin and Recommendations