- August 2022: LastPass announces that unknown criminals used a single compromised developer account to gain access to the development environment, take portions of source code, and some proprietary technical information.
- September 2022: LastPass completed the investigation and forensics process in partnership with Mandiant. The forensic investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022.
- During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident.
- There was no evidence of any threat actor activity beyond the established timeline.
- There was no evidence that this incident involved any access to customer data or encrypted password vaults.
- November 2022: LastPass detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate.
- LastPass immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.
- It was determined that an unauthorized party, using the cloud storage access key and container decryption keys obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Apparently, these keys were not changed immediately after the initial breach was identified, which may have prevented access to the cloud storage.
- December 2022: LastPass disclosed that criminals used some of the information obtained in the earlier breach to steal backup data, including customer names, addresses, phone numbers, email addresses, IP addresses, and partial credit card numbers. In addition, user password vaults were stolen containing unencrypted website URLs and site names as well as encrypted usernames and passwords.
LastPass customers should ensure they have changed their master password and all passwords stored in their vault. The threat actor may also target customers with phishing and vishing attacks, credential stuffing, or other brute-force attacks against online accounts associated with your LastPass vault. Last Pass’s password best practices can be found here.
While LastPass has been transparent with its disclosures to date, obviously, the theft of user password vaults is bad news for any password-manager solution. The latest disclosure from LastPass included a list of remediations taken to strengthen security, including decommissioning the hacked development system and rebuilding it from scratch, retaining a managed endpoint detection and response service, and rotating all relevant credentials and certificates that may have been affected.
The threat actor will likely attempt brute force attacks to break the stolen master password hashes and decrypt the copies of vault data taken. This may be a difficult task considering current technology but not an impossible task, considering the potential advances in next-generation computing expected.
The stolen encrypted fields are secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using LastPass’s Zero Knowledge architecture. The master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client.
LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password. LastPass customers should make sure they're using settings that meet or exceed the LastPass default. For those with a desire for a stronger security posture, consider the Open Web Application Security Project’s (OWASP) recommendation of a 310,000-iteration threshold for PBKDF2 in combination with the SHA256 hashing algorithm used by LastPass. The 310,000 iteration threshold complies with Federal Information Processing Standards (FIPS) 140.
SBS Recommended Mitigations for LastPass users
- LastPass customers should check the current number of PBKDF2 iterations for their accounts. In addition, make sure your master password is unique for only the LastPass vault and not reused elsewhere.
- The scope and depth of the LastPass breach will continue to manifest over the next year, much as the effect of other third-party breaches (i.e., SolarWinds) continue to be headline news months and years after the initial disclosure.
- Organizations utilizing LastPass should follow their incident response procedures when responding to this breach. Make sure to work with the incident response team and document the actions taken then report to management.
- Due to the suspicion that attackers will try to decrypt passwords from within users’ password vaults, SBS recommends methodically changing the master password and all passwords in their password vault. These passwords that attackers will likely decrypt, may be included in a password dictionary in the future for password guessing attacks. In addition, make sure multi-factor authentication is enabled.