LastPass’s March 1, 2023 press release provides an update on the 2022 security incidents, the results of their investigations, and recommended remediation actions. These incidents highlight the fact that no one security measure can be 100% effective. However, when password managers are used as part of layered security, they can be an effective control. It is important, though, that users follow the advice of vendors and stay aware of changes in security guidance. Some key points of the LastPass release are:

• The investigation into the LastPass security incidents has been completed, and no threat-actor activity has been discovered since October 26, 2022.
• The investigation indicates that the incident was not caused by a defect in any LastPass product or unauthorized access to production systems. Instead, a vulnerability in third-party software was exploited.
• The threat actor accessed non-production development and backup storage environments. The threat actor stole source code, technical information, internal LastPass secrets, and both encrypted and unencrypted customer data.
• In response, LastPass has taken several actions to secure its systems and customer data. These actions include analyzing cloud-based storage resources, applying additional policies and controls, changing existing privileged access controls, and rotating relevant secrets and certificates.
• The investigation reveals that the data accessed included on-demand, cloud-based development and source code repositories, internal scripts, internal documentation, DevOps secrets, cloud-based backup storage, backups of all customer vault data (encrypted), and backup of LastPass multi-factor authentication/Federation Database.
• LastPass recommends that customers reset their master password and enable multi-factor authentication.

What happened?

The two 2022 incidents affected both LastPass and its customers. These incidents were not caused by defects in LastPass products or unauthorized access to production systems. Instead, each incident was caused by a vulnerability in third-party software that allowed the threat actors to bypass existing controls and access non-production development and backup storage environments.

In response, LastPass shared technical information, Indicators of Compromise (IOCs), and threat-actor tactics, techniques, and procedures (TTPs) with forensic partners and law enforcement. There have been no contacts or demands from the threat actors. To date, the identity and motivation of the threat actor remain unknown. A review of underground activity reveals no indication that threat actors are actively marketing or selling the information obtained in the incidents.

Incident A occurred in August 2022. A software engineer’s corporate laptop was targeted and compromised in this incident. The threat actor was able to gain access to a cloud-based development environment. The threat actor stole source code, technical information, and certain LastPass internal system secrets from this environment. No customer information was taken in this incident. LastPass investigated this incident and initially declared it closed. However, LastPass learned that the data from this incident was being used to identify targets and initiate the second incident. In response, LastPass mobilized its internal security teams and external resources and took various actions, including removing the development environment and deploying additional security technologies and controls.

In Incident B in November 2022, the threat actor targeted a senior DevOps engineer by exploiting a vulnerability in third-party software to deliver malware. This malware ultimately led to unauthorized access to cloud backups. The data accessed in those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted customer data. Responding to this incident, LastPass mobilized its incident response team. The team took various actions, including analyzing and changing existing privileged access controls, rotating relevant secrets and certificates, and applying additional policies and rules to LastPass cloud-based storage resources.

As stated above in the incident summaries, the threat actors obtained LastPass proprietary and customer data, which included:

• In Incident A:
  • Cloud-based development and source code repositories. Of 200 software repositories, 14 were compromised.
  • Internal scripts from these repositories that contained LastPass certificates and secrets.
  • Technical documentation that detailed how the development environment worked.
• In Incident B:
  • DevOps secrets containing confidential information to access LastPass’s cloud-based storage.
  • Cloud-based backup storage containing configuration data, API secrets, third-party integration secrets, customer metadata, and all customer vault data backups. Customer vault data, excluding URLs, file paths to installed LastPass Windows or macOS software, and specific use cases involving email addresses, were encrypted using LastPass’s zero knowledge model and could only be decrypted with a unique encryption key derived from each user’s master password. LastPass does not store or maintain user master passwords.
  • Backup of LastPass MFA/Federation Database that included copies of LastPass Authenticator seeds, telephone numbers used for MFA backup (if enabled), and a split knowledge component (the K2 "key") used for LastPass federation (if enabled). This database was encrypted, but the decryption key was included in the secrets stolen by the threat actor.

LastPass details the information about specific customer data impacted by these incidents here.

How does LastPass recommend you respond?

LastPass has created two (2) Security Bulletins – one for our consumer users (Free, Premium, and Families) and one for our Business and Teams users. Each Security Bulletin contains information that can help customers secure their LastPass account and respond to incidents based on their specific needs or security environment.

For Free, Premium, and Families customers, the Security Bulletin recommends reviewing important LastPass settings to confirm that best practices are being followed. This can help secure their accounts and protect their personal information. Some of the steps indicated include:

• Create a strong and unique master password by following best practices, such as using a minimum of 12 characters, using upper- and lower-case letters, numbers, symbols, and special characters, and avoiding personal information.
• Reset your master password if it is not strong enough or has been reused elsewhere.
• Increase your master password iteration count settings to at least 600,000.
• Review the passwords in your vault and ensure they are all strong and unique, using a random password generator if possible.
• Review your overall password strength using the Security Dashboard, which displays your security score and dark web monitoring alerts.
• Change all passwords identified as weak or compromised to maintain good password hygiene.

Detailed instructions for each step can be found on LastPass’s Security Bulletin.

For Business and Teams customers, the Security Bulletin guides administrators on conducting a risk assessment of LastPass account configurations and third-party integrations. The bulletin is relevant for both non-federated and federated customers. Some of the steps indicated include:

• Master password length and complexity:
  • Review master password policies and enforce strong master passwords.
  • Review security reports related to master passwords.
  •  (OPTIONAL): Reset select master passwords.
• Iteration counts for the master password:
  •  Review users' master password iteration count settings.
  •  Review shared folders accessed by users with a low iteration count.
• Super admin best practices:
  • Ensure super admins follow master password and iterations best practices.
  • Review super admins with “Permit super admins to reset master passwords” policy rights and weak master passwords/iterations.
  • Review super admins with "Permit super admins to access shared folders" rights.
• MFA shared secrets:
  • Reset shared secrets for non-federated customers.
• SIEM Splunk integration:
  • Update Splunk instance token.
• Exposure due to unencrypted data:
  • Generate URL reports to assess risk.
  •  (OPTIONAL) Communicate with users about risks.
• Deprecation of password apps (Push Sites to Users):
  • Stop using push sites/apps to users and take remedial action.
• Reset SCIM, Enterprise API, and SAML keys.
• Additional considerations:
  • Review vault item password policies.
  • Review user security scores and remediate as required.
  • Review the security of shared folders.
  • (OPTIONAL) Enable dark web monitoring for your users.

Detailed instructions for each step can be found on LastPass’s Security Bulletin.

The revelation surrounding these incidents serves as a reminder that complete safety cannot be guaranteed when using the internet. It highlights the potential dangers of relying on a centralized password storage system. Nevertheless, password managers (PMs) still provide the most secure means of protecting passwords despite imperfections. It is essential to note that PMs should be just one component of a comprehensive security strategy. Multifactor Authentication (MFA) is one example of an additional layer of protection. It is recommended that users of LastPass or other PMs follow the guidance provided by the vendor to safeguard their information. For those who are contemplating changing their PM, our blog post on the topic of password managers may be helpful.

** SBS CyberSecurity does not partner with nor endorse any password management vendors or solutions.**

Written by:
Joe Davis, Information Security Consultant - SBS CyberSecurity

SBS Resources:

• Assessing the Risk of the LastPass Data Breach: The theft of user password vaults is bad news for any password-manager solution. Learn more about the LastPass breach and recommended mitigations for users.
• Are Password Managers Secure?: The recent LastPass breach reminds us there is no way to stay 100% safe online and highlights some of the risks associated with using a central vault to store passwords and other secrets. So, are password managers still the safe solution?