Cybersecurity Threat Advisory: LastPass’ security incident update
LastPass provided an update on their August incident, in which an unauthorized party gained access to their cloud storage. The incident involved storage that contains production data and certain metadata of LastPass subscribers. LastPass recommends that businesses review and update their passwords, review their security measures, and stay vigilant for social engineering attacks on their accounts.
What is the threat?
LastPass first announced the security incident on its blog in August 2022. In this recent update, they found that source code and other specific technical information were extracted from LastPass’ production environment. This information was used to target an employee and obtain the keys to unlock storage volumes in their cloud-based environment. This could potentially lead to threat actors discovering vulnerabilities in the client’s software for exploitation, or executing a cyberattack on customers. Since LastPass’s production environment is on-premises and segmented from where the original breach occurred, they did not experience an outage of their services.
Why is it noteworthy?
LastPass is a well-known password manager that clients use to store credentials securely. It is used to protect sensitive information and to provide easy login access to services through automatic credential fill-in. The investigation into this August security incident is ongoing, and this recent update includes additional information such as what was stolen by threat actors, remediation recommendations, and additional actions taken by LastPass.
What is the exposure or risk?
LastPass disclosed that the data copied by the threat actor contained basic customer metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers accessed LastPass services.
Additionally, customer vault data was also copied; it included both encrypted and unencrypted data, as well as partial credit card data. The encrypted data included website credentials, secure notes, and form-fill data. These items remain encrypted, since the encryption key can only be derived from the user’s master password under LastPass’s proprietary Zero Knowledge architecture. Encryption and decryption for an account can only be performed locally on the LastPass client. The unencrypted content contained website URLs and partial credit card information. Complete credit card information is not saved or archived in storage by LastPass.
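As an added illustration of the architecture just described (constructed for this advisory, not LastPass’s own code; the PBKDF2 scheme, the email-as-salt choice, the key length and the iteration count are assumptions), the following model shows why a copied server-side record authenticates the user but does not yield the vault key:

```python
import hashlib
import hmac

# Constructed model of a "zero knowledge" password manager: the vault key is
# derived on the client from the master password and never leaves the client.
# The server only ever receives a further one-way hash of that key.
KEY_LEN = 32          # assumption: AES-256-sized vault key
DEFAULT_ITERATIONS = 100_000   # assumption: illustrative PBKDF2 work factor


def derive_vault_key(email: str, master_password: str, iterations: int) -> bytes:
    """Client-side only: PBKDF2-HMAC-SHA256 over the master password,
    salted with the (lower-cased) account email. Assumed scheme."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, KEY_LEN)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client-side: one extra one-way round over the key. This value, not the
    key itself, is what the server stores; it cannot be reversed to the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, KEY_LEN)


def enroll(email: str, master_password: str, iterations: int = DEFAULT_ITERATIONS):
    """Returns (vault_key kept on the client, record handed to the server)."""
    key = derive_vault_key(email, master_password, iterations)
    record = {"email": email, "iterations": iterations,
              "auth_hash": derive_auth_hash(key, master_password)}
    return key, record


def login(email: str, master_password: str, record: dict) -> bool:
    """Client re-derives the key from the master password; server compares the
    resulting auth hash in constant time. No key or password is transmitted."""
    key = derive_vault_key(email, master_password, record["iterations"])
    return hmac.compare_digest(derive_auth_hash(key, master_password), record["auth_hash"])


def meets_iteration_floor(record: dict, floor: int) -> bool:
    """Defender check: a copied record is only as costly to guess against as its
    stored work factor, so accounts below the floor should be re-enrolled."""
    return record["iterations"] >= floor


if __name__ == "__main__":
    vault_key, server_record = enroll("alice@example.com", "correct horse battery staple")
    print("server record holds key:", vault_key in server_record.values())
    print("login ok:", login("alice@example.com", "correct horse battery staple", server_record))
```

With a record copied from the server, the only remaining protection is the master password and the work factor, which is why the advisory’s guidance centres on strong master passwords.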
All LastPass customers are potentially at risk. Because threat actors now hold information on LastPass customers, this opens the door to brute-force and social engineering attacks. A successful attack could lead to a breach of a customer’s saved credentials and ultimately to their theft. LastPass is continuing to investigate this incident and has already made strides to mitigate the issue at hand. Their development environment is to be completely rebuilt and hardened; this includes machines being replaced, processes changed, and authentication mechanisms updated. LastPass has also improved the security of their product by adding additional logging and alerting, updating credentials and certificates, and testing password-cracking methods. Law enforcement and other authorities have been notified of the incident, and LastPass continues to analyze the affected data in their cloud environment in more depth.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of this LastPass security incident:
- Review the password policies outlined by LastPass (https://support.lastpass.com/help/what-is-the-lastpass-master-password-lp070014)
- Ensure Federated Login Services by LastPass are implemented in your business (https://support.lastpass.com/download/lastpass-technical-whitepaper)
- Conduct phishing campaigns and training within your organization to create awareness of social engineering attacks
- Audit and take inventory of user/admin accounts and their access to LastPass
- Review LastPass’s Zero Knowledge architecture (https://www.lastpass.com/security/zero-knowledge-security)
- Stay informed on the latest updates to LastPass’s security incident (https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/)
For more in-depth information about the recommendations, please visit the links included with each item above.
If you have any questions, please contact our Security Operations Center.