Most people have heard of LastPass, in fact many people may use it in their workplaces or personal lives. For those who may be unaware, LastPass is a password manager platform that stores a users login information for various services, websites, and applications that they use everyday. LastPass allows you to create complex and unique passwords for all of your websites and locks them in their vault, behind a master password. This lets a user create as many complex and secure passwords for all their accounts while only having to remember one "master password". LastPass is an attempt to solve one of the most fundamental security concepts: passwords.
LastPass has grown tremendously over the last several years and has become the largest password manager in the market. LastPass was acquired by GoTo back in 2015 but has since been re-established as it's own company. This transition process began in 2022 and is still underway. Many rely on LastPass to secure their personal and business accounts from bad actors. However, due to a security incident in December of 2022 many peoples trust in the company is fading.
Read on to learn more about the details regarding LastPass' security incident.
LastPass boasts some of the most advanced security practices in the business. They operate on zero trust architecture designed to prepare for the inevitability of a cyber attack. Additionally, they are SOC 2 and ISO 27001 compliant and engage in regular audits and penetration tests. LastPass also encrypts your sensitive data using AES-256 encryption and uses "salt-and-hash" methods to protect sensitive data. Despite all of these impressive protocols in place many have still questioned LastPass' security over the years. Some experts in the field have criticized their encryption policy, including their decision not to encrypt everything. While your passwords are encrypted other meta data including websites and URLS are not.
LastPass also prides themselves on working with the cyber community to improve their security posture by providing "bug bounties" for ethical hackers who find exploits in their security architecture and report them. All of this information can be found on LastPass' website. With all these security practices, it's important to ask the question: What went wrong?
To understand what happened regarding LastPass in late December it's important to look even further back to August of 2022. In August of 2022 LastPass revealed that they had been the victim of a data breach they had claimed was limited to the "LastPass Development environment". This breach had exposed parts of LastPass' source code as well as certain "technical information".
After the breach had taken place LastPass quickly partnered with another organization to implement an investigation and forensics analysis to discover how the bad actor had manages to breach their organization and what they had managed to take. At the time of the investigation LastPass assured customers that:
"Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults."
This is encouraging right? The cyber criminal who had managed to breach LastPass was only able to access company technical data while individuals customer data was left intact and protected.
Several months later we would find out that this statement was incorrect. On November 30, 2022 LastPass updated their statement regarding the August security breach stating that, indeed, some customer information had been leaked in the initial August breach. While the details were intentionally kept vague as all the information hadn't been gathered yet, LastPass did confirm that an unauthorized party had accessed to "certain elements of our customers' information".
All of this leads to December when the full extent of the breach had been exposed. LastPass explained that a bad actor had gained access to their cloud-based storage environment in August 2022. Using the technical information taken from the August breach the threat actor was able to obtain employee credential keys that were used to decrypt "some storage volumes within the cloud-based storage service".
Using this information the actor was able to access basic customer data including: company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses that were used by customers accessing LastPass.
As you can probably guess this constitutes a huge breach of security. The threat actor who was able to exfiltrate data from LastPass now knows individual customers, companies who use the service, personal contact information, and the exact computer from which LastPass was used. Despite not gaining access to any master passwords, or information regarding what is inside a users vault this information can be used to conduct large scale phishing schemes and social engineering attempts.
The cyber criminal who implemented this attack now knows 1) Who they need to target and 2) The means in which they target them.
LastPass has already contacted those individuals and the companies that may be exposed and targeted by the threat actors involved in the breach. If you have been reached out to it is important you take the steps necessary to change any passwords that may be at risk and to implement MFA on all of your accounts including your LastPass account and the websites within your vault.
More details regarding the state of the breach (LastPass' security incident) are still developing. As LastPass provides updates regarding the breach they will be outlined here. For now, you can read LastPass' current statement on the security incident here.
Read more on LastPass Security Incident on CorpInfoTech’s blog: How Should You Respond to LastPass' Latest Security Incident?
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.