On 25th August ’22, LastPass CEO Karim Toubba released a statement informing LastPass’ customers that unusual activity had been detected within a portion of the LastPass development environment. The point of origin was traced to a single developer account, which proved to have been compromised, giving an attacker developer-level access to the development environment.
Development Environments are also referred to as “sandboxes”; they are locations within an organisation where new patches and features are tested by developers prior to release, to discover bugs, errors and potential security faults. In this instance, LastPass stressed that the Development Environment is physically separate from their other networks and hosts no customer data whatsoever.
In the same statement, LastPass stipulated that Master Passwords for user accounts had not been compromised: because LastPass utilise a Zero Knowledge Architecture, they can never view, nor obtain access to view, a user’s Master Password in plain form. Their initial investigation led them to believe that, since the breach occurred within their Development Environment, no live, private user data had been compromised.
LastPass issued an update on the issue on 15th September ’22, wrapping up the incident as dealt with, with remediation steps taken to bolster their internal security. LastPass had contacted Mandiant, a cybersecurity firm in the USA, for external aid in their investigation.
Mandiant was able to establish the activity period, which was limited to a total of four days. During this time, the threat actor was able to prompt the end user for MFA approval, which the end user simply accepted, granting the threat actor further impersonated access. This access was restricted solely to the Development Environment due to the nature of the Zero Knowledge architecture LastPass use.
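The approval that granted that access is the kind of event an identity team can flag. As an added example, not something from LastPass or Mandiant, the following scans authentication events for a user who receives several MFA push prompts in a short window and then approves one; the JSON log format, field names, threshold, window and sample lines are all constructed for this illustration.

```python
"""Flag an MFA approval that follows a burst of push prompts ("push fatigue").

Added example. Log format, field names and sample lines are constructed; adapt
parse_events() to the export format of your identity provider.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); timestamps are ISO-8601 UTC.
SAMPLE_LOG = """\
{"ts": "2022-08-10T09:00:05Z", "user": "dev01", "event": "mfa_push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2022-08-10T09:00:41Z", "user": "dev01", "event": "mfa_push_denied",   "src_ip": "203.0.113.7"}
{"ts": "2022-08-10T09:01:12Z", "user": "dev01", "event": "mfa_push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2022-08-10T09:01:50Z", "user": "dev01", "event": "mfa_push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2022-08-10T09:02:30Z", "user": "dev01", "event": "mfa_push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2022-08-10T09:02:44Z", "user": "dev01", "event": "mfa_push_approved", "src_ip": "203.0.113.7"}
{"ts": "2022-08-10T09:05:00Z", "user": "dev02", "event": "mfa_push_sent",     "src_ip": "198.51.100.4"}
{"ts": "2022-08-10T09:05:09Z", "user": "dev02", "event": "mfa_push_approved", "src_ip": "198.51.100.4"}
"""

PUSH_THRESHOLD = 3            # prompts within the window before an approval raises an alert (assumed)
WINDOW = timedelta(minutes=5)  # how far back prompts count towards the burst (assumed)


def parse_events(text: str) -> list:
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_push_fatigue(events: list, threshold: int = PUSH_THRESHOLD,
                        window: timedelta = WINDOW) -> list:
    """One alert per approval preceded by at least `threshold` pushes inside `window`.

    Denied prompts are not discarded: a user who declines several prompts and then
    approves one is exactly the pattern of interest.
    """
    recent_pushes = defaultdict(list)  # user -> timestamps of prompts still inside the window
    alerts = []
    for ev in events:
        user = ev["user"]
        # Age out prompts that fell outside the window before this event.
        recent_pushes[user] = pushes = [t for t in recent_pushes[user] if ev["ts"] - t <= window]
        if ev["event"] == "mfa_push_sent":
            pushes.append(ev["ts"])
        elif ev["event"] == "mfa_push_approved":
            if len(pushes) >= threshold:
                alerts.append({"user": user, "approved_at": ev["ts"].isoformat(),
                               "pushes_in_window": len(pushes), "src_ip": ev["src_ip"]})
            pushes.clear()  # the burst ended with this approval; start counting afresh
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(alert)
```

In the sample, dev01 receives four prompts in under three minutes and then approves, which raises an alert; dev02's single prompt followed by an approval does not. Tune the threshold and window to the normal prompt rate in your own logs before relying on it.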
On 30th November ’22, LastPass released another statement, informing customers of a separate security incident pertaining to a third-party cloud storage service, which had experienced a breach. Again, LastPass sought the aid of Mandiant to isolate and trace the security incident.
Once more, on 22nd December ’22, LastPass became more transparent about what the incident included, what data may have been affected and the steps to follow. At this stage LastPass admitted that the threat actor from the August ’22 breach may have obtained technical information and source code, which resulted in another employee being targeted for their credentials and encryption keys, which in turn allowed the threat actor to decrypt “some” storage volumes held on LastPass’ third-party cloud provider.
As LastPass have been trying to play off the security incidents in a somewhat blasé manner, it appears that LastPass have still not been fully open and honest about the severity of the breach and how the two breaches are linked together. A plethora of cybersecurity researchers agree that the breach is more severe than initially disclosed, based on the obscurity of LastPass’ Security Incident Notices and the likelihood of encrypted data volumes having been extracted and decrypted.
Lily Newman of WIRED wrote that LastPass store users’ saved passwords encrypted within a password vault, but that the accompanying data, such as URLs, is stored in plaintext. This simply highlights the high-value password targets within a password vault for a threat actor to hit and begin cracking. If the threat actor exfiltrated any password vaults, they would have obtained “a snapshot in time” of the user’s LastPass vault, giving them time, and potentially the availability of resources, to crack the user’s Master Password and gain access to the vault.
This is no small breach, as it can potentially result in the exposure of a user’s entire password vault contents. LastPass have been quite relaxed about their recent security incidents, yet have preached about transparency.
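To make the zero-knowledge model described earlier concrete, and to show why plaintext URLs in a vault matter, here is an added example written for this article rather than taken from LastPass or WIRED. It models a vault client that derives its key from the Master Password with PBKDF2 and uploads only a sealed vault and a separately derived login token, so the server holds nothing from which the Master Password can be read back. It then compares a vault layout that leaves URL and username readable with one that seals the whole entry, and shows what each exposes to anyone holding a stolen snapshot. The iteration count, the field names and the HMAC-based encrypt-then-MAC stand-in for AES-GCM are assumptions of the example, not LastPass’ actual parameters or cipher.

```python
"""Minimal zero-knowledge vault model (added example, not LastPass's code).

Sealing uses encrypt-then-MAC built from HMAC-SHA256 (counter-mode keystream plus
an HMAC tag) because the standard library has no AES; it stands in for an AEAD such
as AES-GCM. The key-handling structure, not this cipher, is the point.
"""
import hashlib
import hmac
import json
import secrets

# Work factor chosen for this example (OWASP's current PBKDF2-HMAC-SHA256 figure).
# It directly sets the cost of offline guessing against a stolen vault snapshot.
ITERATIONS = 600_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Client only: the 32-byte key that seals the vault. It never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def derive_login_token(vault_key: bytes, salt: bytes) -> bytes:
    """One more PBKDF2 round over the key; this token, not the password, is sent at login."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, salt, 1, dklen=32)


def _subkeys(vault_key: bytes):
    enc = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc, mac = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob raises ValueError."""
    enc, mac = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("vault blob failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


def build_server_record(master_password: str, entries: list, seal_metadata: bool,
                        iterations: int = ITERATIONS) -> dict:
    """Everything the client uploads: salt, token hash, sealed vault. No password, no key."""
    salt = secrets.token_bytes(16)
    vault_key = derive_vault_key(master_password, salt, iterations)
    token = derive_login_token(vault_key, salt)
    if seal_metadata:
        vault = seal(vault_key, json.dumps(entries).encode()).hex()  # whole entry list sealed
    else:
        # Weaker layout: only the password field is sealed; url and username stay readable.
        vault = [{"url": e["url"], "username": e["username"],
                  "password": seal(vault_key, e["password"].encode()).hex()} for e in entries]
    return {"salt": salt.hex(), "iterations": iterations,
            "login_token_hash": hashlib.sha256(token).hexdigest(),  # server stores a hash of the token
            "sealed_metadata": seal_metadata, "vault": vault}


def login(record: dict, master_password: str) -> bool:
    """Client derives the token from the password; the server only hashes and compares."""
    salt = bytes.fromhex(record["salt"])
    token = derive_login_token(derive_vault_key(master_password, salt, record["iterations"]), salt)
    return hmac.compare_digest(hashlib.sha256(token).hexdigest(), record["login_token_hash"])


def urls_visible_to_server(record: dict) -> list:
    """What a stolen snapshot reveals with no key at all: the plaintext URLs, if any."""
    if record["sealed_metadata"]:
        return []
    return [e["url"] for e in record["vault"]]


def open_vault(record: dict, master_password: str) -> list:
    """Client side: rebuild the key from the password and decrypt. Wrong password -> ValueError."""
    salt = bytes.fromhex(record["salt"])
    vault_key = derive_vault_key(master_password, salt, record["iterations"])
    if record["sealed_metadata"]:
        return json.loads(unseal(vault_key, bytes.fromhex(record["vault"])))
    return [{"url": e["url"], "username": e["username"],
             "password": unseal(vault_key, bytes.fromhex(e["password"])).decode()}
            for e in record["vault"]]
```

With `seal_metadata=False` the server record, and therefore any snapshot of it, lists every site the user has an account on, which is exactly the targeting information the WIRED reporting describes; with `seal_metadata=True` the snapshot is an opaque blob plus a salt and token hash. In both layouts the only route to the passwords is guessing the Master Password offline, and the iteration count is the dial that sets how expensive each guess is.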
The general security advice is to move away from LastPass completely. Other password managers are available which have proved to be more secure, such as 1Password or Keeper. LastPass and other cybersecurity researchers have advised users to change every password that was held within their LastPass Vault to something completely different.
Simply rotating passwords is not recommended in this scenario: as the threat actor potentially has a full record of your passwords, they will be aware of techniques like password rotation and may attempt to brute force your account login with the other cracked passwords. Downloading an authenticator app and enabling Multifactor Authentication across your accounts and devices is another quick step end users can take to bolster their own endpoint security.
At Texaport, we understand the importance of these advancements, and we work with our clients to put a reliable system in place to improve their business efficiency. Our team has a wide range of IT knowledge and remains acquainted with the movements in the IT industry.