LastPass Security Incident: A Comprehensive Update and What It Means for You
In late 2022, LastPass, a leading password management service, disclosed a significant security incident involving unauthorized access to a third-party cloud storage service. This article provides a detailed breakdown of the incident, its potential impact, and the recommended actions for LastPass users to safeguard their data. It consolidates information from LastPass' official blog posts to provide a clear and actionable guide. Password managers remain a useful tool; the point is to know how to use them safely and to limit exposure to credential stuffing.
Understanding the Timeline of Events
The security incident unfolded in several stages:
- August 2022: LastPass detected unusual activity in its development environment. An unauthorized party gained access through a compromised developer account, taking portions of source code and proprietary technical information. Crucially, no customer data was accessed during this initial breach.
- November 2022: LastPass detected further unusual activity within a third-party cloud storage service shared with its affiliate, GoTo. An unauthorized party leveraged information obtained in the August 2022 incident to access certain elements of customer information.
- December 2022: LastPass provided a detailed update outlining the extent of the breach. The threat actor accessed backups containing basic customer account information and a backup of customer vault data from the encrypted storage container.
What Information Was Compromised?
The unauthorized party gained access to the following information:
- Basic Customer Account Information: Company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses from which customers were accessing the LastPass service.
- Encrypted Vault Data: A backup of customer vault data stored in a proprietary binary format containing both unencrypted data (website URLs) and fully encrypted sensitive fields (website usernames and passwords, secure notes, and form-filled data).
Importantly, LastPass emphasized that no unencrypted credit card data was accessed. The company does not store complete credit card numbers in the affected cloud storage environment.
Is Your Data at Risk? Assessing the Potential Impact
The primary risk stems from the possibility of brute-force attacks on master passwords and phishing attempts. Here's what you need to know:
- Brute-Force Attacks: The threat actor may attempt to guess your master password and decrypt the copies of vault data they stole. The difficulty of this attack depends heavily on the strength of your master password and the PBKDF2 iterations used by LastPass.
- Phishing Attacks: Customers may be targeted with phishing attacks, credential stuffing, or other brute-force attacks against the online accounts associated with their LastPass vault.
Recommended Actions for LastPass Customers
While LastPass assures that data remains safely encrypted for users following best practices, it's crucial to take proactive steps:
- Evaluate Your Master Password Strength:
  - Minimum Length: Ensure your master password is at least 12 characters long. LastPass has required this since 2018.
  - Complexity: Use a strong, unique password that you don't reuse on other websites.
  - PBKDF2 Iterations: Verify that your LastPass account uses at least 100,100 iterations of PBKDF2. You can check this here.
- Change Website Passwords (If Necessary): If your master password doesn't meet the best practice recommendations above, consider changing the passwords of websites stored in your vault as an extra security measure.
- Be Vigilant Against Phishing: Be extremely cautious of any unsolicited emails, calls, or texts claiming to be from LastPass. Remember, LastPass will never ask you for your master password except when signing into your vault from a LastPass client. Learn how to spot and avoid social engineering attacks and phishing scams.
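The brute-force risk described above and the two checks in the list (master password length and PBKDF2 iteration count) come down to simple arithmetic: PBKDF2 cost is linear in the iteration count, and the number of guesses an attacker must make grows exponentially with password length. The following script is an added example, not LastPass code; it uses PBKDF2-HMAC-SHA256 with the account email as salt purely as an assumption for illustration, and the attacker guess rate it prints is a constructed figure, not a measurement of any real attacker.

```python
"""Added example (not LastPass code): why master-password length and PBKDF2
iteration count decide the cost of an offline attack on a stolen vault backup."""
import hashlib
import math
import time

# Both thresholds are the ones stated in the article's recommendations.
RECOMMENDED_MIN_LENGTH = 12
RECOMMENDED_MIN_ITERATIONS = 100_100


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with the (lower-cased) account email as salt.
    ASSUMPTION for this example only; not a statement of LastPass's exact scheme."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        salt.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def meets_recommendation(master_password: str, iterations: int) -> bool:
    """True when both checks from the article's list pass."""
    return (len(master_password) >= RECOMMENDED_MIN_LENGTH
            and iterations >= RECOMMENDED_MIN_ITERATIONS)


def cost_ratio(iterations_a: int, iterations_b: int) -> float:
    """PBKDF2 work is linear in the iteration count, so an attacker needs
    this many times more computation per guess at iterations_a than at iterations_b."""
    return iterations_a / iterations_b


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: on average half the space is searched."""
    return (2 ** (entropy_bits - 1)) / guesses_per_second


def measure_seconds_per_guess(iterations: int, rounds: int = 3) -> float:
    """Time one derivation on this machine. An attacker with GPUs is far faster,
    but the linear scaling with the iteration count is identical."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive_vault_key("benchmark-password", "user@example.com", iterations)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    low, high = 5_000, RECOMMENDED_MIN_ITERATIONS
    print(f"{high:,} iterations cost {cost_ratio(high, low):.1f}x more per guess than {low:,}")
    print(f"one derivation at {high:,} iterations here: {measure_seconds_per_guess(high)*1000:.1f} ms")

    # Constructed attacker rate for illustration only (guesses/s at 100,100 iterations).
    assumed_rate = 1_000_000.0
    for length in (8, 12, 16):
        bits = password_entropy_bits(length, 62)  # 62 = upper + lower + digits
        years = expected_crack_seconds(bits, assumed_rate) / (365 * 24 * 3600)
        ok = meets_recommendation("x" * length, high)
        print(f"{length:2d} chars: {bits:5.1f} bits, ~{years:.3g} years at assumed rate; "
              f"meets recommendation: {ok}")
```

Run it as a script to see the ratio between a legacy 5,000-iteration setting and the recommended 100,100, and how the estimated search time jumps by roughly a factor of 62 for every character added to a random master password. The numbers are only a model; what they show is that the iteration count buys a constant factor while password length buys an exponential one, which is why the article asks you to check both.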
Actions Taken by LastPass
In response to the security incidents, LastPass has implemented several measures:
- Development Environment Rebuild: Decommissioned the compromised development environment and rebuilt a new one from scratch.
- Enhanced Security Measures: Replaced and hardened developer machines, processes, and authentication mechanisms.
- Improved Monitoring and Alerting: Added logging and alerting capabilities to detect unauthorized activity, including a second line of defense with a managed endpoint detection and response vendor.
- Credential and Certificate Rotation: Actively rotating all relevant credentials and certificates that may have been affected.
- Account Analysis: Performing an exhaustive analysis of every account with signs of suspicious activity.
LastPass for Business Customers: Federated Login Services
For business customers using LastPass Federated Login Services, the good news is that no additional actions are required. The threat actor did not have access to the key fragments stored in customers' identity providers or in LastPass' infrastructure.
However, business customers not using Federated Login and whose master passwords do not meet best practice recommendations should consider changing website passwords as a precaution.
Staying Informed
LastPass has committed to transparency throughout this process. Stay updated on the latest developments by monitoring the LastPass Blog and official communication channels.