- A threat actor ran a sustained data theft campaign that lasted from at least August until October and involved the breach of encrypted and unencrypted LastPass customer data
- The attacker leveraged valid credentials stolen from one of four senior DevOps engineers to access a shared cloud-storage environment
- Cloud anomaly detection made investigators aware of enumeration and exfiltration of LastPass cloud backups
LastPass Breach Timeline
“Our investigation has revealed that the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022 to October 26, 2022.”
- LastPass, Security Incident Update and Recommended Actions, March 1, 2023
LastPass recently released an update on two security incidents that spanned August through October 2022. In the first incident, reported in August 2022, a threat actor stole credentials from a software engineer's corporate laptop, used them to reach a cloud-based development environment, and took source code, technical information, and certain LastPass internal system secrets. The initial vector used to compromise the engineer's laptop is unknown. The laptop was properly configured and ran an EDR agent, but the agent was "tampered with" and did not trigger. The threat actor entered the development environment through the software engineer's legitimate authentication, MFA included, and used "anti-forensic" techniques and a third-party VPN service to obscure their activity in the cloud environment. No customer or vault data was accessed in this first incident.
In response, LastPass worked with Mandiant and its own internal security teams. They built a new development environment and decommissioned the compromised one, added security technologies and controls, rotated all relevant clear-text secrets used by their teams, and replaced any exposed certificates. LastPass then closed the incident.
LastPass later discovered that the attack was not, in fact, over. The threat actor used information obtained in the first incident to launch the second. LastPass notes that the second incident involved markedly different TTPs (tactics, techniques, and procedures) and IOCs (indicators of compromise) from the first, so it was not initially obvious that the two were related.
Investigation of the second incident revealed that the same threat actor had compromised a senior DevOps engineer's home computer. The threat actor got in by exploiting a vulnerable third-party media software package, which gave them remote code execution and let them implant keylogger malware. The keylogger captured the employee's master password as it was typed, after the employee had authenticated with MFA, and that gave the threat actor access to the DevOps engineer's LastPass corporate vault. Alerting and logging were enabled, but because the threat actor was using the engineer's legitimate credentials, their activity was not easily identified as malicious: a successful login is not a detection signal once the attacker holds a valid, post-MFA session, and only behavioural signals (a new source, unusual operations, bulk enumeration and download volume) separate the attacker from the engineer. In this second attack the threat actor gained access to the cloud-based backup storage. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data.
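Logging alone did not separate the attacker from the engineer here, because every request carried valid credentials; what remains is behaviour. The script below is an added example of that kind of check, not LastPass's or Uptycs's detection logic. It assumes a newline-delimited JSON access log with ts, principal, op, src_ip, key and bytes fields (an assumption; real cloud-provider logs use different schemas), builds a per-principal baseline from a known-good window, and flags a principal whose later activity comes from a new source address, uses an operation it never used before, or reads far more in an hour than its own historical peak. All log lines are constructed for the example.

```python
"""Behavioural detection over cloud-storage access logs (added example).

Not LastPass's or any vendor's detection logic. Log format is assumed:
one JSON object per line with ts, principal, op, src_ip, key and bytes.
Every sample line below is constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024

# Constructed sample: ten nights of routine single-file backup reads by two
# DevOps principals, then devops-1's valid credentials used from a new
# address to list the bucket and pull thirty older backups in half an hour.
_ROUTINE = [
    f'{{"ts":"2022-08-{day:02d}T02:00:00Z","principal":"devops-{p}","op":"GetObject",'
    f'"src_ip":"203.0.113.{p}","key":"backups/db-2022-08-{day - 1:02d}.enc","bytes":{10 * MB}}}'
    for day in range(2, 12) for p in (1, 2)
]
_BURST = [(0, "ListObjects", "backups/", 0)] + [
    (1 + i, "GetObject", f"backups/db-2022-07-{i + 1:02d}.enc", 10 * MB) for i in range(30)
]
SAMPLE_LOG = "\n".join(_ROUTINE + [
    f'{{"ts":"2022-08-12T18:{minute:02d}:00Z","principal":"devops-1","op":"{op}",'
    f'"src_ip":"198.51.100.77","key":"{key}","bytes":{nbytes}}}'
    for minute, op, key, nbytes in _BURST
])


def parse(log_text):
    """Parse newline-delimited JSON into events sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, until):
    """Per-principal profile from the known-good window before `until`:
    operations used, source addresses seen, and the busiest hour observed."""
    base = defaultdict(lambda: {"ops": set(), "ips": set(), "max_reqs": 0, "max_bytes": 0})
    hourly = defaultdict(lambda: [0, 0])  # (principal, hour) -> [requests, bytes]
    for e in events:
        if e["ts"] >= until:
            continue
        profile = base[e["principal"]]
        profile["ops"].add(e["op"])
        profile["ips"].add(e["src_ip"])
        bucket = hourly[(e["principal"], e["ts"].replace(minute=0, second=0))]
        bucket[0] += 1
        bucket[1] += e["bytes"]
    for (principal, _), (reqs, nbytes) in hourly.items():
        base[principal]["max_reqs"] = max(base[principal]["max_reqs"], reqs)
        base[principal]["max_bytes"] = max(base[principal]["max_bytes"], nbytes)
    return dict(base)


def detect(events, baseline, since, window=timedelta(hours=1), volume_factor=5):
    """Score events from `since` onward. A valid credential does not help the
    attacker here: a new source address, an operation the principal never
    used, or a trailing-window volume far above its own historical peak
    each adds a reason to the alert for that principal."""
    reasons_by_principal = defaultdict(set)
    trailing = defaultdict(list)  # principal -> events inside the trailing window
    for e in events:
        if e["ts"] < since:
            continue
        principal = e["principal"]
        reasons = reasons_by_principal[principal]
        profile = baseline.get(principal)
        if profile is None:
            reasons.add("unknown_principal")
            continue
        if e["src_ip"] not in profile["ips"]:
            reasons.add("new_source_ip")
        if e["op"] not in profile["ops"]:
            reasons.add("new_operation:" + e["op"])
        recent = trailing[principal]
        recent.append(e)
        while recent[0]["ts"] < e["ts"] - window:
            recent.pop(0)
        if (len(recent) > volume_factor * profile["max_reqs"]
                or sum(x["bytes"] for x in recent) > volume_factor * profile["max_bytes"]):
            reasons.add("volume_burst")
    return {p: sorted(r) for p, r in reasons_by_principal.items() if r}


def run_sample():
    """Baseline on the routine days, then score the constructed burst."""
    events = parse(SAMPLE_LOG)
    cutoff = datetime(2022, 8, 12)
    return detect(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for principal, reasons in run_sample().items():
        print(principal, reasons)
```

In production the baseline would be learned continuously rather than from a fixed cutoff, and the thresholds tuned per role; the point is that none of the three reasons depends on the credential being invalid, which is the only property the stolen credentials had going for them.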
Since the incidents, LastPass has taken significant measures to improve the security of their systems. They have deployed new security technologies, invested in security and operational best practices, expanded the use of encryption, revoked credentials, and implemented additional logging and alerting.
The consequences of the LastPass breach are potentially severe for both individuals and businesses who rely on the password manager. LastPass states that sensitive customer vault data was encrypted under its zero-knowledge model and can only be decrypted with a unique encryption key derived from each user's master password. That is true as far as it goes, but a copy of the encrypted vaults is now in the attacker's hands, and ciphertext held offline can be attacked without any rate limiting, lockout or MFA: its protection rests entirely on the strength of each user's master password and on the cost of the key-derivation function that turns that password into a key. Weak or reused master passwords should be treated as already compromised. Additionally, a backup of the LastPass MFA/Federation Database was accessed, containing copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option, and a split-knowledge component (the K2 "key") used for LastPass federation. An authenticator seed lets whoever holds it generate valid one-time codes, and a phone number tied to MFA can be targeted (for example by SIM swap) for any other account that relies on the same number, so those second factors should be re-enrolled rather than trusted. LastPass has advised all users to change their master passwords and all passwords stored in their vaults, and provides detailed guidance for both personal and business accounts.
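To make the concern above concrete, here is an added example (not LastPass's code) of why stolen zero-knowledge ciphertext is still valuable to the thief. The scheme parameters are assumptions chosen only to illustrate the principle, not a description of LastPass's implementation: PBKDF2-HMAC-SHA256 over the master password, salted with the account e-mail, a 32-byte key, and an HMAC tag over the ciphertext that lets a guess be confirmed; the cipher is HMAC-SHA256 in counter mode as a stand-in for AES so that the block runs on the Python standard library alone. The "backup" holds everything the attacker obtained except the master password, and the guessing loop never touches the service, so MFA, lockouts and alerting never come into play.

```python
"""Offline guessing against exfiltrated vault ciphertext (added example).

Not LastPass's code. Assumed scheme, for illustration only: key =
PBKDF2-HMAC-SHA256(master_password, salt=e-mail, iterations), 32 bytes;
the vault blob is nonce || ciphertext || HMAC-SHA256 tag. The cipher is
HMAC-SHA256 in counter mode, a stand-in for AES that keeps this stdlib-only.
"""
import hashlib
import hmac
import os
import time

KEY_LEN = 32


def derive_vault_key(master_password, email, iterations):
    """Turn a master password into the vault key. The e-mail is the salt, so
    two users with the same password get different keys, but a salt is public
    and does nothing to slow down guessing of one particular user's password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=KEY_LEN)


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher standing in for AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC: the tag is what lets an offline attacker confirm a guess."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return nonce, ciphertext, tag


def open_sealed(key, nonce, ciphertext, tag):
    """Return the plaintext, or None when the key is wrong (tag mismatch)."""
    expected = hmac.new(key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(key, nonce, len(ciphertext))))


def make_stolen_backup(email, master_password, iterations, vault_plaintext):
    """Everything the thief ends up holding: salt, KDF cost and ciphertext,
    but not the master password. (Constructed sample, not real data.)"""
    key = derive_vault_key(master_password, email, iterations)
    nonce, ciphertext, tag = seal(key, vault_plaintext)
    return {"email": email, "iterations": iterations,
            "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def offline_crack(backup, wordlist):
    """Try each candidate master password against the stolen blob. No
    network is involved, so rate limits, lockouts, MFA and alerting never engage."""
    for guess in wordlist:
        key = derive_vault_key(guess, backup["email"], backup["iterations"])
        plaintext = open_sealed(key, backup["nonce"], backup["ciphertext"], backup["tag"])
        if plaintext is not None:
            return guess, plaintext
    return None, None


def seconds_per_guess(iterations, email="victim@example.com"):
    """Cost of one guess on this machine; it scales linearly with the KDF
    iteration count, which is why a low legacy count on an old account matters."""
    start = time.perf_counter()
    derive_vault_key("probe", email, iterations)
    return time.perf_counter() - start


# Constructed wordlist: the kind of list a cracker tries first.
WORDLIST = ["password", "123456", "Summer2022!", "letmein", "Welcome1", "qwerty"]


if __name__ == "__main__":
    secret = b"site=bank;pw=hunter2"
    weak = make_stolen_backup("victim@example.com", "Summer2022!", 5000, secret)
    strong = make_stolen_backup("victim@example.com", "correct horse battery staple 9x", 5000, secret)
    print("weak master password:", offline_crack(weak, WORDLIST))
    print("strong master password:", offline_crack(strong, WORDLIST))
    for iters in (5000, 100100):
        print(f"{iters:>7} iterations: {seconds_per_guess(iters) * 1000:.1f} ms per guess")
```

The weak master password falls to a six-word list; the strong one survives only because it is not in the list, and a real cracker runs billions of guesses on GPUs. The timing loop shows the other lever: every guess costs one full KDF run, so the iteration count stored with the account sets the price of the attack. Those two variables, password strength and KDF cost, are the whole of the remaining protection for exfiltrated vault data.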
To learn more about responding to the breach from a CISO who's been there, read recommendations from CISO Jack Roehrig.
If you are a LastPass customer, business or personal, you have a decision to make. At minimum, follow LastPass's precautionary advice and change your master password and every password stored in your vault; you might also consider moving to a different password manager altogether.
Learn more about password best practices.
Shift your security up
Your developer’s laptop is just a hop away from your cloud infrastructure. Attackers don’t think in silos, so why would you have siloed solutions protecting the public cloud, private cloud, containers, laptops, and servers?
Learn about Uptycs for unified CNAPP and XDR security
- In the first version of this blog we mixed up the first and second part of the attack in that we said the "customer vaults" were accessed in the first part of the attack, but that didn't happen until the second part.
- We implied that this all happened to the same employee, but the LastPass blogs talk about a "software engineer's corporate laptop" in the first attack and a "senior DevOps engineer's home computer" in the second.
- The first version of the blog was published at 7:30 p.m. EST March 1. The correction to the blog (on the two issues noted above) was made at 6:00 p.m. EST March 2.
We apologize to the community and to LastPass for moving too fast on this one.