LastPass Incident
High Level Summary of the Security Advisory
LastPass is a password management service that allows users to store, generate, and autofill passwords across different devices and web browsers. It offers a variety of features designed to make password management easier and more secure, including multi-factor authentication, secure sharing, and secure auditing.
LastPass experienced two critical incidents within a three-month span.
Incident 1: In August 2022, LastPass experienced a security incident in which a threat actor gained access to a cloud-based development environment, accessed technical documentation and source code, and exfiltrated 14 source code repositories (including cleartext embedded credentials, stored digital certificates related to LastPass's development environments, and more). The attacker compromised a software engineer's corporate laptop to gain access to the environment and used VPN services to obfuscate their activity. LastPass engaged Mandiant to assist with incident response and took a range of remediation actions, including deploying additional security controls, rotating credentials, and disabling and recreating the affected environment. No customer data or vault data was taken during this incident, as no customer or vault data is held in the development environment. It is also important to note that the cloud-based development environment and the on-premises production data center environment are physically and logically separated. Further details on this incident can be found here.
Incident 2: In December 2022, LastPass revealed that the data exfiltrated during the first incident was used to target the personal home computer of one of its DevOps engineers and launch a second successful cyberattack in October 2022. LastPass published a Security Incident Update and Recommended Actions on March 1, 2023, after performing a comprehensive investigation. The attacker gained access to a DevOps engineer's home computer, captured the engineer's master password, and gained access to their LastPass corporate vault. From there, the attacker exploited a vulnerability to deliver malware, bypass existing controls, and ultimately gain unauthorized access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data. LastPass has shared technical information, Indicators of Compromise (IOCs), and threat actor tactics, techniques, and procedures (TTPs) with law enforcement and with its threat intelligence and forensic partners. The threat actor stole both LastPass proprietary data and customer data in the second incident, including the following:
- DevOps Secrets – restricted secrets that were used to gain access to the devops engineer's cloud-based backup storage
- Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data
- Backup of LastPass MFA/Federation Database
Detailed information about the specific customer data impacted by these incidents can be found here. As part of its ongoing containment, eradication, and recovery activities related to the second incident, LastPass has taken the following actions:
- Applied additional policies and controls to LastPass cloud-based storage resources
- Changed existing privileged access controls
- Rotated relevant secrets and certificates that were accessed by the threat actor
Should I be concerned?
Maybe. It depends on the relationship you have with LastPass. Click the link below to find out whether you have a relationship with this vendor. If you do, take the immediate corrective steps and adopt the security best practices recommended by LastPass below.
Note: this link is specific to the LastPass directory record. You may also want to search your RLP for "LastPass" to confirm.
What to do if you have an active relationship with LastPass
LastPass indicated in its Security Incident Report that, as it progresses through incident response and as part of its ongoing containment, eradication, and recovery activities related to the second incident, it has performed several remedial actions, with additional work currently being scoped and planned.
If you or your vendors are using the LastPass platform, LastPass has prepared two Security Bulletins – one for its Free, Premium, and Families consumer users, and one tailored for its Business and Teams users. Each Security Bulletin includes information designed to help customers secure their LastPass accounts and respond to these security incidents.
- Security Bulletin: Recommended Actions for LastPass Free, Premium, and Families. This bulletin guides Free, Premium, and Families customers through a review of important LastPass settings designed to help secure their accounts by confirming that best practices are being followed.
- Security Bulletin: Recommended Actions for LastPass Business. This bulletin guides administrators for Business and Teams customers through a risk assessment of LastPass account configurations and third-party integrations. It also includes information relevant to both non-federated and federated customers.
If you have any questions regarding the recommended actions, please contact LastPass technical support or your LastPass customer success team.
---------------------------------------------------------------------------
We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback please let us know at product@visotrust.com.
For any additional questions, please reach out to your customer success manager.
The VISO Trust team