LastPass publishes final analysis of hack into password infrastructure
LastPass has notified its business customers via email that it has finished the analysis of the 2022 hack of its password infrastructure.
The company confirmed that it suffered a security breach in August 2022. What first looked like a minor incident led to a second breach later in 2022. In that second hack, customer data was stolen, including user vault data, which holds all the stored passwords, notes and other private information of LastPass customers.
Users were asked to change all passwords stored by the service, as the threat actor had obtained copies of the encrypted vaults and could attempt to brute-force master passwords offline to decrypt them and gain access to every stored password.
LastPass hack: the final analysis
LastPass now confirms that it has completed the investigation of the 2022 hack of its infrastructure. The information is available here, but there is no blog post or official announcement about it yet on the site.
LastPass reiterates that the two hacks were not "caused by any LastPass product defect or unauthorized access to - or abuse of - production systems". The threat actor used a vulnerability to gain access to non-production development and backup storage environments.
The summary of the first incident provides details on what happened. According to LastPass, the corporate laptop of a software engineer was compromised; this allowed the threat actor to gain access to a cloud-based development environment. They managed to copy source code data, technical information and "certain LastPass internal system secrets". Customer data or vault data was not obtained during the first hack.
LastPass deployed additional security technologies and controls in response to the incident, tore down the development environment and rebuilt it from scratch, and "rotated all relevant cleartext secrets and exposed certificates".
The second LastPass hack
The threat actor used information obtained during the first hack to target "a senior DevOps engineer", again by exploiting vulnerable third-party software, according to LastPass' post.
The vulnerability was used to deploy malware, bypass controls and gain access to cloud backups. Data from those backups included "system configuration data, API secrets, third-party integration secret, and encrypted and unencrypted LastPass customer data".
In a second support document, LastPass confirms that the threat actor was able to copy LastPass customer vault data backups for five different dates: August 20, 2022, August 30, 2022, August 31, 2022, September 8, 2022, and September 16, 2022.
The data is stored in aggregated format, BLOBs, which consist "of collections of binary strings separated into designated sections". These are not "representative of the complete assembled 'vaults' that are rendered as human-readable form within each customer's LastPass client".
According to LastPass, the BLOBs contain both encrypted and unencrypted data.
Encrypted fields in the vault:
- Site name, site folder, site username and history, site password and history, site note content, encrypted TOTP secret, custom fillable form-field, custom fillable form-field content.
- Secure notes name, folder, attachment file name, attachment, encrypted attachment encryption key, note content.
- Group names, encrypted sharing keys, encrypted super admin sharing key.
The following customer database fields were stored unencrypted:
- Business customer and teams data: billing address, company name, EIN/Tax ID, email address, end user name, IP address, telephone number, mobile device unique identifier, PBKDF2 SHA256 Iterations.
- Home users: billing address, email address, end user name, IP address, telephone number, mobile device unique identifier, PBKDF2 SHA256 Iterations
LastPass notes what the threat actor could do with the obtained data and information:
"The threat actor may attempt to brute force and decrypt the copies of the vault data they took. Our Zero Knowledge encryption architecture is designed to protect customers’ sensitive information to defend against attempts to brute force encrypted data. The threat actor may also use some of this data to target customers with phishing attacks, credential stuffing, or other social engineering attacks against online accounts associated with their LastPass vault."
What LastPass has done to strengthen security
LastPass deployed "several new security technologies" across its infrastructure in response. The company says that it has "prioritized and initiated significant investments in security, privacy, and operational practices", performed a "comprehensive review" of security policies and has "incorporated changes to restrict access and privilege".
The company hired new leaders and has enhanced its investment in security "across people, processes and technology".
LastPass plans to raise the password iteration count to 600K for new and existing customers. URL and URL-related fields, which are currently stored unencrypted, will be encrypted in the future, alongside other improvements. The company also plans to introduce Argon2 support in the near future.
LastPass states that it was not approached by the threat actor and that it is not aware of attempts to sell the data on the dark web. For customers, it is still essential that the master password and all stored passwords are changed, as the threat actor may brute force vaults to gain access to passwords.
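Why the leaked iteration counts matter is easy to miss from the field list alone. The example below is added here and is not LastPass code: it models the offline attack the company warns about, using the unencrypted columns the article lists (email and per-user "PBKDF2 SHA256 Iterations") to triage stolen records by attack cost, then runs a dictionary attack against one of them. The key-derivation shape (PBKDF2-HMAC-SHA256, lowercased email as salt, 32-byte key) follows LastPass's public description and is an assumption of this example; the sample rows, the wordlist and the verifier (an HMAC standing in for "decrypt a known field and see whether it parses") are constructed for illustration.

```python
import hashlib
import hmac
import time

KEY_LEN = 32  # 256-bit vault key (assumed to match LastPass's documented scheme)


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the vault encryption key.

    Assumed shape, per LastPass's public description: PBKDF2-HMAC-SHA256 keyed by
    the master password, salted with the lowercased account email, iterated per
    the per-user count. Both the email and the iteration count were among the
    unencrypted fields of the stolen customer database.
    """
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def make_verifier(key: bytes) -> bytes:
    """Constructed stand-in for 'decrypt one known vault field and check it parses'.

    A real attacker would AES-decrypt a field from the blob; an HMAC over fixed
    bytes gives this example the same yes/no answer without needing a cipher.
    """
    return hmac.new(key, b"constructed-known-vault-field", "sha256").digest()


def key_is_correct(key: bytes, verifier: bytes) -> bool:
    return hmac.compare_digest(make_verifier(key), verifier)


# Constructed sample rows mirroring the unencrypted columns the article lists
# (email + "PBKDF2 SHA256 Iterations"). Not real LastPass data.
STOLEN_ROWS = [
    {"email": "alice@example.com", "iterations": 5_000},
    {"email": "bob@example.com", "iterations": 100_100},
    {"email": "carol@example.com", "iterations": 600_000},
]


def triage_by_cost(rows):
    """Cheapest records first: time per guess grows linearly with the iteration
    count, so the leaked counts tell the attacker exactly whom to attack first."""
    return sorted(rows, key=lambda r: r["iterations"])


def relative_cost(iterations: int, baseline: int = 600_000) -> float:
    """Cost of one guess relative to the 600K default LastPass says it is moving to."""
    return iterations / baseline


def measure_guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Rough single-core throughput; GPU rigs are orders of magnitude faster."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"probe-{i}", "probe@example.com", iterations)
    return samples / (time.perf_counter() - start)


def dictionary_attack(email: str, iterations: int, verifier: bytes, wordlist):
    """The offline guess loop an attacker runs against one stolen record."""
    for candidate in wordlist:
        if key_is_correct(derive_vault_key(candidate, email, iterations), verifier):
            return candidate
    return None


if __name__ == "__main__":
    for row in triage_by_cost(STOLEN_ROWS):
        print(f'{row["email"]:20} iterations={row["iterations"]:>7} '
              f"relative cost={relative_cost(row['iterations']):.4f} "
              f"~{measure_guesses_per_second(row['iterations']):.0f} guesses/s on one core")
    # Constructed: alice kept a weak master password and a legacy iteration count.
    weak_key = derive_vault_key("Winter2022!", "alice@example.com", 5_000)
    found = dictionary_attack("alice@example.com", 5_000, make_verifier(weak_key),
                              ["password", "letmein", "Winter2022!"])
    print("recovered master password:", found)
```

The triage step is the practical point: a record at 5,000 iterations costs an attacker 1/120th of a record at 600,000 per guess, and the leaked count makes those cheap records trivially identifiable. Raising the iteration count only protects vaults that are re-encrypted after the change; vault copies already in the attacker's hands keep whatever count they had when they were stolen, which is why changing the master password and the stored passwords still matters.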
Now You: were you affected by the incident?