History of the Breach
LastPass first disclosed details of the breach in August 2022, and they have issued several updates over the past months with the most recent being just before Christmas (Dec 22 2022). Here is a summary of each disclosure on that timeline:
August 25, 2022
- Unauthorized party gained access to parts of the developer environment at LastPass through an individual compromised developer account.
- The unauthorized party took some source code and proprietary technical information.
September 15, 2022
- The unauthorized party was in the developer environment for four days.
- The incident did not involve any access to customer data or encrypted password vaults
November 30, 2022
- Unusual activity within a third-party cloud storage service was detected.
- Previously gained knowledge facilitated this incident.
- The unauthorized party gained access to certain elements of customer information.
December 22, 2022
- The threat actor obtained customer account information such as names, billing addresses, email addresses, telephone numbers, and their encrypted vaults.
- The encrypted data is strongly encrypted and requires that a customer’s master password be decrypted first.
One of the key takeaways from these disclosure statements is that this wasn’t a single hack that took place in August. This was a series of compromises that built off of each other ultimately resulting in the loss of significant customer data. We don’t know based on the disclosures what the initial access was to the developer environment, but one likely scenario is both phishing that resulted in malware on the developer system and providing command and control access to the developer tools and environment. Over time, the attacker was able to pivot and target a separate employee to gain two critical pieces of information: access keys to a cloud environment and decryption keys for that cloud environment. This means the attacker was able to easily download copies of those vaults and the other customer data there.
The data taken can be divided into two categories, account information and unencrypted vault data. The account information should be considered exposed and includes:
- Company names
- End user names
- Billing addresses
- Email addresses
- Telephone numbers
- IP addresses
The vaults are encrypted but also include unencrypted data such as website URLs. This has a number of implications for customers involved. If you were a LastPass user with a vault copied, the only thing preventing that vault from being fully exploited is your LastPass Master Password. Due to the fact the attacker has an offline copy of the vault the attacker can brute force the Master Password. If you have a strong Master Password and follow all of the posted minimum recommendations by LastPass, you are probably not under immediate threat of having the encryption cracked quickly or ever.
What to do now
It’s still a good idea and recommended to change your Master Password. Also consider changing the passwords on all accounts within the vault. Focus on your personal critical accounts first.
Be on the lookout for highly targeted phishing emails. The data exposed already includes a large amount of useful information for crafting highly targeted phishing attempts. Be particularly wary of anyone asking for your Master Password. No one should ever be asking for that.