LastPass breach, part II — what you need to know


The LastPass breach was a pretty stunning turn of events for a company on the cutting edge of cybersecurity best practices. It proves that regardless of how sophisticated or careful a company is, talented hackers with enough time and motivation can breach some part of its systems. Here’s what happened, and what you can learn from the breach.

Incident 1

From LastPass’ recent update: “A software engineer’s corporate laptop was compromised, allowing the unauthorized threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets. No customer data or vault data was taken during this incident, as there is no customer or vault data in the development environment. We declared this incident closed but later learned that information stolen in the first incident was used to identify targets and initiate the second incident.”

Incident 2

Again from LastPass’ recent update: “The threat actor targeted a senior DevOps engineer by exploiting vulnerable third-party software. The threat actor leveraged the vulnerability to deliver malware, bypass existing controls, and ultimately gain unauthorized access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data.”

So, what data was accessed?

Summary of data accessed in Incident 1:

  • On-demand, cloud-based development and source code repositories – this included 14 of 200 software repositories.
  • Internal scripts from the repositories – these contained LastPass secrets and certificates.
  • Internal documentation – technical information that described how the development environment operated.

Summary of data accessed in Incident 2:

  • DevOps Secrets – restricted secrets that were used to gain access to our cloud-based backup storage.
  • Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using our Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password. As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass – therefore, they were not included in the exfiltrated data.
  • Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.

Proactive Steps Businesses Can Take to Minimize Risk Exposure

The LastPass security incident serves as a reminder that all businesses, no matter the size or industry, have to take proactive steps to protect their sensitive data. Here are some steps we recommend to minimize your risk exposure:

  1. Implement a Strong Password Policy: Mandate strong, unique passwords for all staffers and implement multi-factor authentication.
  2. Regularly Review Access Controls: Ensure that only authorized individuals have access to sensitive data, and that credentials/access are right-sized for each employee.
  3. Educate Employees on Security Best Practices: Employees are usually the weakest link in an organization’s security posture. Education, training and then simulation drills with employees are essential to minimizing risk exposure.
  4. Conduct Regular Security Audits: These can help identify vulnerabilities and ensure that all security controls are functioning as intended.
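
Incident 1 exposed internal scripts that contained secrets and certificates, so one concrete audit under step 4 is to scan your own repositories' scripts for embedded credentials and key material. The scanner below is an added example, not code from LastPass or from this article; its patterns, entropy threshold, and sample files are constructed assumptions.

```python
import math
import re
from collections import Counter

# Assumed, non-exhaustive patterns: PEM headers and credential-like assignments.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]*?)(PRIVATE KEY|CERTIFICATE)-----")
ASSIGN_RE = re.compile(
    r"""\b([A-Z0-9_]*(?:secret|token|passw(?:or)?d|api_?key)[A-Z0-9_]*)
        \s*[:=]\s*["']?([^\s"'#]{8,})""", re.I | re.X)
# Values that point at a variable or secret store instead of embedding the secret.
INDIRECT_RE = re.compile(r"\$|<|%|os\.environ|getenv", re.I)

# Constructed sample scripts; they contain no real key material.
SAMPLE_FILES = {
    "deploy/backup.sh": (
        "#!/bin/sh\n"
        'BACKUP_API_KEY="EXAMPLE9fQ2xV7bLz0PdK4"\n'
        "DB_PASSWORD=${DB_PASSWORD:?set in environment}\n"
    ),
    "tools/sign.py": (
        "import os\n"
        "token = os.environ['SIGNING_TOKEN']\n"
        'KEY = """-----BEGIN RSA PRIVATE KEY-----\n'
    ),
}

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_text(path, text, min_entropy=3.0):
    """Return (path, line_no, kind, name) findings; the secret itself is never echoed."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = PEM_RE.search(line)
        if m:
            findings.append((path, no, "pem-" + m.group(2).lower().replace(" ", "-"), ""))
            continue
        m = ASSIGN_RE.search(line)
        if m and not INDIRECT_RE.match(m.group(2)) and entropy(m.group(2)) >= min_entropy:
            findings.append((path, no, "hardcoded-credential", m.group(1)))
    return findings

def scan_files(files):
    return [f for path in sorted(files) for f in scan_text(path, files[path])]

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

Anything this flags should be rotated and moved into a secrets manager, since a secret that has been committed stays in repository history and in every clone or backup of it.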

As a long-time advocate of password managers (and someone who has used LastPass for my personal password management as well), I’m by no means advocating for leaving the service outright. But the LastPass security incident highlights the importance of taking proactive steps to protect sensitive data. LastPass issued a set of recommended steps to protect user accounts. With a focus on security and proactive measures, businesses can ensure they are doing all they can to protect themselves and their customers’ sensitive data.