Breaches aren’t always what they seem and containment isn’t always guaranteed or long lasting. Just ask LastPass.
A breach of the password manager’s infrastructure, first detected in August 2022, was declared contained by LastPass CEO Karim Toubba weeks later. By late November, it was very much not contained.
While the initial breach occurred in August 2022, LastPass three months later said an unknown threat actor had accessed its cloud-based storage environment and encrypted password vaults, using information obtained during the August incident.
As the year came to a close, LastPass said customer data was significantly compromised as a result of the incident. The threat actor accessed and copied a cloud-based backup of customer vault data that included encrypted passwords, usernames and much more.
Here’s how everything unraveled, according to updates provided by LastPass. The company has not responded to requests for comment.
Aug. 25, 2022: Toubba, in a blog post, informed customers the password manager detected “some unusual activity within portions of the LastPass development environment.”
The company, following an initial investigation, said it uncovered no evidence of an unauthorized party accessing customer data or encrypted password vaults.
The unidentified threat actor gained access through a compromised developer account and stole portions of source code and proprietary technical information, Toubba said.
LastPass made a distinction between its production and development infrastructure at this stage, and said the unauthorized access was contained to its development environment, which doesn’t hold personal data.
The company, which has more than 100,000 business customers and more than 33 million registered users, said it deployed containment and mitigation measures and hired a cybersecurity and forensics firm to assist with further investigation.
“We have achieved a state of containment, implemented enhanced security measures and see no further evidence of unauthorized activity,” Toubba said.
In a brief FAQ, LastPass told users and administrators that no recommended actions need to be taken.
Sept. 15, 2022: LastPass said its security team detected a threat actor inside its development system during a four-day period and was able to contain the activity.
After it completed an investigation and forensic review with incident response firm Mandiant, LastPass said it found no further evidence of activity from a threat actor nor was any customer data or encrypted password vault accessed.
The company again emphasized that the unauthorized access was limited to its development system, which is “physically separated” from its production environment, leaving no direct access.
LastPass contained the incident sometime between mid-August when LastPass first detected the unusual activity and mid-September, Toubba said in the updated blog post.
The threat actor used a developer’s compromised endpoint to gain access to the LastPass developer environment.
“While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multifactor authentication,” Toubba said.
Nov. 30, 2022: For the first time, LastPass acknowledged customer data was compromised as a result of the August breach.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” Toubba said in a brief update.
The incident was now spreading and exposing customer data.
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” Toubba said.
The company did not say when it discovered the subsequent breach, what type of customer information was exposed or how many customers were potentially compromised.
Toubba blamed “unusual activity within a third-party cloud storage service,” and LastPass reengaged with Mandiant and notified law enforcement.
Dec. 22, 2022: Just before the holidays, in its most detailed update yet, LastPass said customer data was significantly compromised after an unknown threat actor copied a cloud-based backup of customer vault data.
The information included encrypted passwords, usernames and form-filled data. “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our zero knowledge architecture,” Toubba said in the updated blog post.
“The master password is never known to LastPass and is not stored or maintained by LastPass,” Toubba said.
The backup of customer vault data also contained unencrypted data, such as the website URLs customers access via the password manager, company names, billing addresses, email addresses, phone numbers and the IP addresses customers use to access LastPass.
The company warned customers a threat actor may attempt to use brute force to guess master passwords or target customers with phishing attacks or credential stuffing.
If LastPass’ default master password settings are followed, such as a minimum of 12 characters, Toubba said it would take “millions of years” to guess a master password using generally-available technology for password hacking.
Less than 3% of LastPass’ business customers were identified at risk based on specific account configurations and advised to take certain steps.
“This remains an ongoing investigation,” Toubba said. “Our services are running normally and we continue to operate in a state of heightened alert.”
