In August 2022, LastPass suffered a data breach with escalating impact, ultimately resulting in a mass user exodus toward alternative password manager solutions.
This post provides an overview of the timeline of events during the LastPass cyber attack and critical lessons to help you avoid suffering a similar fate.
Timeline of Events During the LastPass Data Breach (2022-2023)
To draw the most useful lessons from this LastPass cybersecurity incident, it helps to understand the complete context of LastPass’ response efforts, outlined in the timeline of key events below.
August 25, 2022
Event: Unauthorized access detected
LastPass CEO Karim Toubba publishes a notice informing users that unusual and suspicious activity was detected inside the LastPass development environment.
“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.”
- Karim Toubba (LastPass CEO)
September 15, 2022
Event: LastPass claims no customer or password information was compromised.
With assistance from cybersecurity firm Mandiant, LastPass completes an investigation into the security incident. The findings revealed that the threat actor only had access to the company’s dev environment for a total of four days, and during that time, no evidence of customer information or password compromise was found.
“We have completed the investigation and forensics process in partnership with Mandiant. Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident. There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.”
- Karim Toubba (LastPass CEO)
November 30, 2022
Event: Unusual activity in third-party provider detected
Hackers, using details stolen during the August incident, gain access to the third-party cloud storage service that LastPass used to archive backups of production data. This led to certain elements of LastPass customer information being compromised.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”
- Karim Toubba (LastPass CEO)
December 22, 2022
Event: Backup of customer vault data found to have been copied
LastPass discovers that, while inside the third-party cloud-based storage environment, the threat actor compromised basic LastPass customer account information and a backup of customer vault data, which included unencrypted data. In other words, the hackers had access to customer password vaults but, without the master passwords, did not have the means to open them.
This, however, didn’t remove the possibility of access. If LastPass users had been impacted in previous data breaches and reused those passwords, hackers could have tried the compromised credentials purchased on the dark web against the vaults, or fallen back on brute-force guessing of the master password.
“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data.”
- Karim Toubba (LastPass CEO)
March 01, 2023
Event: Threat actor accesses non-production development and backup storage environments.
Additional critical developments are announced, labeled as “Incident 2.” LastPass reveals that the cybercriminals gained access to the home computer of a senior DevOps engineer by exploiting a security vulnerability in their third-party media software package (suspected to be Plex media software). This employee was targeted because they had access to decryption keys needed to access the vaults of compromised LastPass accounts (mentioned in the previous update).
Once inside the DevOps engineer’s computer, hackers deployed keylogger malware to capture the user’s master password as it was being typed, after the user had authenticated with Multifactor Authentication (MFA). The theft of this master password then allowed the hackers to access the employee’s corporate vault.
“Due to the security controls protecting and securing the on-premises data center installations of LastPass production, the threat actor targeted one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service.
This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gained access to the DevOps engineer’s LastPass corporate vault.”
- Karim Toubba (LastPass CEO)
According to LastPass, the following sensitive data categories were accessed in each incident.
Data accessed in the first Incident:
- On-demand, cloud-based development, and source code repositories
- Internal scripts from the repositories
- Internal documentation
Data accessed in the second incident:
- DevOps Secrets
- Cloud-based backup storage
- Backup of LastPass MFA/Federation Database
The compromise of LastPass’s backups allowed the threat actors to access a wide range of sensitive customer information, including Recovery One-Time Passwords.
See the complete list of compromised LastPass data >
4 Critical Lessons from the LastPass Breach
The following key lessons can be learned from this LastPass security incident.
1. Segment your Network
One of LastPass’ few commendable responses was its attempt to mitigate the impact by deploying containment measures. It’s much easier to isolate active cyber threats within the context of a segmented network. Network segmentation is also an effective method of disrupting the workflows of sophisticated cyberattacks, like phishing and ransomware attacks.
2. Be Completely Transparent with Impacted Users
LastPass’ primary flaw wasn’t that its primary security controls failed to prevent a data breach (although such cybersecurity capability is expected from a Password Manager); it was its vague and drawn-out method of alerting impacted customers. In total, LastPass published five different updates about its security incident, and each time it felt like LastPass failed to be completely blunt about the incident’s degree of impact - as evidenced by LastPass hiding the inflammatory details about how its employee’s corporate vault was compromised in a separate “Additional Details” document.
If there’s one major lesson to be learned from this data breach, and all other major breaches, it’s this - take ownership of your mistakes. Being entirely upfront about the cybersecurity mistakes that resulted in a breach might not prevent reputational damage, but it could significantly reduce the time it takes to recover from it.
For another example of public relations efforts not to follow, read about how Optus responded to its major data breach.
3. Implement a Strong Password Policy
Ensure your password policy strictly prohibits poor habits like password recycling. Because so many data breaches have already happened, chances are some of your passwords have already been compromised and are available on the dark web.
When the cybercriminals copied the backup of customer vault data (announced on December 22, 2022), they could have opened a victim’s vault if that victim had been compromised in a previous breach and reused the same password as their master password.
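The two checks this lesson calls for, rejecting passwords that already appear in a breach corpus and rejecting passwords the user has used before, can be enforced at password-change time. The following is an added example written for this post, not LastPass code or an UpGuard product feature. It assumes a small constructed set of breached passwords standing in for a real breach corpus (the Have I Been Pwned range lookup is the model for the hash-prefix check) and a per-user password history stored as salted PBKDF2 hashes; the function and variable names are the example’s own.

```python
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Tuple

# Constructed sample of breached passwords standing in for a real breach
# corpus (e.g. a downloaded Have I Been Pwned list). Illustrative values only,
# not data from the LastPass incident.
_SAMPLE_BREACHED = ["password", "123456", "Summer2022!", "letmein", "qwerty123"]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _SAMPLE_BREACHED
}

# Work factor for the password-history hashes (assumed value for the example).
PBKDF2_ROUNDS = 200_000


def breach_range_lookup(password: str, corpus: Iterable[str] = BREACHED_SHA1) -> bool:
    """k-anonymity style breach check.

    Only the first five hex characters of the SHA-1 digest would leave the
    client; the corpus (or a range API) returns every suffix sharing that
    prefix and the comparison happens locally, so the full password hash is
    never disclosed. Here the corpus is an in-memory set so it runs offline.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    returned_suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in returned_suffixes


def hash_for_history(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 hash so previous passwords are never stored in clear."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Re-derive the candidate under each historical salt and compare in constant time."""
    for salt, stored in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, stored):
            return True
    return False


def policy_violations(
    password: str,
    history: List[Tuple[bytes, bytes]],
    corpus: Iterable[str] = BREACHED_SHA1,
    min_length: int = 14,
) -> List[str]:
    """Return every policy rule the candidate password breaks (empty list = accepted)."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if breach_range_lookup(password, corpus):
        violations.append("appears in a known breach corpus")
    if was_used_before(password, history):
        violations.append("reused from password history")
    return violations


if __name__ == "__main__":
    # Constructed history: the user previously set "Summer2022!" as a password.
    history = [hash_for_history("Summer2022!")]
    for candidate in ["Summer2022!", "letmein", "correct horse battery staple 2023"]:
        print(candidate, "->", policy_violations(candidate, history) or ["accepted"])
```

The history check deliberately stores only salted, slow hashes of earlier passwords: a password-history table that held reusable hashes would itself become a credential-stuffing list if it leaked, which is the very failure mode the December 22 update describes.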
4. Implement Strong Security Policies for Remote Devices
The highest degree of damage during this event occurred after a LastPass DevOps Engineer’s laptop was compromised, which only happened because the device was exposed through a vulnerability inside a third-party media software package (speculated to be Plex). If this third-party media package was Plex, the employee used their work computer for personal entertainment.
Your security policy for WFH devices should demarcate the permitted use of corporate laptops and other endpoints entrusted to remote employees. As a minimum, these policies should prohibit the installation of personal applications without explicit approval from security teams.
Even seemingly innocent actions, like accessing social media apps like LinkedIn or web apps like Amazon, increase your phishing attack surface and should, therefore, also be addressed in security policies.
Shut Down Security Vulnerabilities Fast with UpGuard
UpGuard helps businesses discover and shut down security risks before cybercriminals exploit them. By combining attack surface management with Vendor Risk Management features, UpGuard provides the most comprehensive protection against internal and third-party security risks.