Why You Should Stop Using LastPass After New Hack Method Update


LastPass has, for the longest time, been one of the big names when it comes to password managers. Unfortunately, with a registered user base of over 25 million, it’s also a big target for cybercriminals. Indeed, LastPass has quite the history of security incidents stretching back to 2011 when all users were requested to change their master passwords following a network traffic anomaly. I have always defended LastPass for being transparent about such security incidents and advised against switching to another password manager.

Until now.

2022 was a very worrying year for LastPass users

Fast forward to August 2022, and the LastPass CEO, Karim Toubba, confirmed that an “unauthorized party gained access to portions of the LastPass development environment,” and “took portions of source code and some proprietary LastPass technical information.” At the time I reported Toubba had stated that the incident had not compromised master passwords. Toubba updated the LastPass incident statement in September with further details of what the attacker had accessed. This continuing transparency only cemented my trust in LastPass as a security company. Sure, it’s bad when any breach occurs, but being open about it and spelling out what was and wasn’t accessed is key, along with steps taken to prevent further breaches. LastPass had been ticking all the trust boxes so far.

And then, on November 30, Toubba updated that statement again, revealing that the attacker “was able to gain access to certain elements of our customer’s information.” Once again, however, there was confirmation from Toubba that user passwords remained safely encrypted. So, the transparency was holding up, and I still wasn’t suggesting users needed to move to another password manager.

The LastPass security incident updates kept getting worse

I admit that my patience was stretched thin on December 22 when Toubba published yet another incident update. We now knew that the threat actor had leveraged information gained during the August breach to gain access to a cloud-based storage environment used by LastPass to store archived backups of production data. That sounds bad, but it could be worse, I thought. Then I carried on reading, and it was worse, much worse. The attacker accessed and copied “basic customer account information and related metadata” and a “backup of customer vault data.”

The vault data included, we were informed, both encrypted and unencrypted data. An example of the latter was given as website URLs, while the former, and more critical, included usernames and passwords, secure notes, and form-filled data. Toubba emphasized that the encrypted data was “secured with 256-bit AES encryption” and could only be decrypted with user master passwords the attacker didn’t have. Indeed, as with any password manager worth its salt (every pun intended), master passwords are not known to, or stored by, the vendor.

LastPass attacker stole customer password vaults

This meant the attacker now had customer password vaults but not the means to open them. Unless, of course, they used brute-force methods to try known passwords from other breaches. With local access to the encrypted databases, this becomes a lot easier to pull off but is still dependent on the user either having a weakly constructed master password or one reused across services, including one that has been compromised. At this point, I recommended that users change their master password, which would also re-encrypt their password vault, on a better-safe-than-sorry basis. This wouldn’t help anyone with a weak master password in terms of the stolen vaults, of course, so those customers were advised to change all their passwords as soon as possible.

At this point, I stated that if I were a LastPass user, I’d be looking for alternatives given the drip feed of breach information, especially since it took so long to determine that customer vaults had been stolen. This gave the attacker a head start on any attempts to decrypt vaults, as users had been advised that no further action was required up until this point. “Trust is paramount in the world of password management,” I concluded, “and there can be little doubt that trust is being tested hard right now.”


The final LastPass hack attack bombshell drops

And then, on March 1, yet another update to the December 22 incident disclosure dropped. This conceded that LastPass’s communication about the security incidents had not been comprehensive or frequent enough. That’s fair enough; file under lessons learned. However, the red flags started waving for me when the statement confirmed that a threat actor had “targeted a senior DevOps engineer by exploiting vulnerable third-party software.” Wait, what?

We were informed that, by doing so, the attacker delivered malware that could bypass security controls and gain access to those cloud backups. The security incidents were not, the statement read, “caused by any LastPass product defect.” Maybe not, but corporate security processes and controls appear to have fallen even shorter than corporate comms.

Even now, in the same statement that assured customers that LastPass had listened to concerns about communicating more comprehensively, the bombshell disclosure was contained in a separate ‘additional details’ document. I will quote the paragraph that broke this security camel’s back in full as it relates to how the attacker got access to the decryption keys for the cloud storage service:

This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.


A textbook persistent attack, experts say

“This attack is a textbook persistent attack where the attackers increased their foothold in stages and without rushing the process. This is why even minor breaches should not be overlooked,” Javvad Malik, lead security awareness advocate at KnowBe4, said.

My trust in LastPass has now been broken into little pieces. Admittedly, this was a persistent and seemingly well-resourced attacker. But targeting high-value employees in a valuable organization is a familiar attack model. A password manager company should have processes in place, beyond a bring-your-own-device and work-from-home policy, to prevent a ‘home computer’ with apparently vulnerable third-party software installed from getting anywhere near these services. So where on earth were the access controls? Why wasn’t an alert raised when the senior developer, apparently one of only four holding the keys to these services, started using their home computer to access them?

“These incidents demonstrate the critical importance of privileged access management, as the attackers specifically targeted employees (in this case, DevOps personnel) with privileged access to sensitive systems and data,” Mike Walters, vice president of vulnerability and threat research at Action1, said. “Therefore, it’s crucial for businesses to implement strong privileged access management controls, including regular access reviews and monitoring of privileged accounts. Additionally, these incidents raise concerns about the efficiency of vulnerability management measures in LastPass.”

“In 2023, we should expect a surge of sophisticated attacks on privileged tech employees aimed at stealing their access credentials and getting access to the crown jewels,” Dr. Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network, said. “Organizations should urgently consider reviewing their internal access permissions and implement additional patterns to be monitored as anomalies, such as excessive access by a trusted employee or usual access during non-business hours.”
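As an added example, not LastPass’s code nor anything the incident statements describe, here is a small detector for the patterns Walters and Kolochenko call for (privileged access from an unmanaged device, access outside business hours, and excessive access by one trusted account), run over constructed audit-log lines. The log format, field names, business-hours window and threshold are all assumptions for illustration.

```python
# Added example: flag the privileged-access anomalies discussed above.
# The JSON-lines format, field names and thresholds are assumptions.
import json
from collections import Counter
from datetime import datetime

BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 on a weekday counts as business hours
EXCESSIVE_THRESHOLD = 3          # privileged actions per user that trigger a finding

# Constructed sample: audit-log lines from a hypothetical cloud-storage service.
SAMPLE_LOG = """
{"ts": "2022-08-12T10:15:00", "user": "devops1", "privileged": true, "device": "corp-laptop-07", "managed": true, "action": "read_backup_key"}
{"ts": "2022-08-12T23:40:00", "user": "devops1", "privileged": true, "device": "home-pc", "managed": false, "action": "read_backup_key"}
{"ts": "2022-08-13T01:05:00", "user": "devops1", "privileged": true, "device": "home-pc", "managed": false, "action": "list_backups"}
{"ts": "2022-08-13T01:07:00", "user": "devops1", "privileged": true, "device": "home-pc", "managed": false, "action": "download_backup"}
{"ts": "2022-08-13T09:30:00", "user": "analyst2", "privileged": false, "device": "home-pc", "managed": false, "action": "view_dashboard"}
"""

def detect_anomalies(log_text):
    """Return (rule, user, detail) tuples for privileged accesses that come
    from an unmanaged device, fall outside business hours, or are excessive."""
    events = [json.loads(line) for line in log_text.strip().splitlines()]
    findings = []
    per_user = Counter()
    for ev in events:
        if not ev["privileged"]:
            continue                      # only privileged accounts are in scope
        when = datetime.fromisoformat(ev["ts"])
        per_user[ev["user"]] += 1
        if not ev["managed"]:             # home computer, not a corporate device
            findings.append(("unmanaged_device", ev["user"], ev["ts"]))
        if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
            findings.append(("off_hours", ev["user"], ev["ts"]))
    for user, count in per_user.items():
        if count >= EXCESSIVE_THRESHOLD:  # one trusted account doing too much
            findings.append(("excessive_access", user, f"{count} privileged actions"))
    return findings

if __name__ == "__main__":
    for finding in detect_anomalies(SAMPLE_LOG):
        print(finding)
```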


Questions asked of LastPass

I contacted LastPass and asked why the engineer’s home computer use was not flagged before the keylogger incident. Was the computer covered by a BYOD policy, and why was third-party media software installed on it? Finally, I asked why the engineer in question was not provided a corporate laptop for work-from-home usage, which, one would hope, might have avoided the circumstances leading up to the compromise. A LastPass spokesperson pointed me to the March 1 security incident update. “The information includes what happened and the actions we have taken, what data was accessed, what we have done to secure LastPass, actions we are recommending customers take to protect themselves or their businesses, and what customers can expect from us going forward,” the spokesperson said.

It’s time to switch to another password manager

My recommendation now is for a firm ‘choose something else’ when it comes to password managers. Both Bitwarden (free) and 1Password (subscription) come highly recommended. Watch the password manager Straight Talking Cyber video at the top of this article for details of how 1Password combines a master password and a secret key for additional password vault security.

OK, so LastPass has applied additional policies and controls for cloud-based storage resources and changed privileged access controls. Both are good, but why were they not there before?

One thing is for sure: LastPass has my trust ground right down. Let’s be clear; it’s not that LastPass was successfully attacked. I’ve already made the point that absolute security is a complete fallacy. However, how breaches are communicated to customers is critical, and the methods used to effect the breach provide insight into security culture.

LastPass has failed in both regards, in my never humble opinion.

A totally unscientific poll of 175 of my largely infosecurity professional following suggests that I’m not alone in coming to this conclusion.
