LastPass Data Breach: What the company has said and what users should do.
LastPass, a popular password manager that we recommend to our clients, was recently the target of a cyberattack.
Here's an update on last year’s data breach:
On February 27, 2023 – after extensive investigation – LastPass determined that the malicious actor used information obtained in an earlier, August 2022 data breach (see below), to target an employee and obtain credentials and keys used to decrypt storage volumes within their cloud-based storage service.
Using the information stolen in the first breach, the attacker targeted a senior DevOps engineer by exploiting vulnerable third-party software, which ultimately gave them access to the engineer's corporate vault. The data accessed included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data.
During the second incident, the threat actor accessed copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled).
LastPass has disclosed that the identity of the threat actor and their motivation remain unknown. No credible underground activity has been detected indicating that the threat actor is actively marketing or selling any information obtained during either incident.
Recommended Actions for LastPass Users:
LastPass recommends a master password of at least 12 characters that is not reused anywhere else. If your master password does not meet this guidance, change it and change the passwords stored in your vault.
Security experts recommend changing your master password regardless of its length, and you should consider changing the passwords in your vault as well, because the threat actor may try to brute-force the encrypted vault data.
Accounts in your vault that have MFA enabled have an additional layer of protection, as long as the MFA code generator is not stored in LastPass itself (which LastPass allows). You may still want to update those account passwords as well.
Be on the lookout for phishing emails that look like they come from LastPass but are actually sent by an attacker. LastPass will never contact you asking for your master password.
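The three recommendations above (a master password of at least 12 characters that is not reused, no password shared across entries, and MFA seeds not kept inside the vault) can be checked mechanically against a vault export. The following is an added Python example, not code from the original post or from LastPass; it assumes the export is a CSV with the columns url, username, password, totp, extra, name, grouping, fav (an assumption about the export format) and runs over a few constructed sample entries.

```python
import csv
import io
from typing import Dict, List

# Constructed sample in the shape of a CSV vault export. The column names are
# an assumption about the export format; all values are made up.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://bank.example,alice,Tr0ub4dor&3-horse-staple,,,"Bank",Finance,0
https://mail.example,alice@example.com,correct-horse-battery,JBSWY3DPEHPK3PXP,,"Mail",,1
https://shop.example,alice,pet-name-1999,,,"Shop",,0
https://forum.example,alice,correct-horse-battery,,,"Forum",,0
"""

MIN_MASTER_LENGTH = 12  # the minimum length the post says LastPass recommends


def load_export(csv_text: str) -> List[Dict[str, str]]:
    """Parse the CSV export into one dict per vault entry."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_vault(csv_text: str, master_password: str) -> Dict[str, List[str]]:
    """Return a mapping of entry name -> list of findings.

    Findings correspond to the post's recommendations:
    - master password shorter than MIN_MASTER_LENGTH characters
    - master password reused as an entry password (whoever recovers the
      master password, from another breach or by cracking, gets everything)
    - one password shared by several entries
    - a TOTP seed stored beside its credential, so MFA adds no protection
      once the vault itself is decrypted
    """
    entries = load_export(csv_text)
    findings: Dict[str, List[str]] = {}

    if len(master_password) < MIN_MASTER_LENGTH:
        findings.setdefault("master password", []).append(
            f"shorter than {MIN_MASTER_LENGTH} characters; change it")

    # Count how many entries share each password to spot reuse.
    password_counts: Dict[str, int] = {}
    for entry in entries:
        pw = entry["password"]
        password_counts[pw] = password_counts.get(pw, 0) + 1

    for entry in entries:
        name = entry["name"]
        pw = entry["password"]
        if pw == master_password:
            findings.setdefault(name, []).append("reuses the master password")
        if password_counts[pw] > 1:
            findings.setdefault(name, []).append("password shared with another entry")
        if entry.get("totp"):
            findings.setdefault(name, []).append(
                "TOTP seed stored in vault; MFA gives no extra protection once the vault is decrypted")
    return findings


if __name__ == "__main__":
    for entry_name, problems in audit_vault(SAMPLE_EXPORT, "pet-name-1999").items():
        print(entry_name, "->", "; ".join(problems))
```

Entries flagged as reusing the master password or sharing a password with another entry are the ones to rotate first; entries whose TOTP seed lives in the vault should have that seed moved to a separate authenticator, since the vault backup and the seed were exposed together.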
December 2022 Data Breach
On December 22, after extensive investigation, LastPass determined that the malicious actor had downloaded basic customer data, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers accessed the LastPass service.
Additionally, the malicious actor was able to obtain a backup copy of encrypted customer vaults (where passwords are stored).
November 2022 Data Breach
On November 30th, LastPass detected unusual activity within a third-party cloud storage service it uses and reported that some customer data (excluding passwords) had been stolen from that environment.
In response, LastPass immediately initiated an investigation, deployed containment and mitigation measures, engaged a leading cybersecurity and forensics firm, and alerted law enforcement.
The investigation determined that an unauthorized party, using information obtained in the August 2022 data breach incident (see below), was able to gain access to certain elements of LastPass customers' information.
LastPass has said it will continue to "deploy enhanced security measures and monitoring capabilities" to detect further threats to its infrastructure.
August 2022 Data Breach
On August 25th, LastPass suffered a cyberattack after an unauthorized party gained access to portions of the LastPass server infrastructure through a single compromised developer account.
LastPass stated at the time that user data and encrypted password vaults were safe and had not been compromised.
What Users Should Do:
Change your LastPass passwords as a precautionary measure.
Use a unique and strong master password, and make sure it does not contain personal information such as pet names.
Enable two-factor authentication.
Make sure 2FA is turned on to protect your LastPass vault.
The recent LastPass data breach is a reminder that incidents like this happen far too often, and businesses need a comprehensive strategy for protecting systems and accounts, along with a comprehensive disaster recovery strategy.
To learn more about how our strategic IT planning solution can help secure your business, fill out the form below or schedule a free consultation to talk with one of our IT experts.