LastPass provided an update in late December 2022 detailing follow-on damage stemming from their breach earlier in the year. Here is what they said:
Notice of Recent Security Incident
To Our LastPass Community,
We recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data. In keeping with our commitment to transparency, we want to provide you with an update regarding our ongoing investigation.
What We’ve Learned
Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
LastPass production services currently operate from on-premises data centers with cloud-based storage used for various purposes such as storing backups and regional data residency requirements. The cloud storage service accessed by the threat actor is physically separate from our production environment.
To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms, please see here.
There is no evidence that any unencrypted credit card data was accessed. LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment.
What Does This Mean? Is My Data at Risk?
The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices. We routinely test the latest password cracking technologies against our algorithms to keep pace with and improve upon our cryptographic controls.
The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.
What Should LastPass Customers Do?
As a reminder, LastPass’ default master password settings and best practices include the following:
- Since 2018, we have required a twelve-character minimum for master passwords. This greatly minimizes the ability for successful brute force password guessing.
- To further increase the security of your master password, LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password. You can check the current number of PBKDF2 iterations for your LastPass account here.
- We also recommend that you never reuse your master password on other websites. If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account (this is referred to as a “credential stuffing” attack).
If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.
However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.
For those Business customers who have implemented LastPass Federated Login Services, LastPass maintains our Zero Knowledge architecture and implements a hidden master password to encrypt your vault data. Depending upon the chosen implementation model, this hidden master password is actually a combination of two or more separately-stored, 256 bits or 32 characters long cryptographically-generated random strings that must be specifically combined to use (you can read more about this in our Technical Whitepaper here).
The threat actor did not have access to the key fragments stored in customer Identity Provider’s or LastPass’ infrastructure and they were not included in the backups that were copied that contained customer vaults. Therefore, if you have implemented the Federated Login Services, you do not need to take any additional actions.
However, it is important to note that if you are a Business customer who is not using Federated Login and your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.
What We’ve Done, and What We’re Doing
In response to the August 2022 incident, we eradicated any further potential access to the LastPass development environment by decommissioning that environment in its entirety and rebuilding a new environment from scratch. We also replaced and further hardened developer machines, processes, and authentication mechanisms.
We have added additional logging and alerting capabilities to help detect any further unauthorized activity including a second line of defense with a leading managed endpoint detection and response vendor to supplement our own team. We have also continued to execute our plans of implementing a new, fully dedicated, set of LastPass development and production environments.
In response to this most recent incident, we are actively rotating all relevant credentials and certificates that may have been affected and supplementing existing endpoint security. We are also performing an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service, adding additional safeguards within this environment, and analyzing all data within this environment to ensure we understand what the threat actor accessed.
We have already notified a small subset (less than 3%) of our Business customers to recommend that they take certain actions based on their specific account configurations. If you are a Business customer and you have not already been contacted to take action, then there are no other recommended actions for you to take at this time.
This remains an ongoing investigation. We have notified law enforcement and relevant regulatory authorities of this incident out of an abundance of caution. We are committed to keeping you informed of our findings, and to updating you on the actions we are taking and any actions that you may need to perform. In the meantime, our services are running normally, and we continue to operate in a state of heightened alert.
We thank you for your continued support and patience as we continue to work through this incident.