Risk Advisory: LastPass Data Breach

Cydea’s risk advisories are intended for senior management to aid their understanding of current events and the cyber risk posed to their organisations.

What has happened?

In August 2022, an unknown cyber threat actor gained unauthorised access to LastPass’ development environment through a compromised developer’s account. It was reported that “some source code and some proprietary LastPass technical information” was stolen.

The information stolen through the compromised account was used to target another employee and steal “credentials and keys” that gave access to one of LastPass’ cloud environments. This second incident was reported in late November 2022.

On 22nd December, LastPass provided further details on their investigations into the incident and confirmed that the threat actor had been able to download and decrypt data backups within their cloud storage.

These data included customer identifying information and copies of customers’ password vaults. Having taken a copy of this password vault data means that the threat actor may be able to decrypt the passwords inside and use this to access the websites, apps and services they have protected using LastPass.

The customer information that was stolen by the threat actor includes customer metadata:

• Company names
• End user names
• Billing addresses
• Email addresses
• Telephone numbers
• Customer IP addresses used to access LastPass

… and a backup of customer vault data, containing:

• Website URLs (unencrypted)
• Website usernames and passwords (encrypted)
• Secure notes (encrypted)
• Form-filled data (encrypted)

Notices of the related security incidents and their incident investigations are available on the LastPass blog.

What is the risk?

There have been no immediate reports of the stolen information being used. This is an example of a supply chain attack that causes disruption to typical business activities.

Where customer trust has been sufficiently eroded, they may wish to change suppliers.

Source:

• Compromised supplier

Risk event:

• System intrusion (use of stolen credentials)
• Information breach (unauthorised access to information)

Consequences:

• Operations (business disruption; loss of supplier)

What factors drive the consequences?

A customer’s master password enables a threat actor to decrypt the copied vault data. Using a weak master password increases not only the likelihood, but also the severity of the attack should they be able to brute force it.

If you are following their recommended password best practices (including 12 character minimum master password length; not reusing that password anywhere else), LastPass say “it would take millions of years to guess your master password using generally-available password-cracking technology”.

What factors drive the frequency?

Businesses or individuals who use LastPass as their password manager may be targeted. The threat actor knows which sites you visit and has your encrypted username and password that could face brute force attempts.

Usernames and passwords of sites that may be attractive to the threat actors, such as those containing sensitive or financial data, are more likely to be targeted.

How may it evolve?

Using the information obtained from the attack on users, we may see an increase in customers being targeted by spear-phishing attacks in the near future as the threat actor will be aware of sites the customer visits and their contact details.

There may also be an increase in brute force attacks. Not only will this be attempted with master passwords, but using their knowledge of the URLs, hashed usernames and passwords, threat actors may attempt to log into the sites you store logins for.

Source:

• External / Criminals, seeking commercial or financial benefit, or
• State-sponsored, for espionage purposes and with interests in furthering national agendas

Risk events:

• Information Breach (unauthorised access to systems; unauthorised access to information)
• System Intrusion (use of stolen credentials)

Consequences:

Potential consequences will depend on the nature of the accounts that each customer has protected using LastPass.

• Financial (unplanned costs; theft of money; theft of data)
• Compliance (regulatory fines)
• Operations (business disruption; other harms)
• Strategic (damaged reputation; embarrassing reporting)

What action is required?

For LastPass business customers who are “not using Federated Login” and whose “master password does not make use of the defaults”, LastPass recommends changing the passwords of every website that every user has stored within their LastPass password vaults.

We recommend that all users of LastPass follow these actions to help protect themselves and their accounts. (For business customers these may need to be applied to each individual user):

1. Confirm if your master password adheres to LastPass’ password best practices?
2. Change your master password (regardless of its strength)
3. Confirm that multi-factor authentication is enabled on your LastPass account
4. Check the password iterations setting for your account is at least 100,100 (310,000 is recommended by OWASP)
5. Consider moving to an alternative password management solution
6. Consider changing the passwords on all sites in your vault (especially if your master password was weak)
7. You may wish to check for data breaches of sites in your vault and sign up for notifications with Have I Been Pwned
8. Be wary of phishing emails, especially any from LastPass.

For further information or assistance in understanding or measuring this risk to your organisation please contact us for a session with one of our cyber risk consultants.

Cydea uses the Open Information Security Risk Universe (OISRU) as a framework and taxonomy for describing information security risks independently of models or methods of analysing risks. Find out more about our contribution to the project on our cydea.tools site.

Photo by regularguy.eth from Unsplash