LastPass was hacked twice last year by the same actor; one incident was reported in late August 2022 and the other on November 30, 2022. The global password manager company released a report on Wednesday with new findings from its security incident investigation, along with recommended actions for users and businesses affected.
How the LastPass attacks happened and what was compromised
As reported by LastPass, the hacker initially breached a software engineer’s corporate laptop in August. That first attack was critical because the threat actor leveraged information stolen during it to launch the second, coordinated attack, exploiting a vulnerability in a third-party media software package. The second attack targeted a DevOps engineer’s home computer.
“The threat actor was able to capture the employee’s master password as it was entered after the employee authenticated with MFA and gained access to the DevOps engineer’s LastPass corporate vault,” detailed the company’s recent security incident report.
LastPass has confirmed that during the second incident, the attacker accessed the company’s data vault and cloud-based backup storage — containing configuration data, API secrets, third-party integration secrets and customer metadata — as well as all customer vault data backups. The corporate vault also held access to the shared cloud-storage environment that contains the encryption keys for the customer vault backups stored in Amazon S3 buckets, where user data is kept in the Amazon Web Services cloud environment.
The second attack was highly focused and well-researched, as it targeted one of only four LastPass employees who have access to the corporate vault. After the hacker had the decrypted vault, the cybercriminal exported the entries, including the decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources and related critical database backups.
Security recommendations from LastPass
LastPass issued recommendations for affected users and businesses in two security bulletins. Here are the key details from those bulletins.
The Security Bulletin: Recommended actions for LastPass free, premium, and families includes best practices primarily centered on master passwords, guides to creating strong passwords and enabling extra layers of security such as multifactor authentication. The company also urged users to reset their passwords.
LastPass master passwords should ideally be 16 to 20 characters long, contain at least one uppercase letter, one lowercase letter, one number and one symbol or special character, and be unique — that is, not used on any other site. To reset a LastPass master password, users can follow the official LastPass guide.
LastPass also asked users to use the Security Dashboard to check the security score of their current password strength, to turn on and check the dark web monitoring feature, and to enable default MFA. Dark web monitoring alerts users when their email addresses appear in dark web forums and sites.
The Security Bulletin: Recommended Actions for LastPass Business Administrators was prepared exclusively after the event to help businesses that use LastPass. The more comprehensive guide includes 10 points:
- Master password length and complexity.
- The iteration counts for master passwords.
- Super admin best practices.
- MFA shared secrets.
- SIEM Splunk integration.
- Exposure due to unencrypted data.
- Deprecation of Password apps (Push Sites to Users).
- Reset SCIM, Enterprise API and SAML keys.
- Federated customer considerations.
- Additional considerations.
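As an added illustration of why the master password and iteration count points above matter (this is example code, not anything from LastPass or the article): the script models a LastPass-style client-side key schedule, PBKDF2-HMAC-SHA256 keyed with the master password and salted with the lowercase account e-mail, which is an assumption of this example, and shows that every offline guess against a stolen vault backup costs one full derivation, so the attacker's cost scales linearly with the iteration count.

```python
import hashlib
import time

KEY_LEN = 32  # 256-bit vault key


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    # Assumed LastPass-style scheme: PBKDF2-HMAC-SHA256 with the master password as
    # key material and the normalised e-mail as salt. The key stays on the client.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), iterations, KEY_LEN)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    # Assumed: one extra PBKDF2 round, salted with the password, gives the value the
    # server stores for login; it cannot be turned back into the vault key.
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, KEY_LEN)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    # Wall-clock cost of one derivation on this host. Whoever holds a stolen backup
    # must pay this for every candidate master password they try.
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("constructed-sample-passphrase", "user@example.com", iterations)
    return (time.perf_counter() - start) / samples


def work_ratio(low_iterations: int, high_iterations: int) -> float:
    # PBKDF2 cost is linear in the iteration count: raising a legacy 5,000 to
    # 600,000 makes each guess 120 times more expensive.
    return high_iterations / low_iterations


def guesses_per_day(attacker_cores: int, cost_per_guess: float) -> float:
    # Rough capacity of an attacker running attacker_cores workers as slow as this host.
    return attacker_cores * 86_400 / cost_per_guess


if __name__ == "__main__":
    # Iteration counts chosen for illustration; 600,000 is a commonly cited modern target.
    for iters in (5_000, 100_100, 600_000):
        cost = seconds_per_guess(iters)
        print(f"{iters:>7} iterations: {cost * 1000:8.1f} ms per guess, "
              f"~{guesses_per_day(1000, cost):.2e} guesses/day on 1,000 cores")
    print("work ratio 5,000 -> 600,000:", work_ratio(5_000, 600_000))
```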
Super admin LastPass users have additional privileges that go beyond the average administrator. Given their extensive powers, the company issued special recommendations for super admin users after the attacks. LastPass super admin recommendations include the following.
- Follow master password and iterations best practices: Ensure that your super admin users have strong master passwords and strong iteration counts.
- Review super admins with “Permit super admins to reset master passwords” policy rights: If the policy to permit super admins to reset master passwords is enabled, and users identify super admins with a weak master password and/or low iterations, their LastPass tenant may be at risk. These must be reviewed.
- Conduct security review: Businesses should conduct comprehensive security reviews to determine further actions for their LastPass Business account.
- Post-review actions: Identify at-risk super admin accounts. Where super admins are found to have a weak master password or a low iteration count, take the following actions:
- Federated login customers: Consider de-federating and re-federating all users and request users to rotate all vault credentials.
- Non-federated login customers: Consider resetting user master passwords and request users to rotate all vault credentials.
- Rotation of credentials: LastPass suggests using a risk-based approach to prioritize the rotation of critical credentials in end-user vaults.
- Review super admins with “Permit super admins to access shared folders” rights: Reset the master password if the super admin password is determined to be weak. Rotate credentials in shared folders.
- Investigate MFA: Generate the enabled multifactor authentication report to show users who have enabled an MFA option, including the MFA solutions they are using.
- Reset MFA secrets: For LastPass Authenticator, Google Authenticator, Microsoft Authenticator or Grid, reset all MFA secrets.
- Send email to users: Resetting MFA shared secrets destroys all LastPass sessions and trusted devices. Users must log back in, go through location verification and re-enable their respective MFA apps to continue using the service. LastPass recommends sending an email providing information on the re-enrollment process.
- Communicate: Communicate security incident reports and actions to take. Alert users on phishing and social engineering techniques.
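The "rotation of credentials" and shared-folder points above call for a risk-based order of what to rotate first. The script below is an added example, not LastPass tooling: it scores the rows of a constructed vault export laid out in the CSV column order LastPass exports use (url,username,password,totp,extra,name,grouping,fav, an assumption here) by target sensitivity, password reuse, password length, whether a TOTP seed is stored and shared-folder membership, then lists the rotation order.

```python
import csv
import io
from collections import Counter

# Constructed sample export; none of these rows are real credentials.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://console.aws.amazon.com,admin,Tr0ub4dor&3,,,AWS root console,Cloud,1
https://github.com,dev,gH7$wq!2LmP0xYz#,,,GitHub,Dev,0
https://portal.azure.com,ops,correct-horse-battery-staple-99,JBSWY3DPEHPK3PXP,,Azure portal,Cloud,0
https://news.example.com,reader,Tr0ub4dor&3,,,Newsletter login,Personal,0
https://vpn.example.com,ops,xK9#mQ2$vL7!pR4w,,,Corporate VPN,Shared-Infra,0
"""

# Substrings that mark a privileged or cloud-control-plane target (hypothetical list).
HIGH_VALUE_HINTS = ("aws", "azure", "cloud.google", "vpn", "okta", "github", "admin")


def score_entry(row: dict, reuse_count: int) -> tuple[int, list[str]]:
    """Return a risk score and the reasons behind it for one vault entry."""
    score, reasons = 0, []
    target = f"{row['url']} {row['name']}".lower()
    if any(hint in target for hint in HIGH_VALUE_HINTS):
        score += 3; reasons.append("privileged/cloud target")
    if reuse_count > 1:
        score += 3; reasons.append(f"password reused in {reuse_count} entries")
    if len(row["password"]) < 12:
        score += 2; reasons.append("short password")
    if not row["totp"]:
        score += 1; reasons.append("no TOTP seed stored")
    if row["grouping"].lower().startswith("shared"):
        score += 1; reasons.append("lives in a shared folder")
    return score, reasons


def prioritize(export_text: str) -> list[tuple[int, str, list[str]]]:
    """Parse the export and return (score, name, reasons) from most to least urgent."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    reuse = Counter(r["password"] for r in rows)  # count identical passwords across entries
    ranked = []
    for r in rows:
        score, reasons = score_entry(r, reuse[r["password"]])
        ranked.append((score, r["name"], reasons))
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return ranked


if __name__ == "__main__":
    for score, name, reasons in prioritize(SAMPLE_EXPORT):
        print(f"{score:2d}  {name:<20} {'; '.join(reasons)}")
```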
LastPass alternatives and impact of the hacks
LastPass has expressed confidence that it has taken the necessary actions to contain and eradicate future access to the service; however, according to Wired, the last disclosure of LastPass was so concerning that security professionals rapidly “started calling for users to switch to other services.” Top competitors to LastPass include 1Password and Dashlane.
Experts have also questioned the transparency of LastPass, which fails to date security incident statements and has still not set the record straight on exactly when the second attack happened, nor how much time the hacker was inside the system; the time a hacker has inside a system significantly impacts the amount of data and systems that can be exploited. (I contacted LastPass for a comment, but I did not receive a reply by the time of publication.)
For LastPass users, the consequences of these recent security incidents are evident. While the company assures that there is no indication that the data compromised is being sold or marketed on the dark web, business administrators are left to deal with the extensive recommendations issued by LastPass.
A passwordless future
Unfortunately, the trend of hacking password managers is not new. LastPass has experienced security incidents every year since 2016, and other top password managers like Norton LifeLock, Passwordstate, Dashlane, Keeper, 1Password and RoboForm have been either targeted, breached or proved to be vulnerable, as reported by Best Reviews.
Cybercriminals are increasingly targeting password manager companies because they hold the sensitive data that can be used to access millions of accounts, including cloud accounts where business-critical systems and digital assets are hosted. In this highly competitive landscape, cybersecurity practices, transparency, breaches and data exfiltration can influence the future of these password manager companies.
Despite the fact that the password manager market is expected to reach $7.09 billion by 2028, according to SkyQuest reports, it’s not a surprise that a passwordless future continues to gain momentum, driven by Apple, Microsoft, and Google under the FIDO alliance. Read TechRepublic’s recent interview with 1Password about its plans for a password-free future.