LastPass was compromised twice last year by the same actor, once in late August 2022 and again on November 30, 2022. On Wednesday, the global password manager company released a report with new findings from its security incident investigation as well as recommended actions for affected users and businesses.
As per LastPass, the hacker first gained access to a software engineer's corporate laptop in August.
The first attack was critical because the information stolen during that initial incident is what the threat actor used to launch the second, coordinated attack, which exploited a vulnerability in a third-party media software package. The second attack targeted the home computer of a DevOps engineer.
“The threat actor was able to capture the employee’s master password as it was entered after the employee authenticated with MFA and gained access to the DevOps engineer’s LastPass corporate vault,” detailed the company's recent security incident report.
LastPass has confirmed that during the second incident the attacker gained access to the company's data vault: cloud-based backup storage containing configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. The LastPass vault also included access to the shared cloud-storage environment that houses the encryption keys for the customer vault backups stored in Amazon S3 buckets, the storage service used for data in the Amazon Web Services cloud environment.
The second attack was laser-focused and carefully planned, as it targeted one of only four LastPass employees with access to the corporate vault. After decrypting the vault, the hacker exported the entries, including the decryption keys required to access the AWS S3 LastPass production backups, other cloud-based storage resources, and related data.
In two security bulletins, LastPass issued instructions to affected users and businesses. The following are the key points from those bulletins. The Security Bulletin: Recommended actions for LastPass free, premium, and families include best practices for master passwords, guidebooks to creating strong passwords, and allowing extra layers of security such as multifactor authentication. Users were also urged to change their passwords.
LastPass master passwords should be between 16 and 20 characters long, include a minimum of one upper and lower case, numeric, symbol, and special character, and be unique — that is, not used on another site. Users can reset LastPass master passwords by following the official LastPass guide.
LastPass also requested that users use the Security Dashboard to check the security score of their current password strength, enable and test the dark web monitoring feature, and enable default MFA. Users are notified when their email addresses appear in dark web forums and sites. To assist businesses that use LastPass, the Security Bulletin: Recommended Actions for LastPass Business Administrators was created exclusively after the event. The more comprehensive guide contains ten points:
- Master password length and complexity.
- The iteration counts for master passwords.
- Super admin best practices.
- MFA shared secrets.
- SIEM Splunk integration.
- Exposure due to unencrypted data.
- Deprecation of Password apps (Push Sites to Users).
- Reset SCIM, Enterprise API, and SAML keys.
- Federated customer considerations.
- Additional considerations.
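The two recommendations the article spells out, master-password length and complexity and the master-password iteration count, are the levers that decide how long a stolen, encrypted vault backup resists offline guessing. The following added example (not LastPass's code; the salt and iteration counts are constructed values, and the PBKDF2-HMAC-SHA256 function stands in for the vault's key derivation) checks a candidate master password against the stated policy and measures how the iteration count changes an attacker's guess rate.

```python
import hashlib
import string
import time

# Policy values as stated in the article: 16-20 characters, at least one
# upper-case letter, lower-case letter, digit and symbol, and not reused.
MIN_LEN, MAX_LEN = 16, 20

def check_master_password(pw: str, reused: frozenset[str] = frozenset()) -> list[str]:
    """Return the policy violations for pw; an empty list means compliant."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} not in {MIN_LEN}-{MAX_LEN}")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if pw in reused:  # "reused" is a constructed set of passwords used elsewhere
        problems.append("reused on another site")
    return problems

def derive_vault_key(pw: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation; salt and iteration count are
    constructed example values, not LastPass's own parameters."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations, dklen=32)

def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Single-core estimate of how fast someone holding a stolen vault
    backup could test candidate master passwords at this iteration count."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)

def years_to_exhaust(charset_size: int, length: int, gps: float) -> float:
    """Worst-case years to try every password of this length at gps guesses/s."""
    return charset_size ** length / gps / (365 * 24 * 3600)

if __name__ == "__main__":
    for iters in (5_000, 100_000):  # constructed example counts
        gps = guesses_per_second(iters)
        print(f"{iters:>7} iterations: {gps:,.0f} guesses/s, "
              f"16 chars of 94 exhaust in {years_to_exhaust(94, 16, gps):.2e} years")
```

Raising the iteration count slows every guess, while each added character multiplies the number of guesses needed, which is why the two recommendations are listed together.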
Super admin LastPass users have access to more features than the average administrator. Following the attacks, the company issued special recommendations for super admin users due to their extensive powers. The following are LastPass super admin recommendations.
LastPass has stated that it is confident that it has taken the necessary steps to limit and eliminate future access to the service; however, according to Wired, the most recent disclosure of LastPass was so concerning that security professionals "started calling for users to switch to other services." LastPass' main competitors are 1Password and Dashlane.
Experts have also questioned LastPass's transparency, pointing out that it fails to date security incident statements and has yet to clarify when the second attack occurred or how long the hacker was inside the system; the amount of time a hacker spends inside a system has a significant impact on the amount of data and systems that can be exploited. (I contacted LastPass for a response but did not receive one.)
The consequences of these recent security incidents are clear to LastPass users. While the company maintains that there is no evidence that the compromised data is being sold or marketed on the dark web, business administrators are left to deal with LastPass' extensive recommendations.
A password-free future
Unfortunately, password manager hacking is not a new phenomenon. Since 2016, LastPass has had security incidents every year, and other top password managers such as Norton LifeLock, Passwordstate, Dashlane, Keeper, 1Password, and RoboForm have been either targeted, breached, or proven to be vulnerable, according to Best Reviews.
Password manager companies are increasingly being targeted by cybercriminals because they store sensitive data that can be used to access millions of accounts, including cloud accounts where business-critical systems and digital assets are hosted. Cybersecurity practices, transparency, breaches, and data exfiltration can all have an impact on the future of these password manager companies in this highly competitive landscape.