SquidSec Impact Report
Breached data includes
- Backup of customer vault data from encrypted storage which contains both unencrypted data such as website URLs as well as encrypted data
- Customer Account Information
- Company Names
- End Usernames
- Billing Addresses
- Email Addresses
- Telephone Numbers
- Ip Addresses
SquidSec Recommended Action Items
- Reset passwords contained in LastPass storage system (should only be done out of precaution)
- Be highly skeptical of any communications about your LastPass account
- Never give your master password to anyone
- Never reuse your master password for anything
In early August of 2022 an unknown threat actor was able to breach the LastPass cloud storage system. LastPass issued a noticed announcing the breach around two weeks later. On November 30th and December 22nd LastPass CEO released an update to the breach. This is what we know so far.
In August they were addiment that the breached data was limited to their development environment. However, this information was then leveraged to target an employee. That employee had their credentials and keys compromised which was then used to access and decrypt cloud storage volumes.
SquidSec is recommending out of an abundance of caution that any Business LastPass customers have their employees reset passwords stored in LastPass. All LastPass passwords should have been stored using zero knowledge security
However, now that the threat actors have the encrypted data, it’s inevitable that they will attempt to brute force master passwords.
Here’s an example of an attack vector:
- Threat actor gains access to customer emails and have them correlated to encrypted data
- Threat actor checks customer emails against past data breaches and aggregates known breached passwords
- Threat actor then runs a brute force attack against encrypted volumes with breached password list
Now that customer information is available, there will almost certainly be a rash of LastPass phishing campaigns taking place. These campaigns will most likely target companies and C-Levels of these companies in spear phishing attacks. All LastPass users should be highly skeptical of any LastPass communications they receive. They should also never share their master password with anyone.