LastPass Breach Update

SquidSec Impact Report

Breached data includes

  • Backup of customer vault data from encrypted storage, which contains both unencrypted data (such as website URLs) and encrypted data
  • Customer Account Information
    • Company Names
    • End-User Names
    • Billing Addresses
    • Email Addresses
    • Telephone Numbers
    • IP Addresses

SquidSec Recommended Action Items

  • Reset passwords contained in the LastPass storage system (as a precaution)
  • Be highly skeptical of any communications about your LastPass account
  • Never give your master password to anyone
  • Never reuse your master password for anything


Breach Summary

In early August of 2022 an unknown threat actor was able to breach the LastPass cloud storage system. LastPass issued a notice announcing the breach around two weeks later. On November 30th and December 22nd the LastPass CEO released updates on the breach. This is what we know so far.

In August they were adamant that the breached data was limited to their development environment. However, information taken in that breach was then leveraged to target an employee. That employee's credentials and keys were compromised and were then used to access and decrypt cloud storage volumes.

“To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

LastPass CEO, Karim Toubba

SquidSec is recommending, out of an abundance of caution, that any business LastPass customers have their employees reset passwords stored in LastPass. All LastPass passwords should have been stored using zero-knowledge security.

However, now that the threat actors have the encrypted data, it's inevitable that they will attempt to brute-force master passwords.

Here’s an example of an attack vector:

  1. Threat actor gains access to customer email addresses and correlates them with the encrypted vault data
  2. Threat actor checks those email addresses against past data breaches and aggregates the known breached passwords
  3. Threat actor then runs a brute-force attack against the encrypted vaults using the breached password list

Now that customer information is available, there will almost certainly be a rash of LastPass phishing campaigns. These campaigns will most likely target companies, and C-level executives at those companies, with spear-phishing attacks. All LastPass users should be highly skeptical of any LastPass communications they receive. They should also never share their master password with anyone.
