LastPass was hacked twice last year by the same actor. One incident was reported in late August 2022 and the other on November 30, 2022. The global password management company released a report on Wednesday with new findings from its security incident investigation, along with recommended actions for affected users and businesses.
How the LastPass attacks happened and what was compromised
As reported by LastPass, the hacker first breached a software engineer’s corporate laptop in August. The first attack was critical because the threat actor later leveraged the information stolen during that initial incident. Exploiting a vulnerability in a third-party media software package, the attacker then launched the second, coordinated attack, which targeted a DevOps engineer’s home computer.
“The threat actor was able to capture the employee’s master password as it was entered after the employee authenticated with MFA and gained access to the DevOps engineer’s LastPass corporate vault,” the company’s recent security incident report details.
LastPass confirmed that during the second incident, the attacker had access to the company’s cloud-based backup storage — containing configuration data, API secrets, third-party integration secrets, customer metadata — and backups of all customer vault data. The attacker also had access to the LastPass corporate vault, which contained the encryption keys for the customer vault backups stored in Amazon S3 buckets in the Amazon Web Services cloud environment.
The second attack was highly focused and well-researched, targeting one of only four LastPass employees with access to the corporate vault. Once the hacker had the decrypted vault, the cybercriminal extracted the entries, including the decryption keys needed to access AWS S3 LastPass production backups, other cloud-based storage resources, and related critical database backups.
Security recommendations from LastPass
LastPass issued recommendations for affected users and businesses in two security bulletins. Here are the key details from these bulletins.
The Security Bulletin: LastPass Free, Premium, and Family Recommended Actions includes best practices that focus primarily on master passwords, guides to creating strong passwords, and enabling additional layers of security such as multi-factor authentication. The company also urged users to reset their passwords.
LastPass master passwords should ideally be 16 to 20 characters long, contain at least one uppercase letter, one lowercase letter, one number and one symbol or special character, and be unique — that is, not used on any other site. To reset a LastPass master password, users can follow the official LastPass guide.
LastPass also asked users to use the Security Dashboard to check the security score of their current password strength, enable and review the dark web tracking feature, and enable MFA by default. Dark web monitoring alerts users when their email addresses appear on dark web forums and sites.
The Security Bulletin: Recommended Actions for LastPass Business Administrators was prepared specifically after the event to help businesses using LastPass. This more comprehensive guide covers 10 points:
- Master password length and complexity.
- Iteration counts for master passwords.
- Super admin best practices.
- MFA shared secrets.
- Splunk SIEM integration.
- Exposure due to unencrypted data.
- Remove password applications (Push Sites to Users).
- Reset your SCIM, Enterprise API and SAML keys.
- Federated customer issues.
- Additional considerations.
LastPass super admin users have privileges beyond those of an average admin. Given their extensive powers, the company issued special recommendations for super admin users following the attacks. The LastPass super admin recommendations include the following.
- Follow master password and iteration best practices: Make sure your super admins have strong master passwords and high iteration counts.
- Check super admins with “Allow super admins to reset master passwords” policy permissions: If the policy that allows super admins to reset master passwords is enabled and administrators identify super admins with a weak master password and/or a low iteration count, the LastPass tenant may be at risk. These accounts need to be reviewed.
- Perform a security assessment: Businesses should conduct an extensive security assessment to determine further actions on their LastPass business account.
- Actions after assessment: Identify high-risk super admin accounts, and for super admins who have a weak master password or a low iteration count take the following actions:
  - Federated customers: Consider de-federating and re-federating all users and requiring users to rotate all vault credentials.
  - Non-federated customers: Consider resetting users’ master passwords and requiring users to rotate all vault credentials.
  - Rotate credentials: LastPass recommends using a risk-based approach to prioritize rotating critical credentials in end-user vaults.
- Check super admins with “Allow super admins to access shared folders” permissions: Reset the master password if the super admin’s password is found to be weak. Rotate the credentials in shared folders.
- MFA investigation: Generate the Multi-Factor Authentication Enabled report to show which users have enabled an MFA option, including the MFA solutions they are using.
- Reset MFA secrets: For LastPass Authenticator, Google Authenticator, Microsoft Authenticator, or Grid, reset all MFA secrets.
- Send email to users: Resetting shared MFA secrets destroys all LastPass sessions and trusted devices. Users must sign in again, go through location verification, and re-enable their respective MFA apps to continue using the service. LastPass recommends sending an email explaining the re-enrollment process.
- Communicate: Share security incident reports and the actions to take. Alert users about phishing and social engineering techniques.
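The master password policy and the iteration-count review above both come down to one question: how expensive is an offline guess against a stolen vault backup? The following Python is an added illustration, not LastPass’s code or anything from the bulletins. It checks a candidate master password against the stated policy, models vault-key derivation as PBKDF2-HMAC-SHA256 salted with the account email (an assumption modelled on LastPass’s published design), and triages a constructed list of admin accounts the way the super admin recommendations describe; the 600,000 threshold in `main` is the current OWASP figure for PBKDF2-HMAC-SHA256, since the article gives no number.

```python
import hashlib
import string

SYMBOLS = set(string.punctuation)


def check_master_password(password, reused_passwords=frozenset()):
    """Policy from the LastPass bulletin: at least 16 chars, upper, lower, digit,
    symbol, and not reused elsewhere. Returns a list of violations (empty = passes)."""
    problems = []
    if len(password) < 16:
        problems.append("shorter than 16 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    if password in reused_passwords:
        problems.append("reused on another site")
    return problems


def derive_vault_key(master_password, email, iterations):
    """Assumed model of the vault key: PBKDF2-HMAC-SHA256 keyed by the master password
    and salted with the lower-cased account email. Whoever holds a stolen backup must
    repeat this per guess, so the iteration count sets the offline cracking cost."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, 32)


def triage_super_admins(accounts, min_iterations, reset_policy_enabled):
    """Flag super admins whose weak master password (e.g. a low Security Dashboard
    score) or low iteration count puts the tenant at risk. Returns (email, note) pairs."""
    findings = []
    for acct in accounts:
        if not acct["is_super_admin"]:
            continue
        reasons = []
        if acct["iterations"] < min_iterations:
            reasons.append(f"iterations {acct['iterations']} below {min_iterations}")
        if acct["weak_master_password"]:
            reasons.append("weak master password")
        if reasons:
            action = "reset master password, rotate vault and shared-folder credentials"
            if reset_policy_enabled:
                action += "; 'Allow super admins to reset master passwords' widens the blast radius"
            findings.append((acct["email"], "; ".join(reasons) + " -> " + action))
    return findings


SAMPLE_ACCOUNTS = [  # constructed sample data, not from the article
    {"email": "alice@example.com", "is_super_admin": True, "iterations": 100100, "weak_master_password": False},
    {"email": "bob@example.com", "is_super_admin": True, "iterations": 5000, "weak_master_password": True},
    {"email": "carol@example.com", "is_super_admin": False, "iterations": 5000, "weak_master_password": True},
]

if __name__ == "__main__":
    print(check_master_password("Correct-Horse-Battery-9"))
    for email, note in triage_super_admins(SAMPLE_ACCOUNTS, 600000, True):
        print(email, note)
```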
LastPass alternatives and impact of hacks
LastPass has expressed confidence that it has taken the necessary steps to limit and eliminate future access to the service. However, according to Wired, LastPass’ latest revelation was so alarming that security professionals “quickly began asking users to switch to other services.” Top competitors to LastPass include 1Password and Dashlane.
Experts have also questioned the transparency of LastPass, which has not disclosed exactly when the second attack occurred or how long the hacker was inside the system. The amount of time an attacker has inside a system greatly affects the amount of data and the number of systems that can be exploited. (I reached out to LastPass for comment, but did not hear back by the time of publication.)
For LastPass users, the implications of these recent security incidents are obvious. While the company assures that there is no indication that the compromised data is being sold or marketed on the dark web, business managers are left to deal with the extensive recommendations issued by LastPass.
A password-free future
Unfortunately, the trend of hacking password managers is not new. LastPass has experienced security incidents every year since 2016, and other leading password managers such as Norton LifeLock, Passwordstate, Dashlane, Keeper, 1Password, and RoboForm have either been targeted, hacked, or found to be vulnerable, as reported by Best Reviews.
Cybercriminals are increasingly targeting password management companies because they hold sensitive data that can be used to access millions of accounts, including cloud accounts where business-critical systems and digital assets are hosted. In this highly competitive landscape, cybersecurity practices, transparency, data breaches and penetration can affect the future of these password management companies.
Although the password management market is expected to reach $7.09 billion by 2028, according to SkyQuest, it’s no surprise that a password-free future continues to gain momentum, led by Apple, Microsoft and Google as part of the FIDO Alliance. Read TechRepublic’s recent interview with 1Password about its plans for a password-free future.