Update 14th February
The password manager organisation, LastPass, has published a statement on a related security incident pertaining to a data breach. The company detected unusual activity in a third-party cloud storage service, shared by both LastPass and its affiliate, GoTo.
In August 2022, a compromised developer account was used to access source code and proprietary LastPass technical data. The threat actor obtained internal access for a four-day period prior to being ejected from the network.
LastPass has stressed that sensitive vault data, such as usernames, passwords, secure notes, attachments, and form-fill fields remain encrypted and so cannot be accessed due to the implementation of their zero-knowledge architecture.
The threat actor did not obtain the key fragments stored in customers' Identity Providers' or LastPass' infrastructure; these fragments were not included in the backup copies that were obtained, which contained customer vaults.
The threat actor was able to gain access to specific elements of customer data. However, details pertaining to passwords specifically were unaffected.
- GoTo (formerly LogMeIn)
Containment, Mitigations & Remediations
LastPass outlined the recommended configuration of the following default master password settings and associated best practices:
- LastPass currently requires a twelve-character minimum for master passwords, which minimises the potential success of brute force password attempts
- LastPass has implemented 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2). This is a password-strengthening (key-stretching) algorithm that makes each guess of a LastPass master password expensive to compute. The current number of PBKDF2 iterations for a LastPass account can be determined at the relevant LastPass support page.
- LastPass also recommends that the master password is never to be used for account access on alternative websites. If a master password is reused and that password was ever compromised, a threat actor may obtain dumps of compromised credentials, on the internet, to attempt to access the relevant account. This is known as a “credential stuffing” attack.
If the above default settings are applied, LastPass reiterated that it would theoretically take many years for a threat actor to crack the master password using current password-cracking technology.
However, if the above recommended settings are not applied, significantly fewer attempts would be required to crack the password. In such a case, LastPass emphasised that, to minimise the associated risk, the passwords of stored websites should be changed.
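To make the two settings above concrete, the following added example (written for this bulletin, not LastPass code) stretches a master password with PBKDF2-HMAC-SHA256 and compares the worst-case brute-force cost of a 12-character password at a low iteration count against the 100,100 iterations quoted above. The use of the account e-mail as salt, the 5,000-iteration "weak" setting and the attacker guess rate are assumptions chosen for illustration.

```python
import hashlib
import time

# Assumptions for this illustration (not taken from the bulletin):
# the vault key is PBKDF2-HMAC-SHA256 over the master password, salted
# with the lower-cased account e-mail, producing a 256-bit key.
ITERATIONS_DEFAULT = 100_100   # iteration count quoted in the bulletin
ITERATIONS_WEAK = 5_000        # constructed low setting for comparison
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def pbkdf2_evaluations(password_length: int, alphabet_size: int, iterations: int) -> int:
    """Worst-case HMAC evaluations needed to exhaust a random password's keyspace."""
    return alphabet_size ** password_length * iterations


def years_to_exhaust(password_length: int, alphabet_size: int,
                     iterations: int, hmac_per_second: float) -> float:
    """Worst-case brute-force time in years at the given attacker HMAC rate."""
    seconds = pbkdf2_evaluations(password_length, alphabet_size, iterations) / hmac_per_second
    return seconds / SECONDS_PER_YEAR


def main() -> None:
    # Constructed sample account; never use a real master password here.
    email, password = "user@example.com", "correct horse battery staple"
    for iters in (ITERATIONS_WEAK, ITERATIONS_DEFAULT):
        t0 = time.perf_counter()
        derive_vault_key(password, email, iters)
        print(f"{iters:>7} iterations: {time.perf_counter() - t0:.3f}s per guess on this host")
    # 12 random printable-ASCII characters (95 symbols), attacker at an
    # assumed 1e12 HMAC/s: the iteration count scales the cost linearly.
    for iters in (ITERATIONS_WEAK, ITERATIONS_DEFAULT):
        print(f"{iters:>7} iterations: {years_to_exhaust(12, 95, iters, 1e12):.3e} years")


if __name__ == "__main__":
    main()
```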
The above applies to both personal and business users. Moreover, due to the threat actor not having access to the key fragments (as noted in the Impact section of this bulletin), business users of LastPass that have implemented the Federated Login Services do not need to take any additional actions.
In response to the security incident, LastPass eradicated any further potential access to their development environment by pursuing the following security posture alterations:
- Decommissioning of the environment in its entirety and rebuilding a new environment
- Replacement and further hardening of developer machines, processes, and authentication mechanisms
- Addition of extra logging and alerting capabilities to help detect any further unauthorised activity, including a second line of defence with a leading managed endpoint detection and response vendor to supplement LastPass' own team
- Continuation of plans to execute a new set of development and production environments
- Rotation of all relevant credentials and certificates that may have been affected and supplementing existing endpoint security.
- Analysis of every account with signs of any suspicious activity within the cloud storage service.
Indicators of Compromise
No specific Indicators of Compromise (IoC) are available at this time.
Password managers and other secret stores are high-value targets as their compromise could allow a threat actor to pivot to other systems.
In the case of the security incident reported on, the architectural design of LastPass means that even direct access to their customer data would not grant access to the secrets. The attack in August did involve code repositories and if undetected could have led to code tampering. However, their incident response ruled out that possibility.
No attribution to specific threat actors or groups has been identified at the time of writing.
T1078.004 – Valid Accounts: Cloud Accounts
T1110 – Brute Force
T1555 – Credentials from Password Stores
1st December 2022
Password manager company LastPass has published a statement on a recent security incident. The company detected unusual activity in a third-party cloud storage service, shared by both LastPass and its affiliate, GoTo.
In August, a compromised developer account was used to access source code and some proprietary LastPass technical information. The attackers had internal access for four days before being expelled from the network.
The company stresses that password information cannot be accessed due to their zero-knowledge architecture.
An unauthorised party was able to gain access to certain elements of customer information but passwords are unaffected.
- GoTo (formerly LogMeIn)
Password managers and other secret stores are high-value targets as their compromise could allow a threat actor to pivot to other systems. In this case the architectural design of LastPass means that even direct access to their customer data does not grant access to the secrets. The attack in August did involve code repositories and if undetected could have led to code tampering but their incident response ruled out that possibility.
Unknown at this time.
T1078.004 – Valid Accounts: Cloud Accounts