CyberSecOp.com

View Original

Password Manager LastPass Breach Update

LastPass Breach Update

As the months pass, more and more information is becoming apparent regarding the LastPass breach that surfaced last August. What at first was thought to be some source code and technical data theft has turned into a rather sophisticated advanced persistent threat (APT) that affects nearly every user of LastPass. Here are some more details:

Back in August of 2022, a threat actor/s got a hold of some source code and internal technical details about LastPass. The actor/group then used that information to hack a LastPass employee (via social engineering or other means) and attain their credentials and security keys to access a cloud-based storage service. While this cloud-based storage service was logically and physically separated from LastPass's central infrastructure and network, it turns out it stored internal and customer-based information, which the threat actor was able to attain and download.

What kind of data are we talking about exactly? According to LastPass, they could download a backup of customer vault data from the encrypted storage container, which is stored in a proprietary format. This included unencrypted data such as website URLs as well as fully-encrypted data such as usernames and passwords and form-filled data.  

 So, in other words, they have the kitchen sink. They have everything.

 It is important to know that the encrypted data is encrypted with the latest 256-bit AES encryption and does require the customer's master password to decrypt. LastPass does not have knowledge of any customer master password, as stated in their 'zero knowledge' architecture. However, if your master password is weak and does not enforce MFA, you must consider your password compromised. You 

must change your master password and enforce MFA immediately. 

If you have a strong password, you may still be the target of social engineering devised to get your master password. LastPass will never ask for your master password.

If anything, this latest security breach of a significant company is more empirical proof that even the biggest and most secure/compliant organizations are not immune to cyber incidents. Vigilance against social engineering, strong passwords and MFA are some of the layers of defense that can protect against this specific incident.

To Do:

  • Change LastPass Master Password to a very strong password or passphrase IMMEDIATELY.

  • Enable MFA IMMEDIATELY

  • Inventory all the applications and passwords you have in your last pass vault and change those. Start with the most sensitive and work your way down.

  • Enable MFA on any application that stores sensitive information- even if it sits behind LastPass

  • Change your mindset to be super extra cautious of social engineering emails -but especially any emails that detail this LastPass breach.

 

Written By: Carlos Neto     12/27/2022