Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

LastPass Admits Customer Data Breach Caused by Previous Breach

December 6, 2022

Naked Security reported on December 2 that LastPass admitted to a data breach caused by a previous breach. Yes, you read that right.

Here’s what happened. In August 2022, password manager company LastPass acknowledged that it suffered a data breach.

The company, owned by software-as-a-service business GoTo, which used to be LogMeIn, published a brief but useful report about that incident a month later.

After investigating, LastPass concluded that the attackers managed to implant malware on a developer’s computer.

With a beachhead on that computer, the attackers waited until the developer had gone through LastPass's authentication process, including presenting any necessary multi-factor authentication credentials, and then "tailgated" them into the company's development systems: riding the developer's already-authenticated session rather than needing the password or MFA codes themselves.

LastPass said that the developer’s account hadn’t given the criminals access to any customer data or to anyone’s encrypted password vaults.

The company admitted that the criminals had made off with LastPass proprietary information, notably including “some of our source code and technical information”, and that they were in the network for four days before they were identified and booted out.

LastPass said that customer passwords backed up on the company's servers never exist in decrypted form in the cloud. The master password used to unscramble your saved passwords is only requested and used in memory on your own devices. So any passwords stored in the cloud are encrypted before they're uploaded, and only decrypted again after they've been downloaded. In other words, even if password vault data had been stolen, it would have been unintelligible to the criminals without the master password.

At the end of November 2022, LastPass admitted that there was more to the story.

According to a security bulletin dated 2022-11-30, the company was recently breached again by attackers “using information obtained in the August 2022 incident”, and this time customer data was stolen.

It appears that, even though the criminals couldn't snoop around in customer records directly from the account of the developer who was infected with malware in August, the internal details they made off with gave them, or someone to whom they sold the data, a route to customer information later on.

LastPass isn’t yet giving out any information about what sort of customer data was stolen, reporting simply that it is “working diligently to understand the scope of the incident and identify what specific information has been accessed”.

All that LastPass has said right now is that “[o]ur customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”

It appears to me that, even if it ultimately turns out that the criminals made off with personal information such as home addresses, phone numbers and payment card details (hoping that’s not the case), customer passwords are still as safe as the master password you originally chose for yourself, which LastPass’s cloud services never ask for or have copies of.
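As an added illustration of the zero-knowledge design described above (keys derived from the master password on the client, the vault encrypted before upload, the cloud holding only ciphertext and a login verifier) and of why a stolen vault is only as safe as its master password, here is a toy model in Python. It is not LastPass's code or its exact parameters: the iteration count, the HMAC-based stream cipher standing in for AES, the sample account and vault contents, and the cracking wordlist are all assumptions constructed for the example.

```python
"""Toy zero-knowledge vault: the client derives keys from the master password,
the cloud stores only ciphertext plus a login verifier, and a thief of the
stored blob can do nothing but brute-force the master password offline."""
import hashlib
import hmac
import json
import os

# Assumed parameters for illustration only; they are not LastPass's real values.
ITERATIONS = 100_000
KEY_LEN = 32


def derive_keys(master_password: str, email: str, iterations: int = ITERATIONS):
    """Client-side key derivation. The vault key never leaves the device; the
    login verifier is a separate one-way value the server is allowed to store."""
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, KEY_LEN)
    # One more one-way step so the stored verifier cannot be used as the vault key.
    login_verifier = hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1, KEY_LEN)
    return vault_key, login_verifier


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for AES so the example needs no
    third-party library. Use a real AEAD such as AES-GCM in production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, entries: dict) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    plaintext = json.dumps(entries, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = _keystream(vault_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(vault_key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes):
    """Return the entries, or None if the key is wrong or the blob was tampered with."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(vault_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(vault_key, nonce, len(ciphertext))
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, stream)))


class CloudServer:
    """What the provider's backend holds: never the master password or the vault key."""

    def __init__(self):
        self.accounts = {}  # email -> (login_verifier, encrypted blob)

    def register(self, email: str, login_verifier: bytes, blob: bytes) -> None:
        self.accounts[email] = (login_verifier, blob)

    def login(self, email: str, login_verifier: bytes) -> bool:
        stored, _ = self.accounts.get(email, (b"", b""))
        return hmac.compare_digest(stored, login_verifier)

    def dump(self) -> dict:
        """Everything a thief of the backend database walks away with."""
        return dict(self.accounts)


def offline_guess(email: str, stolen_blob: bytes, candidates, iterations: int = ITERATIONS):
    """Attacker holding the stolen blob: no server round trips, no lockout or
    rate limiting, just one key derivation per guess. Returns the recovered
    master password, or None if it is not in the candidate list."""
    for guess in candidates:
        key, _ = derive_keys(guess, email, iterations)
        if decrypt_vault(key, stolen_blob) is not None:
            return guess
    return None


def demo(master_password: str) -> dict:
    """Register a constructed account, steal the backend data, attack it offline."""
    email = "user@example.com"            # constructed sample account
    entries = {"bank.example": "hunter2"}  # constructed sample vault
    server = CloudServer()
    vault_key, verifier = derive_keys(master_password, email)
    server.register(email, verifier, encrypt_vault(vault_key, entries))
    stolen = server.dump()[email][1]
    # Constructed wordlist standing in for a real cracking dictionary.
    wordlist = ["123456", "password", "password123", "letmein", "qwerty"]
    return {
        "login_ok": server.login(email, verifier),
        "server_sees_plaintext": b"hunter2" in stolen,
        "round_trip": decrypt_vault(vault_key, stolen) == entries,
        "cracked": offline_guess(email, stolen, wordlist),
    }


if __name__ == "__main__":
    print(demo("password123"))
    print(demo("correct horse battery staple 42"))
```

Run it and the weak master password is recovered from the stolen blob with no contact with the server at all, while the passphrase that is not in the wordlist is not. Nothing in the stolen data reveals the saved passwords; the only thing standing between a thief of the backend database and the plaintext is the cost of guessing, which is why a long, unique master password and a high key-derivation iteration count matter.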

If you’re a LastPass customer, you should keep your eye on the company’s security incident report for updates and be wary until LastPass makes it clear what customer data was compromised.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson