Password manager company LastPass gave an update of its security incident from August, which prompted security researchers to tell admins that they really need to take steps to protect their environments.
“This is certainly a worrying hack,” said Casey Ellis, founder and CTO at Bugcrowd. “Users of LastPass are encouraged to change their master passwords, as well as any 2FA keys they may have saved in their database, and then, ideally, work back and rotate passwords beginning with the most important services, such as email, banking account, code repos, and company passwords.
Ellis added while attribution to the same or a different threat actor isn't part of the notification, it struck him as noteworthy that LastPass drew attention to the use of information from the August 2022 incident in this one.
“Secondary breaches, and the use of harvested credentials purchased through Initial Access Brokers (as in, for example, the recent Uber breach), are on the rise and should be taken into account by defenders,” said Ellis.
In a Dec. 22 blog post to customers, LastPass said that based on its investigation to date, it learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident LastPass first disclosed in August.
“While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service,” LastPass wrote in the blog.
Dan Benjamin, co-founder and CEO at Dig Security, said the series of LastPass breaches point to the critical need to prioritize cloud data security and implement stronger security measures to protect customer data. Benjamin said the legacy approach to data security has proven ineffective in modern IT environments time and time again.
“The latest LastPass breach originated in the cloud — no endpoint or on-prem device could have detected the incident,” Benjamin said. “What’s more is that LastPass reported its most recent breach nearly a month ago, but at the time of the attack, could not tell whether customer data was breached. Visibility into data — what is included, where it is located, if it was impacted, and who accessed it — is critical for swift and effective breach response and to prevent further damage.
John Bambenek, principal threat hunter at Netenrich, added that the loss of the source code didn’t concern him. Bambenek said if anything, having the source essentially public let’s their claims of zero knowledge vetted in a similar way that encryption algorithms should be made public for assurance purposes.
“Capturing the encrypted databases is more problematic as this means all the attacker needs now is to send targeted phishes to people to get that password,” said Bambenek. “Password managers are essentially the single point of compromise for an individual and an attacker being able to walk with some of the databases, and it not being known and public for months, concerns me greatly.”