LastPass releases new security incident disclosure and recommendations

LastPass mobile app icon is seen on an iPhone. LastPass is a freemium password manager that stores encrypted passwords online.
Image: Tada Images/Adobe Stock

LastPass was hacked twice last year by the same actor; one incident was reported in late August 2022 and the other on November 30, 2022. The global password manager company released a report on Wednesday with new findings from its security incident investigation, along with recommended actions for users and businesses affected.

How the LastPass attacks happened and what was compromised

As reported by LastPass, the hacker initially breached a software engineer’s corporate laptop in August. The first attack was critical because the information the threat actor stole during that initial security incident enabled the second one. Exploiting a vulnerability in a third-party media software package, the bad actor then launched the second, coordinated attack, which targeted a DevOps engineer’s home computer.

“The threat actor was able to capture the employee’s master password as it was entered after the employee authenticated with MFA and gained access to the DevOps engineer’s LastPass corporate vault,” detailed the company’s recent security incident report.

LastPass has confirmed that during the second incident, the attacker accessed the company’s data vault, cloud-based backup storage containing configuration data, API secrets, third-party integration secrets, customer metadata and all customer vault data backups. The LastPass vault also includes access to the shared cloud-storage environment that contains the encryption keys for customer vault backups stored in Amazon S3 buckets where users store data in their Amazon Web Services cloud environment.

The second attack was highly focused and well-researched, as it targeted one of only four LastPass employees who have access to the corporate vault. After the hacker had the decrypted vault, the cybercriminal exported the entries, including the decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources and related critical database backups.

Security recommendations from LastPass

LastPass issued recommendations for affected users and businesses in two security bulletins. Here are the key details from those bulletins.

The Security Bulletin: Recommended actions for LastPass free, premium, and families includes best practices primarily centered on master passwords, guides to creating strong passwords and enabling extra layers of security such as multifactor authentication. The company also urged users to reset their passwords.

LastPass master passwords should ideally be 16 to 20 characters long, contain at least one uppercase letter, one lowercase letter, one number and one symbol or special character, and be unique, that is, not used on another site. To reset LastPass master passwords, users can follow the official LastPass guide.

LastPass also asked users to use the Security Dashboard to check the security score of their current password strength, to turn on and check the dark web monitoring feature, and to enable default MFA. Dark web monitoring alerts users when their email addresses appear in dark web forums and sites.

The Security Bulletin: Recommended Actions for LastPass Business Administrators was prepared exclusively after the event to help businesses that use LastPass. The more comprehensive guide includes 10 points:

  • Master password length and complexity.
  • The iteration counts for master passwords.
  • Super admin best practices.
  • MFA shared secrets.
  • SIEM Splunk integration.
  • Exposure due to unencrypted data.
  • Deprecation of Password apps (Push Sites to Users).
  • Reset SCIM, Enterprise API and SAML keys.
  • Federated customer considerations.
  • Additional considerations.

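The master-password criteria from the consumer bulletin (length, character classes, uniqueness) and the business bulletin's "iteration counts for master passwords" point can both be checked mechanically. The following Python is an added example, not LastPass code: it models vault-key derivation as PBKDF2-HMAC-SHA256 and assumes 600,000 as the minimum acceptable iteration count (OWASP's current PBKDF2-HMAC-SHA256 guidance; the article itself gives no number), and it shows why a low count matters once a vault backup has been stolen.

```python
import hashlib
import string
import time

MIN_LENGTH = 16        # bulletin: 16+ chars, upper, lower, digit, symbol, not reused
MIN_ITERATIONS = 600_000  # assumed threshold (OWASP PBKDF2-HMAC-SHA256 guidance)


def check_master_password(password, iterations, reused_elsewhere=False):
    """Return policy findings; an empty list means the password passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        findings.append("no uppercase letter")
    if not any(c.islower() for c in password):
        findings.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        findings.append("no digit")
    if not any(c in string.punctuation for c in password):
        findings.append("no symbol")
    if reused_elsewhere:
        findings.append("reused on another site")
    if iterations < MIN_ITERATIONS:
        findings.append(f"iteration count {iterations} below {MIN_ITERATIONS}")
    return findings


def derive_vault_key(password, salt, iterations):
    """Vault-key derivation modelled as PBKDF2-HMAC-SHA256 (an assumption);
    the salt stands in for the account identifier a vault would use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                               iterations, dklen=32)


def guesses_per_second(password, salt, iterations, samples=3):
    """Offline guesses one CPU core can test per second against a stolen
    backup at this iteration count; a higher count slows cracking in step."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key(password, salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print("weak:", check_master_password("password123", iterations=5_000))
    print("strong:", check_master_password("Tr4il-Lantern!Mossy-Quartz", 600_000) or "passes")
    for n in (5_000, 100_100, 600_000):
        print(f"{n:>7} iterations: ~{guesses_per_second('x', 'salt', n):.0f} guesses/s/core")
```

Run it to see how many guesses per second a single core manages at each iteration count; the ratio between the low and high counts is the factor by which a stronger setting slows an offline attack on a stolen backup.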
Super admin LastPass users have additional privileges that go beyond the average administrator. Given their extensive powers, the company issued special recommendations for super admin users after the attacks. LastPass super admin recommendations include the following.


  • Follow master password and iterations best practices: Ensure that your super admin users have strong master passwords and strong iteration counts.

  • Review super admins with “Permit super admins to reset master passwords” policy rights: If the policy to permit super admins to reset master passwords is enabled, and users identify super admins with a weak master password and/or low iterations, their LastPass tenant may be at risk. These must be reviewed.

  • Conduct security review: Businesses should conduct comprehensive security reviews to determine further actions to take on a LastPass Business account.

  • Post-review actions: Identify at-risk super admin accounts; super admins found to have a weak master password or iteration count should take the following actions:

    • Federated login customers: Consider de-federating and re-federating all users and request users to rotate all vault credentials.

    • Non-federated login customers: Consider resetting user master passwords and request users to rotate all vault credentials.

  • Rotation of credentials: LastPass suggests using a risk-based approach to prioritize the rotation of critical credentials in end-user vaults.

  • Review super admins with “Permit super admins to access shared folders” rights: Reset the master password if the super admin password is determined to be weak. Rotate credentials in shared folders.

  • Investigate MFA: Generate the enabled multifactor authentication report to show users who have enabled an MFA option, including the MFA solutions they are using.

  • Reset MFA secrets: For LastPass Authenticator, Google Authenticator, Microsoft Authenticator or Grid, reset all MFA secrets.

  • Send email to users: Resetting MFA shared secrets destroys all LastPass sessions and trusted devices. Users must log back in, go through location verification and re-enable their respective MFA apps to continue using the service. LastPass recommends sending an email providing information on the re-enrollment process.

  • Communicate: Communicate security incident reports and actions to take. Alert users on phishing and social engineering techniques.

LastPass alternatives and impact of the hacks

LastPass has expressed confidence that it has taken the necessary actions to contain and eradicate future access to the service; however, according to Wired, the last disclosure of LastPass was so concerning that security professionals rapidly “started calling for users to switch to other services.”

Top competitors to LastPass include 1Password and Dashlane.

SEE: Bitwarden vs 1Password | Keeper vs LastPass (TechRepublic)

Experts have also questioned the transparency of LastPass, which fails to date its security incident statements and has still not set the record straight on exactly when the second attack happened, nor how much time the hacker was inside the system. The time a hacker has inside a system significantly impacts the amount of data and systems that can be exploited. (I contacted LastPass for a comment, but I did not receive a reply by the time of publication.)

For LastPass users, the consequences of these recent security incidents are evident. While the company assures that there is no indication that the data compromised is being sold or marketed on the dark web, business administrators are left to deal with the extensive recommendations issued by LastPass.

A passwordless future

Unfortunately, the trend of hacking password managers is not new. LastPass has experienced security incidents every year since 2016, and other top password managers like Norton LifeLock, Passwordstate, Dashlane, Keeper, 1Password and RoboForm have been either targeted, breached or proved to be vulnerable, as reported by Best Reviews.

Cybercriminals are increasingly targeting password manager companies because they hold the sensitive data that can be used to access millions of accounts, including cloud accounts where business-critical systems and digital assets are hosted. In this highly competitive landscape, cybersecurity practices, transparency, breaches and data exfiltration can influence the future of these password manager companies.

Despite the fact that the password manager market is expected to reach $7.09 billion by 2028, according to SkyQuest reports, it’s not a surprise that a passwordless future continues to gain momentum, driven by Apple, Microsoft, and Google under the FIDO alliance. Read TechRepublic’s recent interview with 1Password about its plans for a password-free future.
