LastPass Announces All Data Was Stolen In New Security Breach
The popular password management solution LastPass, has announced another in a series of security breaches that began in August 2022 when an employee responded to a phishing attack, giving malicious actors access to the LastPass network. In previous incidents LastPass maintained that only source code was accessed and no customer data was stolen. In this latest incident however, they have announced that ALL of the data they store was stolen, including user data stores.
According to the December 22nd 2022 BLOG post, information gained during the first attack in August was used to craft another successful phishing campaign that resulted in the latest attack. In this security breach attackers were able to access cloud based data backups and steal the complete LastPass data store which contained all data possessed by LastPass.
While LastPass has portrayed the latest incident as a separate attack, this appears to be merely the latest version of an on-going attack. The mis-characterization of the incident is one of a number of questionable behaviors by LastPass in response to this incident. Rather than responding in a way that would best serve their user base and the cyber community, LastPass appears to be handling this from a PR perspective. Thus, many critical details around the event such as when it happened have not been provided.
Based on what we know about this and previous events though, we can surmise the following things:
- Malicious actors have a full copy of all data stored by LastPass including user data
- Malicious actors have copies of LastPass source code
- Malicious actors have privileged access into the LastPass network
- LastPass employees have repeatedly allowed malicious entry into the network by responding to phishing campaigns
- LastPass has handled these situations in the worst ways and with questionable tactics
I Thought LastPass Encrypts My Data So They Have Zero Knowledge?
LastPass has long promoted the idea that all user data is stored encrypted so they don’t have access to user credentials. This is misleading however, as only the password and notes fields are encrypted, all other data is clear text. This means that the malicious actors know exactly what websites you visit, exactly what your usernames are, how often your passwords are reset, and possibly token and certificate strings that can grant single click sign-on.
What Should I Do?
If you are a current LastPass user, at a minimum you should immediately reset your master password and ALL passwords and credentials that were stored in LastPass. You have to assume that your encrypted password can be brute forced based on the information that was stolen.
If you use the LastPass Authenticator application, We recommend immediately moving to another authenticator application such as Google, Microsoft or DUO.
Long term Rocky Mountain Cybersecurity recommends moving to another password solution as soon as possible, and we would be happy to help you with your migration to a more secure password solution.
Contact Rocky Mountain Cybersecurity today! 307-288-0222 – firstname.lastname@example.org