The world’s most popular password manager, LastPass, has provided more information on its August 2022 cyberattack and data breach. The forensic investigation has confirmed that an unauthorized individual gained access to its internal systems for a period of four days; however, no evidence was found to indicate that an individual or individuals had access to any parts of its network before or after that timeline.
LastPass CEO, Karim Toubba, issued a statement about the cyberattack around 2 weeks after the intrusion was detected and said that the intrusion did not appear to have involved access to customers’ encrypted password vaults and that position has not changed. The investigation has progressed and no evidence has been found that indicates any customer data was accessed or exfiltrated in the attack; however, access was gained to some of the LastPass password manager source code and technical documentation.
The investigation was conducted by the LastPass internal security team and cybersecurity firm Mandiant. It has been reconfirmed that access was only gained to the developer environment, which is logically separated from the production and other environments, so it would not have been possible to access customer data or encrypted vaults. Further, LastPass operates under the zero-knowledge model, which means LastPass employees cannot access the master passwords that are set by its users to protect their encrypted password vaults. Without those master passwords, the passwords in customers’ vaults cannot be decrypted.
The investigation confirmed that access was gained through the compromised device of one of its developers. What is unclear is exactly how that device was compromised. Mandiant said the evidence of how the device was compromised was inconclusive.
LastPass has confirmed that after gaining access to the device, the threat actor managed to gain persistent access which allowed access to continue for four days, with the threat actor successfully impersonating the developer once the developer had authenticated using multifactor authentication. While the source code was accessed, LastPass has confirmed that no changes were made and the source code remains intact, and no evidence was found of code tampering or malicious code injection.
Even if that were the case, developers do not have the authority to push code from the development area to production. Before newly developed code can be moved to production, it must be signed off by the build release team, which is separate from the developers. The build release team scrutinizes the code, which is tested and subjected to a rigorous validation process, before it is released to production.
While the hacking incident appears to have been limited and was quickly contained, it will be an embarrassment to LastPass. This is not the first data breach to hit the password manager, with an earlier breach occurring in 2015. That first breach was more serious and required the company to perform a reset of users’ master passwords.
LastPass has confirmed that the company has been working with another unnamed cybersecurity firm to enhance the safety practices in place to protect its source code and enhancements have been made to its monitoring capabilities. In the event of another intrusion, it should be detected much more promptly.
LastPass has also made changes to its secure software development life cycle processes, vulnerability management, threat modelling, and its bug bounty program. Threat intelligence capabilities have also been enhanced, as has its endpoint security controls, and upgrades have been made to its prevention technologies for both the development and production environments.
While the breach is a concern, it should not deter people from using a password manager. Data breaches are rare and numerous safeguards are in place to protect customer data, and using a password manager has been demonstrated to greatly improve security by helping to eradicate bad password practices, such as password reuse and the setting of weak, easily brute forced passwords.
It is, however, vital for users to set a very strong password for their master password, which should ideally be a passphrase of more than 12 characters. Multi-factor authentication should also be enabled. The best authentication method to add for multifactor authentication is a physical device such as a Yubikey or equivalent, rather than a one-time passcode sent to a mobile device.
In the event of a security breach, users of password managers should act quickly on any security alerts and if a recommendation is made to change master passwords, to make that change a priority.