I have used LastPass for years, so this breach hits closer to home for me.
- LastPass took a long time to say what happened and how bad it was. While we know that incident response can take a while depending on how complex the attack was and how many systems were involved, more than four months is excessive. Since their first notification on September 15th, 2022, the implications have continued to change. The initial notification said the attackers only got access to the development environment, and that the customer vaults were safe and not accessed. On November 30th, 2022, they said the attackers could access certain parts of customer information, but the passwords were secure. On December 22nd, they said the attackers had obtained the customer vaults and customer information, along with the master account email address and the URLs, which were not encrypted. That is a worst-case scenario even with their zero-knowledge architecture.
- The breach data has not been published yet - There hasn't been any breach information published on Raid Forums or the other places on the internet where this data would typically go (that I could find, or that others have said they found). Whoever has the data hasn't shared it through the usual paths, which is important to note. This was also related to a Twilio hack a couple of months before, where they took over particular phone numbers for MFA bypass attacks to gain access to some companies, plus some possible cryptocurrency-related activity. Now this Twilio attack is linking back to the LastPass attack too. The identities behind either attack have not been disclosed, which is vital to note, as what they have accomplished has been eye-opening in the cyber security world. They took over phone numbers so they could bypass MFA, attacked many other companies with those bypasses, did some potential cryptocurrency fraud with it, then took down one of the most prominent password managers out there. These attackers got to the crown jewels, the customer vaults, along with information on the customers that can be weaponized without cracking anything. Could there be separate attackers, teams, countries, or agencies? Yes, but it's impressive nonetheless, based on the scope of these attacks. https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/
- They know your Master Account Email - This will allow them to run all kinds of social engineering attacks, and they know this is where you keep your things.
- They also know your “basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”
- They know the URLs you use, since this field wasn't encrypted (a bad design choice, and one that has been noted in the past). This will allow potential attackers to phish you for the specific sites you have defined, along with knowing who or what you work with. It could also help them pick their next targets based on who or what gets cracked first.
- They have the customer vaults (Passwords, Usernames, and Notes), and if they crack your Master Password, they can decrypt those fields. They say that AES-256 encryption is protecting it, but with a weak Master Password, the chances that they can get in increase exponentially. We know overall, with cyber security, that if you have access to the thing, the likelihood of getting into that thing goes up drastically, and advances in computing have shortened the time window to break something.
What to do if you were a LastPass user?
- If you have a weak Master Password, change it to something longer and make sure it's unique. Keep it memorable.
- I recommend changing it yearly with any password manager. Changing it will not prevent these attackers from getting into whatever they can in the LastPass customer vaults, since they are working from a backup file, but it will re-encrypt your data going forward with the new password. If your master account password is cracked, everything in LastPass should be considered compromised.
- If you don’t have MFA enabled on your account, ensure it’s enabled. Any password manager should have this enabled. You don’t want just a username and password to protect all your other usernames and passwords.
- We recommend checking your password iterations setting to ensure it's 100,100 or higher and not still at the old default of 5,000, which may be the case depending on how long your account has been active. https://support.lastpass.com/help/how-do-i-change-my-password-iterations-for-lastpass
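The iterations setting and the Master Password strength decide the same thing: how much work an attacker holding the vault backup has to do per guess, and how many guesses they need. The following is an added example (not LastPass code) that models this with a PBKDF2-HMAC-SHA256 derivation; it assumes, as a simplification of the published scheme, that the lowercased account email is the salt and the output is a 32-byte key. The throughput figure `guesses_per_second_at_baseline` is a constructed number, not a measurement, and `iterations_ok` is the check from the bullet above.

```python
import hashlib
import string

# Added example, not LastPass's own code. Assumption: PBKDF2-HMAC-SHA256 with the
# lowercased account email as salt and a 32-byte key, a simplified model of the
# scheme LastPass describes; constants come from the article's recommendation.
OLD_DEFAULT_ITERATIONS = 5_000      # value older accounts may still be set to
RECOMMENDED_ITERATIONS = 100_100    # minimum the article recommends


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 32-byte vault key from the master password (assumed scheme)."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def iterations_ok(iterations: int) -> bool:
    """The check from the article: at least 100,100 iterations."""
    return iterations >= RECOMMENDED_ITERATIONS


def work_factor_ratio(iterations: int, baseline: int = OLD_DEFAULT_ITERATIONS) -> float:
    """How many times more work a single guess costs at `iterations` than at `baseline`."""
    return iterations / baseline


def estimated_keyspace(password: str) -> int:
    """Rough keyspace: alphabet implied by the character classes used, raised to the length.
    This over-estimates real-world strength for dictionary words; it is a ceiling, not a floor."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation or c == " " for c in password):
        alphabet += 33
    return alphabet ** len(password)


def crack_seconds(password: str, iterations: int, guesses_per_second_at_baseline: float,
                  baseline: int = OLD_DEFAULT_ITERATIONS) -> float:
    """Worst-case (full keyspace) time for an attacker whose throughput is
    `guesses_per_second_at_baseline` at `baseline` iterations; throughput falls
    in proportion as the iteration count rises, which is the whole point of the setting."""
    rate = guesses_per_second_at_baseline * baseline / iterations
    return estimated_keyspace(password) / rate


if __name__ == "__main__":
    # Constructed inputs: a weak 8-letter password and a long passphrase, with a
    # made-up throughput of one million guesses per second at 5,000 iterations.
    throughput = 1_000_000.0
    for pw in ("abcdefgh", "correct horse battery staple 42"):
        for iters in (OLD_DEFAULT_ITERATIONS, RECOMMENDED_ITERATIONS):
            key = derive_vault_key(pw, "User@Example.com", iters)
            days = crack_seconds(pw, iters, throughput) / 86_400
            print(f"{pw!r:36} iters={iters:>7} ok={iterations_ok(iters)!s:5} "
                  f"key={key.hex()[:16]}... worst-case days={days:.3g}")
```

The takeaway matches the article: raising iterations from 5,000 to 100,100 multiplies the attacker's per-guess cost by about 20, which helps, but the keyspace term is exponential in password length, so a longer unique Master Password is what moves the worst-case time from hours to geological timescales. Changing the iteration count only applies to re-encrypted data going forward; the stolen backup keeps whatever setting it was taken with.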
Other Actions some LastPass users are taking:
- Some people are changing the passwords for every item within their vault (Passwords, MFA Seeds, Secure Notes, Personal Information, and other items stored in the vault). There will be some things you cannot change, like identity-based items.
- Some are changing their master account email address and ensuring a backup email is configured. If you were [email protected], you could change it to something nondescript that you can remember, like [email protected]. Then, if your data is broken into as a whole because of a weak password, or you're just one of the unlucky few, they cannot use the email to attack your current account and possibly take it over. If you protect your account with the steps above and change the stored passwords in the items listed above, you are in a safer spot.
- Some are recreating their account with LastPass with a new master email and then changing all their passwords.
- I have heard of many people changing to other solutions like BitWarden (the only one with a large footprint that hasn't been hacked), and others based on their preferences. If you choose this path, I wouldn't do anything in LastPass other than migrate to the other solution and reset all the passwords and data you can. https://password-managers.bestreviews.net/faq/which-password-managers-have-been-hacked/
Overall, the impact of this on you as an individual or company will vary, and you will ultimately need to decide what to do. These are my security ramblings, with some references that may help you decide what to do next and know what we know thus far. This is still an ever-changing situation, and I will do my best to update this as we learn more.
Raw Main LastPass Risk Summaries:
- https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
- September 15th, 2022 - Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults.
- November 30, 2022 - We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.
- December 22, 2022 - To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.
Father | CTP | EUC vExpert | Speaker | Trainer | Security Nerd at VDISEC | Nashville CUGC Leader |
2 years
Then they released this too, which doesn't talk about master password habits, whether they are strong or not, or master password settings. Changing the master password or adding MFA doesn't protect your secrets. https://support.lastpass.com/help/security-bulletin-recommended-actions-for-free-premium-and-families-customers
Father | CTP | EUC vExpert | Speaker | Trainer | Security Nerd at VDISEC | Nashville CUGC Leader |
2 years
Well, it looks like it just keeps getting worse. https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/
Exploring & Learning
2 years
There are many other password manager alternatives out there that have a clear vision of cybersecurity and use different encryption methods. If anyone needs help choosing a different password manager, I would be glad to help choose one!
Citrix CTP & Network Engineer at Robbins Geller Rudman & Dowd LLP
2 years
One thing I haven't been able to find is what this means for those of us who leverage federated logins into LastPass, and by doing so have non-user-generated master password accounts. LastPass says they split and store the generated master passwords for all fed auth users, but was that repo/db also compromised? If so, was the db that links the 'shards' also compromised?