Project Hyphae

The lightly salted and hashed saga of the LastPass compromise.


As you may have heard, LastPass and its parent company GoTo have found themselves in a less than optimal situation. Rather than start with their latest announcement concerning what was taken, let’s go back in time, to August 2022, when it all began…

August 25th, 2022 – LastPass publishes a blog post informing its users that 2 weeks prior they had detected unusual activity in their development environment. A single user account had been compromised, giving an unauthorized party access to portions of the LastPass development environment. Their investigation showed the unauthorized party “took portions of source code and some proprietary LastPass technical information”. They assured users that no customer data or encrypted password vaults had been compromised and that customers didn’t need to take any action because they had no indications that user data had been accessed.

September 15, 2022 – LastPass publishes an update to their original blog post stating it had completed its investigation. Their dev environment had been accessed through a compromised endpoint, and the compromise lasted only 4 days. During this time the unauthorized party was only able to access the LastPass dev environment, because the production environment is physically separate and not accessible from the dev environment. Since no customer data or vaults are stored in the dev environment, users’ data was safe from being taken. The update also included a reminder that their Zero Knowledge security model protects the contents of vaults, since only the customer knows the Master Password to their encrypted vault. A comparison against code from prior to the compromise was completed to rule out any changes, code poisoning, or malicious code injection. Enhanced security controls and monitoring were deployed to both their Production and Development environments.

November 30, 2022 – LastPass publishes another update stating that unusual activity had been detected again, but this time in a third-party hosted cloud storage service. The unauthorized party had used information taken in the August 2022 compromise of the LastPass development environment to access the third-party cloud storage service. This cloud storage is shared with their parent company GoTo, and the data accessed included “certain elements of our customers’ information”. Additional security measures and monitoring were deployed as they continued to investigate. The blog post finishes with a reminder that their Zero Knowledge security model means their customers’ data remains securely encrypted and that LastPass products and services were still fully functional, a link to their best practices for creating a LastPass vault, and a note thanking their customers for their patience.

December 22, 2022 – LastPass updates their updated post to include some findings from their continued investigation. The shared third-party cloud storage service that was compromised was used to store archived backups of their production environment. Source code and technical information taken during the August 2022 incident were used to target another employee, obtaining credentials and keys (cloud storage access and dual storage container decryption) to access and decrypt storage volumes in the third-party cloud storage service. Using these, the threat actor (upgraded name from “unauthorized party” in previous posts) copied data from the archived backups that included basic customer account information and related metadata: company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

A backup of customer vault data was also taken. These backups included both unencrypted and encrypted data. Unencrypted data includes website URLs, while the encrypted data includes the important stuff: secure notes, form-filled data, and usernames/passwords. Because of this, LastPass warned that the threat actor would likely use offline brute-force attempts to obtain the master password of the encrypted vaults, but noted success would be unlikely due to their encryption algorithms, assuming customers followed their password best practices guidelines. They recommended no actions be taken for customers that were already following their best practices, and notified a small number of business customers based on their specific account configurations.

Go here to read the full blog post from LastPass:

What do you do now? For good measure, the optimal strategy would be to reset your LastPass master password and any passwords stored in your vault. As is noted in the post, it is “unlikely” that the threat actor will be able to crack strong passwords to gain access to the vault, but there’s absolutely nothing wrong with going the extra mile here. If your organization uses LastPass for shared accounts (think IT management systems, firewalls, and other tools utilized by multiple users that only have/allow a single credential set), then it only takes one user in that shared group with a weak master password to make cracking easier and expose those shared credentials.

If you are a Central, Pro, Join.Me, Hamachi, or Remotely Anywhere customer/user, click the following link to GoTo’s blog post regarding how you may be affected:
