Loading table of contents...
In December 2022, LastPass password management service detailed new findings related to its August 2022 data breach. The company notified customers who may have been affected and provided some mitigation measures to prevent the exploitation of affected systems. We recommend following the mitigation steps below to reduce the threat posed by this issue.
Details
LastPass announced that an "unauthorized party" leveraged data obtained in an August 2022 data breach to subsequently copy a backup of customer vault data from an encrypted storage container.
The container has both encrypted and unencrypted data. The encrypted data includes sensitive fields, such as usernames and passwords, secure notes, and form-filled data. The unencrypted fields appear to include data such as:
- billing and subscription details that may include invoices with data including company names, end-user names, billing addresses, email addresses, and telephone numbers
- IP addresses from which customers were accessing the LastPass service
- website URLs of services used for LastPass
- password creation time
- last password modification time
- last password access time
- accounts added to Favorites
- whether or not the password was auto-generated
Based on the information available on 22 December 2022, LastPass reported that the incident did not compromise master passwords that manage access to encrypted vaults in its password manager software. According to LastPass, the sensitive data is encrypted based on LastPass’ Zero Knowledge architecture. The master password is never known to LastPass, it is not stored on LastPass' systems, and LastPass does not maintain it.
LastPass advised their customers who may have been affected and provided instructions for verifying that a strong master password and related settings were in use.
As an additional precaution for users with weak master passwords, LastPass recommends renewing secrets and changing all the passwords for the accounts used in LastPass, prioritizing sensitive accounts such as corporate portals, email, financial and phone providers.
Security impact
Field Effect has completed an internal review and confirmed that LastPass is not used within our environment. Our security team continues to monitor for any event developments and other compromises associated with this threat.
Covalence customers who are LastPass users received an ARO on 24 December 2022.
Recommendations
- We recommend resetting master passwords for LastPass customers reusing their master passwords or using weak passwords.
- For users with weak master passwords, we also recommend renewing secrets and changing all the passwords for the accounts used in LastPass, prioritizing sensitive accounts such as corporate portals, email, financial and phone providers.
- Threat actors may also use the unencrypted data from this breach to launch effective phishing and social engineering campaigns. Please advise your users on the potential for phishing, and social engineering attempts using LastPass breach information.
- Refer to NIST Digital Identity Guidelines references below for password management best practices.
References
- LastPass Advisory
- Data Fields in LastPass Vault
- NIST Digital Identity Guidelines
