On Thursday, December 22, 2022, LastPass updated their security incident notice to include additional details around the data breach they began investigating in November 2022. According to their notice, the threat actor used information obtained in an earlier data breach, in August 2022, to target an employee and obtain credentials and keys used to decrypt storage volumes within their cloud-based storage service.
The threat actor was able to copy information from the storage volumes, which contained “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”
Furthermore, the threat actor was able to copy a backup of customer vault data, which contained both unencrypted and encrypted data.
According to LastPass, the encrypted data remains secured and can only be decrypted with a unique encryption key derived from a user’s master password. Encrypted data includes usernames and passwords, secure notes, and form-filled data; however, unencrypted data includes website URLs, which are likely the URLs tied to the stored usernames and passwords.
LastPass also claimed the threat actor had access to a limited number of authentication keys contained in the backups. The compromised keys are used by some business customers who have enabled API-based integrations with LastPass, including SCIM, Enterprise, and SAML API applications. If a customer leveraged one of these API integrations, LastPass notified them via email.
Impact of LastPass Data Breach
Although brute-forcing passwords is a common tactic threat actors leverage, it is extremely unlikely that the threat actor will be successful in cracking the master password, due to computational limitations, if users followed the recommended password requirements provided by LastPass. According to Hive Systems’ 2022 Password Table, it would take approximately 34,000 years to crack the master password if users followed the recommended requirements.
Based on the unencrypted data that was copied, including customer account information and website URLs, it is more likely impacted organizations will receive targeted phishing emails. Phishing emails may contain “password reset” or “update your password” themes and include references to the LastPass data breach to add credibility.
Recommendation #1: Delete Existing SAML Integration
If you received an email from LastPass stating that your organization leverages an impacted API-based integration, we strongly recommend following LastPass’ recommendation to delete existing SAML integrations.
To view your existing SAML integrations and delete them, follow this support guide provided by LastPass: https://support.lastpass.com/help/how-do-i-delete-an-existing-saml-integration
Recommendation #2: Provide User Awareness Training
Provide tailored user awareness training to all employees around the LastPass data breach. Ensure users know how to identify a phishing email and where to report it. Furthermore, provide examples of what users can expect, and remind users to remain vigilant when receiving an email from an unknown or external source.
Recommendation #3: Consider Resetting Master Password
If a user’s master password is reused or does not meet the minimum password requirements provided by LastPass, reset the user’s master password to prevent potential future impact if the master password is brute-forced or leaked in a credential list.
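The following Python script is an added example written for this post (it is not a LastPass tool and does not use LastPass’ API) that turns Recommendation #3 and the brute-force reasoning above into a repeatable check an administrator could run against a user’s proposed master password. The 12-character, three-character-class policy, the attacker rate of 1e10 raw hashes per second and the 100,000 KDF iterations are all assumed parameters, not LastPass’ published values; the list of “leaked” passwords is constructed inline and indexed by SHA-1 prefix, mirroring the k-anonymity shape of public breach-corpus lookups, so nothing leaves the machine.

```python
import hashlib
import string

# Assumed policy for this example: 12+ characters from at least three classes.
MIN_LENGTH = 12
MIN_CLASSES = 3


def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed sample of "leaked" passwords. The index maps the first 5 hex
# characters of the SHA-1 hash to the remaining 35, the same layout a local
# mirror of a breach corpus would use, so only a hash prefix is ever queried.
LEAKED_PASSWORDS = ["password", "123456", "Summer2022!", "letmein"]
LEAKED_INDEX = {}
for _pw in LEAKED_PASSWORDS:
    _h = _sha1_hex(_pw)
    LEAKED_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def _classes_present(password: str) -> list:
    return [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]


def policy_violations(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the assumed-policy rules the password fails (empty list = passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if sum(_classes_present(password)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    return problems


def is_known_leaked(password: str) -> bool:
    """Prefix lookup against the constructed index (k-anonymity style)."""
    h = _sha1_hex(password)
    return h[5:] in LEAKED_INDEX.get(h[:5], set())


def charset_size(password: str) -> int:
    """Alphabet size an attacker would have to search to cover this password."""
    lower, upper, digit, punct = _classes_present(password)
    return (26 if lower else 0) + (26 if upper else 0) + (10 if digit else 0) \
        + (len(string.punctuation) if punct else 0)


def expected_crack_years(password: str, raw_hashes_per_second: float,
                         kdf_iterations: int) -> float:
    """Expected offline brute-force time (half the keyspace on average).

    Each guess costs kdf_iterations hash computations, so a slow KDF divides
    the attacker's raw hash rate. Both parameters are assumptions here.
    """
    keyspace = charset_size(password) ** len(password)
    guesses_per_second = raw_hashes_per_second / kdf_iterations
    seconds = keyspace / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def assess_master_password(password: str, raw_hashes_per_second: float = 1e10,
                           kdf_iterations: int = 100_000) -> dict:
    """Combine policy, reuse and brute-force estimates into a reset decision."""
    violations = policy_violations(password)
    leaked = is_known_leaked(password)
    return {
        "policy_violations": violations,
        "known_leaked": leaked,
        "expected_crack_years": expected_crack_years(
            password, raw_hashes_per_second, kdf_iterations),
        "reset_recommended": bool(violations) or leaked,
    }


if __name__ == "__main__":
    for candidate in ["Summer2022!", "correct-Horse9battery!Staple"]:
        print(candidate, assess_master_password(candidate))
```

A password that is short, or that appears in the constructed leak index, is flagged for reset regardless of its estimated brute-force time; the time estimate is only there to show how quickly a policy-compliant password leaves the range an attacker can afford, even before the KDF iteration count is taken into account.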