Note: This is not a new breach of LastPass’ systems, but rather sharing of additional details from their investigation into the incident they publicly disclosed on December 22, 2022.
On February 27, 2023, LastPass updated their security incident notice to include additional details around the data breach they began investigating in November 2022. According to their notice, the threat actor used information obtained in an earlier data breach in August 2022 to target an employee and obtain credentials and keys used to decrypt storage volumes within their cloud-based storage service.
LastPass has now disclosed that the threat actor used the information stolen in the first breach to target a senior DevOps engineer at the company with malware, which ultimately allowed them to access the engineer's corporate vault. This access allowed the threat actor to pivot and gain additional access to LastPass production backups, which included both unencrypted and encrypted customer data.
According to LastPass, the encrypted data remains secured and can only be decrypted with a unique key derived from a user's master password. Encrypted data includes usernames and passwords, secure notes, and form-fill data; however, unencrypted data includes website URLs, which are likely the URLs tied to the stored usernames and passwords.
LastPass has also now disclosed that the threat actor accessed copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 key) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.
Recommendation #1: Federated Customer Key Rotation
If you are a LastPass federated business customer, it is important to note that the K2 component was exfiltrated by the threat actor as it was stored in the encrypted backups of the LastPass MFA/Federation Database for which the threat actor had decryption keys.
Arctic Wolf recommends rotating the K1 and K2 split knowledge components, which means you will need to de-federate and re-federate your users.
You can view more details on how to accomplish this via LastPass’ support article here: https://support.lastpass.com/help/how-do-i-de-federate-and-re-federate-users
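The following script is an added illustration, not code from Arctic Wolf or LastPass, of the two properties the notice above relies on: a vault key derived from a master-password-like secret (so ciphertext alone does not yield the key), and the split-knowledge property of the K1/K2 pair (so a leaked K2 on its own reveals nothing, but both components must be regenerated once one has been exposed). The XOR combination of K1 and K2, the PBKDF2 parameters, the component length and the salt are assumptions made for this toy model and are not a description of LastPass' actual federation implementation.

```python
import hashlib
import secrets
from typing import Tuple

COMPONENT_LEN = 32  # bytes; constructed length for this toy model, not LastPass' value


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def combine_split_knowledge(k1: bytes, k2: bytes) -> bytes:
    """Combine the two split-knowledge components into the secret that stands in
    for the user's master password. Assumed model: plain XOR of K1 and K2."""
    return xor_bytes(k1, k2)


def derive_vault_key(secret: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Derive a vault encryption key from a master-password-like secret with
    PBKDF2-HMAC-SHA256. Only a holder of the secret can reproduce this key;
    encrypted vault data and URLs alone do not help."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def k1_that_explains(leaked_k2: bytes, hypothetical_secret: bytes) -> bytes:
    """Given only K2, return the K1 that would make *any* chosen secret correct.
    Because such a K1 exists for every possible secret, K2 by itself carries no
    information about the real secret: that is the split-knowledge property."""
    return xor_bytes(leaked_k2, hypothetical_secret)


def generate_split_knowledge(length: int = COMPONENT_LEN) -> Tuple[bytes, bytes]:
    """Generate a fresh, independent (K1, K2) pair, as re-federation would."""
    return secrets.token_bytes(length), secrets.token_bytes(length)


def leaked_component_matches(old_k2: bytes, new_k1: bytes, new_secret: bytes) -> bool:
    """Does a previously leaked K2, combined with the post-rotation K1, still
    reproduce the current secret? After rotating both components it must not."""
    return combine_split_knowledge(new_k1, old_k2) == new_secret


if __name__ == "__main__":
    salt = b"constructed-example-salt"
    k1, k2 = generate_split_knowledge()
    secret = combine_split_knowledge(k1, k2)
    vault_key = derive_vault_key(secret, salt)

    # Split-knowledge property: a leaked K2 is consistent with every secret.
    decoy = secrets.token_bytes(COMPONENT_LEN)
    print("K2 alone explains any secret:",
          combine_split_knowledge(k1_that_explains(k2, decoy), k2) == decoy)

    # Rotation: regenerate both components; the old K2 no longer reproduces the secret.
    new_k1, new_k2 = generate_split_knowledge()
    new_secret = combine_split_knowledge(new_k1, new_k2)
    print("old K2 still reproduces the new secret:",
          leaked_component_matches(k2, new_k1, new_secret))
    print("vault key changed after rotation:",
          derive_vault_key(new_secret, salt) != vault_key)
```

The point of `leaked_component_matches` is the rotation recommendation itself: rotating only one component would leave the already-exposed K2 waiting to be combined with whatever K1 is current, which is why de-federating and re-federating (regenerating both K1 and K2) is the step that actually retires the stolen material.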
Recommendation #2: Limit Authentication to Enterprise-Managed Devices Only
In an effort to limit exposure, Arctic Wolf recommends LastPass federated customers consider limiting authentication to LastPass from Enterprise-managed devices only.
Recommendation #3: Recommended Actions for LastPass Business Administrators
Arctic Wolf recommends LastPass Business Administrators review the recommendations outlined by LastPass on their support article to assess what actions should be taken.
You can view these details on the LastPass support article here: https://support.lastpass.com/help/security-bulletin-recommended-actions-for-business-administrators#topic_9