LastPass Keeps Breaking Our Heart

//From the desk of Colton Sumners


Edit 12/26/2022: Since the publication of this article, it has been conceded that customer data has been significantly compromised.

The unknown threat actor accessed and copied a cloud-based backup of customer vault data, including encrypted passwords, usernames and form-filled data, CEO Karim Toubba confirmed.

The backup of customer vault data also contains unencrypted data, such as the website URLs that customers access via the password manager, company names, billing addresses, email addresses, phone numbers, and the IP address customers use to access LastPass.

Yikes. If you are a LastPass customer, we strongly suggest you reach out to your IT provider to research an alternative vendor for your password management needs.

LastPass, can we not?

Long over are the days of ripping off the top sheet of a sticky note pad and jotting down the password you just created for a site you may or may not ever log in to again. Or memorizing the number of “!” you have at the end of your email password, because you add another every time your company forces you to change it every 60 days. Whether forced by a negative mark on a Cobaltix Compliance risk assessment or simply wanting the convenience of not having to deal with the aforementioned headaches, you may have implemented a password manager. Today’s topic is LastPass, the market-share leader among password managers.

LastPass is a password manager that helps users store and manage their passwords, sensitive information, card details and more, behind a single super-strong ‘master’ password. Well, last month they disclosed yet another security breach. The threat actor gained access to customer data that was stored on a third-party cloud service. According to LastPass CEO Karim Toubba, attackers used information stolen from the previous breach to gain access to the cloud space that the company shared with its affiliate GoTo.

Previous breach? Seriously? How many have there been?

Quite a few.

Let’s dive into a few of those.

In 2015, LastPass announced that it had discovered and fixed a security vulnerability that could potentially allow an attacker to access a user’s account. The company stated that there was no evidence that any user accounts had been accessed or compromised as a result of the vulnerability. In 2017, LastPass disclosed that it had discovered and fixed a security vulnerability that could potentially allow an attacker to access a user’s account if the user had visited a malicious website while logged into their LastPass account. Again, the company stated that there was no evidence that any user accounts had been accessed or compromised as a result of the vulnerability.

Then, in August 2022, LastPass confirmed that a threat actor had compromised the company’s development environment for four days using a developer account. The attacker gained access to source code and some proprietary technical information but did not access customer data or encrypted password vaults. LastPass now says that the attacker used the information obtained in that incident to facilitate the November 2022 data breach and access undisclosed elements of LastPass customers’ information.

For a company that’s supposed to keep your digital secrets safe, LastPass sure is having a hard time of it recently.

The security breach did not expose customer passwords or master passwords, as the company does not store decryption keys online but only in the password manager app on users’ devices. A representative from the company stated, “Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”
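The following is an added illustration of what that “zero knowledge” claim means for a copied backup, and of the caveat in the 12/26 update above: the key is derived on the device from the master password, so the backup holder gets only ciphertext for credentials, but any field stored in the clear (the URL here) is readable outright. This is not LastPass’s code or vault format; the key derivation is standard PBKDF2-HMAC-SHA256, while the cipher is an HMAC-SHA256 counter-mode stand-in chosen so the example runs on the Python standard library (a real client would use AES), and the salt, iteration count and record layout are assumptions.

```python
import hashlib
import hmac
import os

# Work factor for the client-side derivation; an illustrative value, not LastPass's setting.
PBKDF2_ITERATIONS = 100_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Runs on the user's device only: the server never sees the master password or this key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _subkey(vault_key: bytes, label: bytes) -> bytes:
    # Separate encryption and integrity keys derived from the vault key.
    return hmac.new(vault_key, label, "sha256").digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for AES, not a real vault cipher.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest())
    return b"".join(blocks)[:length]


def encrypt_field(vault_key: bytes, plaintext: str) -> dict:
    data = plaintext.encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(_subkey(vault_key, b"enc"), nonce, len(data))))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, "sha256").digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_field(vault_key: bytes, blob: dict) -> str:
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(vault_key, b"enc"), nonce, len(ct)))).decode()


def build_backup_record(master_password: str, salt: bytes, url: str, username: str, password: str) -> dict:
    """What a cloud backup would hold: the URL in the clear, the credentials as ciphertext."""
    key = derive_vault_key(master_password, salt)
    return {"url": url, "username": encrypt_field(key, username), "password": encrypt_field(key, password)}


def fields_readable_without_master_password(record: dict) -> list:
    """Anything stored as a plain string is visible to whoever holds the backup copy."""
    return [name for name, value in record.items() if isinstance(value, str)]
```

Whoever copies the record learns the site (useful for phishing), while the credentials only decrypt under the correct master password, which is why the strength of that one password and a second factor matter so much.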

With that said, here at Cobaltix Compliance we believe this more recent security breach is more severe than the previous incident because it exposed customer data.

The impact of the latest security breach remains speculative as LastPass has not disclosed the nature of customer data accessed or whether exfiltration occurred. With a customer base of 33 million users, including over 100,000 businesses, the LastPass security breach is likely to become a major incident.

So, what does that mean for you and yours? If you are a current Cobaltix or Cobaltix Compliance client, we are offering a free hour of consulting by our Sr. Director of Information Security and Compliance, Colton Sumners. If you are not a client, and would like to discuss your current information security posture and to see what we can do for you, please contact us directly at (415) 470-8839 or Email Us.

It’s important to note that password managers, like LastPass, are designed to help protect users’ sensitive information by using strong encryption and other security measures. If you’re concerned about the security of your LastPass account, you can enable two-factor authentication, which adds an extra layer of protection to your account by requiring you to provide a second form of authentication (such as a code sent to your phone) in addition to your password when logging in.
