LastPass disclosed another security breach, with the threat actor gaining access to customer data stored on a third-party cloud service. According to LastPass CEO Karim Toubba, attackers used information stolen from the previous breach to gain access to the cloud space that the company shared with its affiliate GoTo.
In August 2022, LastPass confirmed that a threat actor had compromised the company’s development environment for four days using a developer account. The intruder gained access to source code and some proprietary technical information but did not reach customer data or encrypted password vaults.
LastPass now says that the attacker used the information obtained in the previous incident to facilitate the November 2022 data breach and access undisclosed elements of LastPass customers’ information.
LastPass security breach leaked customer data
On November 30, 2022, LastPass informed customers that it detected unusual activity within a third-party cloud storage service shared with its affiliate, GoTo, formerly LogMeIn.
The password manager company has engaged cybersecurity firm Mandiant in an investigation that confirmed unauthorized access to customer data on the shared third-party cloud.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” LastPass said in a blog post.
The company also notified law enforcement and began working on determining the nature of the customer data stolen.
Customer passwords remain safe
The security breach did not expose customer passwords or master passwords: the company does not store decryption keys online, and they are held only by the password manager app on users’ devices.
“Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”
Decrypting the stolen password hashes would therefore not be a trivial undertaking, given that LastPass also lets users generate strong passwords. The company additionally assured customers that it would continue to strengthen its defenses to prevent further threat-actor activity on its infrastructure.
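The zero-knowledge model referred to above is worth seeing in code. The following is an added example, not LastPass’s code or design: a simplified client/server pair in which every key is derived from the master password on the client, and the server stores only a one-way authentication hash plus an opaque encrypted blob. The work factor, the HMAC-based toy cipher, and all names (derive_vault_key, derive_auth_hash, VaultServer, round_trip) are constructed for illustration. The point it demonstrates is that a copy of the server’s storage contains no vault key and that the authentication hash cannot stand in for one, which is why vault contents stay protected after a storage breach while the strength of the master password still governs how hard offline guessing would be.

```python
"""Simplified model of a zero-knowledge password-vault design (added example).

Every key is derived from the master password on the client; the server
receives only an authentication hash and an opaque encrypted blob. The work
factor, the toy cipher and all names below are constructed for illustration
and are not LastPass's implementation.
"""
import hashlib
import hmac
import json
import os
from typing import Optional

KDF_ITERATIONS = 100_000  # assumed work factor; production systems tune this
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Runs on the client only; the result never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ITERATIONS, dklen=KEY_LEN)


def derive_auth_hash(vault_key: bytes) -> bytes:
    """One-way, domain-separated value sent to the server for login.
    Holding it does not yield the vault key."""
    return hmac.new(vault_key, b"authentication", "sha256").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (toy stream cipher for the example)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(vault_key: bytes) -> tuple:
    """Separate encryption and MAC keys derived from the vault key."""
    return (hmac.new(vault_key, b"encrypt", "sha256").digest(),
            hmac.new(vault_key, b"mac", "sha256").digest())


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; real software should use AES-GCM or similar."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None when the key is wrong or the blob was tampered with."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class VaultServer:
    """Holds only what clients upload: an auth hash and an encrypted blob."""

    def __init__(self) -> None:
        self.records = {}

    def register(self, email: str, auth_hash: bytes, blob: bytes) -> None:
        self.records[email] = {"auth_hash": auth_hash, "vault_blob": blob}

    def login(self, email: str, auth_hash: bytes) -> Optional[bytes]:
        rec = self.records.get(email)
        if rec is None or not hmac.compare_digest(rec["auth_hash"], auth_hash):
            return None
        return rec["vault_blob"]

    def storage_copy(self) -> dict:
        """Everything a party holding the server's storage would obtain."""
        return {email: dict(rec) for email, rec in self.records.items()}


def round_trip(email: str, master_password: str, secrets: dict) -> dict:
    """Registers, logs in and decrypts as the client, then checks what the
    server-side copy alone can do."""
    server = VaultServer()
    vault_key = derive_vault_key(master_password, email)
    auth_hash = derive_auth_hash(vault_key)
    server.register(email, auth_hash, encrypt_vault(vault_key, json.dumps(secrets).encode()))

    blob = server.login(email, auth_hash)
    recovered = json.loads(decrypt_vault(vault_key, blob))

    stored = server.storage_copy()[email]
    return {
        "recovered": recovered,
        "server_holds_vault_key": vault_key in stored.values(),
        "auth_hash_decrypts_vault": decrypt_vault(stored["auth_hash"], stored["vault_blob"]) is not None,
        "wrong_auth_hash_logs_in": server.login(email, os.urandom(KEY_LEN)) is not None,
    }


if __name__ == "__main__":
    # Constructed sample account; no real credentials.
    print(round_trip("alice@example.com", "correct horse battery staple",
                     {"example.com": "s3cret"}))
```

Running the block shows the legitimate client recovering its secrets while the server-side copy neither contains the vault key nor decrypts the blob with the authentication hash. The design choice worth noting is the domain separation: the login value and the encryption keys are all derived from the vault key by independent one-way steps, so disclosing one never discloses another.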
“As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity.”
LastPass had earlier told its customers that the hackers did not inject malicious code during the August 2022 security breach, since developers cannot push code directly into production. The company also explained that its development environment is physically separate from the production environment.
“Developers do not have the ability to push source code from the Development environment into Production. This capability is limited to a separate Build Release team and can only happen after the completion of rigorous code review, testing, and validation processes.”
It appears, however, that the hackers managed to create a backdoor that they later exploited to access customer data.
Chris Vaughan, VP of Technical Account Management, EME at Tanium, believes the November security breach was more severe than the previous incident because it exposed customer data.
“The new breach is more severe because customer information has been accessed, which wasn’t the case previously. The intruder has done this by leveraging data exposed in the previous incident to gain access to the LastPass IT environment,” he explained.
The impact of the latest security breach remains unclear, as LastPass has not disclosed the nature of the customer data accessed or whether exfiltration occurred. With a customer base of 33 million users, including over 100,000 businesses, the LastPass security breach is likely to become a major incident.
Meanwhile, Toubba advised LastPass customers to follow the company’s best practices while setting up their LastPass accounts as the company continues to assess the incident.
Vaughan believes that password managers are a natural target for threat actors seeking customer data, but that the benefits of using password vaults still outweigh the risks.
“When layered with the other security recommendations, it’s still one of the best solutions to prevent credential theft and associated attacks. We just have to hope that customer confidence has not been impacted too much by these recent attacks.”
Michael White, Technical Director and Principal Architect at Synopsys Software Integrity Group, compared the LastPass security breach to the ‘Sun Burst’ SolarWinds hack.
“Once compromised, access to a development or test system can give away the ‘keys to the kingdom’ which allow an attacker lateral movement towards critical sensitive information or permit an attacker to interfere in the software build process to introduce backdoors which make their way into production. Protecting software development environments, again and again, is proven to be of absolute importance to prevent these scenarios.”
White advised organizations to protect internal software delivery processes and infrastructure by implementing guidelines such as SLSA and NIST 800-161.
“Most organizations will already operate a secure development lifecycle, and so the topic of protecting the development environments themselves is a natural addition to the scope of that program if it is not already.”