Blog | LastPass Data Breach

• by Anthony Orjally
• Advent IM Blog

LastPass Data Breach

The 2022 data breach at LastPass was ultimately the result of one of its engineers failing to update their home computer, in what’s a sobering reminder of the dangers of failing to keep software up-to-date.

Incident 1 Summary: A LastPass software engineer’s corporate laptop was compromised, allowing the unauthorized threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets. No customer data or vault data was taken during this incident, as there is no customer or vault data in the development environment. LastPass declared this incident closed but later learned that information stolen in the first incident was used to identify targets and initiate the second incident.

Incident 2 Summary: The threat actor targeted a senior DevOps engineer by exploiting vulnerable third-party software. The threat actor leveraged the vulnerability to deliver malware, bypass existing controls, and ultimately gain unauthorized access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data.

In response LastPass took the following actions:

• Removed the development environment and rebuilt a new one to ensure full containment and eradication of the threat actor.
• Deployed additional security technologies and controls to supplement existing controls.
• Rotated all relevant cleartext secrets used by our teams and any exposed certificates.
• Analysed LastPass cloud-based storage resources and applied additional policies and controls.
• Analysed and changed existing privileged access controls.
• Rotated relevant secrets and certificates that were accessed by the threat actor.

It would be interesting to know how the threat actor knew which DevOps engineer to target and ultimately manage to hop onto their computer, but this kind of personal approach is not unheard of and could be more frequent than it’s publicly known. Find out more.

The company says that they still don’t know the identity of the attacker or their motivation: “There has been no contact or demands made, and there has been no detected credible underground activity indicating that the threat actor is actively engaged in marketing or selling any information obtained during either incident.”

Of course, it’s possible that LastPass was just a stepping stone to another target – the interconnectedness of services and companies has reached such levels that third-party supply chain compromises have become practically ordinary. Find out more.