Back in August 2022, popular password manager company LastPass admitted to a data breach.
The company, which is owned by sofware-as-a-service business GoTo, which used to be LogMeIn, published a very brief but nevertheless useful report about that incident about a month later:
Briefly put, LastPass concluded that the attackers managed to implant malware on a developer’s computer.
With a beachhead on that computer, it seems that the attackers were then able to wait until the developer had gone through LastPass’s authentication process, including presenting any necessary multi-factor authentication credentials, and then “tailgate” them into the company’s development systems.
LastPass insisted that the developer’s account hadn’t given the criminals access to any customer data, or indeed to anyone’s encrypted password vaults.
The company did admit, however, that the crooks had made off with LastPass proprietary information, notably including “some of our source code and technical information”, and that the crooks were in the network for four days before they were spotted and kicked out.
According to LastPass, customer passwords backed up on the company’s servers never exist in decrypted form in the cloud. The master password used to unscramble your saved passwords is only ever requested and used in memory on your own devices. Therefore, any passwords stored into the cloud are encrypted before they’re uploaded, and only decrypted again after they’ve been downloaded. In other words, even if password vault data had been stolen, it would have been unintelligible anyway.
Right at the end of November 2022, however, LastPass further admitted that there was a bit more to the story than perhaps they’d hoped.
According to a security bulletin dated 2022-11-30, the company was recently breached again by attackers “using information obtained in the August 2022 incident”, and this time customer data was stolen.
In other words, even if the criminals weren’t able to dig around in customer records directly from the account of the developer who got infected by malware back in August, it seems that the crooks nevertheless made off with internal details that indirectly gave them, or someone to whom they sold on the data, access to customer information later on.
Unfortunately, LastPass isn’t yet giving out any information about what sort of customer data was stolen, reporting simply that it is “working diligently to understand the scope of the incident and identify what specific information has been accessed”.
All that LastPass can say for sure right now [2022-12-01-T23:30Z] is to reiterate that “[o]ur customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”
(Zero knowledge is a jargon term that reflects the fact that although LastPass holds some sort of data in its customers’ password vaults, it has no knowledge of what that data actually refers to, or even if it actually consists of account names and passwords at all.)
In short, even if it ultimately turns out that the crooks could have made off with personal information such as home addresses, phone numbers and payment card details (though we hope that’s not the case, of course), your passwords are still as safe as the master password you originally chose for yourself, which LastPass’s cloud services never ask for, let alone keep copies of.
What to do?
- If you’re a LastPass customer, we suggest you keep your eye on the company’s security incident report for updates.
- If you’re a cybersecurity defender, why not listen to expert advice from Sophos cybersecurity researcher Chester Wisniewski on how to protect your own IT estate from this sort of get-a-beachhead-and-go-forth-from-there attack?
In the podcast below (there’s a full transcript if you prefer reading to listening), Chester discusses a similar sort of breach that happened in September 2022 at ride-hailing business Uber, and reminds you why “divide and conquer”, also known by the jargon term zero trust, is an important part of contemporary cyberdefence.
As Chester explains, even though all breaches cause some harm, either to your reputation or to your bottom line, the outcome will inevitably be a lot worse if crooks who get access to some of your network can roam around wherever they like until they get access to all of it.