LastPass Messed Up AGAIN!

In recent years, data breaches have become a major concern for individuals and companies alike. The latest breach to make headlines is the LastPass data breach, which occurred in December 2022. LastPass is a popular password management service that allows users to store their login credentials for various websites and applications in one secure location. In this blog post, I will provide a brief description of the LastPass data breach and highlight some new findings that have emerged.

The LastPass data breach was first reported on Decemer 22, 2022, when the company announced that it had detected suspicious activity on its network. According to LastPass, the attackers have obtained email addresses, password reminders, and other account information from a large number of users. The company immediately took steps to mitigate the attack, including resetting passwords for affected accounts and implementing additional security measures.

What's New

New findings from LastPass reveal that the attackers targeted a senior DevOps engineer by exploiting vulnerable third-party software. The attacker took advantage of a vulnerability in the software and delivered malware that bypassed existing security controls. The attacker then implanted a keylogger into the the employees home computer and gained access to even more internal infromation.

What New Data Was Accessed

• DevOps Secrets – restricted secrets that were used to gain access to their cloud-based backup storage.

• Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use casesinvolving email addresses, were encrypted using their Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password.

• Backup of LastPass MFA/Federation Database – contained copies of LastPass
Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.

Communication About Recent Findings

LastPass reportedly requested that enterprise customers not go public with the email, which contained information about the attack and the new findings. This left consumers in the dark about the new information until LastPass put out a blog post about the findings. The decision to ask enterprise customers to keep the email confidential was seen by some as an attempt to downplay the severity of the breach and avoid negative publicity. Critics argued that transparency is crucial in such situations, and customers have a right to know about any potential risks to their data. Down below you can read the full email sent to enterprise customers down below

Dear Valued Customer,

We are writing to update you on our recent security incident. We are giving you advance notification because we recognize that, as LastPass Managed Service Providers, you may need additional time to prepare your organization. With that in mind, we are providing you with full visibility in advance of our general announcement.

Our announcement will include the following:

An important update on our investigation into the security incident disclosed on December 22 on our blog. The new blog post will share that we have now completed an exhaustive investigation and have not seen any threat actor activity since October 26. It will also provide additional detail as to what happened and the actions we have taken in response, what data was accessed, what we have done to secure LastPass, actions we are recommending customers take to protect themselves or their businesses, and what you can expect from us going forward. You can preview the blog post here.

A detailed Security Bulletin designed to help you assess what actions you should take to protect your business. This Security Bulletin outlines several areas of recently discovered potential risks related to the incident, including risks related to enterprise account configurations, user settings, third-party integrations, and multifactor authentication data. You should review this document and take the appropriate actions given your specific security posture and environment. You can preview the Security Bulletin here.
Given the sensitive nature of this information and to give you time to implement the Security Bulletin changes, we ask that you please treat this information as confidential until it becomes available to the public later this week. Thank you for your attention to this matter and for your on-going partnership.

Thank you,

The Team at LastPass

It's Time For Change

Given the recent data breach and the criticism surrounding LastPass's handling of the situation, it is reasonable to suggest that it is time for users to consider moving away from the service. The breach highlighted the company's apparent incompetence in security practices, which allowed an attacker to gain access to a senior DevOps engineer's home computer and implant a keylogger. Additionally, the lack of transparency and poor communication from LastPass's leadership has left many users feeling uneasy and distrustful. With so many other password management services available, it is time for users to weigh the risks and consider switching to a service that prioritizes security and transparency. While no service is entirely immune to breaches, users can take steps to minimize their risk and choose a service that aligns with their priorities and values.

Benfitis Of Bitwarden

For those who are concerned about the recent LastPass data breach and are considering a switch to a more secure password management service, Bitwarden is an excellent option. Unlike LastPass, Bitwarden is an open-source platform that allows users to store and manage their passwords securely. This means that the code behind Bitwarden is transparent and auditable, which can help to build trust and confidence among users. Bitwarden also supports two-factor authentication, biometric authentication, and offers a variety of security features, such as password generation, password sharing, and automatic form filling. Additionally, Bitwarden has received high marks for its user interface and ease of use, making it an attractive option for users who may be new to password management services. Overall, Bitwarden is a robust and secure option that offers users peace of mind and confidence that their passwords and sensitive information are safe and secure.

Conclusion

In conclusion, the recent LastPass data breach and its handling by the company's leadership has left many users concerned about the security of their passwords and sensitive information. As a result, it may be time for users to consider switching to a more secure and transparent password management service such as Bitwarden. With its open-source platform, robust security features, and ease of use, Bitwarden offers users a secure and reliable option for managing their passwords and sensitive information. If you are interested in trying Bitwarden, you can reach out to me at [email protected] to be added to my family plan free of charge. As cyber threats continue to evolve and become more sophisticated, it is crucial to take proactive steps to protect ourselves and our sensitive data. By using a secure password management service like Bitwarden, users can have peace of mind knowing that their passwords and sensitive information are safe and secure.