mhill
UK Editor

Timeline of the latest LastPass data breaches

Feature
Mar 01, 2023 | 8 mins
Cyberattacks | Data Breach

Attackers apparently used data taken in an August attack on the password management firm to enable another attack in November.

[Image: One endpoint on a network has been compromised. Credit: Hernan4429 / Getty Images]

On November 30, 2022, password manager LastPass informed customers of a cybersecurity incident following unusual activity within a third-party cloud storage service. While LastPass claims that users’ passwords remain safely encrypted, it admitted that certain elements of customers’ information have been exposed. The security incident was the latest to affect the service in recent times in the wake of unauthorized access to its development environment in August last year, serious vulnerabilities in 2017, a phishing attack in 2016, and a data breach in 2015.

Here is a timeline of the most recent LastPass data breaches from August to present.

[Editor’s note: This article, originally published on January 11, 2023, will be updated as new information becomes available.]

August 25, 2022: LastPass detects “unauthorized” access

LastPass CEO Karim Toubba wrote to inform LastPass users that the company had detected unusual activity within portions of the LastPass development environment. “We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.”

In response to the incident, LastPass deployed containment and mitigation measures and engaged a cybersecurity and forensics firm, Toubba added. “While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”

September 15, 2022: LastPass says no customer data or passwords compromised

LastPass announced that it had completed its investigation of the August breach and determined that the attacker did not access any customer data or password vaults. It also confirmed that the access point was a developer’s compromised computer and that the attacker was in the system for a total of four days.

November 30, 2022: LastPass notifies customers of new security incident

LastPass notified users of a new security incident that its team was investigating. “We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement,” Toubba wrote.

The company determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain customers’ information, Toubba said, while stating that passwords remained safely encrypted due to LastPass’s Zero Knowledge architecture. “We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional,” he added. Users were advised to follow best practices around the setup and configuration of LastPass.

December 1, 2022: Researcher urges LastPass customers to stay vigilant

Yoav Iellin, senior researcher at Silverfort, stated that given the vast number of passwords LastPass protects globally, it remains a big attack target. “The company has admitted the threat actor gained access using information obtained in the previous compromise. Exactly what this information is remains unclear, but typically it’s best practice after suffering a breach for the organization to generate new access keys and replace other compromised credentials. This ensures things like cloud storage and backup access keys cannot be reused.”

Iellin urged users to stay vigilant for updates from the company and to take time to verify these were legitimate before taking any action. “In addition, ensuring you have two-factor authentication on any applications with passwords in LastPass and changing passwords will provide the utmost level of security,” Iellin added.

December 22, 2022: LastPass confirms theft of source code and technical information

In an update on the investigation, Toubba stated source code and technical information stolen from the LastPass development environment were used to target an employee and obtain credentials/keys, which were used to access and decrypt some storage volumes within a cloud-based storage service. “To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass services,” Toubba wrote.

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data, he added. “There is no evidence that any unencrypted credit card data was accessed.”

Toubba warned that the threat actor may attempt to use brute force to guess master passwords and decrypt the copies of vault data they took, but because of the hashing and encryption methods used by LastPass it would be extremely difficult to attempt to brute-force guess master passwords for those customers who follow its password best practices, he continued.

“The threat actor may also target customers with phishing attacks, credential stuffing, or other brute-force attacks against online accounts associated with your LastPass vault.” LastPass added additional logging and alerting capabilities to help detect any further unauthorized activity and is actively rotating all relevant credentials and certificates that may have been affected and supplementing existing endpoint security, Toubba stated. “We are also performing an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service, adding additional safeguards within this environment, and analyzing all data within this environment to ensure we understand what the threat actor accessed. This remains an ongoing investigation. We have notified law enforcement and relevant regulatory authorities of this incident out of an abundance of caution. In the meantime, our services are running normally, and we continue to operate in a state of heightened alert.”

January 3, 2023: Anonymous plaintiff files class action lawsuit against LastPass

An anonymous plaintiff filed a class action lawsuit against LastPass relating to the data breaches. “This is a class action for damages against Defendant for its failure to exercise reasonable care in securing and safeguarding highly sensitive consumer data in connection with a massive, months-long data breach,” the lawsuit read. Highly sensitive data was exposed, it continued, impacting potentially millions of LastPass users, resulting in the unauthorized public release and subsequent misuse of their names, end-user names, billing addresses, email addresses, telephone numbers, IP addresses from which customers were accessing the LastPass service, and customer vault data. The lawsuit claimed that LastPass’ “best practices” were woefully insufficient to protect its users’ private information from compromise and misuse.

January 23, 2023: LastPass parent GoTo CEO says attacker exfiltrated encrypted backups

In an update on the ongoing investigation into the security incident, Paddy Srinivasan, CEO of LastPass parent company GoTo, stated that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. “We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted,” Srinivasan wrote.

At the time of writing, Srinivasan claimed there was no evidence of exfiltration affecting any GoTo products other than those referenced, or any of GoTo’s production systems. “We are contacting affected customers directly to provide additional information and recommend actionable steps for them to take to further secure their accounts,” Srinivasan added. “Even though all account passwords were salted and hashed in accordance with best practices, out of an abundance of caution, we will also reset the passwords of affected users and/or reauthorize MFA settings where applicable. In addition, we are migrating their accounts onto an enhanced Identity Management Platform, which will provide additional security with more robust authentication and login-based security options.”

February 27, 2023: LastPass reveals that one of its DevOps engineers was hacked

A LastPass update on its second breach confirmed that it was related to the initial incident, which ended on August 12, 2022. The company claimed that the connection was not obvious because the attacker’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) “were not consistent with those of the first [breach].”

The second attack did make use of information exfiltrated during the initial incident: valid credentials of a senior DevOps engineer who had access to a shared cloud storage environment. This made the attacker’s activity difficult to identify, because it appeared to be legitimate. AWS GuardDuty alerts did notify LastPass of anomalous behavior after the attacker attempted to use cloud identity and access management (IAM) roles for unauthorized activity.


Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
