
LastPass Breach Leads to User Data Leakage

LastPass, the well-known password manager, has been breached, twice.

In a blog post back in August, LastPass notified customers of a security incident in which an unauthorized party gained access to a development environment and stole some source code.  At the time, they painted the picture that user data was not at risk.

However, in an update to that post recently, they indicated there was another incident.

Let’s dive into the details of these two incidents to understand what happened.

What happened?

On August 25th, LastPass notified users about the first breach incident.  In that notice, Karim Toubba, the CEO, indicated they had noticed unusual activity in a development environment.  Upon investigation, they identified a single developer system which had been compromised.  The attacker was able to access and take portions of source code and other proprietary LastPass technical information.

Crucially, at the time of the original incident, LastPass let users know their data was not at risk.  The incident only resulted in some source code being stolen; no customer data or encrypted password vaults were impacted in the LastPass breach.

On September 15th, the article was updated to provide a conclusion to the investigation of the August incident.  In this initial update, they let users know that no customer data or encrypted password vaults were impacted, provided more details about the investigation and what was found, and indicated the company was putting enhancements to its security controls in place.

On November 30th, the article was updated again.  This time, LastPass indicated there was a new security incident the team was investigating.  In this update, they notified users that the attacker from the August breach had been able to use data obtained in that incident to gain access to certain elements of customer data.

LastPass has not yet identified what customer data was taken, or which users are impacted.  However, customer passwords are not impacted due to LastPass’s Zero Knowledge architecture.

LastPass did not identify what cloud service was accessed.  However, a 2020 blog post by AWS indicated the company transitioned a billion customer records to AWS Cloud.

How did the LastPass breach happen?

LastPass does not indicate how the original data breach occurred.  All that is known is that an attacker obtained developer credentials.  This could have been through malware, phishing, or perhaps credentials purchased online.

The second incident, however, is where things get interesting.  The attacker clearly used data obtained from the development environment to access production.  While LastPass has not yet said how this occurred, it’s clear that there must have been credentials in the development code.  These credentials were then used to access user data in the production environment.

How can I protect myself?

This is yet another in a long string of credential-based breaches we have seen this year.  Every breach in recent memory starts as a credential breach.  So the first thing every company needs to do is ensure they are using good user credential practices:

  • Require strong passwords

  • Implement Multi-Factor Authentication

  • Train users to be aware of phishing attacks

  • Rotate passwords periodically

The second piece is a story best told by this breach.  The first breach, which seemed like an innocuous loss of some code, led to user data being stolen.  How?  The only logical conclusion is that the development team had credentials stored somewhere in the code that was stolen.  So using best practices in development is key:

  • Do not use hard coded credentials in code

  • Do not rely on the same credentials for both development and production

  • Use a security tool to store credentials

  • Use encryption on all data
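The first of these items, keeping credentials out of code, is the one that can be checked mechanically before code ever reaches a repository.  The following is an added example written for this post (not code from LastPass, Soteri, or any scanning product): a minimal Python secret scanner that runs two rules over a constructed sample source file, a provider-specific key format and a credential-named variable assigned a string literal, and uses Shannon entropy to ignore obvious placeholders.  All sample values are fabricated.

```python
import math
import re

# Constructed sample "settings.py" as it might look in a development checkout.
# Every value below is fabricated; none is a real credential.
SAMPLE_SOURCE = """\
# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAFAKEEXAMPLE12345"
DB_PASSWORD = "pr0d-Sup3rS3cret!"
SMTP_PASSWORD = "changeme"
api_token = os.environ.get("API_TOKEN")
session_secret = "c8f2a9e41b7d03f6e5a2b19c4d7e8f01"
"""

# Rule 1: provider-specific key formats (AWS access key IDs are "AKIA" + 16 chars).
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Rule 2: a credential-like variable name assigned a quoted string literal.
# Reading the value from the environment (no literal) does not match.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:password|passwd|secret|token|api_key|apikey)\w*)\s*=\s*['\"]([^'\"]+)['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking secrets score high, dictionary words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_for_secrets(source: str, entropy_threshold: float = 3.0) -> list:
    """Return (line_number, rule, matched_value) for each suspected hard-coded secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in KEY_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, rule, m.group(0)))
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            # Short or low-entropy literals such as "changeme" are placeholders, not secrets.
            if len(value) >= 8 and shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "credential_assignment", value))
    return findings


if __name__ == "__main__":
    for lineno, rule, value in scan_for_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {value}")
```

Run as a pre-commit hook or CI step, a check like this flags lines 2, 3 and 6 of the sample while letting the environment-variable lookup and the low-entropy placeholder pass.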

Finally, do not rely on best practices alone.  Any security professional will tell you, security is about layering.  Having layers of security prevents a failure in one layer from impacting the outcome.

This is where Soteri can help by adding a data security layer.  If Soteri Scanning via REST API had been used, it would have detected credentials stored in code.  Soteri also offers integrations for Atlassian’s Bitbucket Data Center and Confluence Data Center and Cloud.  If any of these solutions had been used, they could have prevented user data leakage in this breach.  Check out all of Soteri’s integrations today!  You can find more details here.