- Following two security incidents in 2022, LastPass has now given customers more information.
- Importantly, the company has acknowledged that its communication during the incident was weak and that it could have done better.
- Individuals and businesses are being advised on what measures to take via a series of detailed security bulletins.
Last year, GoTo-owned LastPass revealed not one but two security incidents. The more recent of those was disclosed on 22 December, and it was a big one.
Now LastPass chief executive officer Karim Toubba has penned an exhaustive blog post detailing what happened and, more importantly, what the firm has done to secure itself and its customers.
“Since our December 22nd post, I have spoken to many of our business and consumer customers. I acknowledge our customers’ frustration with our inability to communicate more immediately, more clearly, and more comprehensively throughout this event. I accept the criticism and take full responsibility. We have learned a great deal and are committed to communicating more effectively going forward. Today’s update is a demonstration of that commitment,” wrote Toubba.
In the incident highlighted in December, a threat actor allegedly targeted a senior DevOps engineer by exploiting vulnerable third-party software on their home computer. This allowed the threat actor to deliver malware that ultimately granted them access to cloud backups. The data contained in the backups included:
- “DevOps Secrets – restricted secrets that were used to gain access to our cloud-based backup storage.
- Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using our Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password. As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass – therefore, they were not included in the exfiltrated data.
- Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.”
A more detailed list of exactly what each of these contains can be found at this link.
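The bulletin text above rests on one design property: the vault key is derived on the client from the master password, so the server (and anyone who steals its backups) holds only ciphertext plus a salt. The following is an added illustration of that model, not LastPass's code, and it makes assumptions the page does not state: PBKDF2-HMAC-SHA256 with an invented iteration count stands in for whatever KDF the product uses, a small HMAC-based encrypt-then-MAC construction stands in for a real AEAD such as AES-GCM, and the account e-mail, URL, credentials and wordlist are constructed sample data. It also shows the consequence the practitioner cares about: with the blob in hand, the thief faces no rate limit or lockout, only the KDF cost multiplied by the number of guesses, while the URL field (unencrypted, as the bulletin says) is readable directly.

```python
import hashlib
import hmac
import os

# Assumed KDF cost for this example; raising it raises the attacker's
# per-guess cost by the same factor. Not the product's real setting.
KDF_ITERATIONS = 100_000


def derive_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Client-side derivation of the vault key. The server stores the salt
    (here, the account e-mail) but never the master password or the key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode); stands in for a real AEAD."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under the derived key; this is the only form the server stores."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unseal(key: bytes, blob: dict):
    """Return the plaintext, or None when the key is wrong or the blob was tampered with."""
    expected = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"]))))


def offline_crack(blob: dict, salt: bytes, candidates, iterations: int = KDF_ITERATIONS):
    """What the holder of a stolen backup can do: guess master passwords with no
    rate limit and no lockout. Only KDF cost and password strength slow this down."""
    for guess in candidates:
        if unseal(derive_key(guess, salt, iterations), blob) is not None:
            return guess
    return None


def demo():
    """Constructed sample: one exfiltrated vault record. The URL is stored in the
    clear (as the bulletin says); the credentials are inside the sealed blob."""
    salt = b"alice@example.com"   # constructed; a salt need not be secret
    iterations = 1_000            # lowered only to keep the demo fast
    key = derive_key("Summer2023!", salt, iterations)
    record = {"url": "https://bank.example/login",
              "blob": seal(key, b"user=alice;pass=hunter2")}
    # The attacker reads record["url"] directly to pick targets, then runs a
    # wordlist against the blob. A weak master password falls after a few guesses.
    wordlist = ["password", "letmein", "Summer2023!", "correct horse battery staple"]
    return offline_crack(record["blob"], salt, wordlist, iterations)
```

The MFA/federation database in the bulletin shows the opposite case: it was encrypted too, but its decryption key was stored where the same attacker could reach it, so the encryption bought nothing. In the example the server-side equivalent of `key` never exists, which is what forces the thief back to guessing; the only defences left are a long master password and a high `iterations` value.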
Following this incident, LastPass took several actions to secure both its services and the home network of the engineer who had been compromised. The firm also deployed new security technologies across its environments.
“We have performed a comprehensive review of our security policies and incorporated changes to restrict access and privilege, where appropriate. We completed a comprehensive analysis of existing controls and configurations, and we’ve made the necessary changes to harden existing environments. We have also begun the work to expand the use of encryption within our application and backup infrastructure. Finally, we have begun to scope out longer-term architectural initiatives to help drive our platform evolution across LastPass,” Toubba explained.
The CEO further points to two Security Bulletins that customers should read through.
“We have heard and taken seriously the feedback that we should have communicated more frequently and comprehensively throughout this process. The length of the investigation left us with difficult trade-offs to make in that regard, but we understand and regret the frustration that our initial communications caused for both the businesses and consumers who rely on our products. In sharing these additional details today, and in our approach going forward, we are determined to do right by our customers and communicate more effectively,” Toubba said.
It remains to be seen how badly these incidents will damage LastPass' reputation. The company was roundly criticised by cybersecurity experts and firms alike for its poor communication in the wake of the incidents.
The firm appears to have turned over a new leaf, but here’s hoping an incident such as this doesn’t happen again.