Déjà vu: Lastpass breach

Another LastPass Data Breach?

Some context

LastPass, a password manager provider and leading security firm, has been involved in yet another security incident, following a couple of recent events.

This isn't the first time LastPass announced that its data vault was breached by an unauthorized party.

Another incident occurred in 2021, after which LastPass deployed enhanced security controls to protect the master passwords of its customers.

The company said that it had deployed additional security measures to further protect customer data and their encrypted passwords. However, this new breach raises the question of how thorough those measures really were.

In August of this year, the company published a post on its official website indicating that a development environment had been compromised, exposing part of the customers' data. A month later, they uploaded a follow-up post with more details about the breach, such as the fact that the password vaults weren't affected, and reaffirmed a strong security posture to prevent similar incidents from happening in the future.

What happens to your encrypted data when your company experiences a customer data breach?

You might think that customer data would be safe in the hands of leading security firms, but this isn't always the case.

What usually happens to customer data or encrypted data?

The company detects unusual activity on their source code, customer data or encrypted data and alerts law enforcement officials. They then notify customers by email that their information in the encrypted password vaults has been compromised.

What do they do next? They increase their protection measures by validating all customer logins using two-factor authentication (2FA). This means that before accessing any customer account, users must provide additional proof of identity in addition to their password.

In addition to increasing security measures against future attacks from hackers, the company usually offers free credit monitoring services to all affected customers for 12 months after the incident occurred.

What happened this time?

During that last incident, LastPass added that some snippets of its source code and proprietary information were stolen. Then, on November 30th, Karim Toubba, CEO of the company, shared information claiming that the attackers were able to leverage that stolen information to gain access to certain elements of the users' data. Nevertheless, he stated that customer passwords remain safe thanks to the application's Zero Knowledge architecture, part of the proprietary LastPass technical information.

What should I expect?

The company is still working to identify what specific information was part of the breach. In the meantime, they stated that their services remain fully functional.

Given the recurring nature of these incidents and the fact that they haven't released a statement clarifying exactly which information was part of the breach, new updates are expected in the following days.

Any mitigation plans for the future?

As part of that last update, they suggested keeping MFA enabled and following their best practices as described in this post. However, in a scenario where your credentials are exposed, the key point is to determine what attackers could do once inside your systems. Sound scary? Don't worry. At Red Sentry, we help you know if you've been part of a data breach and keep your attack surface as minimal as possible. If you have any questions or fear your information may have been breached, contact us.

Andres Pena
Security engineer, developer and economist