A lot of the time, security breaches are a matter of “when” and not “if”. The adversary is always sitting in wait, ready to exploit any tiny weakness that has found its way into the open. We get that. We know that even the best cybersecurity teams are sometimes going to be caught out. Sometimes, the best measure of a security team is how well it contains and mitigates an incident, as opposed to whether it has erected an impenetrable fortress. If we think back, the Okta hack might be one of the best examples of this: even though there was a breach, the defense was well primed to reduce the damage.
In that way, we might view the “best” teams in terms of trust, openness, and responsiveness. Which leads us to a bit of a problem…
LastPass – water under the bridge?
Last year, password manager company LastPass was the victim of two crippling security breaches. We ran coverage at the time, but in case you missed it:
A software engineer’s corporate laptop was compromised, allowing the unauthorized threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets. No customer data or vault data was taken during this incident, as there is no customer or vault data in the development environment. We declared this incident closed but later learned that information stolen in the first incident was used to identify targets and initiate the second incident.
The threat actor targeted a senior DevOps engineer by exploiting vulnerable third-party software. The threat actor leveraged the vulnerability to deliver malware, bypass existing controls, and ultimately gain unauthorized access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data.
As you can imagine, this is a bad situation for a company centered on security to be in. But what made it worse was the subsequent reporting on how slow LastPass was to disclose the incident (with some critics even accusing the company of dragging its feet over its responsibilities), and the troubling realisation that these kinds of events aren’t particularly uncommon in the world of password management. If you use one of these platforms (and we believe that the majority of cybersec pros do use a password manager), this leads to some particularly uncomfortable questions: should I be using this? Is it making me an easier target? Who can I actually trust?
Wait, should I be worried about LastPass?
Finding out that something essential to your security posture is compromised is always a worrying prospect. In the interest of balance, _secpro has never waded into the murky waters of “you should use this piece of software”. But there are some real concerns with LastPass, and with the password management ecosystem in general, which lead us to question using them at all.
What has LastPass said about the breaches?
Alongside its advice for avoiding further problems arising from these breaches, the LastPass team was pretty candid about what had been exposed:
- On-demand, cloud-based development and source code repositories – this included 14 of 200 software repositories.
- Internal scripts from the repositories – these contained LastPass secrets and certificates.
- Internal documentation – technical information that described how the development environment operated.
- DevOps Secrets – restricted secrets that were used to gain access to our cloud-based backup storage.
- Cloud-based backup storage.
- Backup of LastPass MFA/Federation Database.
As part of the remediation, the LastPass team says it has implemented a number of measures: a prioritization of investment in security, privacy, and operations; a review of its security infrastructure; and a hardened environment. Excuse me for being the cynic, but a lot of these notions are pretty vague: none of them names a concrete control, and none can be checked from the outside. Until we see how LastPass performs under another “stress test”, we can’t be sure what these changes actually amount to.
If you are a concerned user of the LastPass Free, Premium, or Families plans, check out the consumer Security Bulletin. If you are using LastPass at an organization level, you’ll need to consult the separate business Security Bulletin instead.
What hasn’t LastPass said about the breaches?
As noted at the time in our initial investigation, there is a stunning lack of information about exactly what happened during the breach. While you might say “well, companies don’t want to completely expose their hand, especially in the wake of an attack” (and we agree!), the bigger problem is something we mentioned right at the start: trust and openness.
Nowhere does this press release deal with the problem of LastPass’s selective encryption. Like much password management software, LastPass didn’t (and possibly doesn’t; this has not been denied or confirmed by the organization) encrypt the URLs stored in the vault. That matters because an attacker holding a stolen vault backup doesn’t need the master password to read those URLs: they reveal which banks, mail providers, and corporate systems each user has accounts with, which is a ready-made target list for phishing and credential-stuffing. Although passwords themselves were never leaked, according to LastPass, there is a distinct question about what customer-related data did find itself in the ether. Similarly, no solid information has been offered about the eye-popping admission that a backup of the MFA/Federation database, and the associated secrets, were taken.
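To make the “selective encryption” concern concrete, here is an added example written for this article. It is not LastPass’s code or vault format; the vault layouts, the sample entries and the master key are all constructed, and the cipher is a stdlib-only toy standing in for a real AEAD such as AES-GCM so the example runs offline. It contrasts a vault that encrypts only the credential fields with one that encrypts the whole entry, and shows what an attacker holding the stolen file, but not the key, can read from each.

```python
"""Selective vs. whole-entry encryption in a password vault (constructed example)."""
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

# Constructed sample vault contents; not real accounts or credentials.
ENTRIES = [
    {"name": "Bank", "url": "https://bank.example/login",
     "username": "alice", "password": "hunter2!"},
    {"name": "Mail", "url": "https://mail.example/",
     "username": "alice@mail.example", "password": "correct horse"},
]

# Example master key. A real vault derives this from the master password with a slow KDF.
KEY = hashlib.sha256(b"example master password").digest()


# --- toy cipher: HMAC-SHA256 keystream plus HMAC tag. Illustration only, never use for real data.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> str:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()


def toy_decrypt(key: bytes, blob: str) -> bytes:
    raw = base64.b64decode(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: blob was modified or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# --- two vault layouts
def store_selective(key: bytes, entries: list) -> list:
    """Weak layout: only username and password are encrypted; name and URL stay in clear."""
    return [
        {"id": i, "name": e["name"], "url": e["url"],
         "username": toy_encrypt(key, e["username"].encode()),
         "password": toy_encrypt(key, e["password"].encode())}
        for i, e in enumerate(entries)
    ]


def store_full(key: bytes, entries: list) -> list:
    """Hardened layout: the whole entry is serialized and encrypted; only an opaque id is visible."""
    return [{"id": i, "blob": toy_encrypt(key, json.dumps(e).encode())}
            for i, e in enumerate(entries)]


# --- what each side can read
def attacker_view(stolen_vault: list) -> list:
    """Hostnames an attacker recovers from a stolen vault file without any key."""
    hosts = set()
    for rec in stolen_vault:
        for value in rec.values():
            if isinstance(value, str) and value.startswith(("http://", "https://")):
                hosts.add(urlparse(value).hostname)
    return sorted(hosts)


def owner_view(key: bytes, full_vault: list) -> list:
    """The legitimate user, holding the key, still recovers every entry from the hardened layout."""
    return [json.loads(toy_decrypt(key, rec["blob"])) for rec in full_vault]


if __name__ == "__main__":
    print("selective layout leaks:", attacker_view(store_selective(KEY, ENTRIES)))
    print("full layout leaks:     ", attacker_view(store_full(KEY, ENTRIES)))
    print("owner decrypts:        ", owner_view(KEY, store_full(KEY, ENTRIES)))
```

The point is not the cipher but the field boundary: in the selective layout every hostname in the vault is readable straight out of the stolen file, while in the whole-entry layout the same attacker learns only how many entries exist. Encrypting the whole record costs nothing in usability for the owner, who decrypts it anyway.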
As always, _secpro understands that cybersecurity isn’t easy. But we think a healthy dose of skepticism is necessary for LastPass users right now. Are the questions answered? Are we sure we won’t see this again in the near future? We’d love to hear your thoughts – leave a comment and tell us all about your opinion on LastPass and the growing concerns around password managers.