Advisory Group member Darren Chapman of CyberScale has some advice following the LastPass Security Incident

Are you aware of the recent LastPass security incident? That your password “vault” may have been in the hand of attackers? Have you seen some of the news but aren’t quite clear on what it all means, or importantly, what you should do now? Are you looking for some clear advice? Read on.

If you’re reading this article, I’m sure you’re aware of the recent LastPass data breach. In addition to the information publicly released around this incident from LastPass themselves, there is some really good additional information available based on analysis from a number of security experts, many of whom have a detailed understanding of encryption, as well as the specific architecture and process is used by LastPass. A number of these security professionals have also conducted their own testing and documented their findings.

A lot of this information is very technical in nature. This article seeks to utilise the information available to provide concerned LastPass customers with some practical, balanced guidance on what you can do to minimise the risks associated with this incident. If you want to understand the finer detail around what feeds into this advice, I’ll reference and credit the relevant sources at the end of this article.

The purpose of this article is not to pass comment or judgement on the LastPass product, processes or how they have dealt with the incident, or to recommend alternative products which may or may not be better (there’s always multiple factors to consider here). The over-riding aim is to clearly present the potential risks associated with this incident and to provide you with some easy-to-follow advice on how to analyse your level of risk, and sensible next steps to take.

The official line from LastPass

So firstly, let’s recap briefly what’s happened, as per the information released by LastPass:

• In August 2022, LastPass advised that an unauthorised party gained access to some parts of a development environment and extracted some code and technical information. At this point, LastPass indicated that they could see no evidence of access to any customer data or password vaults
• In September 2022, LastPass issued an update on the above incident following conclusion of their investigations, and again stated that they saw no evidence of access to customer data or encrypted password vaults
• At the end of November 2022, LastPass issued a new communication informing customers that using information obtained in the earlier incident, an unauthorised party was able to gain access to “certain elements” of customers information
• On 22nd of December 2022, LastPass issued an update to the above communication. In this communication, they stated that they had determined that the unauthorised party was able to obtain a backup of customer vault data. This communication contained a great deal more information than the previous statements by LastPass.

You can read all of the communications from LastPass outlined above in the LastPass blog, here:

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Key points to know about the LastPass Incident

Based on reviewing and interpreting all of that, along with detailed analysis from other sources, here’s a few key things to know.

• LastPass haven’t specifically stated whether all customer LastPass vaults have been compromised or whether a subset of customers vaults were affected. We have to therefore assume that is all of them.
• The data that has been compromised is referred to by LastPass as “password vaults”. Vaults contain a whole host of information. Usernames and passwords, along with some other data is encrypted, however not all of the data within these vaults is encrypted.
• The data that is not encrypted, which includes information such as URL’s for websites you visit, can be used straight away to determine which sites and apps you use, and what you have passwords stored for in your vault
• The data which IS encrypted may be temporarily or permanently inaccessible to the attackers. Their ability to decrypt this, and how quickly they might be able to do so depends on a number of factors, a critical one being the strength of your Master Password at the time the vault data was obtained
• The attackers have an offline copy of the data that’s been compromised. This means a few things:
  • Changing your LastPass password now will not affect their ability to access the information that they’ve obtained (although it does prevent them accessing your data online in the future)
  • You, and LastPass have no control over the data that’s been extracted
  • The attackers have as long as they need to utilise the unencrypted data, and decrypt the encrypted data
  • Whether or not you have Multifactor Authentication setup for your LastPass account (and you absolutely should have) actually makes no difference to the ability to use the offline data. It does however limit the ability to access your data online if the password is obtained.

How at risk am I from the LastPass incident?

As with most security tools, the overall level of security they provide is a combination of the tool itself, and the decision you make. If anything demonstrates that point, this incident does. The level of risk therefore is different for each LastPass user.

The key questions you need to consider are (answer these as of August, i.e. the point the data was obtained):

• How strong is your Master Password?
• Have you used your Master Password for anything else?
• Is your Master Password similar to other passwords you might have (e.g. do you have a word which you commonly use as part of your password with slight variations across different accounts)?

The questions above all have a bearing on how long it might take to obtain your Master Password (using various different methods) and use it to decrypt your data.

Then you need to consider the data itself stored within your vault. This is mainly sites/apps along with their usernames and passwords, but could also include bank account and card details, notes, PIN numbers, names, addresses, personal/sensitive information that you stored in LastPass to “keep safe”. Key questions here are:

• Are the site passwords stored within my vault strong, unique passwords, or are there weak and/or reused passwords?
• Which sites/apps stored in my LastPass vault have MFA configured and which do not?
• What sensitive data (apart from usernames/passwords) do I have stored in LastPass and what could an attacker do with it?

As you can see, there a number of questions to ask yourself which will help determine how at risk you are. This list is not exhaustive. You can probably determine largely how these fit together. For example:

If your Master Password is the same as you use on other sites, and is weak, and you don’t have MFA on your Gmail account (with the password stored in LastPass) – HIGH RISK

Strong, unique Master Password, no weak of reused passwords in the vault, MFA setup on anything containing important data – LOWER RISK

You get the idea, but there are a lot of inter-relating factors to consider.

Action Plan & Priorities

So, this is the piece that you’re probably here for – what do I need to do and in what order – what are the priorities?

This will vary depending on your risk, so I’ve tried to create a list which helps you both assess the risk and act accordingly. I’m not going to attempt to explain in detail the rationale behind the order, but if enough people are interested, I may do a follow up video to explain it.

Here’s the process.

Note that this process has been written specifically for stored passwords. For other items such as secure notes, follow the same priority order depending on what information was contained in the notes. If you stored bank card information such as PIN numbers or CVV codes, particularly if you did not have a strong Master Password, it would be wise to change PIN’s or order new cards (in the case of CVV codes).

Additional actions

• Be extremely vigilant and on the lookout for phishing emails for ANY accounts that you had stored in LastPass. This is because URL’s (website addresses) of the accounts stored in your vault were NOT encrypted. Over the coming weeks and months, it is highly likely that targeted phishing attempts for sites which may well include reference to the LastPass breach or attempts to gain access to your account will be common.
• You may wish to consider changing your password manager or changing how you authenticate applications and websites by using Single Sign on or newer passwordless technologies. If you do decide to move to a different password manager, do your research and/or take some advice on this – don’t just move to “another” password manager as it may or may not be better for you depending on a whole bunch of factors.
• When implementing MFA, consider more secure mechanisms such as hardware tokens
• If you are using websites or apps that don’t support MFA, consider how seriously these providers take the security of your data, and whether you should continue using them
• If you have One Time or recovery passwords setup for accounts in order to gain access if you forget your password or lost access to your MFA token, I would advise updating these when you change your passwords
• Remove any accounts/password that you are no longer using (make sure your accounts for the sites are de-activated and data deleted)
• Educate yourself further. No matter how much we might know about security, we can always learn more, and things change constantly. There are lots of resources out there, and lots of people and organisations who can help, much of it free. Visit the National Cyber Security Centre website. Join your local Cyber Resilience Centre. Reach out to a security professional. Above all, take responsibility. You can’t just leave it to someone else – however “secure” their solution might appear to be on the surface – as this incident has highlighted.

References/Credit

The following people and articles were most helpful in putting this article together, through either direct assistance/review or just posting/sharing their knowledge which was useful for researching, and I would like to thank them all.

Daniel Card Greg Ford The CyberScale team https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/ https://infosec.exchange/@epixoip/109585049354200263