LastPass: Security Incident Update and Recommended Actions (1st March 2023)

Recommended Actions: find a better place to store your passwords

&gt; This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.<p>Your corporate vault, with all of your database keys, was stored and accessed from someone&#x27;s personal computer?<p>&gt; We assisted the DevOps Engineer with hardening the security of their home network and personal resources.<p>And even after this incident, you <i>let them keep using a personal computer</i>???<p>This really just reflects incredibly poorly on LastPass&#x27;s internal security team. I was under considerably more robust endpoint protection policies as a random intern at a legacy Fortune 500.<p>Edit: I&#x27;m quoting from a separate linked blog post here: <a href="https:&#x2F;&#x2F;support.lastpass.com&#x2F;help&#x2F;incident-2-additional-details-of-the-attack" rel="nofollow">https:&#x2F;&#x2F;support.lastpass.com&#x2F;help&#x2F;incident-2-additional-deta...</a>

I asked about the totp seeds in a previous thread a few months back since those were not being mentioned (though I fully expected them to have been a part of the backups that were accessed).<p>Looks like they were a part of it but even worse the attacker also got the decryption key (yikes!)<p>&quot;Backup of LastPass MFA&#x2F;Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.&quot;

So glad to be done with LastPass. Anyone who thinks this won’t happen again is lying to theirselves.

Still no details on how far those stolen vault backups went. I&#x27;d like to know which of my vault passwords over the years was included.<p>I&#x27;ve since switched to 1password and rotated every (damn) password. That was an entire weekend burned.

Their “Security Bulletin: Recommended Actions for LastPass Free, Premium, and Families” linked on this page is not available. Outage&#x2F;overloaded? As a premium user, I got a popup in their app as well leading to this information page, but the actual information on suggested actions is not retrievable.<p>How unacceptable.

Oh my !<p>A software engineer’s corporate laptop was compromised, allowing the unauthorized threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets.

I&#x27;m finally leaving this abusive relationship.<p>Hello 1password

tl;dr - LastPass&#x27;s infrastructure was completely insecure. Oops, but please keep trusting us with your passwords and hopefully pay us. By the way, if you want to stay safe, go read our Security Bulletins.