To surprise of almost no one, LastPass was once again hacked[1]. Regarding the data that was accessed:
"Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud storage environment," LastPass said, adding the engineer "had access to the decryption keys needed to access the cloud storage service."
This allowed the malicious actor to obtain access to the AWS S3 buckets that housed backups of LastPass customer and encrypted vault data, it further noted.
Not only is this another breach of their users private information (it doesn't matter if that information is encrypted or not), they had the lack of respect to only notify some users first and ask them to keep quiet about this hack[2]:
Dear Valued Customer,
We are writing to update you on our recent security incident. We are giving you advance notification because we recognize that, as LastPass Managed Service Providers, you may need additional time to prepare your organization. With that in mind, we are providing you with full visibility in advance of our general announcement.
Our announcement will include the following:
An important update on our investigation into the security incident disclosed on December 22 on our blog. The new blog post will share that we have now completed an exhaustive investigation and have not seen any threat actor activity since October 26. It will also provide additional detail as to what happened and the actions we have taken in response, what data was accessed, what we have done to secure LastPass, actions we are recommending customers take to protect themselves or their businesses, and what you can expect from us going forward. You can preview the blog post here.
A detailed Security Bulletin designed to help you assess what actions you should take to protect your business. This Security Bulletin outlines several areas of recently discovered potential risks related to the incident, including risks related to enterprise account configurations, user settings, third-party integrations, and multifactor authentication data. You should review this document and take the appropriate actions given your specific security posture and environment. You can preview the Security Bulletin here.
Given the sensitive nature of this information and to give you time to implement the Security Bulletin changes, we ask that you please treat this information as confidential until it becomes available to the public later this week. Thank you for your attention to this matter and for your on-going partnership.
Thank you,
The Team at LastPass
If after all this mess anyone reading this message is still a customer of this company, I highly advice you to switch to another provider and update all your credentials that you had stored there. If you're unsure where you start, I highly recommend Bitwarden[3] (just now they've released a blog post detailing how commuted they are with annual third-party audits (you can also check their previous security assessments).
[1]
https://thehackernews.com/2023/02/lastpass-reveals-second-attack.html[2]
https://libreddit.spike.codes/r/Lastpass/comments/11dijpn/comment/ja9wosu/[3]
https://github.com/bitwarden[4]
https://bitwarden.com/blog/third-party-security-audit/
