Editor’s note: This story has been updated with additional timeline details and comments from LastPass.
The hits keep coming for LastPass and its customers.
A breach in August, which the company said was contained weeks later, continued to unravel and confound investigators for months.
The threat actor gained more access following the initial compromise and evaded detection by blending in with legitimate activity, LastPass concluded in recent updates.
The details of the cyberattack targeting LastPass got more concerning and specific over recent months, culminating with an apology CEO Karim Toubba released Wednesday.
The blog post and recommended actions were shared with business administrators days prior so they could prepare for broader notifications and triage within their companies.
The breach and widespread theft of sensitive data impact almost every LastPass user. “Any LastPass user that created an account after Sept. 16 or had deleted their account prior to June 21, would not have had their vault data taken,” a spokesperson said.
Incident response firm Mandiant, which assisted LastPass on back-to-back investigations, declined a request for comment.
How the cyberattack at LastPass unfolded
Aug. 8, 2022
A threat actor compromised a LastPass software engineer's corporate laptop to gain access to a cloud-based development environment. The adversary stole source code, proprietary technical documentation and some of the company’s internal system secrets.
The threat actor used technical documentation and source code to exfiltrate 14 of approximately 200 source-code repositories related to components of the LastPass service.
The source-code repositories included cleartext embedded credentials, stored digital certificates for the company’s development infrastructure and encrypted credentials used for production.
Aug. 12, 2022
The LastPass security team was alerted to the malicious activity. The company refers to this as the “first incident,” which was immediately followed by a “second incident” the company says began Aug. 12.
In the follow-on compromise, the threat actor used information exfiltrated from the initial breach to initiate a more widespread and damaging attack.
Aug. 13, 2022
LastPass engaged with incident response firm Mandiant.
Aug. 14, 2022
The threat actor copied a backup of LastPass’ customer database containing unencrypted account information, related metadata and application configuration options such as multifactor authentication.
Aug. 25, 2022
Toubba said the breach was contained and LastPass saw no further evidence of unauthorized activity.
LastPass made a distinction between its production and development infrastructure at this stage, and said the unauthorized access occurred in its development environment, which is physically and logically separated and doesn’t hold personal data.
Sept. 8, 2022
The threat actor started to copy five binary large object (BLOB) database shards. The backups were dated Aug. 20, Aug. 30, Aug. 31, Sept. 8 and Sept. 16. The exfiltration of database backups occurred between Sept. 8 and Sept. 22.
Sept. 15, 2022
LastPass completed its investigation into the first incident with assistance from Mandiant.
The company said the threat actor was inside its development system for four days and it contained the breach.
“There is no evidence of any threat actor activity beyond the established timeline,” Toubba said in the updated blog post. “We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.”
Third-party VPN services allowed the threat actor to obscure their location, impersonate the software engineer and access and maintain a dedicated connection to the cloud-based development environment via corporate VPN.
LastPass describes this as a “tailgate” approach that relied on the software engineer’s successful authentication with domain credentials and MFA.
“No privilege escalation was identified or required,” the company said in its incident report.
The threat actor also performed anti-forensic activity, and an operating system upgrade on the software engineer’s corporate laptop scheduled during the four-day period overwrote logs and system artifacts.
The initial threat vector that the adversary used to gain access to the software engineer’s machine remains unknown, according to LastPass.
Oct. 26, 2022
The threat actor, still active in LastPass systems, “engaged in a new series of reconnaissance, enumeration and exfiltration activities” involving the company’s AWS S3 storage buckets, a subsequent investigation found.
The threat actor operated undetected by LastPass for almost three months as part of the second incident, which LastPass said spanned from Aug. 12 to Oct. 26.
“We cannot confirm with certainty that it was one or more threat actors,” a LastPass spokesperson told Cybersecurity Dive.
“There were no further exfiltration activities after Sept. 22, 2022. Since Oct. 26, 2022, we have not seen any threat actor activity.”
Nov. 30, 2022
The password manager, for the first time, acknowledged customer data was compromised as a result of the cyberattack.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” Toubba said in an updated blog post.
LastPass did not say when it discovered the subsequent breach. The company notified law enforcement and reengaged with Mandiant to determine the scope of compromise and identify what information was exposed.
Dec. 22, 2022
LastPass said customer data was significantly compromised after the threat actor copied a cloud-based backup of customer vault data.
The trove of stolen data included encrypted passwords, usernames and form-filled data. The customer data vault also contained unencrypted data, such as the website URLs customers access via the password manager, company names, billing addresses, email addresses, phone numbers and the IP addresses customers use to access the platform.
LastPass warned customers to be on the lookout for brute force, phishing and credential stuffing attacks.
Most of the highly sensitive customer account data held by the password manager, with the exception of users’ master passwords, are now compromised.
“This is about as bad as it gets,” Chester Wisniewski, field CTO of applied research at Sophos, said via email at the time.
Jan. 23, 2023
GoTo, the parent company of LastPass, revealed a threat actor exfiltrated encrypted backups and an encryption key from the same storage vault it shares with LastPass.
Feb. 27, 2023
LastPass, more than six months after the initial incident, linked the threat actor from the August breach to the long-lasting subsequent attack.
The adversary used information stolen in the initial breach, information from a third-party breach and a remote code execution vulnerability on a DevOps engineer’s home computer to gain access to multiple LastPass resources and backups, the company said in an advisory on its support site.
“The threat actor targeted one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service,” LastPass said. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
The threat actor exploited a vulnerable third-party media software package to implant keylogger malware on the engineer’s device.
The intrusion allowed the threat actor to exfiltrate corporate vault entries and shared folders, which contained encrypted notes with access and decryption keys needed to access the company’s AWS production backups, resources and some critical database backups, the company said.
The observed tactics, techniques and procedures, as well as the indicators of compromise, were not consistent between the first and second incident, the company said. “While proximal in terms of timeline, it was not initially obvious that the two incidents were directly related.”
Because the threat actor used valid credentials stolen from a senior DevOps engineer, investigators were unable to “differentiate between threat actor activity and ongoing legitimate activity,” the company said.
AWS GuardDuty alerts ultimately informed LastPass of anomalous behavior it detected when the threat actor attempted to use Cloud Identity and Access Management roles to perform unauthorized activity, according to the company’s update.
The monthslong campaign resulted in widespread theft of customers’ data.
LastPass listed multiple actions it’s taken in response to the incident as part of its ongoing containment, eradication and recovery efforts. The company also posted a security bulletin that encourages business administrators to take additional measures to strengthen protection.
March 1, 2023
Toubba released his fifth and most detailed blog post to date related to the cyberattack. After six months of confusion and turmoil, Toubba acknowledged customers’ frustration and pledged greater communication and transparency.
“I accept the criticism and take full responsibility,” he said.
Toubba blamed the long but now complete investigation for the company’s “inability to communicate more immediately, more clearly and more comprehensively throughout this event.”
During the attack, the threat actor accessed DevOps secrets, cloud-based backup storage and a backup of LastPass’ MFA database.
“End-user master passwords are never known to LastPass and are not stored or maintained by LastPass – therefore, they were not included in the exfiltrated data,” Toubba said.
The AWS storage backup contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data.
The MFA database included copies of customers’ LastPass authenticator seeds, phone numbers used for MFA backup and a split-knowledge component, known as K2 keys, used by business customers.
The MFA database was encrypted, but the threat actor stole the separately stored decryption key during the attack.
“The identity of the threat actor and their motivation remains unknown,” Toubba said. “There has been no contact or demands made, and there has been no detected credible underground activity indicating that the threat actor is actively engaged in marketing or selling any information obtained during either incident.”