Following the colossal cock-up the other month, Lastpass have again been hacked.
This time through a media centre (allegedly Plex) running on a senior devops engineer's home workstation 😀👌
Plex was exploited and a keylogger installed on the workstation. This allowed the hacker to capture the login details for a 'master' Lastpass account, which had the login details for their Amazon S3 bucket. This contained critical data.
For those not versed in the boring world of IT security, allowing random 3rd party software to be installed on any PC with access to a company network would be considered amateur hour, even for a small company. But for a well known security software company of the scale and public awareness of LastPass to fail even this basic level of security, let alone one of their senior devops engineers is honestly mind blowing.
Another point is that their own intrusion detection and log monitoring failed to detect this; instead, Amazon's alerts are how they came to be aware of the hack.
It sounds like the sort of thing that Multi Factor Auth would have prevented
I particularly like how their own press release tries to shift blame on to third-parties...
'Neither incident was caused by any LastPass product defect or unauthorized access to – or abuse of – production systems. Rather, the threat actor exploited a vulnerability in third-party software, bypassed existing controls, and eventually accessed non-production development and backup storage environments.'
But this happened in YOUR environment, LastPass; you should have controls in place.
It sounds like the sort of thing that Multi Factor Auth would have prevented
Actually they were using MFA, but that was captured by the keylogger as well. I can only guess the attacker used it immediately?
Rather, the threat actor exploited a vulnerability in
... your poor control of software installation on your machines.
I can't quite believe how this was ever allowed to happen. We run a small development agency and all required apps are installed remotely by an admin. Nobody (without access to admin rights) could even install something like Plex onto their laptop. How on earth were LastPass even in a position where an employee was able and/or allowed to install Plex on a work machine?
Not great for Plex either or anyone using it - apparently they have no idea what the vulnerability is so can’t patch it! And LastPass not being helpful 😂
I assume this will only affect users of Plex that have downloaded a media server to their machine, not people using a browser to access a Plex server?
Actually they were using MFA, but that was captured by the keylogger as well. I can only guess the attacker used it immediately?
I believe like most of the password managers you can store the MFA key in the LastPass wallet. So once that's been compromised that's game over for MFA!
So what to do as a Lastpass account holder?
Will deleting the account protect anything now?
I can’t quite believe how this was ever allowed to happen. We run a small development agency and all required apps are installed remotely by an admin. Nobody (without access to admin rights) could even install something like Plex onto their laptop. How on earth were LastPass even in a position where an employee was able and/or allowed to install Plex on a work machine?
Indeed. Incredible.
So what to do as a Lastpass account holder?
Will deleting the account protect anything now?
Change all your passwords (ideally).
However it depends on a few things how vulnerable you are.
If your account was old, it may have been set up incorrectly (by lastpass). Basically they defaulted to a weak encryption setting (low iterations) and never upgraded people once they realised.
So if your account is more than a few years old, it is potentially more vulnerable.
It also depends how strong your password was.
Thirdly, I've read that the sites you had saved were leaked in plain text. Therefore it is easy for the hacker to know what your passwords were for. If you had banking/crypto/anything with immediate access to money stored, I would think you are likely to be more of a target.
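To make the iteration point above concrete, here is an added Python example (not from the thread, and not LastPass's own code) that models a vault key derived with PBKDF2-HMAC-SHA256 from the master password, salted with the account email; the derivation scheme, the 1,000-iteration "legacy" figure and the attacker's hash rate are assumptions for illustration, while 600,000 is the iteration count a later post in the thread mentions.

```python
import hashlib

KEY_LEN = 32  # 256-bit vault key


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Simplified model of a password-manager vault key (an assumption, not
    LastPass's exact scheme): PBKDF2-HMAC-SHA256 over the master password,
    salted with the lower-cased account email so that the same password at
    two accounts still yields two different keys."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def guesses_per_second(iterations: int, hmac_sha256_per_second: float) -> float:
    """Each PBKDF2 guess costs about `iterations` HMAC-SHA256 evaluations, so an
    attacker working offline on a stolen vault blob manages
    hmac_sha256_per_second / iterations master-password guesses per second."""
    return hmac_sha256_per_second / iterations


def seconds_to_exhaust(search_space: int, iterations: int,
                       hmac_sha256_per_second: float) -> float:
    """Time to try every candidate in `search_space`. Raising the iteration
    count scales this linearly; a stronger master password (a larger search
    space) scales it far more, which is why both matter."""
    return search_space / guesses_per_second(iterations, hmac_sha256_per_second)


if __name__ == "__main__":
    # Constructed sample: a stale low-iteration account versus a re-keyed one.
    pw, email = "correct horse battery staple", "Someone@example.com"
    low, high = 1_000, 600_000   # 1_000 is a constructed "legacy" default
    rate = 1e10                  # assumed HMAC-SHA256/s for an offline cracking rig
    assert derive_vault_key(pw, email, low) != derive_vault_key(pw, email, high)
    for it in (low, high):
        days = seconds_to_exhaust(10**12, it, rate) / 86400
        print(f"{it:>7} iterations: {guesses_per_second(it, rate):,.0f} guesses/s, "
              f"{days:.1f} days to try 10^12 candidates")
```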
Not great for Plex either or anyone using it – apparently they have no idea what the vulnerability is so can’t patch it! And LastPass not being helpful 😂
Their blame detection and prevention isn't good enough?
Happy enough to accept there might be a plex issue but the hurry to pass the buck coupled with LastPass not being overly helpful does pang very much of "Wtaf has happened? We don't know but incidentally plex has been installed on that machine and shouldn't have. Yep that'll do, all plex's fault"
all required apps are installed remotely by an admin
Maybe the hacked employee was an admin.
Maybe the hacked employee was an admin.
Then their own security measures were dreadful and they clearly weren't listening during the internet safety training / online security sessions that LastPass must have undertaken (and officially logged) in order to get the ISO27001 certification that they got on 27 July 2022.
Happy enough to accept there might be a plex issue but the hurry to pass the buck
well, according to the article, the Plex-blaming isn't the official line from LP but from an anonymous source... could also be an unofficial-official "leak" though of course...
It also mentions Plex themselves were breached soon after, whether it's linked or not no-one knows but a lot of customer data was taken. I had been using Plex since the Xbox Media Centre days but binned them off some time ago, didn't like the direction it was headed in (trying to become some kind of international media conglomerate!)
Maybe the hacked employee was an admin.
Any installations here are rolled out to the user via AD Groups/Group Policy. No-one actually logs into a machine and installs software, Admin or not.
They need YubiKeys (that’s what we are enforcing next).
It’s extremely trivial to steal the certificate and use it with Mimikatz btw.
Ouch! DevOps = 50% Dev + 50% Ops + 0% SecOps. Why is a senior developer using their home computer to access company files?
Why is a senior developer using their home computer to access company files?
Or installing unauthorised software onto a company device.
But for a well known security software company of the scale and public awareness of LastPass to fail even this basic level of security, let alone one of their senior devops engineers is honestly mind blowing.
Yikes. There are some people I would understand doing this, but if your senior devops staff don't automatically know that this is wrong then you have an issue. Time to jump ship I think
The hacked DevOps engineer was one of only four LastPass employees with access to the corporate vault. Once in possession of the decrypted vault, the threat actor exported the entries, including the “decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”
1 of only four. Absolutely no excuse for not being aware of the possibilities
Sure, although the article relates that the hack involved the compromise of the employee’s home computer.
Lol, some major reading fail by some of the posters here...
They need YubiKeys (that’s what we are enforcing next).
It’s extremely trivial to steal the certificate and use it with Mimikatz btw.
The private keys of the key pair are held only on the yubikey for FIDO authentication so would be tricky to get to those with Mimikatz unless Mimikatz just gets the authorization token once authentication has taken place
Sure, although the article relates that the hack involved the compromise of the employee’s home computer.
Ahh right - I missed that bit. Either way it was a pretty major screw-up though.
So where would the liability be if this led to a fraudulent transaction? Would you have been deemed to have shared a personal password with a 3rd party (lastpass) or is it a given that you stored the password safely (like writing it down and locking it in a drawer)?
Ok well as this seems that the breach was to be from last August, hopefully I don't need to change my passwords again.
Might look at changing provider though, any suggestions?
1Password would be my preferred app for a replacement. It's not going to be fun if you've lots of passwords though!
1Password does everything with no added extras required. You may need to check that your preferred cloud storage will allow the vault to be stored online.
I tend to go with the theory that they are probably safer than most now as they will be super vigilant. But despite reading this thread and the various statements from LastPass I still can’t tell if my passwords are actually at risk from any of this or not. I’ve changed the master one to something so random I had to write it down somewhere😀 changed the number of iterations to 600000 and changed the passwords for anything with financial information. Hopefully that is enough.
Oh joy, that's a good chunk of tomorrow taken care of 🙁
FWIW my job is supplier assurance with a Bank, we use LastPass but as the assurance is 'owned' at Group level it's not me that's missed anything 🙂
For the record, I don't use password vaults myself, neither professional nor privately.
As per @grahamt1980 looks like I don't need to change all my passwords again. At least.
Already done that for anything important after the first announcement and also switched on MFA for any service that offered it.
When I heard about the first breach I took a look at 1Password - looked a pain to use, particularly on mobile.
Was giving LastPass the benefit of the doubt but think I will probably be moving elsewhere. You might think they would be more vigilant but unfortunately problems like this are often culture related (rushing/cutting corners) and/or they've dug themselves a hole of technical debt and are struggling to keep up.
Failing to adequately secure your backups, when those backups contain all the Crown Jewels, and also your whole business is as an infosec company, is very very shoddy
I can’t quite believe how this was ever allowed to happen. We run a small development agency and all required apps are installed remotely by an admin.
I think that's pretty uncommon outside of Windows shops.
“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
Hmm... that doesn't make much sense though.
They know what the vault's password is, after the employee has auth'd with MFA - but so what? MFA should still prevent the attacker from accessing the vault, that's... the point of MFA. Just because the employee has auth'd with MFA doesn't mean someone else gets to login without MFA.
This doesn't feel like the whole story.
1Password would be my preferred app for a replacement. It’s not going to be fun if you’ve lots of passwords though!
you can export a password file from LastPass and import it directly into 1Password - that’s what we did. It only takes a couple of minutes.
Dashlane any good as a password manager?
Keeping the same passwords as the possible compromised ones?
Keeping the same passwords as the possible compromised ones?
That's up to the user, but it is very easy to then go through and change individual passwords with a couple of clicks in 1Password.
I'm fighting that I changed mine last month after the previous thread, and the issue in this one was last year so I shouldn't need to change them again.
Have done all the other recommended actions so will export at some point. Just need to decide which one to move to
That reminds me, I'm going to stop that annoying hacker who keeps editing my STW posts.
EDIT: No you won't
you can export a password file from LastPass and import it directly into 1Password – that’s what we did. It only takes a couple of minutes.
Just to make it entirely clear to everyone, moving password manager does not protect you from the breach if you are/were using LastPass. YOU STILL NEED TO GO AND CHANGE ALL YOUR PASSWORDS!!!
I don't agree with the official LastPass stance that you don't need to. Although they say your passwords will still be encrypted in what the hacker got access to, you are assuming the encryption won't be cracked /taking last pass at their word that it was in fact encrypted.
Just to make it entirely clear to everyone, moving password manager does not protect you from the breach if you are/were using LastPass. YOU STILL NEED TO GO AND CHANGE ALL YOUR PASSWORDS!!!
Yeah I did say in a later post that once the passwords are in 1Password, it is easy to update them to new secure passwords.
“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
Hmm… that doesn’t make much sense though.
They know what the vault’s password is, after the employee has auth’d with MFA – but so what? MFA should still prevent the attacker from accessing the vault, that’s… the point of MFA. Just because the employee has auth’d with MFA doesn’t mean someone else gets to login without MFA.
This doesn’t feel like the whole story.
See xora's post; apparently you can use Lastpass to back up your MFA seed keys, therefore those were compromised also. From the LastPass PDF:
Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.
That reminds me, I’m going to stop that annoying hacker who keeps editing my STW posts.
EDIT: No you won’t
🙂
The password vaults are individually encrypted, so it's not just a matter of cracking encryption for all users; they would have to crack each user's encryption separately. That is a massive undertaking.
However I am hugely disappointed by LastPass's communication around this issue. I don't think they have been honest with their user base, and have left us trying to work out exactly what this hack has meant for our security; for that alone I am looking for an alternative.
How do others find the alternatives handle passwords on iPhones, plugging in with the system API?