LastPass suffered two large-scale and public data breaches last year: the first in August, in which source code was stolen, and the second in November, in which partially encrypted password vault data and customer information was stolen. Information from the first breach was used to carry out the second attack, and a keylogger installed on a senior DevOps engineer’s home computer was key to the success of the November attack.
Initial Attack – August 2022
A developer account was compromised, which allowed attackers to gain access to technical information about LastPass and resulted in the exfiltration of some portions of LastPass source code. Although the attacker was able to access the development environment, proper segregation of the network, including physical separation from the production environment, protected customers’ data and vaults from being accessed at this time. Although not a lot of information was revealed by the company at the time of the attack, they did confirm that the attackers were able to access internal systems for four days before being evicted.
Gaining Credentials
New details have been revealed about how the keylogger was installed on a senior employee’s computer, including that the point of failure was a vulnerability in Plex Media Server software running on the employee’s home network. This software vulnerability was patched in May 2020, with a spokesperson for the company explaining “The version that addressed this exploit was roughly 75 versions ago”.
The exploited vulnerability, CVE-2020-5741, is a deserialisation of untrusted data flaw in Plex Media Server on Windows. It allows a remote authenticated attacker to execute arbitrary Python code by uploading a malicious file through the Camera Upload feature of the vulnerable software. Because the server data directory overlaps with the library directory that receives camera uploads, the media server can be tricked into executing the code in the uploaded file. This is a high severity flaw with a CVSS base score of 7.2/10; however, it was patched immediately after disclosure, in Plex Media Server v1.19.3 published in May 2020.
The keylogger malware that was installed through this attack captured the employee’s master password for their LastPass corporate vault. It is suspected that this particular employee was targeted specifically, because in order to carry out this attack successfully the attacker already had to have established admin access to the Plex Media Server account that was exploited. The severity of the attack carried out through this unpatched vulnerability highlights not only the need to keep all software up to date at home as well as at work, but also the need to restrict access to work data from personal devices.
Second Attack – November 2022
The second attack was made possible using the credentials captured by the keylogger on the DevOps engineer’s home network. After the engineer had authenticated to the LastPass systems with MFA, the attackers were able to use the stolen credentials to access all the data stored in their LastPass vault, which included the credentials needed to access the LastPass corporate network. This gave the attackers access to areas of the LastPass environment where customer data was stored. The customer data accessed and stolen in this attack came from an archived cloud backup and included a mix of plain-text website URLs, encrypted usernames and passwords, secure notes, and form-fill data. Cloud storage was accessed using stolen cloud storage access keys and dual storage container decryption keys that were obtained from the developer environment.
The master password to each vault is not stored by LastPass, hence the need to obtain the employee’s master password through other means before this attack could be carried out. This also means that customers’ master passwords have not been exposed. However, any customers using LastPass at the time of the breach should assume that all passwords and other sensitive data within their vaults have been compromised, and should change the passwords for all logins stored in their LastPass vault immediately if they have not already done so.
Other unencrypted data obtained from customers’ vaults through this attack includes:
- Company names
- End-user names
- Billing addresses
- Email addresses
- Telephone numbers
- IP addresses from which the LastPass service was accessed.
Consequences for Customers’ Data
At the time of the first attack in August, users were advised that although no customer data had been revealed in this breach, they should continue to follow the LastPass best practices for setup and configuration. However, for older customers, the configuration chosen when they first set up their vault was kept rather than improved over time, which left users who joined prior to February 2018 in a more vulnerable position. This is because the PBKDF algorithm used to protect passwords within the customer’s vault was considered secure when run only a small number of times, but as available computing horsepower increased, LastPass increased the number of iterations of the algorithm used to protect customer data.
In 2012 LastPass increased the number of times the data was hashed from 1 to 500, then in 2013 this was increased to 5000, and in 2018 it was changed again to 100,100 iterations. However, these changes only applied to new customers; existing customers’ vaults instead kept using the number of iterations in effect at the time they signed up. This means customers who signed up in 2012 had the passwords in their LastPass vault hashed only 500 times, which is 0.005% as strong as the current recommendations by LastPass themselves. Even the 100,100 iterations LastPass now uses as standard is less than the OWASP recommendation of 300,000.
Customer data obtained during the November attack includes unencrypted fields, such as website URLs and company names, and encrypted data, such as usernames and passwords. Cyber criminals can easily locate high-value targets such as bank details, crypto wallets, or business logins, and then brute force the hashing algorithm in an attempt to obtain a hash matching the encrypted password. The fewer times a password has been through the algorithm in the first place, the more vulnerable that customer’s data is now that the hashed versions of the passwords have been exposed. Customers can configure the number of iterations of the hash algorithm in their LastPass vault by going to Settings – Advanced Settings – Password Iterations.
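To make the iteration-count discussion above concrete, the following added example (written for this article, not LastPass code) derives a 256-bit key from a master password with PBKDF2-HMAC-SHA256 at each of the iteration counts the article mentions, and shows how the per-guess cost scales with the count: the work factor of a 500-iteration vault relative to the 100,100 default comes out at roughly 0.005 (one guess costs about half a percent of the default), and the measured derivation time extrapolates to how long it would take to test a given number of candidate passwords against a stolen vault. The master password, salt and candidate-list size are constructed for the example; the scheme assumes only what the article states (PBKDF2 with a configurable iteration count), and the SHA-256 variant and 32-byte output are assumptions for illustration.

```python
import hashlib
import os
import time

# Iteration counts named in the article: the LastPass defaults over time and
# the OWASP figure the article quotes.
ITERATION_HISTORY = {
    "pre-2012 default": 1,
    "2012 default": 500,
    "2013 default": 5_000,
    "2018 default": 100_100,
    "OWASP recommendation (as quoted)": 300_000,
}


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte key with PBKDF2-HMAC-SHA256.

    The hash variant and output length are assumptions for this example; the
    article only states that PBKDF2 is run a configurable number of times.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def relative_work_factor(iterations: int, baseline: int) -> float:
    """Cost of one password guess at `iterations` relative to `baseline`.

    PBKDF2 cost is linear in the iteration count, so 500 vs 100,100 gives
    about 0.005: each guess against the older vault costs ~0.5% as much.
    """
    return iterations / baseline


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the fastest of `samples` derivations on this machine.

    Uses a constructed password and salt; only the timing matters here.
    """
    salt = b"constructed-example-salt"
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("correct horse battery staple", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def seconds_to_test(candidates: int, iterations: int) -> float:
    """Extrapolate how long testing `candidates` guesses would take at the
    measured single-core rate for the given iteration count. Real attackers
    use GPUs and many cores, so treat this as a lower bound on the ratio, not
    an absolute figure."""
    return candidates * seconds_per_guess(iterations)


def weak_configurations(history: dict, minimum: int) -> list:
    """Return the names of configurations whose iteration count is below
    `minimum`; useful when auditing which account cohorts need a raised count."""
    return [name for name, count in history.items() if count < minimum]


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed per-vault salt for the demo
    baseline = ITERATION_HISTORY["2018 default"]
    candidates = 1_000_000  # constructed size of a candidate password list

    for name, iterations in ITERATION_HISTORY.items():
        key = derive_vault_key("example master password", salt, iterations)
        ratio = relative_work_factor(iterations, baseline)
        est = seconds_to_test(candidates, iterations)
        print(f"{name:34s} {iterations:>8d} iters  "
              f"key={key.hex()[:16]}...  work vs 100,100 = {ratio:.4f}  "
              f"~{est:,.0f}s per {candidates:,} guesses")

    print("below the 2018 default:",
          weak_configurations(ITERATION_HISTORY, baseline))
```

Running the script prints one line per historical configuration; the absolute timings depend on the machine, but the ratios do not, which is the point of the article's comparison: a vault left at 500 iterations gives an attacker roughly two hundred times as many guesses per second as one at 100,100, and six hundred times as many as one at the quoted OWASP figure.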
Lessons Learned from this attack
The attack against LastPass was a highly organised enterprise, specifically targeting the handful of people who had access to the company’s crown jewels. Access was eventually gained by compromising the home network of one employee, leveraging that access to compromise their personal computer, and so capturing their LastPass master password with a keylogger.
Security managers may need to reconsider the way employees use company computers on home networks, and educate all employees about the risks posed by devices on home networks that are not kept patched and up to date.