Starting Over After the Recent LastPass Breach
By now you’ve probably heard about the latest breach at LastPass. (Yes, I said “latest” – as in “not the first.”)
Here’s a quick recap of the latest incident:
Leading password manager LastPass has announced that an unknown threat actor breached an employee's home computer and obtained a decrypted corporate vault that was accessible only to a handful of developers in the company. The same threat actor had already breached LastPass previously, and the company believes the attacker was engaged in a new series of activities from August 12 to October 26, 2022.
During this time, the attacker was able to steal valid credentials from a senior DevOps engineer, access the contents of a LastPass data vault, and steal the encryption keys for customer vault backups stored in Amazon S3 buckets.
The breach was accomplished by exploiting a vulnerable third-party media software package installed on the engineer's home computer, which let the attacker implant keylogger malware and capture the employee's master password as it was typed, after the employee had authenticated with MFA. Once the threat actor had the decrypted vault, they exported its entries, including the decryption keys required to access the LastPass production backups in AWS S3 and other cloud-based storage resources.
LastPass had previously issued an update stating that the attackers had obtained customer vault data. Some fields in that data are plaintext, notably website URLs; others, including usernames, passwords, secure notes, and form-filled data, carry an additional layer of 256-bit AES encryption keyed from the user's master password, so they are only as safe as that master password is hard to guess.
The new details explain how the threat actor obtained the S3 encryption keys.
The tactics, techniques, and procedures used in the first incident were different from those used in the second one, which initially made it difficult for investigators to realize that the two incidents were directly related. The threat actor used information obtained during the first incident to enumerate and exfiltrate the data stored in the S3 buckets.
So. Where does that leave you?
We’ve got a few tips to help you get back on track if you were caught up in the mayhem. And even if you weren’t, they make a good security health check-up:
1 - Delete accounts you’re not currently using or no longer need. Every stale entry in a stolen vault is one more password an attacker can try elsewhere.
2 - Change passwords and make sure 2FA is enabled on all accounts. Start with email, banking, and anything that can reset other accounts. Changing your master password does not protect vault copies that were already taken, so the stored passwords themselves need to be rotated.
3 - Change the way you make memorable passwords (don’t make them too easy to guess), and be especially careful with passwords you need to key in over a TV remote: they tend to be short and simple, and a weak master password is exactly what lets an attacker decrypt a stolen vault offline.
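As an added example (not code from the original post or from LastPass), here is a small Python audit of a password-manager CSV export that covers tips 1 and 2: it flags passwords reused across entries, passwords short enough to brute-force offline, and entries with no stored TOTP seed. The column layout and the sample rows are assumptions constructed for the example; adjust the header names to match whatever your manager actually exports.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export for illustration only; none of these are real
# accounts or passwords. The column layout (url, username, password, totp,
# extra, name, grouping, fav) is an assumption about what a password-manager
# CSV export looks like; adjust the header names if yours differ.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://bank.example,alice,Tr0ub4dor&3,,,Bank,Finance,1
https://mail.example,alice@example.com,Tr0ub4dor&3,,,Mail,,0
https://forum.example,alice99,summer2019,,,Old forum,Misc,0
https://shop.example,alice,correct horse battery staple,JBSWY3DPEHPK3PXP,,Shop,,0
https://tv.example,alice,hunter2,,,Streaming,,0
"""

MIN_LENGTH = 12  # anything shorter is cheap to brute-force offline


def load_entries(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_reused(entries):
    """Return {password: [entry names]} for every password used in more than one entry."""
    by_password = defaultdict(list)
    for e in entries:
        if e["password"]:
            by_password[e["password"]].append(e["name"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def find_short(entries, min_length=MIN_LENGTH):
    """Entry names whose password is shorter than min_length characters."""
    return [e["name"] for e in entries if len(e["password"]) < min_length]


def find_without_totp(entries):
    """Entry names with no TOTP seed stored in the vault.

    An empty field only means the manager is not holding the seed; the site
    may still have 2FA enabled through an authenticator app or hardware key,
    so treat this as a list of accounts to check, not a list of failures.
    """
    return [e["name"] for e in entries if not e["totp"].strip()]


def audit(text):
    """Run all checks on an export and return the findings."""
    entries = load_entries(text)
    return {
        "reused": find_reused(entries),
        "short": find_short(entries),
        "no_totp": find_without_totp(entries),
    }


def report(findings):
    """Render findings as lines, with reused passwords masked."""
    lines = []
    for pw, names in findings["reused"].items():
        lines.append(f"REUSED  {'*' * len(pw)} shared by: {', '.join(names)}")
    for name in findings["short"]:
        lines.append(f"SHORT   {name}")
    for name in findings["no_totp"]:
        lines.append(f"NO TOTP {name} (confirm 2FA is enabled elsewhere)")
    return lines


if __name__ == "__main__":
    for line in report(audit(SAMPLE_EXPORT)):
        print(line)
```

Run it against a real export and you get a prioritised to-do list: rotate the reused and short ones first, then work through the accounts where 2FA is unconfirmed. Keep in mind that the export is a plaintext copy of your vault, so run the check on a machine you trust and delete the file once you are done.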
Interested in a free 14-day trial of our comprehensive Linux server security suite? Click here to sign up.