LastPass had another data breach! LastPass disclosed that attackers gained access to customer information through a compromise of a third-party vendor called Klue, a market-intelligence platform integrated with LastPass’s Salesforce environment. Attackers reportedly stole OAuth tokens from Klue and used them to access LastPass customer data.
What Data Was Exposed?
According to LastPass, the exposed information may include:
- Customer names
- Email addresses
- Phone numbers
- Postal addresses
- Customer support case information and related records
The company says customer password vaults, master passwords, and stored credentials were not affected in this incident.
Why Is It Important?
Even though vault contents were not reportedly accessed, stolen contact and support case data can be valuable for phishing and social engineering attacks. Attackers may impersonate LastPass support or send convincing emails designed to trick users into revealing credentials or MFA codes.
LastPass Has A Long History Of Incidents
2011 Security Incident
On May 3, 2011, LastPass discovered an anomaly in its incoming and outgoing traffic networks. Data such as email addresses, the server salt, and the salted password hashes were copied from the LastPass database. LastPass rebuilt the servers and requested all users to change their master passwords.
2015 Security Breach
On June 15, 2015, LastPass account email addresses, password reminders, server-per-user salts, and authentication hashes were compromised; however, encrypted user vault data was not affected.
2016 Security Incident
In July 2016, due to poorly written URL parsing code in the LastPass extension, a method was found for reading plain text passwords for arbitrary domains from a LastPass user’s vault when that user visited a malicious website. LastPass was notified privately and fixed its browser extension.
2017 Security Incidents
On March 20, 2017, a vulnerability in the LastPass Chrome extension was discovered. The exploit applies to all LastPass clients, including Chrome, Firefox, and Edge. These vulnerabilities were patched.
On March 25, an additional security flaw was discovered, allowing remote code execution based on the user navigating to a malicious website. This vulnerability was also patched.
2019 Security Incident
On August 30, 2019, a vulnerability was found in the LastPass browser extension where websites with malicious JavaScript code could obtain a username and password inserted by the password manager on the previously visited site. By September, LastPass publicly announced the vulnerability, acknowledged the issue, and patched all platforms.
2021 Third-Party Trackers And Security Incident
In 2021, it was discovered that the LastPass Android app contained third-party trackers. Also, at the end of 2021, an article in Bleeping Computer reported that LastPass users were warned that their master passwords were compromised.
2022 Data Breach
Two related security incidents were disclosed by the password manager LastPass in 2022. In the first incident, an attacker accessed parts of LastPass’s development environment and exfiltrated source code repositories and technical documentation, including an encrypted copy of the key used to protect backups of customer data. I wrote about them here and here.
In a second incident, a senior DevOps engineer’s personal computer was compromised, and the attacker used a keystroke logger to obtain the employee’s credentials and access an internal vault holding further keys. Jim Hillier wrote about this
Bottom Line
LastPass has a long history of security incidents. The newest LastPass incident appears to be a supply-chain breach involving a third-party vendor that exposed customer contact and support data, but not users’ password vaults or master passwords. Concerned LastPass customers may want to consider an alternative password manager.
Even though recent changes at Bitwarden are concerning, it is still a solid value-oriented password manager. Two good cloud-based password managers are Bitwarden and 1Password. I have used 1Password in the past, and I currently have a premium Bitwarden subscription. Jim Hillier recommends Bitwarden’s free version if you do not need the premium features.
—
