LastPass: The breach that keeps on giving Permalink

1 minute read

LastPass was breached in August, and has since updated their breach disclosure several times, each update just a little bit worse and more concerning than the last. Unfortunately, for a business with a large consumer customer base, it’s almost impossible to use these disclosures to determine whether LastPass should be trusted. For security practitioners, it’s much eeasier:

The cloud storage service accessed by the threat actor is physically separate from our production environment.

Unless there are zero employees or systems having access to both cloud storage and production, and there are never zero employees or systems with access to both, this statement may be technically accurate but is a clear lie of ommission.

And then there’s these two statements, which are together terrifying:

[T]he threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers.

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Set aside the fact that the threat actor has everyone’s vault to sort, prioritize, and attack at their leisure. They also have each customer’s email address, mailing address, telephone number, and a convenient list of services used. Combine this with data and information from unrelated breaches, and this is a targeting bonanza.

No one’s perfect, but this is lucky number seven for LastPass as of this writing. It’s time to suggest to those who trust you that they should no longer trust LastPass.