There are very few security services I pay for, especially subscription services. But even while open-source and self-hosting is my jam, one of the few I do pay for is LastPass, a leading password management product. After using it in a corporate setting, I fell in love with LastPass and even got my whole family onboard with it. If nothing else, this allows me to sleep better at night as the officially designated CISO of the Martin family.
Unfortunately, LastPass suffered a breach in late November 2022. This follows hot on the heels of a previous security incident in August 2022. In both instances, LastPass displayed extraordinary transparency and excellent communication with its customers. Both times I received a prompt email from LastPass leadership detailing what happened and how the breach occurred, plus deep technical explanations of why customer data was still secure. This rapid response stands in stark contrast to the many recent incidents in which the top names in tech have waited months to disclose breaches, told different stories internally and externally, and failed to own up to mistakes.
The Post-Breach Fallout: Fool Me Once, Shame on You
Breaches happen and will continue to happen; criticism comes when organizations do not communicate effectively or refuse to disclose incidents externally because “they’re not legally required to.” What is rare to see is a company as prominent as LastPass breached multiple times in quick succession, with the resulting uproar caused not by communication issues but rather by accusations of what the breached company did not do.
When a company is breached for the first time, what undoubtedly follows is weeks or even months of round-the-clock engineering work to remediate and patch any vulnerabilities. One of the most critical steps in a security incident investigation is forensic analysis, which reveals the intricacies of the attack and what data may have been viewed or stolen. On the public-facing side, media scrutiny may be intense at first but will eventually subside.
The first LastPass breach in August was caused by the compromise of a single, privileged developer account. Development resources typically have access to a company’s most critical assets, including customer data, financial records, and personally identifiable information (PII). In this case, the developer in question had access to LastPass source code. This is likely where the second LastPass breach began its life.
The Secrets are in the Source Code
When source code is stolen, most people probably assume that the purpose was to try to gain pieces of the victim’s platform to implement in a competitive product. But in reality, attackers are usually after the hard-coded credentials that lie within the code.
Legacy code, especially for homegrown applications, is often riddled with username and password combinations or API key credentials in cleartext for anyone to grab and use as needed. Why? Because it is usually a lot less work than integrating a credential vault solution or using a credentials file that a developer must maintain indefinitely. Though it pains us security folks to hear it, in the dev world speed to release tends to be a priority over proper security.
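As an added example (not LastPass code, nor any vendor's tool), the following Python script shows the kind of lightweight secret scan a defender can run over a repository to surface the cleartext credentials described above, with a placeholder list and an entropy threshold to triage false positives; the rule set, the threshold and the sample source file are all constructed for illustration.

```python
import re
from collections import Counter
from math import log2

# Rules for common hard-coded credential shapes (constructed for this example;
# production scanners such as gitleaks or trufflehog ship far larger rule sets).
RULES = {
    "password_assignment": re.compile(
        r"""(?i)(?:pass(?:word|wd)?|pwd)\s*[:=]\s*["']([^"']{6,})["']"""),
    "api_key_or_token": re.compile(
        r"""(?i)(?:api[_-]?key|secret[_-]?key|token)\s*[:=]\s*["']([A-Za-z0-9_\-]{16,})["']"""),
    "credential_in_url": re.compile(r"[a-z][a-z0-9+.\-]*://[^/\s:@]+:([^@\s]+)@"),
}
PLACEHOLDERS = {"changeme", "password", "secret", "example"}

def shannon_entropy(s):
    """Bits of entropy per character; real keys usually score well above 3.0."""
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values())

def scan_source(text, min_entropy=3.0):
    """Return (line_no, rule, confidence, secret) for every candidate credential.
    Placeholder values and low-entropy strings are kept but marked low confidence."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                low_quality = (secret.lower() in PLACEHOLDERS
                               or shannon_entropy(secret) < min_entropy)
                findings.append((line_no, rule, "low" if low_quality else "high", secret))
    return findings

def high_confidence(text):
    """Only the findings that warrant immediate credential rotation."""
    return [f for f in scan_source(text) if f[2] == "high"]

# Constructed sample of a legacy sync script (not LastPass code) with mixed secrets.
SAMPLE_SOURCE = """\
import os, requests
DB_USER = "svc_sync"
DB_PASSWORD = "Wint3r!Sync#2019"
API_KEY = "sk_live_4f9c2a7e1b8d6c3a5e0f7b9d2c4a6e8f"
export_url = "https://svc_sync:Wint3r!Sync#2019@legacy-db.example.internal/export"
SESSION_TOKEN = "xxxxxxxxxxxxxxxxxxxx"
ADMIN_PASSWORD = "changeme"
vault_password = os.environ["DB_PASSWORD"]  # resolved at runtime: not flagged
"""

if __name__ == "__main__":
    for line_no, rule, confidence, secret in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {rule} ({confidence}) -> {secret[:4]}...")
```

A high-confidence hit is a credential that must be rotated, not merely deleted from the code, because the value is already in the repository history of every clone.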
If the LastPass attacker was able to steal source code, it is possible they also had the access needed to inject a malicious payload into the software supply chain. LastPass has not confirmed whether this happened, but it remains a possibility. The infamous SolarWinds hack was caused by a breach of their software build pipeline; malware was inserted into the code that was shipped to customers globally, ultimately infecting those customers as well.
Data Breach Post-Mortem: Did LastPass Respond Appropriately?
As someone who has worked in the security industry for several years and covered many data breaches, I have no doubt that LastPass’ security engineers and analysts had the correct plan of action in place following the August 2022 incident.
That plan likely included credential rotation of potentially compromised accounts and a review of the source code that was stolen. And let’s remember, three months to undertake a complete investigation and remediation plan is not a lot of time for a company of LastPass’ magnitude.
The official release from LastPass for the November 2022 breach states that the same unauthorized party used information obtained during the earlier attack to conduct the second breach. This statement reveals that the first attack had not yet been fully remediated, though it’s impossible to know whether certain fixes weren’t implemented or if time was simply a limiting factor.
As we approach 2023, it is clearer than ever that data breaches will continue to take place – and even organizations with many security solutions enabled are not exempt. In fact, layering more and more security tools over your tech stack or adopting supposedly all-in-one solutions can leave exactly the kinds of gaps attackers are looking to exploit.
What the most recent LastPass breach demonstrates best is the importance of having a strong and frequently updated incident response plan in place. It is crucial to not only create such a plan but also to test it regularly. Running data breach simulations will strengthen external brand response as well as speed up internal response and remediation processes. As LastPass now knows better than anyone, both are critical following a data breach.