Latest LastPass security breach highlights developers as a high-value target


Last August, the maintainers of the LastPass cloud-based password manager tool reported a security breach in their servers. The disclosure maintained that an unauthorized party gained access to the LastPass development environment through a single compromised developer account. However – while source code and technical information were stolen, no user data was compromised and no services were interrupted. This specific statement about user data was reiterated many times.

However – a few days ago (December 22nd) LastPass issued an update to this security incident, claiming that more information was compromised.

What exactly was breached this time?

As claimed in this latest update, the attackers were able to use the previously-leaked technical data to target another LastPass employee who had more credentials and keys. These credentials allowed the attackers to copy a backup of customer vault data.

This vault data contains a few items –

  • Unencrypted website URLs – URLs saved by the LastPass browser extension, which provide a partial history of the website that the LastPass user has visited. These URLs may contain extremely sensitive information, such as parameters that are used for logging in, resetting passwords etc.
  • Encrypted website usernames and passwords – The actual usernames and passwords saved by LastPass, encrypted with the user’s master password (which is not stored on LastPass’ cloud servers).

This is a very severe leak, since it means that attackers immediately have access to the website URLs, which can in some cases be used to perform privileged operations in the name of the victim, or for phishing and blackmail purposes.
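To make the URL-metadata risk concrete, here is an added example (not code from the original post or from LastPass) that audits a list of stored vault URLs for query parameters that commonly carry secrets or one-time links, and groups the findings by host so a user knows which accounts to rotate first. The parameter list and the sample URLs are constructed for illustration.

```python
"""Audit exported vault URLs for sensitive query parameters (added example, not from the post)."""
from urllib.parse import urlparse, parse_qs

# Parameter names that often carry secrets or one-time links. Assumed list for illustration,
# not a list published by LastPass.
SENSITIVE_PARAMS = {
    "token", "reset", "reset_token", "session", "sessionid",
    "key", "auth", "code", "otp", "password", "pwd",
}

# Constructed sample of what an "unencrypted URL" field could look like (not real data).
SAMPLE_URLS = [
    "https://example.com/login",
    "https://example.com/reset?reset_token=abc123&user=alice",
    "https://bank.example/session?sessionid=deadbeef",
    "https://shop.example/cart?item=42",
    "not a url",
]


def audit_url(url):
    """Return (hostname, sorted list of flagged parameter names).

    hostname is None when the string is not an http(s) URL, so callers can skip it.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None, []
    params = parse_qs(parsed.query, keep_blank_values=True)
    flagged = sorted(p for p in params if p.lower() in SENSITIVE_PARAMS)
    return parsed.hostname, flagged


def audit_urls(urls):
    """Group results by host: how many URLs were stored for it, and which ones carry secrets."""
    report = {}
    for url in urls:
        host, flagged = audit_url(url)
        if host is None:
            continue  # unparseable entry, nothing to act on
        entry = report.setdefault(host, {"urls": 0, "flagged": []})
        entry["urls"] += 1
        if flagged:
            entry["flagged"].append((url, flagged))
    return report


if __name__ == "__main__":
    for host, entry in audit_urls(SAMPLE_URLS).items():
        status = "ROTATE FIRST" if entry["flagged"] else "ok"
        print(f"{host}: {entry['urls']} stored URL(s) [{status}]")
        for url, params in entry["flagged"]:
            print(f"  {url} -> sensitive params: {', '.join(params)}")
```

Hosts with flagged URLs are the ones where a leaked link alone may be enough to act as the user (password reset, session restore), so their credentials and any outstanding reset links should be invalidated before the rest.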

Other than that, attackers can now perform offline brute-forcing on the user’s master password. If the attackers manage to brute force a user’s master password (which is definitely feasible on some weaker passwords), all of the user’s website usernames and passwords will be available to the attackers.

Why are developers being targeted?

Up until a few years ago, threat actor campaigns that targeted developers were few and far between (most threat actors were targeting IT administrators or specific servers). However – with the advent of DevOps, the company’s developers and DevOps engineers are holding “the keys to the kingdom” – namely credentials to the company’s cloud environment, IaC provisioning and more. Developers are now the ones that control how a company’s entire production environment behaves.

This is exactly the reason why we are seeing new attack vectors being aimed directly at developers, such as the massive amount of malicious packages seen in open source repositories such as PyPI and npm. These packages are simply there, waiting for a developer to make a typo or to use the wrong dependency so that they get installed on the developer’s machine.
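One defensive control against the typo-driven installs described above is a pre-install check that flags a requested package name that is a single edit (including a transposition) away from a well-known package. The following is an added example, not code from the original post or from JFrog; the allow-list of known packages is a constructed stand-in for a registry's real top-N list.

```python
"""Pre-install lookalike check for dependency names (added example, not from the post)."""
import re

# Constructed allow-list; a real deployment would load the registry's most-downloaded names.
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "django", "flask", "cryptography"}


def edit_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute cost 1,
    and swapping two adjacent characters (the classic typo) also costs 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[-1][-1]


def lookalike_of(name, known=KNOWN_PACKAGES, max_distance=1):
    """Return (known_name, distance) for the closest known package within max_distance,
    or None. An exact match is the real package, not a lookalike."""
    name = name.lower()
    if name in known:
        return None
    best = None
    for candidate in known:
        dist = edit_distance(name, candidate)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (candidate, dist)
    return best


def check_requirements(lines):
    """Scan requirements-style lines ('pkg==1.2', 'pkg[extra]>=3') and
    return [(requested_name, known_name)] for every suspicious entry."""
    warnings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = re.split(r"[=<>!~\[; ]", line, 1)[0]
        hit = lookalike_of(name)
        if hit:
            warnings.append((name, hit[0]))
    return warnings


if __name__ == "__main__":
    # Constructed requirements file with two near-miss names.
    sample = ["requests==2.28.0", "reqeusts", "# pinned below", "nunpy>=1.0", "flask"]
    for requested, known in check_requirements(sample):
        print(f"WARNING: '{requested}' looks like '{known}'; did you mean the latter?")
```

Wiring this into CI (or a pip/npm wrapper) turns a silent typo into a blocking warning before anything is fetched, which is the point at which the malicious package would otherwise get its chance to run.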

What should developers do after this breach?

Always Use Multi-Factor Authentication

For users that enabled MFA on their services (most importantly – their email provider), even if the master password is breached, attackers cannot bypass the MFA without an additional vulnerability being exploited (or – with a successful phishing attack against the user).

Change your LastPass passwords

Users should assume their master passwords were brute-forced, and therefore that all of their website usernames and passwords have now been leaked. It is highly advised to visit each website (that LastPass stored credentials for) and change the password to one that doesn’t resemble the old (possibly leaked) password.

Consider migrating to other password managers

The recent security incident shone a spotlight on some bad practices LastPass did not take care of, and unfortunately these bad practices have now caused unnecessary damage to their users –

  • Better password handling – While LastPass iteratively increased their password complexity and hash iteration count requirements for new users, these rules were never enforced for existing users. This means that a veteran user of the platform may have been using a very weak password that is hashed with a minimal amount of iterations, at the time of the security incident. These security failures mean that attackers can brute force this user’s master password much more easily.
  • Metadata encryption – LastPass failed to encrypt sensitive user metadata, such as website URLs. This security incident means that this metadata is immediately available to the attackers.
  • Password saved on the cloud – LastPass chose to save user passwords on the cloud, which makes password syncing between computers much easier, but comes with the massive disadvantage of the passwords being leaked in a security incident.
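The offline brute-forcing risk described earlier and the "iteration count never enforced for existing users" point above are two sides of the same cost calculation: every guess at the master password costs the attacker one full key derivation, so a vault whose key was derived with a legacy low iteration count is proportionally cheaper to attack. The example below is added here (it is not code from the original post or from LastPass) and measures that cost with PBKDF2-HMAC-SHA256 on the current machine. The two iteration counts are illustrative assumptions, not LastPass's actual settings, and using the account identifier as the salt is a simplification for the demonstration.

```python
"""Why the KDF iteration count matters: cost per master-password guess (added example)."""
import hashlib
import time

LOW_ITERS = 5_000      # illustrative "legacy" setting (assumption, not LastPass's actual value)
HIGH_ITERS = 100_000   # illustrative "modern" setting (assumption)
KEY_LEN = 32


def derive_vault_key(master_password: str, account_id: str, iterations: int) -> bytes:
    """Derive a vault key from the master password with PBKDF2-HMAC-SHA256.
    Salting with the account identifier is a simplification for illustration."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), account_id.encode(), iterations, KEY_LEN
    )


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Cheapest observed time for one derivation on this CPU: that is what
    one offline guess costs an attacker with the same hardware."""
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        derive_vault_key("correct horse battery staple", "user@example.com", iterations)
        best = min(best, time.perf_counter() - t0)
    return best


def exhaustive_search_seconds(charset_size: int, length: int, per_guess: float) -> float:
    """Worst-case time to try every password of the given length and alphabet."""
    return (charset_size ** length) * per_guess


def hardening_factor(low_iters: int, high_iters: int) -> float:
    """Factor by which raising the iteration count multiplies the attacker's cost."""
    return high_iters / low_iters


if __name__ == "__main__":
    print(f"raising {LOW_ITERS} -> {HIGH_ITERS} iterations costs the attacker "
          f"{hardening_factor(LOW_ITERS, HIGH_ITERS):.0f}x more per guess")
    for iters in (LOW_ITERS, HIGH_ITERS):
        per = seconds_per_guess(iters)
        days = exhaustive_search_seconds(26, 8, per) / 86400
        print(f"{iters:>7} iterations: {per * 1000:.2f} ms/guess; "
              f"8 lowercase letters exhausted in {days:.1f} days on one core")
```

The per-guess timing is for a single CPU core; dedicated cracking hardware runs many derivations in parallel, which is why a weak master password stays at risk even at the higher iteration count and why the advice to rotate the stored website passwords applies regardless of the KDF setting.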

All of these shortcomings are addressed by other password managers such as 1Password, Bitwarden and more.

JFrog Security Research always recommends using a password manager that saves all data locally.

Be wary of phishing campaigns

Since attackers now have access to LastPass users’ website URLs (and other metadata), the attackers may use this information to mount a spear-phishing attack against those users. For example, a user that frequently visits facebook.com may now receive a phishing email that appears to come from Facebook, asking them to renew their password, which in reality will leak their password to the attackers.

Stay up-to-date with JFrog Security Research

Follow the latest discoveries and technical updates from the JFrog Security Research team in our security research blog posts and on Twitter at @JFrogSecurity.