LastPass: The lessons we learnt from our devastating breach

It's been over half a year since LastPass suffered its catastrophic breach, but still the memory lingers, and for good reason. Despite handling the most sensitive of user information, the company succumbed to the worst possible fate for such a service: backups of users' entire vaults stolen from right under the company's nose. 

The saving grace is that users' passwords remained encrypted, and there has been no evidence so far to suggest the thief has managed to crack them. However, other personal data, such as billing addresses and email addresses, were not encrypted by LastPass, so they are out in the open.

Again, though, no one appears to have leaked this data on the dark web or used it against the victims in identity theft attacks. But despite the lack of material damage, many are still reluctant to trust LastPass again.  

CEO Karim Toubba hopes to change that, as he told us how LastPass has taken certain steps and put in place various policies to prevent lightning striking twice. 

The breach

In his own words, Toubba explains the central cause of the data theft:

"The ultimate compromise that led to the encrypted data and the specific user information [being stolen] was a direct result of an attack that was manifested on a senior DevOps engineer’s laptop." This information was then used to access backups of users' vaults, stored within an AWS S3 bucket instance.

"There were a bunch of security controls in place at the time - it's actually how we ultimately determined the details with the data - but the real weakness ultimately was driven by the fact that the attacker was able to get legitimate credentials to the AWS [S3] bucket, as we described in a lot of detail within the blog, that ultimately led to the compromise of the encrypted data."

Toubba also says that there was nothing unusual about the activity that would have alerted LastPass or their AWS client to the fact that a threat actor was accessing and copying data within the S3 bucket:

"It was the credentials ultimately that were compromised that enabled access, and those credentials, coupled with the key that was taken from the first incident, effectively mimicked legitimate access, and so as a result, while we were able to ultimately put the pieces together as part of the investigation, there was really nothing at that particular moment in time that would have led to information that told us it was unauthorized access."  

Toubba was keen to point out, though, that, "we do employ a zero knowledge model, which effectively means that the encryption keys that are used to access the information such as usernames and passwords that are stored - the mass of which is effectively the cryptographic elements - are never stored on any device or in our infrastructure. They're derived from the master password and the master password, of course, is never kept within our infrastructure."

As mentioned above, Toubba notes that LastPass hasn't seen any activity on the dark web to suggest the threat actor managed to crack any of the users' master passwords:

"We had a bunch of dark web monitoring in place [and] we've expanded that… we built out a pretty advanced threat intelligence team that we leveraged in addition to third-parties that we brought in, such as Mandiant, to help us with the investigation and the forensics, and we've seen no data that suggests any of the vaults were compromised."

In trying to ensure that this breach doesn't happen again, Toubba says that, "we've reevaluated policy, infrastructure and procedures. I’ll direct you back to the blog - there's a number of things that we've made from a change perspective and additional capabilities that we've deployed."

Since it was a personal computer belonging to the DevOps engineer that was compromised - via a malicious media player that they had downloaded - Toubba mentions that one of the changes is that employees are now only allowed to use LastPass-provided computers for their work.

LastPass is also making changes to what information it encrypts. Since unencrypted customer data was stolen - although, as mentioned, it doesn't appear to have been exploited by the threat actor - Toubba said that, "while we are not yet complete with this end-to-end transformation work, we are still actively working towards our goal of expanding the use of encryption across both our production and backup environments."
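As an added illustration (not LastPass's code, and not a description of its actual cipher, parameters or storage layout), the following Python models the zero-knowledge arrangement Toubba describes and, at the same time, what a stored record of the kind held in a backup would contain: the vault key is derived on the client from the master password, the service keeps only a salt, a login verifier and the encrypted vault, and the email sits alongside in the clear, as the article says it did. The HMAC-based counter-mode cipher, the iteration count, the record field names and all sample values are constructed stand-ins chosen so the block runs on the standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed example parameters; not LastPass's real settings.
KDF_ITERATIONS = 600_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Client side only: stretch the master password into a 256-bit vault key.
    The service never sees the password or this key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=32
    )


def derive_auth_hash(vault_key: bytes, salt: bytes) -> bytes:
    """One further one-way step yields the login verifier the service stores.
    It lets a client prove it holds the key without the key itself being kept."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, salt, 1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for an AEAD cipher
    such as AES-GCM (constructed for this example, not a production choice)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(vault_key: bytes):
    """Separate encryption and MAC keys derived from the single vault key."""
    enc_key = hmac.new(vault_key, b"vault-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"vault-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject any tampering."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault blob failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_stored_record(email: str, master_password: str, vault_plaintext: bytes) -> dict:
    """Everything the service, and therefore any backup of it, ends up holding.
    The email is kept in the clear to mirror what the article says was
    unencrypted; the vault is opaque without the master password."""
    salt = secrets.token_bytes(16)
    vault_key = derive_vault_key(master_password, salt)
    return {
        "email": email,
        "salt": salt,
        "auth_hash": derive_auth_hash(vault_key, salt),
        "vault_blob": encrypt_vault(vault_key, vault_plaintext),
    }


def open_vault(master_password: str, record: dict) -> bytes:
    """Client side: re-derive the key from the master password and unlock."""
    vault_key = derive_vault_key(master_password, record["salt"])
    if not hmac.compare_digest(derive_auth_hash(vault_key, record["salt"]), record["auth_hash"]):
        raise ValueError("wrong master password")
    return decrypt_vault(vault_key, record["vault_blob"])


def exposed_by_stolen_copy(record: dict) -> dict:
    """The readable fields a copied record gives up on its own: the cleartext
    email and the (non-secret) salt. No master password or vault key exists in it."""
    return {k: v for k, v in record.items() if k in ("email", "salt")}


if __name__ == "__main__":
    rec = build_stored_record("alice@example.test", "correct horse battery staple",
                              b"bank.example | alice | s3cret")  # constructed sample entry
    print(exposed_by_stolen_copy(rec))
    print(open_vault("correct horse battery staple", rec))
```

The practical consequence for a defender is visible in the record: a copied backup hands over the cleartext fields immediately, while the vault and the verifier only give an attacker something to guess master passwords against offline at the cost of the key-derivation work per guess. That is why the strength of each user's master password and the iteration count together decide how long "no evidence it was cracked" remains true, and why moving the remaining cleartext fields under encryption shrinks what a stolen copy yields at all.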

He also mentions the importance of communicating thoroughly with users on the steps LastPass has taken, again referring to the blog post:

"The blog is about four or five pages and then there's an additional 19 to 20 pages of details behind that because we wanted to be very detailed and thorough and transparent about the information we shared."

When it comes to technology, Toubba says that LastPass takes a thoughtful approach:

"I've been in cyber the better part of 25 years - it's a constantly evolving category… in cyber, you're never done, you're always evaluating policy changes based on what you see, you're always evaluating adoption of new technologies that you believe will make you more secure and drive more efficacy."

"We're still using [the buckets] - there's nothing inherently insecure about AWS buckets. It's a matter of making sure that you have the right technologies, policies and enforcement in place."

"We, like many others, have a strong degree of confidence in leveraging the cloud to provide not only scalable services but scalable services securely. I think that model is very proven."

"Companies like ours… are going to have a perpetual target on our backs by virtue of the fact that we store sensitive information, so whether it's LastPass or potentially others… we think that security is a critical part of our offering, not just to our customers but securing the data itself and that requires not just the investments that we've been making over the course of the last 12 months but investments that will continue to the future." 

"It’s clearly important, even this incident aside, to make sure organizations like us have a significant and sustained investment in security, which as I mentioned earlier, is a space that continuously evolves, both on the attacker and the protection side." 

Winning back trust

In terms of winning back trust from customers, Toubba outlined the company's strategy:

"There's a number of things that we've done. Obviously, it started with the blog around posting a lot of the technical details and information of the incident itself… secondly, how we responded to the incident, what we did, and what the timeline looks like. And then thirdly, what the roadmap, if you will, is to the future, both in terms of ensuring the product is secure, but also the infrastructure and the associated policies. 

"We also posted a lot of information on trust center, which is the place where we put information about our policies, the work that we're doing in security, any changes that we made and any incremental investment that we make within security." 

"We've also spent a fair bit of time doing customer outreach, having conversations with customers, spending a fair bit of time with them, reevaluating and ensuring that the configuration of the platform meets both our and their security standards and policies." 

"And then lastly, the other way obviously to gain confidence is to lean back forward into making a series of investments in the platform itself, not just from a security perspective but from functionality perspective."

"So, developing new capabilities and features, in addition to the investments we're making in security, are both critical parts of signaling to the broader market but also to our existing customer base about the investment that we're making in the future of the company and for them." 

"There's [also] a number of things that we will be announcing through the balance of the year."

Lessons learnt

It seems that for Toubba, one of the most regrettable aspects of the incident was the way in which LastPass handled its communication with both its customers and the media:

"In the moment, we really sort of focused on the incident itself and the technicalities of the incident and ensuring that we could quickly respond." 

"I think in retrospect, one of the things we didn't do a good job at was consistent communications; we waited quite a while - I've had many conversations and probably spent time speaking to well over 200 customers by now - and I heard directly from customers that they would have liked to have seen more consistent updates, even if the update was, 'we don't have an update right now', just to stay in touch with the market, so that's certainly a lesson learnt." 

"I've talked to others in the press much like yourselves and I know at the moment in time we were not ready to have any comments… it may have been perceived a particular way - it was not a disrespect at the time; we were really focused largely on not just the technicalities of the incident, but really maniacally focused on one thing and one thing only, and that's: 'how do we ensure that we communicate both internally and to our customers?'" 

"And so [the] press was not a priority for us at the time; candidly, it’s one of the reasons we're doing outreach now to ensure that we give [the press] the opportunity to ask questions."

"We… made some changes to the communication structure and the communication leadership within the team, brought in people to the organization that were better prepared, generally speaking, relative to how we do communication strategy at scale." 

Lewis Maddison
Staff Writer

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers. 

His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.

He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.