Two weeks ago, password management giant LastPass announced that its systems had been compromised for the second time this year.
Back in August, LastPass discovered that an employee’s work account had been compromised in order to gain unauthorized access to the company’s development environment, which houses some LastPass source code. LastPass CEO Karim Toubba said the hacker’s activities were limited and contained, and told customers they didn’t need to take any action.
Fast forward to late November, and LastPass confirmed a second compromise it said was related to its first. This time, LastPass wasn’t so lucky. The intruder had gained access to customer data.
In a brief blog post, Toubba said the information obtained in August was used to access a third-party cloud storage service that LastPass uses to store customer data, as well as customer data for its parent company GoTo, which also owns LogMeIn and GoToMyPC.
But we’ve heard nothing since then from LastPass or GoTo, whose CEO Paddy Srinivasan released an even more vague statement, saying only that they were investigating the incident but neglected to indicate whether their customers were also affected.
GoTo spokeswoman Nikolett Bacso-Albaum declined to comment.
Over the years, Eureka News Now has reported on countless data breaches and what to look for when companies disclose security incidents. With that in mind, Eureka News Now has annotated the LastPass data breach notice with our analysis of what it means and what LastPass left out – just as we did with Samsung’s still-unresolved breach earlier this year.
What LastPass said in its data breach notice
LastPass and GoTo share their cloud storage
A key reason both LastPass and GoTo are notifying their respective customers is that the two companies share the same cloud storage.
Neither company named the third-party cloud storage service, but it’s likely Amazon Web Services, Amazon’s cloud computing arm, since a 2020 Amazon blog post described how GoTo, then known as LogMeIn, has more than a billion records migrated from the Oracle cloud to AWS every year.
It is not uncommon for companies to store their data – even from different products – on the same cloud storage service. For this reason, it is important to put in place appropriate access controls and segment customer data so that if a set of access keys or credentials is stolen, an organization’s entire inventory of customer data cannot be accessed.
If the cloud storage account shared by LastPass and GoTo was compromised, chances are the unauthorized party obtained keys that allowed broad, if not unrestricted, access to the organization’s cloud data, encrypted or otherwise.
LastPass does not yet know what was accessed or if any data was extracted
In its blog post, LastPass said it was “working diligently” to understand what specific information was accessed by the unauthorized party. In other words, as of that blog post, LastPass does not yet know what customer data has been accessed or whether any data has been exfiltrated from its cloud storage.
It’s a difficult situation for a company. Some are moving toward announcing security incidents quickly, particularly in jurisdictions that require prompt disclosure, even when the organization has little or nothing to say yet about what actually happened.
LastPass will be in a much better position to investigate if it has logs to comb through, which can help responders learn what data was accessed and whether anything was exfiltrated. It’s a question we often ask companies, and LastPass is no different. When organizations say they have “no evidence” of access or compromise, they may lack the technical means, such as logging, to know what was going on.
A malicious actor is probably behind the break-in
The wording of LastPass’ August blog post left open the possibility that the “unauthorized party” had not acted in bad faith.
It is possible both to gain unauthorized access to a system (breaking the law in the process) and to act in good faith, when the end goal is to report the problem to the company so it can be fixed. That may not exonerate you from a hacking charge if the company (or the government) is unhappy with the intrusion. But common sense often prevails when it’s clear that a bona fide hacker or security researcher is working to fix a security problem rather than causing one.
At this point, it’s fairly safe to assume that the unauthorized party behind the breach is a malicious actor, even if the hacker’s – or hackers’ – motive is not yet known.
LastPass’s blog post states that the unauthorized party used information obtained during the August security breach to compromise LastPass a second time. LastPass does not say what this information is. It could be access keys or credentials obtained by the unauthorized party during their August raid on LastPass’s development environment but never revoked by LastPass.
What LastPass didn’t say in its data breach notice
We don’t know when the breach actually happened
LastPass didn’t say when the second breach happened, just that it was “recently discovered”, referring to the company’s discovery of the breach and not necessarily the intrusion itself.
There’s no reason LastPass or any other company would withhold the date of the intrusion if they knew when it was. If caught fast enough, you would expect it to be mentioned as a point of pride.
But companies sometimes use vague terms like “recent” (or “advanced”) instead, which don’t really mean anything without the necessary context. It could be that LastPass only discovered its second breach after the intruder had gained access.
LastPass does not say what kind of customer information could be compromised
An obvious question is what customer information LastPass and GoTo store in their shared cloud storage. LastPass only says that “certain items” of customer data were accessed. This could be anything from the personal information customers gave LastPass when registering, such as name and email address, to customers’ sensitive financial or billing information and encrypted password vaults.
LastPass places great importance on keeping customers’ passwords secure, having built its service around a zero-knowledge architecture. Zero knowledge is a security principle under which a company stores its customers’ encrypted data in a way that only the customer can access it. In this case, LastPass stores each customer’s password vault in its cloud storage, but only the customer has the master password to unlock the data; LastPass itself does not.
The wording of LastPass’s blog post is ambiguous as to whether customers’ encrypted password vaults are stored on the same shared cloud storage that was compromised. LastPass only says that customer passwords “remain securely encrypted”, which can still be true even if the unauthorized party accessed or exfiltrated encrypted customer vaults, since the customer’s master password is still needed to unlock them.
If customers’ encrypted password vaults were exposed or subsequently exfiltrated, it would remove a significant barrier to accessing someone’s passwords, since all an attacker would then need is the victim’s master password. An exposed or stolen password vault is only as strong as the encryption used to protect it.
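A minimal illustration of the zero-knowledge model described above, written for this article and not LastPass’s own code: the master password never leaves the client, the stored blob holds only salt, nonce, iteration count, ciphertext and tag, and a wrong master password fails the integrity check rather than yielding garbage. Key stretching uses PBKDF2-HMAC-SHA256 and encryption an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag; the iteration count, field names and sample vault contents are assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Assumed work factor for the example; a higher count makes every offline
# guess at the master password proportionally more expensive.
ITERATIONS = 600_000


def derive_keys(master_password: str, salt: bytes, iterations: int) -> tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password: str, plaintext: bytes, iterations: int = ITERATIONS) -> dict:
    """Client side: returns the only thing the server ever stores. No key, no password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations, "ciphertext": ciphertext, "tag": tag}


def open_vault(master_password: str, blob: dict) -> bytes | None:
    """Client side: returns the plaintext, or None when the master password is wrong."""
    enc_key, mac_key = derive_keys(master_password, blob["salt"], blob["iterations"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # tag mismatch: wrong password or tampered blob
    ks = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], ks))


if __name__ == "__main__":
    # Constructed sample vault; in practice this would be the serialized password list.
    stored = seal_vault("correct horse battery staple", b"example.com: hunter2")
    print(open_vault("correct horse battery staple", stored))  # plaintext
    print(open_vault("wrong password", stored))                # None
```

Someone who exfiltrates `stored` holds ciphertext and a per-vault salt, so each guess at the master password costs a full PBKDF2 run; that cost, and the master password’s strength, are the only barriers left once the blob is out.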
LastPass did not say how many customers are affected
If the intruder accessed a shared cloud storage account storing customer data, it can be assumed that they had significant, if not unrestricted, access to the stored customer data.
A best-case scenario is that LastPass segments or subdivides customer information to prevent catastrophic data theft of this kind.
LastPass says its development environment, which was originally compromised in August, does not store customer data. LastPass also says its production environment — a term for servers actively used to handle and process user information — is physically separate from its development environment. By this logic, it appears that the intruder may have gained access to LastPass’s production cloud environment, although LastPass said in its initial post-mortem in August that there was “no evidence” of unauthorized access to its production environment. Again, we ask for logs.
Assuming the worst, LastPass has about 33 million customers. GoTo has 66 million customers according to the latest earnings in June.
Why did GoTo hide its data breach?
If you thought LastPass’ blog post lacked detail, parent company GoTo’s was even lighter. Stranger still, if you searched for GoTo’s statement, you wouldn’t find it at first. That’s because GoTo used the “noindex” code in the blog post to tell search engine crawlers like Google’s to skip it and not catalog the page as part of their search results, ensuring nobody could find it unless they knew its specific web address.
This week, LastPass and its parent company GoTo both published blog posts about their recent data breach:
But if you search GoTo’s blog post on Google, you won’t find it because GoTo hid its violation notice from search engines with the code “noindex.” pic.twitter.com/d83BZuOyR5
— Zack Whittaker (@zackwhittaker) December 2, 2022
Lydia Tsui, director at crisis communications firm Brunswick Group, which represents GoTo, told Eureka News Now that GoTo had removed the “noindex” code that blocked search engines from indexing its breach notice, but declined to say why the post was initially blocked.
Some mysteries we may never solve.