On February 27, LastPass announced the conclusion of their internal investigation regarding a security incident they disclosed on December 22, 2022, and have provided specifics about the incident.
With this current information, we believe LastPass continues to be low risk for those using federated (NetID) login. Controls implemented in the UW–Madison instance of LastPass prior to the August breach, along with how NetID authentication is configured for LastPass, significantly reduce the likelihood that a threat actor will be able to decrypt UW–Madison’s compromised LastPass data.
Those who still use a master password (not NetID to log in) and have not changed it since LastPass’s initial breach notification in August should consider setting a new master password that meets updated requirements implemented in UW–Madison’s LastPass instance. Alternatively, users can convert from using a master password to NetID login.
Note: We use the term “primary” rather than “master.” However, LastPass uses “master.” Therefore, we have used it here, as well, to avoid confusion.
The Office of Cybersecurity continues to work with LastPass to assess the impact to UW–Madison and will send out further information as it is received. We are also reviewing whether LastPass remains the best password manager for UW–Madison.
Please reach out to the Office of Cybersecurity with any questions: peter.vandervelden@wisc.edu
Background
The Office of Cybersecurity was previously notified about a LastPass incident in August 2022. LastPass disclosed that an unauthorized threat actor gained access to a cloud-based development environment and stole source code, technical information and certain LastPass internal system secrets. No customer data or vault data was taken during this incident. LastPass declared this incident closed but later learned that information stolen in the 1st incident was used to identify targets and initiate the 2nd incident.
In November and December 2022, we received notifications of a 2nd incident from LastPass. The threat actor leveraged vulnerable third-party software to deliver malware, bypassed existing controls and ultimately gained unauthorized access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted (website URLs) LastPass customer data. The most recent update from LastPass confirmed these incidents were linked.
Resources
https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/
https://support.lastpass.com/help/incident-2-additional-details-of-the-attack
https://support.lastpass.com/help/what-data-was-accessed
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/