LastPass updated its security incident notice to provide new details about the data breach it has been investigating since November of 2022. The update revealed that the threat actor targeted an employee using information obtained from a data breach that occurred in August of 2022. Using credentials and keys obtained from the employee, the threat actor decrypted storage volumes within their cloud-based storage service. The storage volumes contained basic customer account information and related metadata. While the threat actor was able to copy a backup of customer vault data containing both encrypted and unencrypted data, the encrypted data can only be decrypted with a unique encryption key derived from a user’s master password. It’s believed to be extremely unlikely that the threat actor will successfully crack the master password due to computational limitations– if users followed the recommended password requirements given by LastPass.

In response to the LastPass update, Arctic Wolf issued the following recommendations:

Recommendation #1: Delete Existing SAML Integration If you received an email from LastPass stating that your organization leverages an impacted API-based integration, we strongly recommend following LastPass’ recommendation to delete existing SAML integrations. To view your existing SAML integrations and delete them follow this support guide provided by LastPass: https://support.lastpass.com/help/how-do-i-delete-an-existing-saml-integration

Recommendation #2: Provide User Awareness Training Provide tailored user awareness training to all employees around the LastPass data breach. Ensure users know how to identify a phishing email and where to report it. Furthermore, provide examples on what users could expect and to remind users to remain vigilant when receiving an email from an unknown or external source.

Recommendation #3: Consider Resetting Master Password If a user’s master password is reused or does not meet the minimum password requirements provided by LastPass, reset the user’s master password to prevent potential future impacts if the master password is brute forced or leaked in a credential list.