In August, LastPass announced that an unauthorized party had “gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.” At the time, LastPass said its systems had prevented the actor from accessing customer data or encrypted password vaults. That breach appears to have been related to a breach of Twilio that affected hundreds of companies.
On November 30, LastPass announced that, using some of the information accessed in August, a second breach had occurred in which an unauthorized party gained access to some LastPass customer information stored on a third-party cloud storage service, most likely AWS. LastPass said it was still investigating what had actually been accessed in that container.
On Thursday, LastPass announced the results of that investigation. It said that an intruder used cloud storage keys stolen from a LastPass employee to access a backup of customer vault data. The vault was stored in a proprietary binary format and contained "both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data." LastPass emphasized that the encryption was strong enough that, given current technology, the encrypted fields could only be decrypted with the user's password. Whether the threat actors can open a vault would therefore depend on how strong that password is against brute-force attacks, whether the account was also protected by a second factor, and how difficult that second factor would be to obtain. The attackers also accessed names, email addresses, phone numbers and some billing information, but not credit card numbers.
LastPass detailed several measures it has taken in response, including rebuilding the compromised development environment from scratch, engaging a managed endpoint detection and response service, and rotating all potentially affected credentials and certificates.
TechCrunch's Zack Whittaker, whose security reporting has earned my trust over many years, recommends that at minimum, LastPass users should change their current LastPass password to something new and unique. Anyone concerned that their password might not be strong enough to protect the old vault (for instance, if it was short or reused elsewhere) should change all passwords stored in the vault, starting with the most critical. Finally, users who have had their account since 2018 or before may want to check that their password is being hashed with the strongest setting of the Password-Based Key Derivation Function that LastPass offers, which is 100,100 iterations. You can check that in account settings by choosing "show advanced settings." This is different from a separate section called Advanced Options.
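To make concrete why both the master password's strength and the iteration count matter for a stolen vault backup, here is an added example (not LastPass code, and not from the article) that derives a vault key with PBKDF2 and estimates the expected cost of an offline guessing attack. It assumes PBKDF2-HMAC-SHA256 salted with the account identifier, since the article only says "Password-Based Key Derivation Function"; the 100,100 figure is the article's, while the 1,000-iteration comparison value, the sample passwords and the attacker guess rate are constructed assumptions for illustration.

```python
import hashlib
import time

# The strongest iteration count the article says LastPass offers.
STRONG_ITERATIONS = 100_100
# A deliberately low count, constructed here only for comparison; the article
# does not state what older accounts were actually configured with.
WEAK_ITERATIONS = 1_000


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    Assumption: the exact KDF and salt are not given in the article;
    PBKDF2-HMAC-SHA256 salted with the account identifier is assumed.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        salt.encode("utf-8"),
        iterations,
        dklen=32,
    )


def password_keyspace(password: str) -> int:
    """Upper bound on the guesses needed for a password drawn from the
    character classes it actually uses (lowercase, uppercase, digits, other)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation plus space
    return alphabet ** len(password)


def expected_crack_seconds(password: str, iterations: int,
                           guesses_per_second_at_one_iteration: float) -> float:
    """Expected time for an offline search against a stolen vault backup.

    Every guess requires running the full KDF, so attacker throughput falls
    linearly with the iteration count. On average half the keyspace is
    searched before the right password is found. The baseline rate is a
    constructed assumption, not a measurement of any real hardware.
    """
    rate = guesses_per_second_at_one_iteration / iterations
    return (password_keyspace(password) / 2) / rate


def seconds_to_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


def measure_seconds_per_derivation(iterations: int, samples: int = 3) -> float:
    """Wall-clock cost of one derivation on this machine: the same work the
    user pays once per login and an attacker pays once per guess."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("benchmark-only", "user@example.com", iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    BASELINE = 1e9  # constructed: guesses/sec an attacker achieves at 1 iteration
    for pw in ("pass123", "Tr0ub4dor&3", "correct horse battery staple quartz"):
        for iters in (WEAK_ITERATIONS, STRONG_ITERATIONS):
            yrs = seconds_to_years(expected_crack_seconds(pw, iters, BASELINE))
            print(f"{pw!r:40} iterations={iters:>7} expected ~{yrs:.3g} years")
    ms = measure_seconds_per_derivation(STRONG_ITERATIONS) * 1000
    print(f"one derivation at {STRONG_ITERATIONS} iterations takes {ms:.1f} ms here")
```

The iteration count buys a constant factor (about 100x between the two settings above), while each extra character of a random password multiplies the keyspace; that is why the advice is to raise the iteration count and, if the old master password was short or reused, to rotate the stored credentials rather than rely on the KDF alone.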