One of the key takeaways from these disclosure statements is that this wasn’t a single hack that took place in August. It was a series of compromises that built on each other and ultimately resulted in the loss of significant customer data. The disclosures do not say how initial access to the developer environment was obtained, but one likely scenario is phishing that resulted in malware on the developer’s system, which in turn provided command-and-control access to the developer tools and environment. Over time, the attacker was able to pivot and target a separate employee to gain two critical pieces of information: access keys to a cloud environment and decryption keys for that cloud environment. With both in hand, the attacker could easily download copies of the vaults and the other customer data stored there.
The data taken can be divided into two categories: account information and vault data, part of which is unencrypted. The account information should be considered exposed and includes:
- Company names
- End user names
- Billing addresses
- Email addresses
- Telephone numbers
- IP addresses
The vaults are encrypted but also contain unencrypted fields such as website URLs. This has a number of implications for the customers involved. If you were a LastPass user whose vault was copied, the only thing standing between the attacker and the encrypted contents of that vault is your LastPass Master Password. Because the attacker holds an offline copy of the vault, the Master Password can be brute forced with no rate limiting or lockout from LastPass to slow the guessing down. If you have a strong Master Password and followed all of LastPass’s posted minimum recommendations, you are probably not under immediate threat of having the encryption cracked quickly, or ever.
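To put numbers on that last point, here is an added example (not LastPass code, and not from the disclosures) that estimates how long an offline brute force of a vault's master password would take. It assumes the vault key is derived with PBKDF2-HMAC-SHA256 salted by the account e-mail; the iteration counts and the attacker's hash rate are constructed figures used only to show how password length and iteration count change the cost.

```python
"""Estimate the offline brute-force cost of a PBKDF2-protected vault key.

Added example; not LastPass code. PBKDF2-HMAC-SHA256 with the account e-mail as
salt is an assumption, and ASSUMED_GPU_RATE is a rough constructed figure.
"""
import hashlib
import string
import time

# Character classes a master password can draw from.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

ASSUMED_GPU_RATE = 1e10      # constructed: HMAC-SHA256 calls/second on a cracking rig
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Key the vault is encrypted under: PBKDF2 over the master password.
    Whoever holds a vault copy must repeat exactly this work for every guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)


def keyspace(length: int, classes) -> int:
    """Number of candidate passwords of `length` over the chosen classes."""
    alphabet = set("".join(CLASSES[c] for c in classes))
    return len(alphabet) ** length


def expected_years(space: int, iterations: int, hmac_rate: float) -> float:
    """Expected time to find the password: half the space on average, each guess
    costing `iterations` HMAC calls. Iterations scale the cost linearly; length
    scales it exponentially, which is why the master password matters most."""
    return (space / 2) * iterations / hmac_rate / SECONDS_PER_YEAR


def local_hmac_rate(iterations: int = 100_000) -> float:
    """Measured single-core PBKDF2 throughput (HMAC calls/second) on this host."""
    start = time.perf_counter()
    derive_vault_key("timing-probe", "user@example.com", iterations)
    return iterations / (time.perf_counter() - start)


if __name__ == "__main__":
    # Compare a weak and a strong master password against the same vault copy.
    for length, classes in ((8, ["lower", "digits"]), (16, list(CLASSES))):
        for iters in (5_000, 100_100):   # constructed low vs. high iteration counts
            yrs = expected_years(keyspace(length, classes), iters, ASSUMED_GPU_RATE)
            print(f"len={length:2d} classes={len(classes)} iters={iters:>7}: {yrs:.3g} years")
```

Run it to see that raising the iteration count buys a constant factor while adding length multiplies the cost by the alphabet size per character; `local_hmac_rate()` shows how far a single CPU core is from the assumed GPU figure.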