Additional information from LastPass regarding customer vault data has been shared in an updated blog entry published on 12/22/22. In summary, LastPass has acknowledged that their recent incident led to the exfiltration of customer vault data, obtained by the threat actor from a backup copy. The vault data remains encrypted, but because the attacker holds a copy of it, they can attempt to brute-force the Master Password and, if they guess it, gain access to the entire vault.
The UCLA Information Security Office (ISO) recommends changing all secrets that have been stored in LastPass, starting with your Master Password, as soon as possible. This includes not only passwords, but also certificates, private keys, and other items stored as secure notes within LastPass. Do not skip any item when rotating: if an attacker brute-forces a vault's Master Password, they gain full access to everything stored within that vault, so updating every secret is the only way to fully mitigate this threat.
We also continue to recommend enabling multi-factor authentication (MFA) for all applications and services that support the feature. This additional layer of security means that even if the username and password for a particular resource are exposed, the threat actor will still need to circumvent the second-factor authentication challenge to gain access.
As a result of this incident, the UCLA Information Security Office will be re-evaluating LastPass as the campus password management solution. Additional enrollment into the service will be paused until a decision has been made. For additional information, please visit our FAQ at https://ucla.service-now.com/support?id=kb_article&sys_id=df24b48e1b406d50b6d3639dee4bcb42.
UCLA Information Security is aware of the press release shared by LastPass on 08/25/2022 regarding a recent security incident that impacted one of LastPass’ development environments. The incident led to the exfiltration of portions of their source code and proprietary LastPass technical information.
LastPass has published additional information regarding this incident at the blog post below, along with an FAQ with current guidance:
Per the FAQ, LastPass has indicated that no end-user or customer action is required at this time, as there is no indication that Master Passwords, personal information, or vault data have been compromised or exposed. UCLA Information Security is in contact with the campus LastPass account representatives to continue monitoring the situation, and will share any additional updates as they are released.
If you have any questions or concerns, please contact us at firstname.lastname@example.org.