Security Bulletin: Recommended Actions for LastPass Business Administrators
Overview
In response to the recent LastPass security incident, we have created this guide to help you assess and understand what actions you should take to protect your business.
This document is for LastPass Business admins and security analysts. It outlines the reporting and remediation steps necessary to reduce the impact of unauthorized access to LastPass information associated with your organization.
We suggest reviewing these topics in the order presented. Focus on items relevant to your specific LastPass deployment and configuration:
- Master password length and complexity
- Iteration counts for master passwords
- Super admin best practices
- MFA shared secrets
- SIEM Splunk integration
- Exposure due to unencrypted data
- Deprecation of Password apps (Push Sites to Users)
- Reset SCIM, Enterprise API, SAML keys
- Federated customer considerations
- Additional considerations
Each section presents reporting options to help identify users or data that may be at risk, as well as remediation tasks that may be performed by a LastPass admin and/or end users.
Topic 1: Master password length and complexity
LastPass uses the master password and username to create a unique encryption key that keeps sensitive data from being exposed. Without the encryption key, nobody has access to the encrypted data in a user’s vault.
For all non-federated users in a LastPass Business account, it is important to enable policies that ensure each end user creates a strong and unique master password for their vault. The master password should be at least 12 characters long. Longer is better, and a computer-generated random password is best, particularly when using all available character sets (alphanumeric, special characters, and symbols).
For businesses who make use of federation, policies controlling master passwords don’t apply since your users do not make use of a master password. Instead, federated users leverage a 256-bit “hidden master password” made up of two or three (depending on implementation model) unique cryptographically generated random 256-bit split knowledge components which are stored separately and then combined mathematically to create the key used to encrypt/decrypt data once passed through SHA256. Please see here for more information. Federation provides a significant defensive advantage against brute force attacks against a stolen vault. However, please see Topic 9: Federated customer considerations for an important update related to split knowledge component security.
Task 1.1: Review master password policies and enforce strong master passwords
The Admin Console offers numerous policies that help you force users to create and maintain strong master passwords.
- Length of master password – Set the value to at least 12. Ideally, consider using a 16- or 20-character minimum master password length. A computer-generated random password is best.
- Require master password change when reuse detected – This forces users to change their master password if we detect that it matches the password for any site in their vault.
- Prohibit reuse of old master passwords – Consider a high value to prevent reuse over time. For context, Microsoft suggests blocking the reuse of the last 24 Active Directory passwords.
- Minimum character sets in master password – Set this to at least 2. Consider requiring master passwords from 3 character sets, but remember that length wins over complexity.
Task 1.2: Review security reports related to master passwords
After setting master password policies, generate reports that help identify additional remedial actions that may apply to some users.
- In the Admin Console, go to .
- Look for these reports:
- Reused master password. Identify users who are reusing their master password on other sites. Learn more about this security report.
- Weak master password. Identify users with a weak master password. Learn more about this security report.
Task 1.3 (OPTIONAL): Reset select master passwords
Depending on the security profile of your users’ master password complexity and iteration count (Topic 2 below), you may want to force those users to reset their master passwords. You may also ask them to use a risk-based approach to prioritize the rotation of critical credentials saved in such vaults. To force a master password reset, follow these steps.
Topic 2: Iteration counts for master password
LastPass makes use of the Password-Based Key Derivation Function 2 (PBKDF2), which makes it harder for someone to guess your account password through a brute-force attack. Each round of PBKDF2 hashing converts your original input – the master password – into a unique encryption key using hashing. This type of hashing can’t be reversed. The more PBKDF2 iterations you apply, the more secure the encryption key will be and the harder it will be to guess, because every guess against a stolen vault has to repeat all of those iterations.
Task 2.1: Review users' master password iteration count settings
To maximize security for your users, review user iteration count settings and act as required. Here’s how to check iteration values for all users in your organization:
- In the Admin Console, go to .
- Run the User iteration counts report. Read this support article for more information about running this report.
In January 2023, OWASP updated the recommended number of PBKDF2 iterations to 600,000. In alignment with that revised guidance, we are increasing our default minimum iteration count to 600,000 iterations.
- Our default setting since 2019 has been 100,100 iterations. Nonetheless, for a number of reasons, there may be users in your organization whose iteration count falls below this level. If you identify users with a value less than 100,100 iterations, take note of them as users with more relative risk and instruct them to set the “Password iterations” value in their LastPass vault account settings to 600,000 iterations, as documented in this support article.
- Currently the only way to reset existing users’ PBKDF2 iterations is to manually configure it in the LastPass vault Account Settings. In the coming weeks we’ll provide the ability to set the iteration value for all users via policy in the Admin Console to the recommended minimum of 600,000. Individual users won't need to set this value manually. Additionally, at that time, all new users will have their minimum iterations set to 600,000.
- If you have end users with linked personal accounts, instruct them to manually increase their iterations to 600,000 in their personal account's Account Settings, as documented in this support article.
- In the coming months, we will be modifying this behavior and automatically upgrading all personal accounts to the revised minimum required iterations. We will notify Business admins before this takes place.
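The following Python example is added here to illustrate Topic 2 and Task 2.1; it is not LastPass code. It derives a key with PBKDF2-HMAC-SHA256 from a master password and username (modelled on the bulletin's description, not LastPass's exact key schedule), times one derivation at the 100,100 and 600,000 counts to show the per-guess cost an offline attacker pays, and triages a constructed set of iteration-count report rows into the buckets Task 2.1 asks admins to act on.

```python
import hashlib
import time

# Thresholds named in Topic 2 of the bulletin.
DEFAULT_SINCE_2019 = 100_100     # LastPass default iteration count since 2019
OWASP_2023_MINIMUM = 600_000     # OWASP's 2023 PBKDF2 recommendation, the new minimum


def derive_vault_key(master_password: str, username: str, iterations: int) -> bytes:
    """Derive a 256-bit key with PBKDF2-HMAC-SHA256.

    Modelled on the bulletin's description (master password plus username in,
    encryption key out); the exact LastPass key schedule is not claimed here.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        username.strip().lower().encode("utf-8"),  # username acts as the salt
        iterations,
        dklen=32,
    )


def seconds_per_derivation(master_password: str, username: str, iterations: int) -> float:
    """Wall-clock cost of one derivation: the same cost an offline guesser pays per try."""
    start = time.perf_counter()
    derive_vault_key(master_password, username, iterations)
    return time.perf_counter() - start


def guess_cost_ratio(old_iterations: int, new_iterations: int) -> float:
    """How much more work each guess costs after raising the iteration count."""
    return new_iterations / old_iterations


def classify_iterations(iterations: int) -> str:
    """Bucket one user's count the way Task 2.1 asks admins to triage it."""
    if iterations < DEFAULT_SINCE_2019:
        return "below-2019-default"      # highest relative risk: fix first
    if iterations < OWASP_2023_MINIMUM:
        return "below-600k-minimum"      # raise to 600,000
    return "meets-minimum"


def triage_report(rows):
    """Group (email, iteration_count) rows from the iteration-count report by bucket."""
    buckets = {"below-2019-default": [], "below-600k-minimum": [], "meets-minimum": []}
    for email, iterations in rows:
        buckets[classify_iterations(int(iterations))].append(email)
    return {name: sorted(emails) for name, emails in buckets.items()}


# Constructed sample rows; the real report's column layout is not reproduced here.
SAMPLE_REPORT = [
    ("alice@example.com", 5_000),
    ("bob@example.com", 100_100),
    ("carol@example.com", 600_000),
    ("dave@example.com", 1),
    ("erin@example.com", 310_000),
]

if __name__ == "__main__":
    for bucket, emails in triage_report(SAMPLE_REPORT).items():
        print(f"{bucket}: {emails}")
    for n in (DEFAULT_SINCE_2019, OWASP_2023_MINIMUM):
        cost = seconds_per_derivation("correct horse", "alice@example.com", n)
        print(f"{n:>7} iterations: {cost:.3f}s per derivation")
    print(f"each guess costs {guess_cost_ratio(DEFAULT_SINCE_2019, OWASP_2023_MINIMUM):.1f}x more")
```

Run it once on the machine an analyst uses for the review: the measured seconds per derivation, multiplied by the size of a password guess list, gives a concrete sense of why the bulletin treats low-iteration users as higher relative risk.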
Task 2.2: Review shared folders accessed by users with a low iteration count
Generate the Shared folders accessed by low iteration count users report to view a list of shared folders that can be accessed by users with a low iteration count. Here's how:
- In the Admin Console, go to .
- Run the Shared folders accessed by low iteration count users report.
- Use a risk-based approach to prioritize the rotation of critical credentials saved in these shared folders.
- Additionally, make sure these users increase their iteration count (Task 2.1 above).
Topic 3: Super admin best practices
A “super admin” is a LastPass user with additional privileges above those of a regular administrator. As the name implies, they have privileged access to your LastPass tenant, particularly for resolving emergency situations. They potentially can reset the master password of any user in your account, and they have extensive rights to deploy, configure, and manage LastPass. They also may have access to all shared folders in your account. This access level is based on two policy settings for your LastPass tenant: Permit super admins to reset master passwords (Task 3.2) and Permit super admins to access shared folders (Task 3.3).
Given their extensive powers, super admins should always have exceptionally strong master passwords and an appropriate iteration count. It is normally recommended that super admin accounts are only set up for “break glass” situations where special access is needed.
Task 3.1: Ensure super admins follow master password and iterations best practices
Whether or not you’re using federation, we recommend having at least one super admin who isn’t federated and who has set a master password for their vault. All master password strength and complexity policies apply to these users. As described above, ensure that your super admin users have strong master passwords and strong iteration counts.
Task 3.2: Review super admins with “Permit super admins to reset master passwords” policy rights and weak master passwords/iterations
If the policy Permit super admins to reset master passwords is enabled AND you identify super admins with a weak master password and/or low iterations, your LastPass tenant may be at risk. A comprehensive security review should be implemented to determine what further actions should be taken to secure your LastPass Business account.
In the case where you’ve identified at-risk super admin accounts, you might consider the following remediation actions if best practices for highly privileged accounts have not been followed:
- [HIGH IMPACT/OPTIONAL] Task 3.2.1: Federated login customers only: Consider de-federating and re-federating all users and request users to rotate all vault credentials
  - ONLY consider doing this if you determine your super admin has a weak master password or iteration count. In that case, de-federate and re-federate your users, as documented in this support article. This resets the shared keys between end users and super admins and prevents compromised super admin accounts from being used for further wrongdoing.
  - We then suggest using a risk-based approach to prioritize the rotation of critical credentials in end user vaults. Again, this is only suggested if you determine your super admin has a weak master password or iteration count.
- [HIGH IMPACT/OPTIONAL] Task 3.2.2: Non-federated login customers only: Consider resetting user master passwords and request users to rotate all vault credentials
  - ONLY consider doing this if you determine your super admin has a weak master password or iteration count. Review your master password policies outlined above in Task 1.1. Once complete, reset your users’ master passwords. This process is documented in this support article. This resets the shared keys between end users and super admins and prevents compromised super admin accounts from being used for further wrongdoing.
  - We then suggest using a risk-based approach to prioritize the rotation of critical credentials in end user vaults. Again, this is only suggested if you determine your super admin has a weak master password or iteration count.
Task 3.3: Review super admins with "Permit super admins to access shared folders" rights
- Make sure you reset the master password of the super admin as discussed in Task 3.1 above.
- Using a risk-based approach, you should rotate the credentials in your shared folders. The credential URLs for all shared folders can be reported in the Admin Console. Go to and select the URLs in shared folders report.
Topic 4: MFA shared secrets
This topic applies only to non-federated users who have enabled MFA access to their vaults.
Task 4.1: Reset shared secrets for non-federated customers
- In the Admin Console, go to .
- Generate the Enabled multifactor report to show users who have enabled an MFA option, including the MFA solutions they are using, as documented here.
- For users of the LastPass Authenticator, Google Authenticator, Microsoft Authenticator, or Grid, reset all MFA secrets as documented here.
Important: Since resetting MFA shared secrets destroys all LastPass sessions and trusted devices for these users, these users will need to log back in, go through location verification, and re-enable their respective MFA apps to continue using the service. We recommend sending an email providing information on the re-enrollment process.
Here's a sample email that helps them understand what to expect and what they need to do. Feel free to use it and adapt it to your organization's voice and needs.
Subject: Action required: Reset your authenticator app
Hello,
To help maintain the security of our organizational assets, we're resetting multifactor authentication for everyone using LastPass. Here's what you'll notice shortly:
• You'll no longer be logged into LastPass anywhere you were using it
• Your current multifactor authentication option for LastPass will be invalidated and will no longer work
Here's what to do after you've been logged out of LastPass:
1. In your browser, log in to LastPass again. An error message is displayed asking you to verify your login attempt via email.
2. In the email from LastPass, click the red button to verify your device/location.
3. Log in to LastPass again. Since you verified yourself in the previous step, you shouldn’t be asked for additional verification.
4. When LastPass asks you to “meet company requirements and set up multifactor authentication”, follow the on-screen instructions. You should then see a page asking you to “Pair your authentication application app”.
Feel free to contact us with questions or concerns.
Thank you,
- For users of Duo Security, Symantec VIP, RSA SecurID, or SecureAuth, regenerate the shared secret for each respective MFA solution and paste the new shared secret into the respective MFA app configuration in the Admin Console. You can find instructions for each MFA solution here:
- Manual steps to reset RSA SecurID
- Manual steps to reset Duo Security
- Manual steps to reset Symantec VIP
- Manual steps to reset SecureAuth
Note: Once you regenerate the MFA shared secret, your users won’t be able to log in to LastPass until you paste the new shared secret in the LastPass MFA configuration. Once you’ve done this, your end users will be all set.
Tip: We highly recommend you perform these actions (in Task 4.1 above) outside of your organization's standard business hours to minimize impact on your users.
Topic 5: SIEM Splunk integration
This topic applies only to customers using the SIEM Splunk integration. Customers with this integration need to reset their instance token. For those customers that do not take action, LastPass will invalidate those tokens on April 30, 2023.
Task 5.1: Update Splunk instance token
If the SIEM Splunk integration is configured in your environment, generate a new Splunk Instance Token and update/rotate it in the Admin Console under . Read this support article for additional information on generating a Splunk Instance Token.
Topic 6: Exposure due to unencrypted data
As indicated in our blog, the threat actor obtained both encrypted and unencrypted data stored in our customer and vault databases. To review this information, please refer to the section in our latest update titled “What Data Was Accessed?” as detailed information about the specific data accessed in each environment can be found there.
Task 6.1: Generate URL reports to assess risk
To see all URLs associated with your company’s users and shared folders, in the Admin Console, go to and run the newly added URLs in vaults and URLs in shared folders reports.
Because URLs and account data were obtained in unencrypted form, they expose your users to the following risks:
- Credential Stuffing – When a site username in a user’s vault is the same as their LastPass account email, a threat actor can use this to potentially launch credential stuffing attacks against websites, attempting to log in using lists of compromised website credentials obtained from various breaches.
- Phishing – A threat actor could send targeted emails/texts asking your users to reset their LastPass master password or any other password saved in their LastPass vault.
- Other Social Engineering – Combining the email address, physical address, or phone number of a user and/or business, a threat actor may be able to contact your users and attempt to extract information that guides them to additional targets.
Task 6.2: (OPTIONAL) Communicate with users about risks
Subject: Security note: Phishing and Social Engineering warning
Hello,
To help maintain the security of our organizational assets, please review this information.
• Phishing – Be on the lookout for emails/texts asking you to reset your LastPass master password or any other password in your LastPass vault.
• Social Engineering – Bad actors may try to use your personal information (such as your email address, physical address, or phone number) to lure you into providing information that could lead them to additional information or targets.
Remember to always stay vigilant as you work online. Contact us with questions or to report suspicious activity.
Thank you,
Topic 7: Deprecation of Password apps (Push Sites to Users)
This topic applies only to customers using the Password apps feature (also known as Push Sites to Users in the legacy Admin Console). This feature formerly facilitated the placement of sites or apps into users’ vaults. If you use this feature, please be aware that it is being retired and we are asking you to take our recommended action.
As described in the product configuration section and documentation, this feature did not follow our Zero Knowledge model and allowed data to be stored in unencrypted form.
Task 7.1: Stop using Push Sites/Apps to Users and take remedial action
Read this support article for recommended protective measures and safer ways to share sites and apps.
Topic 8: Reset SCIM, Enterprise API, and SAML Keys
In December, we notified a subset of customers whose SCIM, Enterprise API, and SAML keys were stored in unencrypted form. This only affected customers who joined LastPass and used these services in 2019 or before.
On February 16th, 2023, we invalidated these SCIM, Enterprise API, and SAML keys for all affected customers who had not already reset their keys manually per the information we previously communicated.
Topic 9: Federated customer considerations
Federated login integrates an Identity Provider with a service provider (in this case, LastPass) so that when a user is authenticated by the Identity Provider, they will also be logged into the service provider. In terms of LastPass, this means the need for a separate master password is eliminated for users with federated login.
As discussed above, federated business customers do not make use of a user-created master password. Instead, they use a 256-bit “hidden master password” made up of two or three (depending on implementation model) unique cryptographically generated random 256-bit split knowledge components which are stored separately and then combined mathematically to create the key used to encrypt/decrypt data once passed through SHA256. Please see this support article for more information.
In federated scenarios, the K1 split knowledge component is stored in the customer’s identity provider (IDP, such as Microsoft Azure, Okta, etc.) while the K2 split knowledge component is stored in LastPass production database servers. Without both components, it is infeasible that a threat actor would be able to either brute force or guess the resulting key needed to authenticate and decrypt entries in a vault.
The K2 component was exfiltrated by the threat actor as it was stored in the encrypted backups of the LastPass MFA/Federation Database for which the threat actor had decryption keys. The security reference model we implemented for split knowledge was chosen to defend against this specific situation where knowledge of only one of the split knowledge components would give away nothing of the resulting key.
In order to gain access to the elements needed to decrypt an offline vault or access an online vault via SSO, a threat actor would need to combine both the K1 and K2 components to derive the resulting key and then manipulate the SSO connection to initiate access. Access to both keys would represent a complicated set of actions.
As a LastPass admin, you will need to weigh the risks of how you have secured your IDP environment to prevent access to the K1 components based on the security capabilities of your IDP.
If, based on your security posture or risk tolerance, you decide to rotate the K1 and K2 split knowledge components, you will need to de-federate and re-federate your users. You can learn more about this process in this support article.
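The following Python model is added here to illustrate Topic 9's split knowledge argument and the effect of de-federating and re-federating; it is not LastPass code. It assumes the two 256-bit components are combined by XOR before the SHA256 step (the bulletin only says "combined mathematically"), and uses that assumption to show why one component alone rules out no value of the key, and why regenerating both components (re-federation) yields a fresh vault key.

```python
import hashlib
import secrets

COMPONENT_BYTES = 32  # each split knowledge component is a random 256-bit value


def new_component() -> bytes:
    """One cryptographically random 256-bit split knowledge component (K1 or K2)."""
    return secrets.token_bytes(COMPONENT_BYTES)


def mix(k1: bytes, k2: bytes) -> bytes:
    """Combine the two components. XOR is an assumption made for this illustration;
    the bulletin does not state the operation used in production."""
    if len(k1) != COMPONENT_BYTES or len(k2) != COMPONENT_BYTES:
        raise ValueError("components must be 256-bit values")
    return bytes(a ^ b for a, b in zip(k1, k2))


def combine(k1: bytes, k2: bytes) -> bytes:
    """Mix both components, then pass the result through SHA256 as the bulletin describes."""
    return hashlib.sha256(mix(k1, k2)).digest()


def component_needed_for(target_mix: bytes, known: bytes) -> bytes:
    """Given one component and ANY 256-bit target for the mix, return the other
    component that produces it. One always exists, so the known component alone
    cannot exclude any candidate key: this is the split knowledge property."""
    return mix(target_mix, known)


def one_component_reveals_nothing(known_k2: bytes, trials: int = 1000) -> bool:
    """Check over random targets that every mix value is reachable from K2 alone."""
    for _ in range(trials):
        target = secrets.token_bytes(COMPONENT_BYTES)
        if mix(component_needed_for(target, known_k2), known_k2) != target:
            return False
    return True


class FederatedUser:
    """Models where each component lives: K1 at the IdP, K2 on LastPass servers."""

    def __init__(self):
        self.idp_k1 = new_component()
        self.lastpass_k2 = new_component()

    def vault_key(self) -> bytes:
        return combine(self.idp_k1, self.lastpass_k2)

    def refederate(self) -> bool:
        """De-federate and re-federate: both components are regenerated, so the
        old key (and anything derived from an exfiltrated K2) no longer applies."""
        old_key = self.vault_key()
        self.idp_k1 = new_component()
        self.lastpass_k2 = new_component()
        return old_key != self.vault_key()


if __name__ == "__main__":
    user = FederatedUser()
    print("key with both components:", user.vault_key().hex())
    print("K2 alone constrains the key:", not one_component_reveals_nothing(user.lastpass_k2))
    print("re-federation changed the key:", user.refederate())
```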
Topic 10: Additional considerations
In addition to the tasks above, these best practices provide additional protection to you and your users. Consider implementing each of these.
Task 10.1: Review vault item password policies
Long, strong, and unique website passwords are more difficult to brute force and reduce the likelihood of successful credential stuffing on websites exposed by URLs in the clear.
- Review the policies that are enabled/available for site password length and complexity.
- Consider enabling the Length of site passwords and Password expiration notification policies to help users generate long, strong & complex website passwords at the desired time interval.
Task 10.2: Review user security scores and remediate as required
- In the Admin Console, go to .
- Run the Weak security score report. This provides a list of users with a weak security score.
For more information on how the security score is calculated, read this support article.
- For compromised, weak, and/or reused passwords, prompt users identified to change those passwords in their vault. LastPass Business offers over a dozen email notifications which can automatically notify users of what specific actions they need to take to improve their password hygiene.
Task 10.3: (OPTIONAL) Enable dark web monitoring for your users
Enable the Control dark web monitoring policy and set the value to 2. This forcibly enables dark web monitoring for every username saved in your users’ LastPass vaults. This triggers email notifications directly to users, and administrators can review at-risk users in the Admin Console’s security report under “Unresolved dark web monitoring alerts”.
Ideally, encourage users to familiarize themselves with dark web monitoring and other Security Dashboard features so they can track their password hygiene and take recommended actions to improve their online security.
Task 10.4: Review security of shared folders
- Folders should only be shared with those who require specific access on the principle of least privilege. Access can be administrated within LastPass using individual sharing invitations or through group-level access. The granularity of group-level access needs to be balanced with ongoing maintenance and least privilege governance.
- All users with access to shared folders should have adequately strong master passwords and iteration counts. For guidance, please review Topic 1 and Topic 2 in this document.
- We also encourage your admins or security analysts to leverage the URLs in vaults report to help govern the password items stored in shared folder ( ).
- Depending on the relative sensitivity of a given item in a shared folder, items should be regularly rotated to ensure ongoing security as employees leave the organization.
For further information...
We hope that this guide has helped you to understand how best to respond to the recent LastPass security incident in a way that meets your security posture and business needs.
If you require additional information, please contact the LastPass Customer Success Manager assigned to your account. If you don’t have a dedicated LastPass Customer Success Manager, contact the LastPass Care organization to open a support ticket at https://link.lastpass.com/support-ticket.