What data was accessed?
Below is a more detailed description of the LastPass customer data affected by the two security incidents.
I. Customer Account Secrets, API Keys, and Third-Party Integration Information
Depending on a customer’s specific LastPass account configuration and integrations, data stored in the backups accessed by the threat actor may include LastPass-specific and/or third-party secrets, keys, and integration information. Many of these items only apply if a LastPass customer makes use of these specific features, integrations, or account configurations:
Affected User Type | Customer Secret | Description
---|---|---
Consumers & Business Customers (non-federated) | Multifactor Authentication (MFA) seeds | MFA seeds assigned to the user when they first registered their multifactor authenticator of choice to authenticate to the LastPass vault.
Consumers & Business Customers (non-federated) | Hashes of temporary (One-Time) Passwords (OTP) and account Recovery One-Time Passwords (rOTP) | Hashes of customer-generated OTPs and/or account rOTPs. Out of an abundance of caution, LastPass proactively invalidated these hashes.
Business Customers (Federated only) | Split knowledge component ("K2") Key | K2 keys stored within LastPass are combined with K1 keys stored within the customer's identity provider (IdP) to configure a federated login deployment. This split knowledge model was chosen to defend against exactly this situation: a threat actor would need both the K1 and K2 components to attempt to decrypt an offline vault. The security settings of the customer's third-party IdP therefore factor directly into the availability and security of the K1 component.
Business Customers (non-federated) | MFA API integration secrets | Secrets used to integrate third-party MFA vendors (e.g., Duo Security, RSA SecurID, SecureAuth) with LastPass.
Business Customers (non-federated) | Time-based One-time Password (TOTP) seeds | Seeds used to generate TOTP authentication codes for Google Authenticator, Microsoft Authenticator, LastPass Authenticator, and Grid.
Business Customers | Splunk Security Information & Event Management (SIEM) integration secrets | Secrets used to send LastPass event logs to a customer's Splunk instance for auditing and monitoring of LastPass events.
Business Customers | "Push" site credentials | Credentials that may have been "pushed" to a LastPass user or group by a LastPass Business administrator.
Business Customers | SCIM, Enterprise API and SAML Keys | API keys used by LastPass Business administrators and users to integrate with third-party directory services, provision, de-provision and manage users, and make use of single sign-on (SSO). Users of these keys were contacted by LastPass in December 2022 with specific remediation instructions to reset them.
Access to these API tokens, keys, and seeds poses various risks. The threat actor could potentially bypass a particular service, access a particular application, or manipulate data. Where possible, LastPass took steps to remediate these risks by invalidating certain keys and APIs. The Security Bulletins provided in connection with this blog update describe the actions that LastPass has already taken as well as the actions that customers may need to take to further remediate risks within their own environments.
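The TOTP and MFA seeds in the table above differ from the OTP hashes that LastPass invalidated: a seed is directly usable, because whoever holds it computes the same codes as the user's authenticator app, so the seed has to be re-enrolled rather than a single code revoked. The RFC 6238 implementation below is an added example, not LastPass code; it uses the RFC's reference test secret as a constructed seed, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example seed: the RFC 6238 reference secret "12345678901234567890",
# base32-encoded the way authenticator apps receive it. A real seed is the value
# provisioned when the user enrolled their authenticator.
EXAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    (word,) = struct.unpack(">I", mac[offset:offset + 4])
    return str((word & 0x7FFFFFFF) % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    seed = base64.b32decode(seed_b32.upper())
    return hotp(seed, at // period, digits)


def verify_totp(seed_b32: str, code: str, at: int, window: int = 1,
                period: int = 30) -> bool:
    """Server-side check tolerating +/- `window` periods of clock drift.
    Constant-time comparison so timing does not leak which digits matched."""
    for step in range(-window, window + 1):
        expected = totp(seed_b32, at + step * period, period)
        if hmac.compare_digest(expected, code):
            return True
    return False


def stolen_seed_passes(seed_b32: str, at: int) -> bool:
    """A second holder of the seed (the attacker) produces exactly the code the
    verifier expects. Only re-enrolling the seed closes this; invalidating the
    hash of any single code does not."""
    users_app_code = totp(seed_b32, at)
    attackers_code = totp(seed_b32, at)   # same seed, same clock, same code
    return users_app_code == attackers_code and verify_totp(seed_b32, attackers_code, at)


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("code now:", totp(EXAMPLE_SEED_B32, now),
          "stolen seed accepted:", stolen_seed_passes(EXAMPLE_SEED_B32, now))
```

The same arithmetic applies to any TOTP-based integration: the only secret is the seed, so every seed in a compromised backup should be treated as known to the attacker until it is rotated.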
II. LastPass Customer Database
The threat actor was able to copy a backup of our customer database dated as of August 14, 2022. Any accounts created after this date are not affected. The customer database contained unencrypted basic customer account information and related metadata including:
LastPass User Type | Data Field | Description
---|---|---
Business & Teams Users | Billing Address | Business billing address
Business & Teams Users | Company Name | Name of business
Business & Teams Users | EIN/Tax ID | EIN/Tax ID for the company or business
Business & Teams Users | Email Address | Company email address of the user (e.g., name@lastpass.com)
Business & Teams Users | End User Name | Name of the end user (if provided)
Business & Teams Users | IP Address | IP addresses of trusted devices from which end users accessed the LastPass service
Business & Teams Users | Telephone Number | Mobile phone number used for SMS recovery (if enabled)
Business & Teams Users | Mobile Device Unique Identifier | Unique identifier of any mobile device used to access the LastPass service
Business & Teams Users | PBKDF2 SHA256 Iterations | The number of PBKDF2 iterations that the customer's account was configured to use
Free, Premium, and Families Users | Billing Address | Billing address (if provided)
Free, Premium, and Families Users | Email Address | End user email address
Free, Premium, and Families Users | End User Name | Name of the end user (if provided)
Free, Premium, and Families Users | IP Address | IP addresses of trusted devices from which end users accessed the LastPass service
Free, Premium, and Families Users | Telephone Number | Mobile phone number used for SMS recovery (if enabled)
Free, Premium, and Families Users | Mobile Device Unique Identifier | Unique identifier of any mobile device used to access the LastPass service
Free, Premium, and Families Users | PBKDF2 SHA256 Iterations | The number of PBKDF2 iterations that the end user's account was configured to use
The Customer Database also contained various account entitlement information (e.g., Premium, Families, Teams, etc.) as well as service and application configuration items such as MFA options enabled.
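Of the fields above, the PBKDF2 SHA256 iteration count matters most in combination with the email address: together they hand an attacker the exact key-derivation parameters for each account, and the iteration count is what makes every guess at a master password expensive. The Python below is an added example, not LastPass code. It assumes the lower-cased account email is the PBKDF2 salt (the page does not state what the salt is), and it replaces the real success test ("does this key decrypt a vault field correctly") with a constructed check value so that no AES library is needed.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class StolenRecord:
    """What an attacker holds per account after the two incidents: the email and
    iteration count (clear text in the customer database) and ciphertext from
    the vault backup, represented here by a constructed check value."""
    email: str
    iterations: int
    check_value: bytes


def derive_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 256-bit output. Assumption for this example:
    the lower-cased account email is the salt, so the salt is known as well."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"), iterations, 32)


def check_value_for(key: bytes) -> bytes:
    """Constructed verifier. In a real attack the test is whether the candidate
    key decrypts a known vault field to something valid; a hash of the key
    plays that role here so the example runs without AES."""
    return hashlib.sha256(b"constructed-vault-check:" + key).digest()


def make_record(email: str, master_password: str, iterations: int) -> StolenRecord:
    key = derive_key(master_password, email, iterations)
    return StolenRecord(email, iterations, check_value_for(key))


def offline_guess(record: StolenRecord, wordlist):
    """Dictionary attack on one record. Returns (password or None, KDF calls).
    Every guess costs one full PBKDF2 run at the victim's iteration count."""
    calls = 0
    for guess in wordlist:
        calls += 1
        candidate = check_value_for(derive_key(guess, record.email, record.iterations))
        if hmac.compare_digest(candidate, record.check_value):
            return guess, calls
    return None, calls


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Time one PBKDF2 run on this machine. An attacker with GPUs is far
    faster in absolute terms; the ratio between iteration counts is what
    carries over."""
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        derive_key("benchmark", "bench@example.com", iterations)
        best = min(best, time.perf_counter() - t0)
    return best


def cost_multiplier(old_iterations: int, new_iterations: int) -> float:
    """How much more work each guess costs after raising the iteration count."""
    return new_iterations / old_iterations


if __name__ == "__main__":
    # Constructed victim: weak-ish passphrase, low iteration count.
    rec = make_record("Alice@Example.com", "correct horse battery", 5000)
    print(offline_guess(rec, ["password", "letmein", "correct horse battery"]))
    for it in (5000, 100100):
        print(it, "iterations:", round(seconds_per_guess(it), 4), "s per guess")
    print("5,000 -> 600,000 iterations costs the attacker", cost_multiplier(5000, 600000), "x per guess")
```

Because each guess is one full PBKDF2 run, an account configured at 5,000 iterations is 120 times cheaper to attack than one at 600,000 (OWASP's current guidance for PBKDF2-HMAC-SHA256), and a low count combined with a short or reused master password is the case an attacker will prioritise.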
III. LastPass Customer Vault Data
The threat actor was able to copy five of the Binary Large Objects (BLOBs) database shards that were dated: August 20, 2022, August 30, 2022, August 31, 2022, September 8, 2022, and September 16, 2022. This took place between September 8 - 22, 2022. LastPass accounts created after these dates are not affected.
Anatomy of a “Vault”
Customers recognize "vault" data as the sites, secure notes, and their various sub-elements that they interact with when using a LastPass client (web browser, extension, mobile app, etc.) on their device.
The vault a client displays is, however, assembled from multiple backend data sources and transformed and packaged by the LastPass service before it is sent to the requesting client. The data elements of a customer vault are stored in a serialized format described as BLOBs: collections of binary strings separated into designated sections. A BLOB is not encrypted as a whole; specific sections and fields within it are.
The BLOBs stored in the LastPass backend are therefore not direct copies of the complete, human-readable vaults rendered in each customer's LastPass client. The backend deserializes the binary BLOB data, combines it with data from other sources, and transfers the result to the client, where it is decoded and decrypted. The reverse happens when a client updates a BLOB.
Encrypted Fields in the Vault
Encrypted data fields within BLOBs use 256-bit AES. Decryption is performed on the end user's local LastPass client with a unique encryption key derived from that user's master password. Because of our Zero Knowledge architecture, end user master passwords are never known to LastPass and are not stored or maintained by LastPass. There are 23 encrypted data fields within BLOBs, 21 of which may be considered "sensitive" data:
- Within Sites, the following fields are encrypted:
- Site Name
- Site Folder
- Site Username (including change history log)
- Site password (including change history log)
- Site note content (including change history log)
- Encrypted TOTP secret used to generate per-site TOTP codes
- Custom fillable form-field
- Custom fillable form-field content
- Within Secure Notes, the following fields are encrypted:
- Name
- Folder
- Attachment file name
- Attachment
- Encrypted attachment encryption key
- Note content
- Additionally, the following non-categorized data fields are encrypted:
- Group names
- Encrypted sharing keys
- Encrypted Super Admin sharing key
Unencrypted Fields in the Vault
As of this writing, there are 12 unencrypted data fields that may contain sensitive information referencing specific users or devices. Most are URL-based or URL-related, and several only apply if a LastPass user makes use of specific features, functions, or account configurations:
- Application file path for the LastPass Windows or macOS application
- Email address of the LastPass user who edits a shared vault item (recorded in change history)
- Site URLs, including various URL rules and “Never URL” account configurations. A more comprehensive list of the various unencrypted URL fields can be found below:
# | Field Name | Field Type | Field Description | LastPass Reference | Applicable to Customers/Use Cases
---|---|---|---|---|---
1 | url | URL | URL of the vault item | The URL of the website, captured by LastPass when a credential is saved and used for matching when the credential is filled. These are fully qualified domain names (FQDN) and anything in the URL can be added here. Examples: https://www.cnn.com or https://www.cnn.com/2023/01/09/sport/nfl-playoffs-set/index.html | Universally available to all customers; used by all clients when saving a credential to LastPass and for URL/domain matching when filling a credential.
2 | Rurl | URL | Duplicate of URL field | Deprecated functionality; duplicate of #1 | Deprecated; may exist for old users.
3 | url_rules | List of domains/URLs | When logging in to a site, LastPass shows login entries in your vault with a similar URL. URL Rules control this matching process and create a smoother experience. | | Universally available to all customers but configured on demand; only exists if this feature is implemented.
4 | Equiv_domains | List of domains/URLs | Domains that use the same login service. LastPass pre-lists popular sites that use shared credentials across domains under their control, for example amazon.com and its local variations, or gmail.com and other Google products. | | Universally available to all customers; LastPass configures some example domains by default when explicitly configured to do so. These are fully qualified domain names (FQDN) and anything in the URL can be added here.
5 | accts_never | List of URLs | Used when customers disable LastPass actions on specific sites/URLs (denylist). | | Universally available to all customers but configured on demand; only exists if this option is implemented. These are fully qualified domain names (FQDN) and anything in the URL can be added here.
6 | accts_never_excluded | List of URLs | Connected to #5: the "allowlist" that overlaps with the denylist in #5. LastPass Business admins can add Global Never and Global Only URLs in the Admin Console to control whether LastPass prompts users for action. A wildcard character (*) can be used for both a subdomain and a subpath when adding Global Never URLs. | Manage Global Never and Global Only URLs for users in the new Admin Console | Available to all business customers but configured on demand; only exists if Global Only URLs are implemented.
7 | acs | URL | URLs for SAML SSO apps using the LastPass Legacy SSO Service. Note: this is a Service Provider URL identifying the third-party app that users sign into (e.g., https://signin.aws.amazon.com/saml). | | Business users using the LastPass Legacy SSO Service with applications assigned by an administrator. Allows a user to sign in to an SSO app from within their LastPass vault. These application URLs appear in the LastPass client under the "Apps assigned to me" section and are preset by administrators to allow one-click SSO/SAML access to published applications.
8 | launchurl | URL | URLs for SAML SSO apps using the LastPass Legacy SSO Service. Note: this can be either a LastPass-internal URL (e.g., https://lastpass.com/saml/launch/cfg/XXXXXX) that does not explicitly identify the Service Provider, or a third-party Service Provider URL (e.g., https://signin.aws.amazon.com/saml). | Related to #7: the point where the SSO/SAML authentication session begins | Business users using the LastPass Legacy SSO Service with applications assigned by an administrator. Allows a user to sign in to an SSO app from within their LastPass vault. These application URLs appear in the LastPass client under the "Apps assigned to me" section and are preset by administrators to allow one-click SSO/SAML access to published applications.
9 | Appaccts - appname | Application path | Path to the LastPass application in the Windows or macOS filesystem | Contains the path to a native, locally hosted application for which desktop auto-filling has been set up | Universally available to all customers but configured on demand; only exists if this feature is implemented to make use of a LastPass native Windows or macOS application. Does not apply to website or browser extension use cases.
10 | Accts_notes | Email address | Email address of the user who edited the vault item's note field | Used for additional change history (View changes in item history) | Universally available to all customers but used only on demand, when a shared item is updated by someone who is not the original sharer.
11 | Accts_username | Email address | Email address of the user who edited the vault item's username field | Used for additional change history (View changes in item history) | Universally available to all customers but used only on demand, when a shared item is updated by someone who is not the original sharer.
12 | Accts_password | Email address | Email address of the user who edited the vault item's password field | Used for additional change history (View changes in item history) | Universally available to all customers but used only on demand, when a shared item is updated by someone who is not the original sharer.
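To make concrete what "not encrypted as a whole" means for someone holding a copy of the backup, the Python below builds and parses a constructed chunked BLOB: a 4-byte tag, a 4-byte big-endian length and a payload per chunk, with each account record made of length-prefixed fields. This is an added example with its own made-up layout, not the LastPass format (the page does not specify one), and the ciphertext fields are fixed opaque bytes standing in for AES-256 output. The parser never needs a key, yet it recovers every url, url_rules entry and accts_never entry, and it rejects truncated input rather than reading past the end of the buffer.

```python
import struct
from urllib.parse import urlsplit

# Constructed record layout for this example (NOT the LastPass format, which the
# page does not specify): an account record is a fixed-order list of
# length-prefixed fields, and only the names in PLAINTEXT_FIELDS are stored clear.
ACCT_FIELDS = ("name", "url", "username", "password", "notes", "url_rules")
PLAINTEXT_FIELDS = {"url", "url_rules"}


def pack_fields(values):
    """Serialize byte strings as 4-byte big-endian length + bytes, back to back."""
    return b"".join(struct.pack(">I", len(v)) + v for v in values)


def pack_chunk(tag, payload):
    """Chunk = 4-byte ASCII tag, 4-byte big-endian payload length, payload."""
    if len(tag) != 4:
        raise ValueError("chunk tag must be 4 bytes")
    return tag + struct.pack(">I", len(payload)) + payload


def build_blob(accounts, never_urls):
    """accounts: dicts keyed by ACCT_FIELDS whose encrypted fields are already
    ciphertext bytes; never_urls: the clear-text deny list (accts_never)."""
    chunks = [pack_chunk(b"ACCT", pack_fields([a[f] for f in ACCT_FIELDS])) for a in accounts]
    chunks.append(pack_chunk(b"NEVR", pack_fields(never_urls)))
    return b"".join(chunks)


def iter_chunks(blob):
    """Walk the chunk stream, refusing headers or lengths that run off the end."""
    pos = 0
    while pos < len(blob):
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header at offset %d" % pos)
        tag = blob[pos:pos + 4]
        (size,) = struct.unpack(">I", blob[pos + 4:pos + 8])
        start, end = pos + 8, pos + 8 + size
        if end > len(blob):
            raise ValueError("chunk %r claims %d bytes past end of blob" % (tag, size))
        yield tag, blob[start:end]
        pos = end


def unpack_fields(payload):
    """Inverse of pack_fields with the same bounds checks."""
    out, pos = [], 0
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated field length at offset %d" % pos)
        (size,) = struct.unpack(">I", payload[pos:pos + 4])
        if pos + 4 + size > len(payload):
            raise ValueError("field runs past end of chunk")
        out.append(payload[pos + 4:pos + 4 + size])
        pos += 4 + size
    return out


def parse_blob(blob):
    """No key involved: encrypted fields come back as the opaque bytes they are
    on disk, while the clear fields decode to strings."""
    accounts, never = [], []
    for tag, payload in iter_chunks(blob):
        if tag == b"ACCT":
            raw = unpack_fields(payload)
            if len(raw) != len(ACCT_FIELDS):
                raise ValueError("ACCT record has %d fields, expected %d" % (len(raw), len(ACCT_FIELDS)))
            rec = dict(zip(ACCT_FIELDS, raw))
            for f in PLAINTEXT_FIELDS:
                rec[f] = rec[f].decode("utf-8")
            accounts.append(rec)
        elif tag == b"NEVR":
            never = [u.decode("utf-8") for u in unpack_fields(payload)]
        # unknown tags are skipped rather than treated as an error
    return {"accounts": accounts, "never": never}


def exposed_hosts(blob):
    """What an attacker with only the backup learns: every site the user holds
    credentials for, the matching rules, and the sites LastPass was told to ignore."""
    parsed = parse_blob(blob)
    urls = [a["url"] for a in parsed["accounts"]] + parsed["never"]
    for a in parsed["accounts"]:
        urls += [u for u in a["url_rules"].split(",") if u]
    return sorted({urlsplit(u).hostname or u for u in urls})


# Constructed sample: OPAQUE stands in for AES-256 ciphertext; no key for it exists.
OPAQUE = bytes.fromhex("9f1c0a7be3d24c5581a0")
SAMPLE_BLOB = build_blob(
    [
        {"name": OPAQUE, "url": b"https://bank.example/login", "username": OPAQUE,
         "password": OPAQUE, "notes": OPAQUE, "url_rules": b"https://online.bank.example"},
        {"name": OPAQUE, "url": b"https://mail.example/", "username": OPAQUE,
         "password": OPAQUE, "notes": OPAQUE, "url_rules": b""},
    ],
    [b"https://intranet.corp.example/sso"],
)

if __name__ == "__main__":
    print("hosts visible without any key:", exposed_hosts(SAMPLE_BLOB))
```

The list of hosts is the input to the phishing and credential-stuffing attacks described below: it tells the attacker which banks, mail providers and internal systems a given email address has accounts with, even if no encrypted field is ever recovered.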
Customer Security Bulletins
The threat actor may attempt to brute-force the master passwords protecting the copies of the vault data they took and decrypt them. Our Zero Knowledge encryption architecture is designed to protect customers' sensitive information against such attempts; the effort an attacker must spend grows with the strength of the master password and with the account's PBKDF2 iteration count. The threat actor may also use some of this data to target customers with phishing, credential stuffing, or other social engineering attacks against online accounts associated with their LastPass vault.
- Security Bulletin: Recommended Actions for Free, Premium, and Families Customers. This bulletin guides our Free, Premium, and Families customers through a review of important LastPass settings designed to help secure their account by confirming best practices are being followed.
- Security Bulletin: Recommended Actions for LastPass Business Administrators. This bulletin walks administrators of our Business and Teams customers through an assessment of LastPass account configuration and third-party integrations, and includes information that is relevant to both non-federated and federated customers.
If you have any questions regarding the recommended actions, please contact technical support or your customer success team who are ready to help.