New Incident at LastPass: User Personal Data Exposed Again

LastPass has communicated a new data breach involving users' personal information, although the incident occurred indirectly, through the market intelligence company Klue, a partner of the well-known password management company. The digital vaults containing users' passwords were not compromised in this instance.

The intrusion allowed cybercriminals, identified as the Icarus group, to access Klue's systems, which integrate platforms like Salesforce and Gong. Specifically, the attackers exploited OAuth tokens obtained through old compromised credentials on June 12, to penetrate the Customer Relationship Management (CRM) system of Salesforce used by Klue. From here, they exfiltrated sensitive data from numerous clients, including those of LastPass.

LastPass specified that the stolen information is limited to standard business contact data and CRM data. This includes customer names, phone numbers, email addresses, and physical addresses. Information related to support cases and sales information was also exposed. Despite the indirect nature of the breach, the type of compromised data makes users vulnerable to phishing attacks and targeted social engineering attempts.

Following the discovery of the incident, LastPass responded by immediately revoking employee access to Klue, rotating exposed API tokens, notifying law enforcement, and initiating a thorough investigation into the extent of the event, in collaboration with Klue and Salesforce. Klue, in turn, revoked credentials and tokens, removed unauthorized code, and disabled integration with Salesforce instances.

The password management company recommends that users maintain heightened vigilance against potential phishing attacks or social engineering attempts that could exploit the acquired information. LastPass also provided a list of IP addresses and email domains associated with the attackers, which companies can use to search for related activity in their systems.

IP Addresses: 138.226.246[.]94, 94.154.32[.]160, 159.183.215[.]61, 159.183.181[.]239
Email Domains: baccarat.com[.]au, robinskitchen.com[.]au, house.com[.]au

This episode adds to a series of security incidents that have plagued LastPass over the years. In 2015, for example, hackers obtained email addresses of accounts, password hints, authentication hashes, and cryptographic salts, although at that time the data from the encrypted vaults was not compromised. The much more serious attack in 2022 saw an attacker compromise a developer account, stealing source code and technical information. This access was then used to access cloud backups containing customer logs and encrypted password vaults, along with unencrypted details such as names, billing addresses, email addresses, and phone numbers.

The repetitiveness of these events underscores the ongoing cyber threat and the need for robust security, even from third-party providers, to protect user data.