Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Submit a Peer Review for the AI Controls Matrix—a groundbreaking framework to address AI risks and strengthen security.

Unpacking the LastPass Hack: A Case Study from CSA’s Top Cloud Threats Report

Published 01/15/2025

Home
Industry Insights
Unpacking the LastPass Hack: A Case Study from CSA’s Top Cloud Threats Report

Originally published by InsiderSecurity.


This article kicks off a series that explores prominent cybersecurity incidents, using CSA’s Top Threats to Cloud Computing report as a foundation. In this installment, we analyze the LastPass hack, offering a user-friendly, illustrated breakdown of the attack and practical guidelines for detection and prevention.


What is LastPass?

LastPass is a Software-as-a-Service (SaaS) provider specializing in password vault solutions. These tools enable users to securely store complex secrets, such as passwords, and access them conveniently when needed. Key features of LastPass’s zero-knowledge architecture include:

  • Encrypted Storage: Data is stored encrypted within LastPass’s database.
  • Master Password Encryption: Only the customer’s master password can decrypt the data, ensuring it remains inaccessible to LastPass.
  • Transient Master Password Storage: The master password is never stored persistently in LastPass’s systems.


How Password Vaults Work

To understand the implications of the hack, let’s review the typical flow of a password vault system:

Step 1: The customer launches the password vault software and provides the master password. The master password might be salted or hashed further to ensure secrecy in transit before it is sent to the password vault’s server for authentication. Upon successful authentication, the password vault server sends the encrypted secrets to the customer.

Step 1


Step 2: The customer can now decrypt the encrypted secrets with the master password. These secrets can typically be copied into the clipboard for Just-in-time usage. In the illustration, the customer has decrypted and copied the ‘Secret A’ into the Clipboard. The customer can now login to another software or web portal which requires Secret A to access.

Step 2


In the incident of LastPass hack, the customer's encrypted password (X), as shown in the illustration, was stolen. Additionally, customer information, such as the company name and the URL where the decrypted password could be used, was also compromised.

One can imagine the impact this could have had on the industry if the attacker had been able to decrypt any password they had stolen. This would mean the attacker could access any password-protected systems easily accessible from the internet. Of course, this is only applicable if 2FA is not present in those accounts!


How possible is it to decrypt the secrets stolen from LastPass?

Since the secrets are stored encrypted, what are the possibilities that the attacker could recover the secrets? There are multiple ways these encrypted passwords can be decrypted, and we will be discussing two possible methods:


1. Password guessing:

As the secrets are stored encrypted with the customer’s master password, if a weak master password has been used, the attacker can easily guess the customer’s master password to access the data and reveal all the passwords stored by the customer.


2. Tampering with the backend code:

If the attacker compromises the backend server responsible for decrypting the encrypted data and plants malicious code, they could potentially log the customer’s master password and use it to decrypt the stolen data.


What happened?

August 2022

In early August 2022, attackers successfully accessed LastPass’s S3 bucket in a development environment and exfiltrated source code together with technical documents (4). A developer’s valid credentials, stolen from the developer’s compromised machine (1), were used to access the S3 bucket (3). It is interesting to note that the developer does not usually access those resources on S3; however, the access given to the developer has been overly permissive. It is also noted that the attackers obfuscated their original location by accessing the cloud resource over VPN (2).

In mid-August 2022, the LastPass security team discovered the hack and decommissioned the development environment, under the assumption that the attacker’s activity had been contained.


October 2022
In October 2022, a LastPass Senior DevOps engineer's machine was compromised (5) and used to access the DevOps engineer’s LastPass corporate vault. This allowed the attacker to access the corporate vault in the S3 bucket (6), which contains backups of LastPass customer data and encrypted vault data. Fortunately, the customers' secrets remain safe as they are encrypted in the customer’s master key due to the zero-knowledge architecture.

LastPass discovered the hacks after the attackers triggered an 'IAM unauthorized activity' alert generated by AWS GuardDuty, likely be caused by running reconnaissance and enumeration operations (4).


TTPs

We can map the attacks to the following Tactics, Techniques, and Procedures (TTPs) in MITRE.


Detection Opportunities

Mapping the attack timeline reveals multiple points where advanced detection strategies could have mitigated or prevented the breach:

  • Unusual Login Behavior (Steps 2-3):
    • Monitor logins from unusual or fast-changing locations.
    • Flag logins from VPN-associated IP ranges.
  • Sensitive Data Access (Steps 4 & 7):
    • Tag sensitive storage locations and monitor access.
    • Trigger alerts for unusual patterns of data access or privilege escalation.
  • Data Exfiltration (Step 6):
    • Detect high-volume data transfers from S3 buckets.
    • Set thresholds for data access intensity to reduce false positives.
  • Reconnaissance and Enumeration:
    • Compare privileged account activities to baseline behavior.
    • Use behavioral analytics to identify deviations, such as privilege checks or bulk data queries.


Prevention Strategies

This incident highlights critical lessons for securing cloud environments and SaaS infrastructures:

  1. Implement least privilege access for sensitive environments, ensuring minimal permissions for all accounts.
  2. Regularly monitor and review access logs for anomalies, including VPN usage or unusual locations.
  3. Deploy multi-factor authentication (MFA) to strengthen account security.
  4. Conduct behavioral analysis to detect and flag unusual data access patterns.
  5. Ensure sensitive audit logs are stored securely and cannot be tampered with.


Conclusion

The LastPass hack underscores the importance of vigilance, robust access controls, and advanced monitoring tools in cloud security. While LastPass’s zero-knowledge architecture helped protect customer secrets, the incident reveals how lapses in access management and monitoring can lead to breaches.

For more details on detecting and preventing similar attacks, explore our comprehensive guide:

Read the Full Guide Here

Identity and Access ManagementRisk ManagementSaaS Governance

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Participate in the State of SaaS Security 2025 Survey
Key Management for Public Cloud Migration
Cloud Security for Startups 2024
Enhance your cloud security skills with CSA's online training options.
Related Articles:
The EU AI Act: A New Era of AI Governance Began August 1st

Published: 01/15/2025

Secrets & Non-Human Identity Security in Hybrid Cloud Infrastructure: Strategies for Success

Published: 01/14/2025

The Trouble with Large Language Models and How to Address AI “Lying”

Published: 01/13/2025

How to Secure Cloud Environments and Minimize Data Breach Risks

Published: 01/10/2025