Threat Modeling
7 min read

How Threat Modelling Could Have Saved LastPass

The LastPass breach is a textbook case of underestimated business risk. A proper threat model done up front would have surfaced the exact vulnerabilities that led to one of the most damaging password manager incidents on record.

9 February 2023

Reviewed 29 March 2026

Security Strategy

Over the last few months I have been following the updates LastPass issued around the security incidents they had in the second half of 2022. The story is a classic example of what happens when business risk is underestimated, and it is worth walking through what a proper threat model could have changed.
What happened

A brief summary of events. In August 2022, an unauthorised third party accessed LastPass's development environment through an improperly exposed endpoint. The attacker appeared not to have done anything malicious at that point, and because it was a development environment, no customer data was at risk. LastPass assured customers they had fully contained the attacker and strengthened their controls.

Then in November, LastPass revealed they had detected unusual activity in a third-party cloud storage service, traced back to access gained in the August incident. This time, customer data was accessed. The cloud storage held backups of production data.

As it turned out, this included basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers and IP addresses. The backups also contained an encrypted copy of customer vault data. The attacker does not immediately have all passwords from those vaults, but the risks are significant.

After the first incident, LastPass stated they had implemented threat modelling among other steps to enhance security. Given the second and more serious breach still happened, either the threat modelling was not done properly or it was not done fast enough.

What threat modelling would have revealed

A few things stand out from this story.

First, LastPass admits the second breach in production was a direct consequence of the first breach in the development environment. They clearly had not fully contained the attack in August as they had stated.

Many tech companies follow the practice of separating development and production environments. That is sensible. But it does not mean development environments can be treated as low-risk. A threat model done up front would have revealed that development accounts often pose more business risk than most teams realise.

Second, though the production environment was never directly impacted, the production backups were. They posed just as much risk as a production breach would have, and the headlines that followed reflect that.

This comes up regularly in threat modelling work. Without it, key risk areas get missed. Backups are frequently overlooked, and application logs, code repositories and credentials repositories pose similar dangers.

In these situations there are two options. You exhaustively try to secure everything, or you do an assessment that finds where the real risks are and prioritise based on those. The first approach does not work in practice. Businesses will always choose the second, because it is quicker, more cost-effective and still achieves the outcomes needed. Threat modelling is the most reliable way I have found to surface the important risks quickly.

Third, LastPass consistently underestimated the business risk of several parts of their infrastructure. A security incident on an exposed endpoint in a development environment led to the exposure of customers' encrypted password vaults. That is one step away from complete compromise as far as customers are concerned.

The risks to customers

Customers face two direct risks from this incident.

First, for each vault the attacker has, a single master password is the only protection against full compromise. LastPass has acknowledged this by highlighting how they have strengthened master password requirements over the years. But even a strong master password may eventually succumb to determined attackers who perceive enough value in the vaults to invest resources in cracking them.

If you are a LastPass customer, the right move is to immediately reset all passwords stored in your vault, particularly those that grant access to sensitive or important services.

Second, the personal customer data exposed in the breach makes customers significantly more vulnerable to phishing. This is already the subject of a class-action lawsuit filed against LastPass in early 2023.

What this means for your business

This is not a story about a security team that did not care. LastPass clearly cares about security and it is a significant operational investment for them.

The lesson is about where that investment is directed. A threat model driven by business risk rather than technical controls would have highlighted many of these risks up front: the risk in the development environment, the risk in the backup infrastructure, the potential blast radius if either was compromised.

With that view, the investment might have included mitigating those specific vulnerabilities before they were exploited.

Threat modelling is not a silver bullet. No single approach prevents every breach. But a business-risk-led threat model is the most direct path to understanding what actually matters and putting effort where it makes the biggest difference.

About the author
Jonny Tyers, Founder & Managing Director

Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.