
Four Preventable Failures in the LastPass Breach
TL;DR: Four upstream failures in the LastPass breach, each fixable with patterns that existed in 2022. Source code contained cleartext secrets instead of references to secrets fetched at runtime from a secrets manager. The decryption key for customer vault backups was stored in a LastPass vault instead of an HSM, and the rotation cost of that arrangement distorted the incident response in a dangerous direction. Engineers with privileged access were permitted to run non-current macOS versions, for which Apple has been shown to delay patches, if it releases them at all. A browser-to-kernel exploit chain actively exploited in the wild during the LastPass compromise window was patched on the current macOS twenty-six days before being patched on the previous supported version. AWS credentials in the compromised vault had no IP, MFA, or VPC restrictions, so they worked from anywhere the moment the attacker had them. The detailed arguments and fixes are below. ...
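The fourth failure, as an added example that is not part of the original post: the unrestricted grant beside the same grant with the source-IP, VPC and MFA conditions it lacked, checked by a deliberately minimal evaluator that models only IAM's explicit-deny rule and the three operators used (not AWS's real policy engine). The CIDR, VPC id, bucket and request contexts are placeholders constructed for the example.

```python
import ipaddress
# Hypothetical trusted values; placeholders, the real ones are not on the page.
TRUSTED_CIDRS = ["203.0.113.0/24"]       # corporate egress range (TEST-NET-3)
TRUSTED_VPC = "vpc-0123456789abcdef0"    # placeholder VPC id
ALLOW_BACKUPS = {"Effect": "Allow", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::backups/*"}
# The failure mode: a key whose policy is only an Allow works from anywhere.
UNRESTRICTED_POLICY = {"Statement": [ALLOW_BACKUPS]}

# Same grant plus explicit Denies keyed on where and how the request arrives.
HARDENED_POLICY = {"Statement": [
    ALLOW_BACKUPS,
    # Deny unless the call comes from corporate egress OR through the VPC
    # (operators inside one Condition block are ANDed).
    {"Effect": "Deny", "Action": "*", "Resource": "*", "Condition": {
        "NotIpAddress": {"aws:SourceIp": TRUSTED_CIDRS},
        "StringNotEquals": {"aws:SourceVpc": TRUSTED_VPC}}},
    # Deny when MFA is absent; long-term access keys carry no MFA context
    # key, so the ...IfExists form bites on exactly the stolen-key case.
    {"Effect": "Deny", "Action": "*", "Resource": "*", "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

def _cond_matches(operator, key, wanted, ctx):
    """Three IAM operators, all negated/IfExists forms: True when key is missing."""
    if key not in ctx:
        return True
    if operator == "NotIpAddress":
        ip = ipaddress.ip_address(ctx[key])
        return not any(ip in ipaddress.ip_network(c) for c in wanted)
    if operator == "StringNotEquals":
        return ctx[key] != wanted
    if operator == "BoolIfExists":
        return str(ctx[key]).lower() == wanted
    raise ValueError(f"unsupported operator {operator}")

def is_allowed(policy, action, ctx):
    """Explicit Deny beats Allow; no matching Allow is an implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        if st["Action"] not in ("*", action):
            continue
        conds = st.get("Condition", {})
        if all(_cond_matches(op, k, v, ctx)
               for op, kv in conds.items() for k, v in kv.items()):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
# Constructed contexts: stolen key replayed from elsewhere, no MFA; engineer on corp egress with MFA.
ATTACKER_CTX = {"aws:SourceIp": "198.51.100.7"}
ENGINEER_CTX = {"aws:SourceIp": "203.0.113.10", "aws:MultiFactorAuthPresent": True}
```

Note that the MFA deny also blocks an instance role inside the VPC, since it never carries the MFA context key; in practice that condition is scoped to human principals and the VPC condition carries the workload case.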