LastPass tells world more about recent breach, researchers frustrated
LastPass, a password manager with over 25 million users, gave more details about the latest breach into the company’s systems. The firm claims users’ personal data or master passwords were not affected – yet researchers are worried.
In a blog post, Karim Touba, Chief Executive of LastPass, once again confirmed that a threat actor had recently gained access to a third-party cloud-based storage service, which LastPass uses to store backups of its production data.
The company had earlier said that the attacker used information obtained in the August 2022 incident, and now has decided to share what exactly was stolen or copied. Details are worrying.
What the company claims
Kouba once again said that in the August breach, no customer data was accessed. However, the threat actor stole “some source code and technical information from our development environment.”
This data was used to target another employee. After obtaining the needed credentials and keys, attackers accessed and decrypted “some storage volumes” within the cloud-based storage service where backups are held.
What’s concerning is the type of information that was copied. LastPass says the backup contained “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”
The attackers were also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
Of course, LastPass stresses that the encrypted fields remain secure – they can only be decrypted with a unique key derived from each user’s master password. The latter is never known to LastPass and is not stored or maintained by the company.
What does it actually mean?
And yet, experts seem to be very frustrated. After all, when LastPass says that hackers were able to “copy a backup of customer vault data” – and that’s exactly what the firm says – it means that the threat actor theoretically now has access to all those passwords. Of course, if the attacker can crack the stolen vaults.
Yes, LastPass claims there’s nothing to worry about if your master password is strong: “Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to brute force guess master passwords for those customers who follow our password best practices.”
“If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology,” the company adds.
But what if the “best practices” are by chance – and a fat one at that because it’s often hard to keep up with the most recent settings – not followed? What if the master password is weak or older?
LastPass has an answer: “In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.” Yes, that means password changes for every website you trusted LastPass to store – and that’s a lot of fuss.
There’s more, though. LastPass admits that some unencrypted data was stolen, and that includes website URLs (Uniform Resource Locators). This is important as hackers would actually know which websites users have accounts with and target them with phishing or other types of attacks.
According to John Scott-Railton, Senior Researcher at Citizen Lab at the University of Toronto, LastPass now “has a giant target on their back because of the juicy data $ password trove that they handle, and they are absolutely failing their customers.”
“Attackers didn’t just get encrypted passwords. They got unencrypted URLs. Think: URLs with account tokens, API keys & credentials, etc.,” the researcher wrote.
“Do your employees use LastPass? Or how about your users? Do you even know? The unencrypted URL breach is bad news for your security model, and you should be thinking about mitigations.”
Alison Gianotto, the founder of Snipe-IT, an open-source asset management firm, called the situation at LastPass a mess. She already told her LastPass-using employees to expect to get phishing emails, some of which might actually cite the LastPass breach as a reason to click on their links.