The August 2022 LastPass breach has resulted in potentially catastrophic consequences for the company and some of its users: attackers have made off with unencrypted customer data and copies of backups of customer vault data.
The news couldn’t come at a worse time: businesses are winding down their activities, and employees and users are in the midst of last-minute preparations for the end-of-year holidays.
The LastPass breach resulted in theft of customer vault backups
LastPass, the company behind the eponymous password manager, suffered a breach earlier this year, which resulted in attackers accessing its third-party cloud-based storage environment.
“While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud based storage service,” LastPass CEO Karim Toubba explained.
Once the attackers obtained the cloud storage access key and the dual storage container decryption keys, they copied information from a backup that contained customer account information and related metadata, including:
- Company names
- End-user names
- Billing addresses
- Email addresses
- Telephone numbers
- IP addresses from which customers were accessing the LastPass service
“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form filled data,” Toubba noted. “These encrypted fields remain secure with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. Again, the master password is never known to LastPass and is not stored or maintained by LastPass. Data encryption and decryption is performed only on the local LastPass client.”
LastPass did not specify how many customer vault backups were copied, or how much vault data they contained.
And now?
LastPass says that if users have followed security best practices (a master password longer than 12 characters that is not reused for other accounts), an attack with current password-cracking technology will go nowhere. If they have not, they should change the passwords of the websites stored in their vault.
Business customers who do not use LastPass' federated sign-in service are encouraged to do so.
Although cracking long and unique passwords quickly is difficult (and expensive), the greatest danger lies in social engineering attacks.
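As an added illustration of the advice above (this is not code from the article or from LastPass), the following Python checks a candidate master password against the two stated rules, longer than 12 characters and not reused, and estimates how an offline exhaustive search scales with length and character set. The guess rate and the reused-password list are constructed assumptions; LastPass’s actual key-derivation settings are not on the page and are not modelled here.

```python
import math
import string

# Constructed assumption for illustration only: a hypothetical offline guess rate.
# It is not a figure from the article nor a benchmark of any real cracking setup.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000

# Constructed stand-in for "passwords the user already uses elsewhere" or known
# leaked passwords; a real check would consult a breach corpus or the user's vault.
REUSED_OR_LEAKED = {"Password123!", "correct horse battery staple"}

PUNCTUATION_SIZE = len(string.punctuation) + 1  # printable ASCII symbols plus space


def charset_size(password: str) -> int:
    """Size of the smallest conventional character set covering every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += PUNCTUATION_SIZE
    return size


def brute_force_bits(password: str) -> float:
    """Search-space size in bits for an attacker who knows only length and character set."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def expected_crack_seconds(password: str,
                           guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time for an exhaustive offline search (on average half the space is tried)."""
    return (2 ** brute_force_bits(password)) / 2 / guesses_per_second


def check_master_password(password: str, reused=REUSED_OR_LEAKED) -> list:
    """Return the ways the password fails the article's two rules (empty list = passes)."""
    problems = []
    if len(password) <= 12:
        problems.append("not longer than 12 characters")
    if password in reused:
        problems.append("reused or previously leaked: an offline attacker tries these first")
    return problems


if __name__ == "__main__":
    for candidate in ("Password123!", "xq7!Rv9#mLp2Kd", "a" * 20):
        years = expected_crack_seconds(candidate) / 86400 / 365
        print(f"{candidate!r}: {brute_force_bits(candidate):.1f} bits, "
              f"~{years:.3g} years at the assumed rate, "
              f"problems={check_master_password(candidate) or 'none'}")
```

The bit estimate is an upper bound: it assumes the attacker has no better strategy than exhausting the character set, which is exactly what a reused or leaked password destroys, since a dictionary of known passwords is tried long before any exhaustive search begins. That is why the policy has two rules, and why a twenty-character string that appears in a breach list still fails.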
“Threat actors can also target customers with phishing attacks, credential stuffing, or other brute force attacks against your LastPass Vault-linked online accounts. […] to click a link to verify your personal information. Except when logging into your vault from the LastPass client, LastPass will never prompt you for your master password,” Toubba said.
But that is not all. Because LastPass does not encrypt website URLs, attackers have enough data to launch phishing campaigns impersonating the other services a user has accounts with: they know the user’s name, email address and phone number, as well as the online services they use. Users should therefore watch out for phishing attempts in the coming days and months.
These could take the form of fake password reset notices, could cite the LastPass breach as the reason action is required, and could lead to look-alike sites on seemingly legitimate domains. Do not follow the links provided in such emails; always navigate to the service’s website independently.
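As an added example (not from the article and not a LastPass tool), here is a small Python triage routine of the kind a helpdesk or a cautious user could run over a suspicious email: it extracts the links and classifies each one against an allowlist of domains the user legitimately uses, flagging hosts that merely contain the brand name and registered domains within a small edit distance of a legitimate one. The allowlist entry lastpass.com is assumed to be the vendor’s domain; the email body and all the other domains are constructed samples under reserved TLDs.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of domains the user genuinely has accounts with. "lastpass.com"
# is an assumption (the article names the company, not its domain); extend as needed.
LEGITIMATE_DOMAINS = {"lastpass.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample email; all non-allowlisted hosts use reserved ".example" names.
SAMPLE_EMAIL = """Subject: Action required: verify your LastPass account

Due to the recent breach you must verify your identity within 24 hours.
Verify here: https://lastpass-verify.example/confirm?id=123
Or use our mirror: https://1astpass.example/login
Read the official statement: https://lastpass.com/blog
Unrelated: https://news.example.org/story
"""


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (sufficient for the names used here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, legit=LEGITIMATE_DOMAINS) -> str:
    """Label a URL by how its host relates to the allowlisted domains."""
    host = (urlparse(url).hostname or "").lower()
    reg = registered_domain(host)
    if reg in legit:
        return "legitimate-domain"
    for domain in legit:
        brand = domain.split(".")[0]
        # e.g. lastpass-verify.example or lastpass.com.evil.example: brand appears in
        # the host, but the registrable domain is not the allowlisted one.
        if brand in host:
            return "brand-in-lookalike-host"
        # e.g. 1astpass.example: one edit away from the brand label.
        if levenshtein(reg.split(".")[0], brand) <= 2:
            return "typosquat-candidate"
    return "unknown-domain"


def triage_email(body: str, legit=LEGITIMATE_DOMAINS) -> list:
    """Return (url, label) pairs for every link found in the message body."""
    return [(url, classify_link(url, legit)) for url in URL_RE.findall(body)]


if __name__ == "__main__":
    for url, label in triage_email(SAMPLE_EMAIL):
        print(f"{label:24s} {url}")
```

Only the first label, legitimate-domain, justifies following a link, and even then the article’s advice stands: type the service’s address yourself. The registered-domain check is deliberately simple (two labels); for country-code second-level domains such as co.uk a public-suffix list would be needed.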
If you’re a LastPass user:
- Change all of your passwords sooner rather than later (if not immediately)
- Enable two-factor authentication wherever you can
- Evaluate the content of your secure notes and of the data LastPass automatically fills into online forms, and change what can be changed. People store all kinds of information in secure notes: bank account, cryptocurrency account and crypto wallet data; account recovery phrases and codes; payment card PINs; and other sensitive data.
- Change your master password (make it long, complex and unique)
“The painful thing for LastPass users who did unfortunately reuse their master password on other sites is that this case is now an *offline* attack – which means 2FA or changing one’s LastPass web password (or even master password) won’t help much – the attackers have a point in time snapshot of all the credentials in those stolen vaults. And if you were using a weak (or worse, previously leaked) master password when they were stolen, you’re screwed,” noted security researcher Kenneth White.
I don’t doubt that many users will be disappointed with LastPass and will look for an alternative password manager to store their passwords – perhaps even one that’s not cloud-based (though that comes with drawbacks, such as no password syncing, which makes life more difficult). LastPass says it is putting extra layers of protection in place, but many users’ trust may already be lost.
But I anticipate another problem: many users are not technical and know very little about security. They may have a hard time adjusting to a different password manager, and they are more likely to get scammed. This is not an easy problem to solve, and it is a reminder that, for some people, less technical solutions can sometimes be the better alternative.
Organisations using LastPass are addressing this by alerting their users to the potential for phishing attacks, with notices that explain the situation and give practical advice.