Last month, the company disclosed that threat actors had gained access to “certain elements” of customer information. Now, just as many US employees are leaving for the holidays, the company reveals that customers’ encrypted password vaults were copied.
LastPass has issued an updated statement regarding a recent data breach: the company, which promises to keep all of your passwords in one secure location, is now claiming that hackers were able to “copy a backup of customer vault data,” which means they theoretically now have access to all of those passwords if they can crack the stolen vaults (via TechCrunch).
If you use LastPass to store passwords and login information, or if you had an account and didn’t delete it before this fall, a copy of your password vault could be in the hands of hackers. Nonetheless, the company claims that if you have a strong master password and the most recent default settings, you may be safe. However, if you have a weak master password or older, weaker settings, the company recommends that you “consider minimizing risk by changing passwords of websites you have stored as an extra security measure.”
That could imply changing the passwords for all of the websites you trusted LastPass to store.
While LastPass insists that passwords are still secured by the account’s master password, given how it’s handled these disclosures, it’s difficult to believe it.
When the company announced the breach in August, it stated that it did not believe any user data had been accessed. Then, in November, LastPass announced that it had detected an intrusion, which appeared to be based on information stolen in the August incident (it would have been nice to learn about that possibility between August and November). Because of this intrusion, someone was able to “gain access to certain elements” of customer information. It turns out that those “certain elements” were, you know, the most important and secret information stored by LastPass. According to the company, there is “no evidence that any unencrypted credit card data was accessed,” but that would have been preferable to what the hackers got away with. At the very least, canceling a card or two is simple.
Customers’ vault backups were copied from cloud storage
We’ll get to the details later, but here’s what LastPass CEO Karim Toubba has to say about the vaults being taken:
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data like website URLs and fully-encrypted sensitive fields like website usernames and passwords, secure notes, and form-filled data.
According to Toubba, the only way a malicious actor could access that encrypted data, and thus your passwords, is through your master password. According to LastPass, it has never had access to master passwords.
That’s why, according to him, “it would be extremely difficult to attempt to brute force guess master passwords,” as long as you had a very good master password that you never reused (and there wasn’t some technical flaw in the way LastPass encrypted the data — though the company has made some pretty basic security mistakes in the past). However, whoever has this data can attempt to unlock it offline by trying candidate master passwords one after another, whether from a wordlist of common and previously leaked passwords or by exhaustive search — in other words, a brute-force or dictionary attack.
LastPass claims that using its recommended defaults should protect you from such an attack, but it makes no mention of any feature that would prevent someone from repeatedly attempting to unlock a vault over days, months, or years. Nor could there be one: the attackers hold their own copy of the vault, so LastPass’s servers, login lockouts, and rate limits are no longer in the loop, and the only thing slowing each guess down is the cost of the key-derivation function itself. It’s also possible that people’s master passwords are accessible in other ways — if they re-use their master password for other logins, it could have leaked out during previous data breaches.
It’s also worth noting that if you have an older account (created before the current default was introduced in 2018), your master password may have been protected by a weaker password-strengthening process. LastPass currently uses “a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function,” but when a Verge staff member checked their older account using a link included in the company’s blog, it said their account was set to 5,000 iterations. Since PBKDF2’s cost to the attacker scales linearly with the iteration count, every guess against such a vault is roughly twenty times cheaper than against one protected with the current default.
Perhaps the most concerning aspect is the unencrypted data, which includes URLs and could provide hackers with information about which websites you have accounts with. If they decide to target specific users, that information could be extremely useful when combined with phishing or other types of attacks.
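To make the two points above concrete — that URLs sit in the clear while usernames and passwords are encrypted under a key derived from the master password, and that the attacker’s only obstacle is the PBKDF2 iteration count — here is a small added simulation. It is not LastPass’s code or vault format: it is a toy stand-in written for this article, using Python’s standard library only. The salt (the lowercased account e-mail), the XOR-with-SHA-256 keystream and the HMAC tag are all illustrative assumptions; a real vault would use a proper cipher such as AES, and the e-mail and iteration count are assumed to be known to the attacker, as the metadata backup described further down would provide.

```python
import hashlib
import hmac
import os


def derive_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with the lowercased e-mail as salt (assumption for
    this toy; the salt only needs to be per-user and known to the client)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream (hash counter mode). Illustrative only; not a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(key: bytes, plaintext: str) -> dict:
    """Encrypt-then-MAC one sensitive field so a wrong key is detectable."""
    nonce = os.urandom(16)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt_field(key: bytes, blob: dict):
    """Return the plaintext, or None if the key does not verify the tag."""
    expected = hmac.new(key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks)).decode()


def build_vault(master_password: str, email: str, iterations: int, entries) -> dict:
    """Mimic the mixed layout the CEO describes: URL in the clear, the
    username and password encrypted. Entries are (url, username, password)."""
    key = derive_key(master_password, email, iterations)
    items = [
        {
            "url": url,  # stored unencrypted: readable without any key
            "username": encrypt_field(key, username),
            "password": encrypt_field(key, password),
        }
        for url, username, password in entries
    ]
    return {"email": email, "iterations": iterations, "items": items}


def visible_urls(vault: dict) -> list:
    """What the attacker learns with zero guesses."""
    return [item["url"] for item in vault["items"]]


def crack_vault(vault: dict, wordlist):
    """Offline dictionary attack: no lockout or rate limit applies to a stolen
    copy, so the cost per guess is exactly one PBKDF2 derivation. Returns the
    recovered master password and the number of guesses spent."""
    probe = vault["items"][0]["password"]
    for n, guess in enumerate(wordlist, start=1):
        key = derive_key(guess, vault["email"], vault["iterations"])
        if decrypt_field(key, probe) is not None:
            return guess, n
    return None, len(wordlist)


def seconds_per_wordlist(words: int, iterations: int, hmac_per_second: float) -> float:
    """Rough cost model: PBKDF2 work is linear in the iteration count, so the
    same wordlist costs ~20x more against 100,100 iterations than 5,000."""
    return words * iterations / hmac_per_second


if __name__ == "__main__":
    # Constructed sample: an old account still at 5,000 iterations, weak master password.
    vault = build_vault("password123", "Alice@Example.com", 5000,
                        [("https://bank.example", "alice", "s3cret!")])
    print("URLs readable without a key:", visible_urls(vault))
    # Constructed wordlist standing in for a leaked-password list.
    print("cracked:", crack_vault(vault, ["letmein", "123456", "password123", "qwerty"]))
    print("5,000 vs 100,100 iterations, 1M-word list at 1e9 HMAC/s:",
          seconds_per_wordlist(10**6, 5000, 1e9), "s vs",
          seconds_per_wordlist(10**6, 100100, 1e9), "s")
```

The tag check is what makes the attack work without any oracle from LastPass: a wrong guess produces a key that fails verification, a right guess decrypts, and nothing but CPU time limits how many guesses are tried. The real defenses are the ones the article names — an unguessable, never-reused master password and a high iteration count — because neither the ciphertext format nor the cleartext URLs offer any.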
If I were a LastPass customer, I would be dissatisfied with how the company has disclosed this information
While none of this is good news, it is all something that could happen to any company that stores secrets in the cloud. The name of the game in cybersecurity isn’t having a perfect track record; it’s how you respond to disasters when they occur.
And this is where I believe LastPass has fallen short.
Remember, this announcement is being made today, December 22nd — three days before Christmas, when many IT departments will be on vacation and people are unlikely to be paying attention to password manager updates.
(In addition, the announcement doesn’t get to the part about the vaults being copied until five paragraphs in. And, while some of the information is bolded, I believe it’s reasonable to expect such a major announcement to be near the top.)
According to LastPass, the vault backup was not initially compromised in August; rather, the threat actor used information from that breach to target an employee who had access to a third-party cloud storage service. The vaults were kept in and copied from one of the cloud storage volumes, along with backups containing “basic customer account information and related metadata.” That includes things like “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” according to LastPass.
Toubba claims that as a result of the initial breach and the second breach that exposed the backups, the company is taking numerous precautions, including increasing logging to detect suspicious activity in the future, rebuilding its development environment, rotating credentials, and more.
That’s all well and good, and it should accomplish those goals. But, if I were a LastPass user, I’d seriously consider leaving the company at this point, because we’re looking at one of two scenarios here: either the company didn’t know backups containing users’ vaults were on the cloud storage service when it announced that it had detected unusual activity there on November 30th, or it did know and chose not to notify customers about the possibility that hackers had gained access to them. Neither of these looks good.