A cyberattack stole personal user data, encrypted passwords and other sensitive data stored in LastPass vaults. Other GoTo business lines were affected as well.
The bad news keeps coming for GoTo, the vendor behind the LastPass password manager, which was hacked twice in 2022. While the investigation is still ongoing, Paddy Srinivasan, GoTo's CEO, announced in a blog post on January 23, 2023 that last November's intrusion reaches well beyond LastPass. Five other services were affected as well: the Central and Pro remote-access tools, the join.me online meeting service, the Hamachi VPN and the RemotelyAnywhere remote-access tool.
And that is not all. The attackers also obtained an encryption key for a portion of the encrypted backups stored with a third-party cloud provider. That gives them access to several categories of information: usernames, encrypted passwords (unreadable as long as the attacker does not also hold the key that protects them), product licensing details, configuration data and multi-factor authentication settings. The parent company continues to strike a reassuring tone, saying that no banking information was stolen and that the number of people whose data was compromised is very limited. Affected customers are being contacted and their account passwords reset, and their accounts are being migrated to a new, more secure platform with improved identity management and stronger authentication. In the meantime, the investigation continues.
LastPass: the contents of customer vaults in the wild
After stealing the application's source code and technical information about how it works, the attackers went after LastPass again. Although the company initially sought to reassure, stating that its customers' passwords "remained securely encrypted", the damage turned out to be greater than expected. As a reminder, a password manager stores all of a user's essential passwords, payment details and login information in an encrypted database, or vault, which the user unlocks with a single master password. Suffice to say that LastPass holds data of great value to attackers, especially with its 33 million individual users and 100,000 business customers, including major American media outlets such as the New York Times, CNN and Mashable.
At the end of December 2022, as it had promised, LastPass published a new blog post to share the progress of its investigation with its users. The news was bad: the attackers had indeed obtained personal information and associated metadata, including usernames, company names, billing addresses, customer e-mail addresses, IP addresses and phone numbers. Worse still, they had also gained access to customer vaults, which contain encrypted fields such as the website usernames and passwords entered by the company's customers, secure notes and form-filled data, along with the URLs of the corresponding sites and the backed-up vault contents. Nothing less. The only small consolation: "There is no evidence that unencrypted credit card data was accessed. LastPass does not store full credit card numbers and credit card information is not archived in this cloud storage environment."
In principle, most of that information should be unusable. "These encrypted fields remain secure with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture," explained company CEO Karim Toubba, referring to a security model in which data is encrypted on the user's device before it is synchronized with the service: in theory, if LastPass itself cannot read the data, neither can the attackers. The company therefore considered that users still faced no real risk. "It would take millions of years to guess your master password using common password cracking technology," it judged. The attacker "may attempt to use brute force to guess your master password and decrypt the copies of vault data it has taken," but even then it would be difficult. That reassurance holds only for long, unique master passwords: with a copy of the vault in hand, the attacker guesses offline, with no lockout or rate limiting, and the cost of each guess is set by the key-derivation work the client performs, so a weak or reused master password is the real exposure.
LastPass hack: what are the risks for users?
After this massive leak, LastPass decided to strengthen its security by decommissioning the development environment the attackers had accessed and rebuilding it from scratch. The company also replaced and hardened developer machines, processes and authentication mechanisms, and was reviewing every account showing signs of suspicious activity. Other protective measures were taken as well.
To head off any risk of credential stuffing, a technique in which an attacker, using software or by hand, fires large numbers of login attempts at websites and services using username/password pairs leaked elsewhere, LastPass recommended that users change their master password and the passwords stored for each associated account. Those passwords should of course be long and strong, mixing numbers, letters and special characters. It is also better, breach or no breach, to protect the account by enabling two-factor authentication, also called multi-factor authentication; the company's tutorial walks through the steps.
But while the passwords were in principle safe, the theft of personal data was more troubling. Attackers could use it for phishing campaigns, in particular by impersonating LastPass so that victims hand over their master password themselves. That is why the company reminded customers that it will never call them, and will never send e-mails or text messages asking them to click a link to verify their personal information. Other than when logging into the vault from a LastPass client, it will never ask for the master password.
LastPass: two successive cyberattacks
Using a password manager is normally a good way to protect personal accounts and information, and to keep track of them. But because of the sensitive data they hold, these tools are frequent targets of hacking attempts. In early August, the vendor of the LastPass password manager detected traces of "unauthorized activity", as it announced in a press release. The intrusion followed the compromise of a developer account and gave the attacker access to the development environment, from which portions of source code and proprietary technical information were stolen. The company nevertheless sought to reassure: "Our products and services are operating normally," it stated. At that stage, user credentials and passwords did not appear to have been compromised. LastPass explained that it had "contained the issue, implemented additional security measures" and had not "witnessed other attempts at unauthorized activity".
We recently detected unusual activity within portions of the LastPass development environment and have initiated an investigation and deployed containment measures. We have no evidence that this involved any access to customer data. More info: https://t.co/cV8atRsv6d pic.twitter.com/HtPLvK0uEC
—LastPass (@LastPass) August 25, 2022
After opening an investigation, the company brought in the cybersecurity and forensics firm Mandiant as a precaution. The investigation found that the intrusion had been "limited" to a four-day period and that "Our system design and controls prevented the threat actor from gaining access to customer data or encrypted password vaults." The company added that in any case, "we never store or know your master password."
On November 30, the company revealed in a new blog post that it had been the victim of a second cyberattack and that, this time, some "customer information items" may have been accessed by the attackers; it remained rather vague about their nature and about the number of users affected. According to the initial information, the attackers had used data obtained during the previous attack. LastPass stated that "we work diligently to understand the scope of the incident and identify the specific information that was accessed". The company also indicated that it had again engaged Mandiant under its risk management program, as it had after the previous attack, and had notified law enforcement. "As always, we'll let you know as soon as we know more," it promised. Still, the episode seriously tarnishes the image of a company that claims to be the world's number one password manager.