A few months after a major hack, the publisher of the LastPass password manager is again the victim of an attack. Although the company assures that no password is in danger, the extent of the damage is not yet known.
It was to be expected, but the attack that the LastPass password manager suffered last August has had consequences. After stealing the application's source code and information about how it works, the hackers have targeted the company again, as its CEO Karim Toubba has just revealed in a blog post dated November 30, 2022. As a reminder, a password manager stores all of a user's essential passwords, payment details and login information in a strongly encrypted database, or vault, which the user unlocks with a single master password. Suffice to say that LastPass holds data of great value to attackers.
On November 30, LastPass detected “abnormal activity” in a “cloud storage service” that the firm shares with its partner GoTo. Although the application is still functional, some “customer information items” could be accessed by the authors of the attack; the firm remains rather vague about their nature and the number of users affected. According to initial information, the hackers used data recovered during the previous attack. LastPass asserts that “we work diligently to understand the scope of the incident and identify the specific information that was accessed“.
The company is nevertheless reassuring, saying that “our customers’ passwords remain encrypted and secure thanks to the Zero Knowledge architecture“. This refers to its security model, under which data is encrypted only on the user’s device, before it is synced with the service: in theory, if LastPass never knows the data, hackers cannot learn it from LastPass either. The company also says it has engaged the cybersecurity and forensics specialist Mandiant as part of its risk management program, as it did after the previous attack, and has notified law enforcement. “As always, we’ll let you know as soon as we know more.“, it promises. Still, this second attack deals a big blow to its image …
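To make the Zero Knowledge model described above concrete, the following Python sketch shows client-side vault encryption end to end. It is an added example, not LastPass’s code, and it does not describe LastPass’s actual implementation: the PBKDF2 iteration count, the use of the e-mail address as salt, the extra derivation round that turns the encryption key into a login hash, and the HMAC-SHA256 counter-mode stream cipher standing in for a production AEAD are all assumptions made for this example. What it shows is which values the service ever holds (a login hash and an authenticated ciphertext) and that a copy of those values decrypts nothing without the master password.

```python
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Illustrative parameters for this example only (assumptions, not LastPass's settings).
PBKDF2_ITERATIONS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, email: str) -> Tuple[bytes, bytes]:
    """Runs on the user's device only.

    enc_key   encrypts and decrypts the vault and never leaves the device.
    auth_hash is what the client sends to log in: one extra PBKDF2 round over
              enc_key, so the server can verify it without being able to recover
              enc_key or the master password from it.
    """
    enc_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                  email.lower().encode(), PBKDF2_ITERATIONS, dklen=32)
    auth_hash = hashlib.pbkdf2_hmac("sha256", enc_key, master_password.encode(), 1, dklen=32)
    return enc_key, auth_hash


def _subkey(enc_key: bytes, label: bytes) -> bytes:
    # Domain-separate the encryption key and the MAC key from the one derived key.
    return hmac.new(enc_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a dependency-free stream cipher. A real client
    # would use a vetted AEAD such as AES-GCM; this stands in so the example runs
    # on the standard library alone.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_vault(enc_key: bytes, vault: dict) -> bytes:
    """Client side: serialise the vault, encrypt, then MAC (nonce || ciphertext || tag)."""
    plaintext = json.dumps(vault, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(enc_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(enc_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(enc_key: bytes, blob: bytes) -> dict:
    """Client side: verify the tag before decrypting; raises on wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("vault blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(enc_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault failed authentication: wrong master password or tampered data")
    ks = _keystream(_subkey(enc_key, b"enc"), nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, ks)))


def server_store_account(email: str, auth_hash: bytes, blob: bytes) -> dict:
    """Everything the service persists: no master password, no enc_key, no plaintext."""
    return {"email": email, "auth_hash": auth_hash, "vault_blob": blob}


def server_login(account: dict, email: str, auth_hash: bytes) -> Optional[bytes]:
    """Returns the encrypted blob on a matching login hash; decryption stays on the client."""
    if account["email"] == email and hmac.compare_digest(account["auth_hash"], auth_hash):
        return account["vault_blob"]
    return None


def client_sync(email: str, master_password: str, vault: dict) -> dict:
    enc_key, auth_hash = derive_keys(master_password, email)
    return server_store_account(email, auth_hash, encrypt_vault(enc_key, vault))


def client_unlock(account: dict, email: str, master_password: str) -> dict:
    enc_key, auth_hash = derive_keys(master_password, email)
    blob = server_login(account, email, auth_hash)
    if blob is None:
        raise PermissionError("login rejected")
    return decrypt_vault(enc_key, blob)


def can_unlock(account: dict, email: str, master_password: str) -> bool:
    try:
        client_unlock(account, email, master_password)
        return True
    except (PermissionError, ValueError):
        return False


def blob_decrypts_with(blob: bytes, email: str, master_password: str) -> bool:
    """Models a copy of the stored blob in hand, bypassing the login check entirely."""
    enc_key, _ = derive_keys(master_password, email)
    try:
        decrypt_vault(enc_key, blob)
        return True
    except ValueError:
        return False


def stored_copy_reveals_plaintext(account: dict, secret: str) -> bool:
    """Defender's check: does the server-side record contain the secret in clear?"""
    s = secret.encode()
    return s in account["vault_blob"] or s in account["auth_hash"]


if __name__ == "__main__":
    vault = {"bank": "constructed-secret-1", "mail": "constructed-secret-2"}  # constructed sample
    acct = client_sync("alice@example.com", "correct horse battery staple", vault)
    print("server holds only:", sorted(acct))
    print("blob decrypts with wrong password:", blob_decrypts_with(acct["vault_blob"], "alice@example.com", "wrong"))
```

The check worth keeping is stored_copy_reveals_plaintext, which a defender can run over any exported server-side record. The model's caveat is visible in derive_keys: once a copy of the blob has left the service, its protection reduces to the cost of a PBKDF2 run per master-password guess, so the iteration count and the strength of the master password, not the service's own secrecy, set the bound.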
LastPass: the consequence of an earlier hack
Normally, using a password manager is a good way to protect personal accounts and information, and to remember them. But because of the sensitive data they contain, these tools are often targeted by hacking attempts. At the beginning of August, the publisher of the LastPass password manager detected traces of “unauthorized activities,” as it announced in a press release. The intrusion followed the compromise of a developer account and gave a hacker access to the development environment. The intruder managed to steal portions of source code and proprietary technical information from the firm, which nevertheless sought to be reassuring. “Our products and services are operating normally,” it had declared. At first sight, users’ identifiers and passwords did not appear to have been compromised. LastPass explained that it had “contained the issue, implemented additional security measures” and had not “witnessed other attempts at unauthorized activity”.
We recently detected unusual activity within portions of the LastPass development environment and have initiated an investigation and deployed containment measures. We have no evidence that this involved any access to customer data. More info: https://t.co/cV8atRsv6d pic.twitter.com/HtPLvK0uEC
— LastPass (@LastPass) August 25, 2022
After opening an investigation, the firm had, as a precaution, also called on Mandiant. It found that the intrusion had been “limited” to a period of four days, and that “Our system design and controls prevented the threat actor from gaining access to customer data or encrypted password vaults.” It added that, in any case, “we never store or know your master password.”
At this time, the company does not recommend any particular action by users or administrators. However, as it reminds us, it is better, whether there has been a cyberattack or not, to strengthen the security of your account by enabling two-factor authentication (also called multi-factor authentication). To do this, just follow the firm’s tutorial.