Months after a cyberattack, LastPass admits that personal user data, encrypted passwords, and other data stored in customer vaults were indeed stolen by hackers.
It was to be expected: the attacks that the LastPass password manager suffered in August and November did indeed have consequences for user security. After stealing the application's source code and information about how it works, the hackers targeted the company again. Although it initially tried to be reassuring, affirming that its customers' passwords "remained securely encrypted", it turns out that the damage is greater than expected. As a reminder, password managers let you store all your essential passwords, payment details and login information in a strongly encrypted database, or vault, which the user unlocks with a single master password. Suffice it to say that LastPass holds data of great value to hackers, especially with its 33 million individual users and 100,000 business customers, including major American media outlets such as the New York Times, CNN and Mashable.
LastPass: the contents of customer vaults in the wild
LastPass has published a new blog post to share the progress of its investigation with its users, as the firm had promised. And the news is pretty bad: it turns out that the hackers did gain access to personal information and associated metadata, including usernames, the names of companies using the service, billing addresses, customer email addresses, IP addresses and phone numbers. Worse still, they also managed to obtain customer vaults, which contained encrypted data: all the website usernames and passwords entered by the company's customers, with their URLs, as well as secure notes, form-fill data and other saved content. Nothing more! The only small consolation: "There is no evidence that unencrypted credit card data was accessed. LastPass does not store full credit card numbers and credit card information is not archived in this cloud storage environment."
In principle, most of this information should be unusable. "These encrypted fields remain secure with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture," explains company boss Karim Toubba, referring to the security model in which data is encrypted on the user's device before it is synchronized with the service: in theory, if LastPass does not know the data, neither do the hackers. The company therefore considers that there is still no real risk for users. "It would take millions of years to guess your master password using common password cracking technology", the company judges. The attacker "may attempt to use brute force to guess your master password and decrypt the copies of vault data it has taken", but again, that would be difficult.
LastPass hack: what are the risks for users?
After this massive data leak, LastPass decided to beef up its security by decommissioning the development work the hackers had access to and rebuilding it from scratch. The company also replaced and hardened developer machines, processes and authentication mechanisms. It is also analysing all accounts showing signs of suspicious activity. Other protective measures have been taken as well.
To avoid any risk of credential stuffing (a technique that consists of carrying out, with software or by hand, massive authentication attempts against websites and services using known username/password pairs), LastPass recommends that users change their master password and the passwords used for each account stored in the vault. Of course, they must be long and strong, with numbers, letters and special characters. It is also better, whether there has been a cyberattack or not, to strengthen the security of your account by activating two-factor authentication, also called multi-factor authentication. To do this, just follow the firm's tutorial.
But while the passwords are in principle safe, the theft of personal data is more worrying. Hackers can use it to run phishing campaigns, in particular by posing as LastPass so that their victims voluntarily hand over their master password. It is therefore important to remember that the company will never call its customers, and will never send them emails or text messages asking them to click on a link to verify their personal information. Other than when logging into their vault from a LastPass client, it will never ask them for their master password.
LastPass: two successive cyberattacks
Normally, using a password manager is a good way to protect personal accounts and information, and to remember them. But because of the sensitive data they contain, these tools are frequent targets of hacking attempts. At the beginning of August, the publisher of the LastPass password manager had detected traces of "unauthorized activities", as it announced in a press release. The intrusion followed the compromise of a developer account and allowed a hacker to gain access to the development environment. The intruder had managed to steal portions of source code and proprietary technical information from the firm, which nevertheless sought to be reassuring. "Our products and services are operating normally," it declared. At the time, users' usernames and passwords did not appear to have been compromised. LastPass explained that it had "contained the issue, implemented additional security measures" and had not "witnessed other attempts at unauthorized activity".
We recently detected unusual activity within portions of the LastPass development environment and have initiated an investigation and deployed containment measures. We have no evidence that this involved any access to customer data. More info: https://t.co/cV8atRsv6d pic.twitter.com/HtPLvK0uEC
—LastPass (@LastPass) August 25, 2022
After opening an investigation, the firm had, as a precaution, called in the cybersecurity and digital forensics firm Mandiant. It found that the intrusion had been "limited" to a period of four days, and that "Our system design and controls prevented the threat actor from gaining access to customer data or encrypted password vaults." It added that, in any case, "we never store or know your master password."
On November 30, the firm revealed in a new blog post that it had been the victim of a second cyberattack and that, this time, some "customer information items" may have been accessed by the attackers; the firm remained rather vague about their nature and the number of users affected. According to initial reports, the hackers had used data recovered during the previous attack. LastPass stated: "we work diligently to understand the scope of the incident and identify the specific information that was accessed". The company also said it had called on Mandiant again as part of its risk management program, as it had after the previous attack, and had notified law enforcement. "As always, we'll let you know as soon as we know more," it promised. Still, this story seriously tarnishes the image of a company that claims to be the number one password manager in the world...