LastPass Breach: Attacker Stole Encrypted Password Vaults
While Unencrypted Data Also Stolen, Experts Urge Continued Use of Password Managers
The attack earlier this year that compromised systems and data at LastPass is much more extensive than the password management software provider previously revealed.
LastPass has issued an updated data breach notification, warning that in the multistage attack beginning in August, a hacker accessed its corporate cloud storage backup environment.
"The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data," LastPass says.
"These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key," it says.
LastPass CEO Karim Toubba says the master password needed to unlock each stolen customer password vault would require "millions of years to guess … using generally available password-cracking technology."
The company says it has contacted a "small subset" of business customers, recommending "that they take certain actions based on their specific account configurations," which it didn't detail in its breach notification.
LastPass is one of the world's most popular password management services. The company says it is used by more than 33 million individuals and 100,000 businesses.
Despite LastPass' assurances, John Scott-Railton, a senior researcher at the University of Toronto's Citizen Lab, which tracks nation-state surveillance efforts, says via Twitter that the breach may be "worse than you think." In particular, he says, any user who saved to LastPass a URL that contained an access token could see the associated service get hacked.
"The issue: *unencrypted* URLs that #LastPass users have saved may in some cases contain sensitive information that can be leveraged for account access," he says. "The entity that now has this trove of encrypted & unencrypted stuff is clearly well-resourced, capable and strategic."
In August, LastPass warned that for four days, an attacker had enjoyed unauthorized access to its systems, resulting in the theft of source code and proprietary technical information from the company's development environment.
At the time, LastPass spokeswoman Nikolett Bacso-Albaum told Information Security Media Group there was "no evidence" that the attacker gained access to customer data or encrypted password vaults.
Three months later, however, the company made a U-turn: Its CEO on Nov. 30 warned that in fact, investigators had found that the hacker later "was able to gain access to certain elements of our customers' information" (see: LastPass Breach Exposes Customer Data).
In the latest notification, LastPass says the attacker stole data from its development environment, used this to target another employee and steal their credentials and keys, and later used these to access and decrypt backups for the company's cloud-based storage service.
LastPass' Toubba says the stolen encrypted data is "secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our 'zero knowledge' architecture." He adds that the zero knowledge architecture means users' master passwords are unknown even to LastPass, since they are never stored or maintained on any of the company's systems.
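To make the two technical points above concrete, namely that a vault backup mixes clear-text fields such as URLs with fields encrypted under a key derived from the master password, and that a URL saved with an embedded access token is exposed on its own, here is a toy client-side-encrypted vault. It is an added illustration written for this article, not LastPass code or its file format. It assumes PBKDF2-HMAC-SHA256 as the key derivation function with an arbitrary iteration count, uses an HMAC-SHA256 counter-mode keystream with an HMAC tag in place of the AES-256 the notification mentions (the standard library has no AES; the data-classification point is the same), and invents the `TOKEN_PARAMS` list and the sample entries on reserved `example.test` hostnames.

```python
"""Toy client-side-encrypted vault (constructed illustration, not LastPass code).

It models the properties the breach notification turns on:
  1. the service holds only a key DERIVED from the master password, never the
     password itself, so a stolen backup does not include the decryption key;
  2. sensitive fields are encrypted per entry, but the URL is kept in the clear,
     so every URL, including any secret embedded in one, is readable as-is;
  3. an audit pass can flag clear-text URLs carrying token-like query values.

Assumptions: PBKDF2-HMAC-SHA256 as the KDF, and an HMAC-SHA256 counter-mode
keystream plus HMAC tag standing in for AES-256 (stdlib has no AES).
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlsplit

ITERATIONS = 600_000          # assumed KDF work factor, not LastPass's setting
ENCRYPTED_FIELDS = ("username", "password", "notes")
TOKEN_PARAMS = {"token", "access_token", "api_key", "apikey", "key", "auth",
                "sig", "signature", "secret", "session", "sessionid"}


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Only this 32-byte output ever touches vault data; the password does not."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for an AES stream."""
    out, block = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:n])


def encrypt_field(key: bytes, plaintext: str) -> str:
    """Return nonce || ciphertext || HMAC tag, hex-encoded."""
    nonce = secrets.token_bytes(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def decrypt_field(key: bytes, blob_hex: str) -> str:
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # A wrong master password lands here. Each attempt costs a full KDF
        # run, which is why iteration count and passphrase length matter.
        raise ValueError("authentication failed: wrong key or tampered field")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def build_backup(master_password: str, entries: list, salt: bytes) -> dict:
    """Produce the backup blob that a storage service would hold."""
    key = derive_vault_key(master_password, salt)
    items = []
    for entry in entries:
        item = {"url": entry["url"]}                 # stored unencrypted
        for field in ENCRYPTED_FIELDS:
            item[field] = encrypt_field(key, entry[field])
        items.append(item)
    return {"kdf_salt": salt.hex(), "items": items}


def open_backup(master_password: str, backup: dict) -> list:
    """Client-side decryption; raises ValueError on a wrong master password."""
    key = derive_vault_key(master_password, bytes.fromhex(backup["kdf_salt"]))
    return [{"url": item["url"],
             **{f: decrypt_field(key, item[f]) for f in ENCRYPTED_FIELDS}}
            for item in backup["items"]]


def risky_urls(backup: dict) -> list:
    """Flag clear-text URLs whose query string looks like it embeds a credential."""
    hits = []
    for item in backup["items"]:
        for name, value in parse_qsl(urlsplit(item["url"]).query):
            if name.lower() in TOKEN_PARAMS or (len(value) >= 32 and " " not in value):
                hits.append((item["url"], name))
                break
    return hits


# Constructed sample vault; example.test is a reserved, non-routable domain.
SAMPLE_ENTRIES = [
    {"url": "https://mail.example.test/login", "username": "alice",
     "password": "correct horse battery", "notes": ""},
    {"url": "https://api.example.test/dash?access_token=AAAAconstructedAAAA",
     "username": "alice", "password": "hunter2", "notes": "team dashboard"},
]

if __name__ == "__main__":
    backup = build_backup("a long master passphrase", SAMPLE_ENTRIES, secrets.token_bytes(16))
    print("Readable without the master password:", [i["url"] for i in backup["items"]])
    print("URLs that leak a secret on their own:", risky_urls(backup))
    print("Decrypted with the right password:", open_backup("a long master passphrase", backup)[1]["password"])
```

The split between `build_backup` and `open_backup` is the whole of the "zero knowledge" claim: the service stores the output of `build_backup` and never needs the master password to do so. `risky_urls` is the kind of check a user could run over an exported vault to find entries whose clear-text URL is itself a credential and should be rotated at the issuing service, independent of the master password.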
LastPass says it has put a number of fresh measures in place to better block such attacks in the future, including continuously rotating all potentially affected credentials and certificates, as well as monitoring for suspicious activity within its cloud storage service.
As is typical in such breaches, LastPass says it has informed both law enforcement agencies and regulatory authorities about the breach and continues to assist their investigations.
Don't Stop Password Managing
This isn't the first time LastPass has been hit by hackers. Previous incidents include a 2015 hack in which attackers stole usernames and hashed master passwords (see: LastPass Sounds Breach Alert).
Clearly, password manager software vendors, as well as their software, remain a hacking target.
But one takeaway from the breach - counterintuitive though it might seem - is that everyone should continue to use some type of password manager, cybersecurity expert Lesley Carhart says in a Mastodon post.
"Use a password manager," Carhart says, adding that cloud-based options may well remain an acceptable choice. "If a cloud-based password manager is right for your risk and threat model, for heaven's sakes don't stop using it in favor of a techier option you won't use."
For all LastPass customers, Carhart recommends spending "some time over the holidays changing all your meaningful passwords in it and your master password," as well as signing up for the free Have I Been Pwned service. To use it, individuals enter their email address and then receive an alert whenever that email address and their associated password appear in a public data breach.
Guidance issued by experts in the wake of the latest breach notification includes enabling two-factor authentication for all available services - so if a user's password vault gets cracked, attackers still won't be able to access the account. Also beware of phishing attacks, including scam emails demanding that the recipient reset their password because of the LastPass breach.