LastPass has an updated announcement about a recent data breach: the company, which promises to keep all your passwords in one safe place, is now saying hackers were able to “copy a backup of customer vault data,” which means they could theoretically have all of those passwords if they manage to crack the stolen vaults (via TechCrunch).
If you have an account that you use to store passwords and login information on LastPass, or if you had one and didn’t delete it before this fall, your password vault may be in the hands of hackers. Still, the company claims that if you have a strong Master Password and the latest default settings, you could be safe. However, if you have a weak Master Password or less secure settings, the company says that “as an extra security measure, you should consider minimizing risk by changing the passwords of the websites you have on file.”
That can mean changing the password for every website you have trusted LastPass to store.
While LastPass insists that passwords are still secured by the account’s master password, it’s difficult to take its word for it given how it handles these disclosures.
When the company announced in August that it had been breached, it said it did not believe any user data had been accessed. Then, in November, LastPass said it had spotted a second breach that appears to have relied on information stolen in the August incident (it would have been nice to hear about that possibility sometime between August and November). This intrusion allowed someone to gain “access to certain items” of customer information. It turns out that these “certain items” were the most important and secret things LastPass stores. The company says there’s “no evidence unencrypted credit card details were accessed,” but that would probably have been a better outcome than what the hackers actually got away with. At least it’s easy to cancel a card or two.
A backup of customers’ vaults was copied from cloud storage
We’ll get into how it all went down in a moment, but here’s what LastPass CEO Karim Toubba says about the theft of the vaults:
The attacker was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format containing both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form data.
Toubba says that only your master password could give a malicious actor access to this encrypted data, and therefore to your passwords; LastPass says it never had access to master passwords.
That’s why, he says, “it would be extremely difficult to try to brute force guess master passwords,” as long as you had a very good master password that you never reused (and as long as no technical error got in the way). LastPass encrypted the data (although the company has made some pretty basic security mistakes before). But whoever has that data can try to unlock it by guessing master passwords until one works, AKA brute-forcing.
LastPass says using the recommended default settings should protect you from these types of attacks, but it doesn’t mention any feature that would stop someone from repeatedly trying to unlock a vault for days, months, or years, and with a copied backup there isn’t one: server-side lockouts and rate limits don’t apply to an offline copy, so the only things slowing the guesses down are the strength of the master password and the cost of the key derivation that turns it into a vault key. There’s also a possibility that people’s master passwords could be obtained in other ways: if someone reused their master password for other logins, it may already have been leaked in other data breaches.
It’s also worth noting that if you have an older account (created before a newer default was introduced after 2018), a weaker password-strengthening process may have been used to protect your Master Password. According to LastPass, it currently uses “a higher-than-usual implementation of 100,100 iterations of the password-based key derivation function,” but when a Verge employee checked their older account via a link the company includes in its blog post, they were told their account was set to 5,000 iterations.
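To make the iteration-count point concrete, here is an added example (not LastPass’s code, and not its real vault format) that models the only part of a vault an offline attacker cares about: a key derived from the master password with PBKDF2-HMAC-SHA256, stored next to a check value that confirms a guess. The salt choice (the account email), the check value (SHA-256 of the key), the sample wordlist and the two accounts are all constructed for the example. It shows a weak master password falling to a tiny wordlist with no server involved, and why each guess costs about 20 times more at 100,100 iterations than at 5,000.

```python
import hashlib
import hmac
import time

# Added example, NOT LastPass's code or vault format. Toy model of the part
# that matters for an offline attack: a vault key is derived from the master
# password with PBKDF2-HMAC-SHA256, and the stored vault carries a check
# value (here SHA-256 of the key; an assumption for this model) that tells
# whoever holds a copy whether a guessed master password is right.

LEGACY_ITERATIONS = 5_000     # count reported for the Verge employee's older account
DEFAULT_ITERATIONS = 100_100  # current LastPass default quoted in the article
KEY_LEN = 32


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 of the master password, salted with the account
    email (the salt choice is an assumption of this toy model)."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def make_vault_header(master_password: str, email: str, iterations: int) -> dict:
    """What an attacker finds next to the ciphertext in a copied backup:
    the email, the iteration count, and a value that verifies the key."""
    key = derive_vault_key(master_password, email, iterations)
    return {
        "email": email,
        "iterations": iterations,
        "check": hashlib.sha256(key).hexdigest(),
    }


def offline_crack(header: dict, candidates) -> tuple:
    """Try each candidate master password against a copied vault header.
    Nothing here talks to a server, so no lockout or rate limit applies;
    the only cost per guess is the key derivation.
    Returns (password_or_None, guesses_tried)."""
    tried = 0
    for guess in candidates:
        tried += 1
        key = derive_vault_key(guess, header["email"], header["iterations"])
        if hmac.compare_digest(hashlib.sha256(key).hexdigest(), header["check"]):
            return guess, tried
    return None, tried


def iteration_cost_ratio(new: int = DEFAULT_ITERATIONS, old: int = LEGACY_ITERATIONS) -> float:
    """Each guess costs `iterations` HMAC evaluations, so work per guess
    scales linearly with the iteration count."""
    return new / old


def seconds_per_guess(iterations: int, email: str = "alice@example.com") -> float:
    """Time one key derivation on this machine. A GPU cracking rig is far
    faster in absolute terms, but the ratio between iteration counts holds."""
    start = time.perf_counter()
    derive_vault_key("benchmark", email, iterations)
    return time.perf_counter() - start


def estimated_seconds(keyspace: int, iterations: int,
                      per_guess_seconds: float, base_iterations: int) -> float:
    """Time to exhaust `keyspace` guesses, scaling a per-guess time measured
    at base_iterations up (or down) to the target iteration count."""
    return keyspace * per_guess_seconds * (iterations / base_iterations)


# Constructed sample data: a tiny wordlist and two accounts.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2022!", "Winter2022!"]

if __name__ == "__main__":
    weak = make_vault_header("Summer2022!", "alice@example.com", LEGACY_ITERATIONS)
    strong = make_vault_header("cider-mantle-osprey-41-lantern", "bob@example.com", DEFAULT_ITERATIONS)

    print("weak vault, 5,000 iterations:", offline_crack(weak, WORDLIST))
    print("strong vault, 100,100 iterations:", offline_crack(strong, WORDLIST))

    t_old = seconds_per_guess(LEGACY_ITERATIONS)
    t_new = seconds_per_guess(DEFAULT_ITERATIONS)
    print(f"per guess: {t_old * 1e3:.1f} ms at 5,000 vs {t_new * 1e3:.1f} ms at 100,100 "
          f"(~{iteration_cost_ratio():.1f}x more work per guess)")
    # A 10-character password over a 62-symbol alphabet, on this one CPU core:
    for its in (LEGACY_ITERATIONS, DEFAULT_ITERATIONS):
        secs = estimated_seconds(62 ** 10, its, t_old, LEGACY_ITERATIONS)
        print(f"  62^10 keyspace at {its:,} iterations: {secs / 3.15e7:.2e} CPU-years")
```

The wordlist run finds the weak master password on the fifth guess whether the vault uses 5,000 or 100,100 iterations; the iteration count only changes how long each guess takes, which is why it matters for passwords that are merely “pretty good” and does nothing for ones that appear in a breach list.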
Perhaps the more worrying part is the unencrypted data — since it contains URLs, it could give hackers an idea of which sites you have accounts with. If they have decided to target specific users, this could be meaningful information when combined with phishing or other types of attacks.
If I were a LastPass customer, I would not be happy with how the company disclosed this information
While this isn’t great news, it’s all something that could theoretically happen to any company that stores secrets in the cloud. In cybersecurity, the name of the game isn’t a 100 percent track record; it’s how you respond to disasters when they happen.
And this is where LastPass totally failed in my opinion.
Keep in mind that it’s making this announcement today, December 22nd — three days before Christmas, a time when many IT departments are mostly on vacation and people probably won’t be paying attention to updates to their password manager.
(Also, the announcement doesn’t get to the part about the vaults being copied until five paragraphs in. And while some of the information is in bold, I think it’s fair to expect such an important announcement to be at the top.)
LastPass says the vault backups weren’t compromised in the August breach itself; instead, the story goes that the threat actor used information from that breach to target an employee who had access to a third-party cloud storage service. The vaults were stored on, and copied from, one of the volumes accessed in that cloud storage, along with backups that contained “basic customer account information and associated metadata.” According to LastPass, this includes things like “company names, end user names, billing addresses, email addresses, phone numbers, and the IP addresses from which customers accessed the LastPass service.”
According to Toubba, as a result of the first breach and the secondary breach that exposed the backups, the company is taking all possible precautionary measures, including adding more logging to detect suspicious activity in the future, rebuilding its development environment, rotating credentials, and more.
That’s all good, and it should do those things. But if I were a LastPass user, I would seriously consider leaving the company at this point, because we are looking at one of two scenarios here: either the company was unaware that backups containing users’ vaults were sitting on the cloud storage service when it announced on November 30 that it had detected unusual activity there, or it knew and chose not to notify customers of the possibility that hackers had gained access to them. Neither looks good.