LastPass Admits Major Data Breach and Encrypted Password Vaults


23.12.2022Ravie LakshmananPassword Management / Data Breach


LastPass’ August 2022 security breach may have been more serious than previously disclosed by the company.

The popular password management service revealed on Thursday that malicious actors obtained a wealth of its customers’ personal information, including their encrypted password vaults, using data from the earlier breach.

Also stolen was “basic customer account information and associated metadata, including company names, end user names, billing addresses, email addresses, phone numbers, and the IP addresses from which customers accessed the LastPass service,” the company said.

The August 2022 incident, which is the subject of an ongoing investigation, involved the perpetrators accessing source code and proprietary technical information from the company’s development environment through a single compromised employee account.


LastPass said this allowed the unidentified attacker to obtain credentials and keys that were subsequently used to extract information from a backup stored in a cloud-based storage service that, the company stressed, is physically separate from its production environment.

On top of that, the attacker is said to have copied customer vault data from the encrypted storage service. That data is stored in a “proprietary binary format” that contains both unencrypted data, such as website URLs, and fully encrypted fields, such as website usernames and passwords, secure notes, and form data.

These fields, the company says, are protected with 256-bit AES encryption and can only be decrypted with a key derived from the users’ master password on users’ devices.

LastPass confirmed that the breach did not involve access to unencrypted credit card data, as this information was not archived in the cloud storage container.

The company didn’t disclose how recent the backup was, but warned that the attacker could “attempt to use brute force to guess your master password and decrypt the copies of the vault data it took,” as well as target customers with social engineering and credential stuffing attacks.

At this point, it should be noted that the success of brute-force attacks at guessing master passwords is inversely proportional to their strength, i.e. the easier the password is to guess, the fewer attempts are required to crack it.

“If you reuse your Master Password and that password was ever compromised, an attacker could use dumps of compromised credentials that are already available on the internet to try to access your account,” warns LastPass.
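To make the two points above concrete (a 256-bit vault key derived from the master password, and guessing effort that shrinks as the password gets weaker), here is an added Python example that is not part of the article and not LastPass’s own code. It assumes PBKDF2-HMAC-SHA256 as the key derivation function, an illustrative salt and iteration count, and a small constructed list of leaked passwords; the article itself names none of these. The cost model treats every guess as one full key derivation, which is why the iteration count and the password’s entropy both appear in the attacker’s expected time.

```python
import hashlib
import math

# Assumption (not LastPass's actual scheme): the vault key is derived with
# PBKDF2-HMAC-SHA256. The article only says the key is "derived from the users'
# master password" and that fields use 256-bit AES, hence the 32-byte key.
KEY_LEN = 32
DEMO_SALT = b"constructed-demo-salt"      # illustrative, not a real value
DEMO_ITERATIONS = 100_000                 # illustrative, not LastPass's setting

# Constructed stand-in for "dumps of compromised credentials" (SHA-256 hashes).
CONSTRUCTED_DUMP = {
    hashlib.sha256(p.encode("utf-8")).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein")
}


def derive_vault_key(master_password: str, salt: bytes = DEMO_SALT,
                     iterations: int = DEMO_ITERATIONS) -> bytes:
    """Derive a 256-bit key from the master password (assumed KDF: PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def password_entropy_bits(password: str) -> float:
    """Rough upper-bound entropy from length and character classes.

    This overestimates dictionary words and common patterns; a real strength
    meter would also check against wordlists. Good enough to show the trend.
    """
    classes = 0
    if any(c.islower() for c in password):
        classes += 26
    if any(c.isupper() for c in password):
        classes += 26
    if any(c.isdigit() for c in password):
        classes += 10
    if any(not c.isalnum() for c in password):
        classes += 33
    if classes == 0:
        return 0.0
    return len(password) * math.log2(classes)


def expected_guesses(entropy_bits: float) -> float:
    """On average the attacker succeeds after searching half the keyspace."""
    return 2.0 ** entropy_bits / 2.0


def crack_time_seconds(entropy_bits: float, iterations: int,
                       hash_rounds_per_second: float) -> float:
    """Expected offline guessing time when each guess costs `iterations` rounds.

    Doubling the iteration count doubles the cost of every guess; each extra
    bit of password entropy doubles the number of guesses needed.
    """
    guesses_per_second = hash_rounds_per_second / iterations
    return expected_guesses(entropy_bits) / guesses_per_second


def reused_in_dump(password: str) -> bool:
    """True if the master password appears in the constructed breach dump."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest() in CONSTRUCTED_DUMP


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        bits = password_entropy_bits(pw)
        secs = crack_time_seconds(bits, DEMO_ITERATIONS, 1e9)  # constructed rate
        print(f"{pw!r}: ~{bits:.1f} bits, expected crack time {secs:.3g} s, "
              f"in dump: {reused_in_dump(pw)}, key: {derive_vault_key(pw).hex()[:16]}...")
```

The guess rate passed to `crack_time_seconds` is a constructed figure; the point is the shape of the relationship, not an absolute number. Two mitigations fall directly out of the model: raise the iteration count (the attacker pays for every guess) and choose a master password whose entropy, not just its length, is high. The reuse check shows the second warning in the article: a password already present in a dump needs no brute force at all.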

Because website URLs are stored in clear text, successfully cracking a master password could give attackers a view of the websites where a particular user has accounts, allowing them to launch additional phishing or credential-stealing attacks.

The company said it notified a small subset of its business customers — less than 3% — to take certain unspecified actions based on their account configurations.

The development comes days after Okta acknowledged attackers gained unauthorized access to its GitHub-hosted Workforce Identity Cloud (WIC) repositories and copied the source code.
