LastPass has a doozy of an updated announcement about a recent data breach: the company — which promises to keep all your passwords in one, secure place — is now saying that hackers were able to “copy a backup of customer vault data,” meaning they theoretically now have access to all those passwords if they can crack the stolen vaults (via TechCrunch).
If you have an account you use to store passwords and login information on LastPass, or you used to have one and hadn’t deleted it before this fall, your password vault may be in hackers’ hands. Still, the company claims you might be safe if you have a strong master password and its most recent default settings. However, if you have a weak master password or less security, the company says that “as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.”
That might mean changing the passwords for every website you trusted LastPass to store.
While LastPass insists passwords are still secured by the account’s master password, it’s hard to just take its word at this point, given how it’s handled these disclosures.
When the company announced it had been breached in August, it said it didn’t believe user data had been accessed. Then, in November, LastPass said it detected an intrusion, which apparently relied on information stolen in the August incident (it would’ve been nice to hear about that possibility sometime between August and November). That intrusion let someone “gain access to certain elements” of customer info. It turns out those “certain elements” were, you know, the most important and secret things that LastPass stores. The company says there’s “no evidence that any unencrypted credit card data was accessed,” but that would likely have been preferable to what the hackers actually got away with. At least it’s easy to cancel a card or two.
We’ll get to how this all went down in a bit, but here’s what LastPass CEO Karim Toubba is saying about the vaults being taken:
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
Toubba says the only way a malicious actor would be able to get at that encrypted data, and therefore your passwords, would be with your master password. LastPass says it has never had access to master passwords.
That’s why he says, “it would be extremely difficult to attempt to brute force guess master passwords,” as long as you had a very good master password that you never reused (and as long as there wasn’t some technical flaw in the way LastPass encrypted the data — though the company has made some pretty basic security errors before). But whoever has this data could try to unlock it by guessing random passwords, AKA brute-forcing.
LastPass says that using its recommended defaults should protect you from that kind of attack, but it doesn’t mention any sort of feature that would prevent someone from repeatedly trying to unlock a vault for days, months, or years. There’s also the possibility that people’s master passwords are accessible in other ways — if someone re-uses their master password for other logins, it may have leaked out during other data breaches.
It’s also worth noting that if you have an older account (prior to a newer default setting introduced after 2018), a weaker password-strengthening process may have been used to protect your master password. According to LastPass, it currently uses “a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function,” but when a Verge staff member checked their older account using a link the company includes in its blog, it told them their account was set to 5,000 iterations.
Perhaps the more concerning bit is the unencrypted data — given that it includes URLs, it could give hackers an idea of which websites you have accounts with. If they decided to target particular users, that could be powerful information when combined with phishing or other types of attacks.
While none of that is great news, it’s all something that could, in theory, happen to any company storing secrets in the cloud. In cybersecurity, the name of the game isn’t having a 100 percent perfect track record; it’s how you react to disasters when they happen.
And this is where LastPass has, in my opinion, absolutely failed.
Remember, it’s making this announcement today, on December 22nd — three days before Christmas, a time when many IT departments will largely be on vacation, and when people aren’t likely to be paying attention to updates from their password manager.
(Also, the announcement doesn’t get to the part about the vaults being copied until five paragraphs in. And while some of the information is bolded, I think it’s fair to expect that such a major announcement would be at the very top.)
LastPass says that the vault backup wasn’t initially compromised in August; instead, its story is that the threat actor used info from that breach to target an employee who had access to a third-party cloud storage service. The vaults were stored in and copied from one of the volumes accessed in that cloud storage, along with backups containing “basic customer account information and related metadata.” That includes things like “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” according to LastPass.
Toubba says the company is taking all sorts of precautions as a result of the initial breach, and the secondary breach that exposed the backups, including adding more logging to detect suspicious activity in the future, rebuilding its development environment, rotating credentials, and more.
That’s all good, and it should do those things. But if I were a LastPass user, I’d be seriously considering moving away from the company at this point, because we’re looking at one of two scenarios here: either the company didn’t know that backups containing users’ vaults were on the cloud storage service when it announced that it had detected unusual activity there on November 30th, or it did know and chose not to tell customers about the possibility that hackers had gotten access to them. Neither of those is a good look.
/cdn.vox-cdn.com/uploads/chorus_asset/file/24310494/Screenshot_20221221_222708.png)
Screenshot: Richard Lawler / The Verge
/cdn.vox-cdn.com/uploads/chorus_asset/file/24303737/IMG_3388.png)
/cdn.vox-cdn.com/uploads/chorus_asset/file/24303740/IMG_3389.png)
