LastPass has recently disclosed more information about the breach that happened in June, and the impact may be worse than initially thought. Public discussion reflects this, with some people believing the situation may actually be worse than what has been disclosed.
The company disclosed that from the breach, the hackers were able to access a treasure trove of personal information belonging to its clients, including their encrypted password vaults.
Basic customer account information, including “business names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which users were using the LastPass service,” was also stolen, according to the company.
The data breach at LastPass occurred in August 2022 and is still under investigation.
The attack involved the perpetrator accessing source code and proprietary information from the company’s development environment through a compromised employee account. This allowed the attacker to obtain credentials and keys, which they used to extract information from a backup stored in a cloud-based storage service.
The perpetrator of the data breach at LastPass copied both unencrypted and fully encrypted customer data, including website URLs, usernames and passwords, secure notes, and form-filled data, from the company’s encrypted storage service. LastPass has emphasized that the cloud-based storage service used in the attack is physically separate from its production environment.
What does this mean for the normal user?
Fortunately for users, the vault data is encrypted with 256-bit AES, which in layman’s terms means strong encryption, and it can only be decrypted with a key derived from each user’s master password. This implies that accounts with weak master passwords might be in great danger, which is another reason why following good password practices is highly recommended.
Also, LastPass has confirmed that the data breach did not expose unencrypted credit card information, as this type of data was not stored in the cloud storage service that was accessed. The company also warned that the attackers may try to use brute force methods to guess the master passwords of affected users and decrypt the copied vault data, or may use social engineering and credential stuffing attacks to target customers.
It is important to note that the likelihood of a brute force attack guessing a master password is inversely proportional to the strength of that password: the easier a password is to guess, the fewer attempts it takes to crack.
LastPass also cautioned that if users reuse their master password and that password has been compromised, attackers may use already available dumps of compromised credentials to try to access their accounts. The company has also said that it notified a small subset of its business customers, less than 3%, to take certain unspecified actions based on their account configurations.
This news follows a recent data breach at Okta, in which threat actors gained unauthorized access to the company’s Workforce Identity Cloud repositories on GitHub and copied the source code.
What Should LastPass Users Do?
Among the many things recommended by experts and LastPass themselves, here are some steps that LastPass users should take to ensure they are safe:
- LastPass' customers should change their master password and all passwords stored in their vault
- LastPass' customers should use settings that exceed the LastPass default, including PBKDF2 with 310,000 iterations or more
- LastPass' customers can check the current number of PBKDF2 iterations for their accounts
- All users should create an account on Have I Been Pwned? to stay informed about breaches
- LastPass' customers should be extra alert for phishing emails and phone calls
- LastPass has specific advice for business customers who use LastPass Federated Login Services
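The two points above that matter most for the stolen vaults, that the decryption key is derived from the master password and that the PBKDF2 iteration count sets the cost of each guess, can be made concrete with a short model. The following Python is an added example written for this article, not code from LastPass or from the disclosure; it assumes PBKDF2-HMAC-SHA256 with a per-account salt (an account identifier is used here as an assumed placeholder) and a 100,000-iteration setting as an assumed lower value to compare against the 310,000 recommended above.

```python
import hashlib
import math
import time


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    The salt is assumed here to be a per-account string; the 32-byte output
    length matches an AES-256 key. Same password, salt and iteration count
    always give the same key, which is what lets a vault be decrypted later.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        salt.encode("utf-8"),
        iterations,
        dklen=32,
    )


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def iteration_slowdown(old_iterations: int, new_iterations: int) -> float:
    """Factor by which every guess becomes slower when the iteration count rises."""
    return new_iterations / old_iterations


def expected_guess_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Average-case time to hit a password of the given entropy:
    half the keyspace divided by the guess rate."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def measure_guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Time PBKDF2 on this machine to estimate one CPU core's guess rate.

    Dedicated hardware is far faster, so this is only a lower bound on what an
    attacker could manage (an assumption for illustration, not a measurement
    of any real attacker).
    """
    start = time.perf_counter()
    for i in range(samples):
        # Constructed throwaway passwords; only the timing matters here.
        derive_vault_key(f"constructed-guess-{i}", "user@example.invalid", iterations)
    elapsed = time.perf_counter() - start
    return samples / elapsed


if __name__ == "__main__":
    OLD_ITERATIONS = 100_000   # assumed lower setting, not a documented LastPass default
    NEW_ITERATIONS = 310_000   # the figure recommended in the article
    rate_old = measure_guesses_per_second(OLD_ITERATIONS)
    rate_new = rate_old / iteration_slowdown(OLD_ITERATIONS, NEW_ITERATIONS)
    profiles = [
        ("8 lowercase letters", 8, 26),
        ("12 mixed-case letters and digits", 12, 62),
        ("5 words from a 7776-word list", 5, 7776),
    ]
    for label, length, alphabet in profiles:
        bits = password_entropy_bits(length, alphabet)
        days_old = expected_guess_seconds(bits, rate_old) / 86_400
        days_new = expected_guess_seconds(bits, rate_new) / 86_400
        print(f"{label}: {bits:.1f} bits; "
              f"~{days_old:.2e} days at {OLD_ITERATIONS} iterations, "
              f"~{days_new:.2e} days at {NEW_ITERATIONS}")
```

Two things the model makes visible. Raising the iteration count multiplies the cost of every guess by a constant factor (3.1x in this comparison), while each extra bit of password entropy doubles it, so password strength dominates. And because the derived key depends on the iteration count, raising it only changes how future copies of the vault are protected; a copy that was already stolen stays encrypted under the old settings, which is why changing the master password and the stored passwords comes first in the list above.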
If you are a LastPass user concerned about the recent data breach, or if you are simply looking for a more secure way to manage your passwords, you may want to consider switching to a different password manager. One option to consider is a password manager that is open source.
Open-source password managers are developed and maintained by a community of volunteers, which means that their code is open for anyone to review and audit. This can be an effective way to ensure that the security of the password manager is up to par, as it allows experts to identify and address any vulnerabilities that may exist.
Additionally, open-source password managers are often more transparent about their security practices, which can help you feel more confident in your choice of a password manager. If you are considering switching to a different password manager, it is important to do your research and choose one that meets your security needs and preferences.
You can read the full disclosure here for more details.