2022-12-26

Password manager LastPass on December 22 disclosed that hackers were able to “copy a backup of customer vault data,” which contains “fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” Hackers can read these encrypted fields only if they crack the master password set by the user.

Why does this matter: The only thing worse than a data breach is a data breach of a password manager. Password managers are widely used for the convenience of not having to remember the password for every service you’ve signed up with, but that convenience also makes them a single high-value store of sensitive information. This doesn’t mean you should stop using password managers. Simply setting a strong master password improves your security significantly (as you will read below).

What happened with LastPass: A timeline of events

In brief:

LastPass breach gets worse and worse. First: We were breached but no customer data was accessed

Next: Okay some customer data was accessed, but not password vaults.

Now: Customer password vaults were copied by the attacker but don't worry, it will be hard to crack your vault. https://t.co/V3kOfl7Xev pic.twitter.com/vbhL71R6ep — AJ Stuyvenberg (@astuyve) December 22, 2022

No evidence of customer data compromise (August 25, 2022): LastPass published a notice saying they “detected some unusual activity” but saw “no evidence that this incident involved any access to customer data or encrypted password vaults.” The company also indicated that it had “deployed containment and mitigation measures” and had launched a detailed investigation into the incident.

Investigation concludes the same (September 15, 2022): LastPass concluded its “investigation and forensics process in partnership with Mandiant” and reiterated that the hackers did not have access to customer data or encrypted password vaults. LastPass also shared more details on how the hackers got into the platform and what they had access to.

Unauthorised access to customer info, but passwords safe (November 30, 2022): LastPass said it found that “an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information” but that “customers’ passwords remain safely encrypted.”

Hackers have customer passwords, but can’t see them without the master password (December 22, 2022): In its latest update, LastPass informed that some “source code and technical information were stolen” and “used to target another employee, obtaining credentials and keys” which were then used to steal backups of basic customer data as well as customer vault data.

What customer data has been compromised?

1. Encrypted customer vault data:

website usernames

passwords

secure notes

form-filled data

2. Unencrypted customer vault data:

website URLs (this could give the hackers a good idea of which sites you use, allowing for targeted attacks such as phishing scams)

3. Account information and related metadata:

company names

end-user names

billing addresses

email addresses

telephone numbers

IP addresses

What data hasn’t been compromised?

1. Master Passwords: The encrypted fields (category 1 above) can only be decrypted if the hackers figure out the master password of the respective user’s vault. “Encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client,” the company explained.

2. Credit card data: “There is no evidence that any unencrypted credit card data was accessed. LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment,” the company informed.

How hard is it to crack the master password?

Hackers can attempt to brute force the master password (that is, use computers to try huge numbers of character combinations until one works) and then decrypt the vault data. How easy this is depends on the strength of your password. For example, a 10-character password made up only of digits can be cracked almost instantly, whereas a 13-character password mixing digits, upper- and lowercase letters, and symbols will take 2 million years to crack. Of course, this is with the current standard of technology. As computers get faster, these numbers will shrink.

The LastPass breach shows why it's so important to use long complex passwords, especially a master pw. The time to brute force a long pw is significantly more. A complex 8 character pw can be cracked in 1 day whereas 14 characters is up to 200M years.#cybersecurity #cyberattack pic.twitter.com/lVHCvEhAAE — Cyber Outlook (@CyberOutlook) December 23, 2022

“It would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices,” LastPass reassured, but we don’t know how many users followed these best practices.

Should you still use a password manager?

Yes. Unless you can remember the username and password for every site you’re on, this incident should not put you off from using a password manager since this is still safer than other forms of storing a password such as on a Google Doc or simply choosing an easy password. As you can see in the tweet above, you can be protected even from a breach as long as you have a complex master password.

The takeaway from this incident is not to abandon password managers but to use a strong master password. Never reuse this master password on any other site. Additionally, use two-factor authentication whenever possible so that a leaked password alone cannot be used to compromise your account. If you’re not comfortable with using LastPass, there are other password managers with a better track record when it comes to security, such as Bitwarden (which is open source) and 1Password.

What should LastPass users do?

Set a strong master password: Well, if we haven’t said it enough times already, please set a strong master password, one that uses numbers, lower and upper case letters, and symbols, and is at least 13 characters long.

Change passwords on all sites if you had a weak master password: If your master password was weak, it is likely that hackers will be able to crack it. “In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored,” LastPass advised its users.

Beware of phishing attacks using unencrypted data: “The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password,” the company informed.
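To make the brute-force figures above and the master-password advice concrete, here is an added Python example (not from the article or from LastPass) that works out the search space for password shapes like the two the article compares, the worst-case time to exhaust it at an assumed guess rate, and whether a candidate meets the article’s own recommendation (at least 13 characters, with digits, upper- and lowercase letters, and symbols). The guess rate and the sample passwords are constructed assumptions; the absolute year figures depend entirely on that rate, while the ratio between the two search spaces does not.

```python
import string

# Constructed assumption for illustration (not a figure from the article):
# guesses an attacker can test per second. The real rate depends on the
# attacker's hardware and on how slow the key-derivation step is.
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600
SYMBOLS = string.punctuation  # 32 printable ASCII symbols


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, inferred from the
    character classes actually present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def keyspace(password: str) -> int:
    """Number of candidates of this length over this alphabet."""
    return charset_size(password) ** len(password)


def years_to_exhaust(password: str,
                     rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return keyspace(password) / rate / SECONDS_PER_YEAR


def meets_article_advice(password: str) -> bool:
    """The article's recommendation: at least 13 characters, using digits,
    lower- and uppercase letters, and symbols."""
    return (len(password) >= 13
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))


if __name__ == "__main__":
    # Constructed sample passwords shaped like the article's two cases.
    for pw in ("0123456789", "aB3!aB3!aB3!a"):
        print(f"{pw!r}: alphabet {charset_size(pw)}, "
              f"{years_to_exhaust(pw):.2e} years, "
              f"meets advice: {meets_article_advice(pw)}")
```

At the assumed rate the 10-digit password falls in about a second, while the 13-character mixed password has a search space roughly 4.5 quadrillion times larger, which is the scaling the article is describing regardless of the exact rate its source used.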

What is LastPass doing to address this incident?

It is safe to say that LastPass will have a lot of work to do to rebound from this incident and regain user trust, but here are the steps the company has taken so far:

New development environment: LastPass has decommissioned the development environment, which played an instrumental role in the breach, in its entirety and is “rebuilding a new environment from scratch.”

Logging and alerting measures: The company also “added additional logging and alerting capabilities to help detect any further unauthorized activity including a second line of defence […] to supplement our own team.”

Rotating certificates and credentials: LastPass said that it is “actively rotating all relevant credentials and certificates that may have been affected and supplementing existing endpoint security. We are also performing an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service, adding additional safeguards within this environment, and analyzing all data within this environment to ensure we understand what the threat actor accessed.”

Ongoing investigation: “This remains an ongoing investigation. We have notified law enforcement and relevant regulatory authorities of this incident out of an abundance of caution. […] In the meantime, our services are running normally, and we continue to operate in a state of heightened alert,” the company informed.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.