LastPass says attackers got users’ info and password vault data

The August 2022 LastPass breach has resulted in potentially catastrophic consequences for the company and some of its users: attackers have made off with unencrypted customer data and copies of backups of customer vault data.

The information couldn’t come at a worst time, as businesses are winding down their activities and employees and users are thick in the midst of last-minute preparations for end-of-year holidays.

The LastPass breach resulted in theft of customer vault backups

LastPass, the company behind the eponymous password manager, has suffered a breach earlier this year, which resulted in attackers accessing its third-party cloud-based storage environment.

“While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service,” LastPass CEO Karim Toubba explained.

Once the attackers obtained cloud storage access key and dual storage container decryption keys, they copied information from backup that contained customer account info and related metadata, including:

• Company names
• End-user names
• Billing addresses
• Email addresses
• Telephone numbers
• IP addresses from which customers were accessing the LastPass service

“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data,” Toubba noted.

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client.”

They did not say how many customers’ info and vault backups have been grabbed.

What now?

LastPass says that, if users followed best security practices – having a master password of 12+ characters and not having used it for other accounts – current password-cracking technology will get attackers nowhere. But, if they did not, they should change the passwords of websites they have stored.

Business customers who do not use LastPass Federated Login Services are advised to do the same.

While a timely cracking of long and unique passwords is difficult (but pricy), the bigger danger is social engineering attacks.

“The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password,” Toubba said.

But that’s not enough! Since LastPass does not encrypt website URLs, the attackers have enough data for launching targeted phishing campaigns impersonating other services. They know the users’ name, email address and phone number, and the online services they use, so users should be on the lookout for a variety of phishing attempts in the coming days and months.

They are likely to be bogus reset alerts, are likely to mention the LastPass breach as the reason for the required action, and will likely lead to lookalike sites on domains that sound legitimate. So, don’t follow links provided in emails and always go to the service’s website independently.

If you’re a LastPass user:

• Change all of your passwords sooner rather than later (if not immediately)
• Enable two-factor authentication wherever you can
• People store all kinds of information in secure notes: bank account, cryptocurrency account, and cryptowallet data; account recovery phrases / codes; payment card PINs; and other sensitive data. Evaluate the content of your secure notes and data that LastPass automatically inserts in online forms, and change what can be changed.
• Change your master passwod (make it long, complex and unique)

“The painful thing for LastPass users who did unfortunately reuse their master password on other sites is that this case is now an *offline* attack – which means 2FA or changing one’s LastPass web password (or even master password) won’t help much – the attackers have a point-in-time snapshot of all the credentials in those stolen vaults. And if you were using a weak (or worse, previously leaked) master password when they were stolen, you’re screwed,” noted security researcher Kenneth White.

I don’t doubt many users will be disappointed with LastPass and will be looking for an alternative password manager to store their passwords – perhaps even one that’s not cloud-based (though that comes with drawbacks, such as no password syncing capabilities, which makes life more difficult). LastPass is saying that they are putting in place a host of additional layers of protections, but many users’ trust is likely gone.

But I anticipate another problem altogether: non-technical users that know little about security. They may have difficulties adapting to using another password manager AND are more likely to fall for phishing attempts. That’s not a problem that’s easily solved and a reminder that, for some people, less technical solutions might sometimes be a better alternative.

Organizations that use LastPass should be getting in front of this by alerting users to the possibility of phishing attack. Explain things well and offer actionable advice.