What do we know about the new LastPass password manager breach?

LastPass is one of the most popular password managers. It is available in a free version with a limited feature set and in a paid version. In August 2022, the company that develops it announced a security breach in which attackers gained access to parts of its development environment after compromising a developer’s account. According to the information the company shared at the time, the attackers stole portions of the source code and some proprietary technical information.

In response, the company said it had put additional containment and mitigation measures in place, adopted enhanced security controls, and engaged a leading cybersecurity and forensics firm to lead the investigation. LastPass initially stated that users’ master passwords had not been compromised. In an update released just before Christmas, however, the company disclosed that the attackers had obtained personal information belonging to its customers, including encrypted backups of their password vaults.

According to that update, the ongoing investigation found that the attackers used information obtained during the August incident to access a cloud-based storage environment. That information allowed them to mount a new attack against a second employee, with the aim of obtaining the credentials and keys used to access and decrypt some of the storage volumes in that environment.

The company says the cloud storage service the attackers reached is physically separate from the production environment. Once they had the access key to the cloud storage and the keys to decrypt its contents, the attackers copied the data held there, including basic customer account information and related metadata: company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers had accessed the LastPass service.

The attackers also copied a backup of customer “vault” data, which is stored in a proprietary binary format. The backup contains both unencrypted fields (for example website URLs) and sensitive fields (website usernames and passwords, secure notes, and form-fill data) encrypted with 256-bit AES.

“The attacker was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive data,” reads the company’s update. “These encrypted fields remain protected with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. Please note that the master password is never known to LastPass and is not stored or managed by LastPass. Encryption and decryption of data is performed only on the local LastPass client.”

What is the risk for users?

The risk to customers is that attackers may attempt offline brute-force attacks on the master password in order to decrypt the vault copies obtained in the attack. LastPass states that the hashing and encryption algorithms it uses are extremely robust and that it would be very hard to guess the master passwords of customers who use strong passwords. That statement should not lead us to think users are safe: anyone who used a weak master password may be at risk, and because the attackers hold their own copies of the vaults, guessing attempts cannot be throttled or detected by LastPass.
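The offline guessing described above, as an added example that is not LastPass code: the attacker holds an encrypted vault copy and must derive the key from guessed master passwords, so the cost of the attack is set by the key-derivation work per guess multiplied by the number of guesses the password forces. The vault layout below is a constructed stand-in, not the real proprietary format; the KDF (PBKDF2-HMAC-SHA256), the iteration counts, the wordlist and the known-plaintext verifier are assumptions made for illustration, and an HMAC check replaces the AES-256 decryption so that the script runs on the Python standard library alone.

```python
"""Offline guessing against a password-derived vault key (added example).

Not LastPass code. The vault layout, KDF, iteration counts and wordlist
are assumptions for illustration; the AES-256 decryption check is replaced
by an HMAC verifier so the script runs on the standard library.
"""
import hashlib
import hmac
import os
import time

KEY_LEN = 32                      # 256-bit key, matching "256-bit AES"
CHECK_FIELD = b"vault-format-v1"  # stand-in for a known-plaintext field


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Master password -> 256-bit key. Cost is linear in `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def make_vault(master_password: str, iterations: int) -> dict:
    """Constructed vault: salt and iteration count travel with the data
    (the client needs them to derive the key), plus a verifier that lets
    anyone holding the blob recognise a correct guess."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    verifier = hmac.new(key, CHECK_FIELD, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def guess_matches(vault: dict, candidate: str) -> bool:
    """Derive a key from the candidate and check it against the verifier."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    tag = hmac.new(key, CHECK_FIELD, hashlib.sha256).digest()
    return hmac.compare_digest(tag, vault["verifier"])


def crack(vault: dict, candidates) -> tuple:
    """Dictionary attack. Returns (password or None, guesses tried)."""
    tried = 0
    for candidate in candidates:
        tried += 1
        if guess_matches(vault, candidate):
            return candidate, tried
    return None, tried


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Time one derivation on this machine. A GPU cracker is far faster,
    but the ratio between iteration counts carries over."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("benchmark", salt, iterations)
    return (time.perf_counter() - start) / samples


def expected_seconds(per_guess: float, alphabet_size: int, length: int) -> float:
    """Average time to find a uniformly random password of the given length
    and alphabet: half the keyspace, at `per_guess` seconds each."""
    return (alphabet_size ** length) / 2 * per_guess


if __name__ == "__main__":
    # Attack a constructed vault protected by a weak master password.
    vault = make_vault("sunshine1", iterations=5000)
    wordlist = ["password", "123456", "letmein", "sunshine1", "qwerty"]
    found, guesses = crack(vault, wordlist)
    print(f"recovered {found!r} after {guesses} guesses")

    # Cost model: iteration count times password keyspace (assumed values).
    for iters in (5000, 100100):
        t = seconds_per_guess(iters)
        for alphabet, length, label in ((26, 8, "8 lowercase"),
                                        (95, 12, "12 printable")):
            years = expected_seconds(t, alphabet, length) / (365 * 24 * 3600)
            print(f"{iters:>7} iterations, {label:13}: "
                  f"{years:.3g} years on one CPU core")
```

Raising the iteration count multiplies the attacker's cost by a constant factor, whereas each extra random character multiplies it by the alphabet size; a password found in a wordlist is recovered after as many guesses as its position in the list, whatever the iteration count.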

LastPass has confirmed that the attackers did not obtain unencrypted credit card data, since it is not stored in the cloud storage they accessed. The company has alerted a small subset (less than 3%) of its business customers, recommending actions based on their specific account configurations.

What does the new update tell us? Let’s try to read between the lines of the communication published by the company.

First, the two events, the August breach and this one, are deeply related: the second breach was possible only thanks to information obtained in the first, which points to shortcomings in how the first incident was handled.

Another element that emerges from the update is that the URLs of users’ websites are not encrypted. This information is valuable to attackers, who can use it to learn which services each user has accounts with and craft targeted spear-phishing campaigns accordingly.

The third aspect is that the company stores users’ IP addresses, which could be used to profile an active user. It is worth recalling that in 2016 the Court of Justice of the European Union ruled that a dynamic IP address can, under certain conditions, constitute personal data, on the basis that it allows the indirect identification of an online user. This data is now in the hands of the attackers, with obvious repercussions for user privacy.

One sentence in the update deserves attention: “Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices.” This shifts responsibility for any future compromise onto the users themselves, for not having chosen strong passwords. However, while LastPass has required master passwords of at least 12 characters since 2018, some users report that they are still using shorter passwords set before 2018 and have not been asked to change them to date.

This deserves attention, because it points to a lack of enforcement by the company of the password policy it set for its users. We now have to wait for further developments in the investigation, which is still in progress.
