If you currently use LastPass to store your passwords and login information, or if you previously used the service but hadn’t deleted your account before this fall, hackers may have access to your password vault. The company asserts that if you use its most recent default settings and a strong master password, you might be secure. However, it advises that “as an extra security measure, you might consider decreasing risk by changing passwords of websites you have stored” if you have a weak master password or are not using the current default settings.
That could mean changing the password for every website whose login you trusted LastPass to store.
Even though LastPass claims that the account’s master password still protects those stored passwords, given how the company has handled its previous disclosures, it is hard to simply take it at its word at this point.
When it first disclosed the hack in August, the company said it didn’t think customer data had been accessed. Then, in November, LastPass said it had discovered an intrusion that probably used data obtained in the August incident. It would have been nice to learn about that possibility between August and November. That intrusion let someone “gain access to certain elements” of customer data. It turned out that those “certain elements” were, you know, the most crucial and private information LastPass stores. Although the company says there is “no evidence that any unencrypted credit card data was accessed,” losing card numbers would arguably have been better than what the hackers actually got away with. At least cancelling a few cards is simple.
When asked about the theft of the vaults, LastPass CEO Karim Toubba said the following. We’ll get to how all of this transpired in a moment.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format and includes both fully-encrypted sensitive fields like website usernames and passwords, secure notes, and form-filled data as well as unencrypted data, such as website URLs.
According to Toubba, your master password is the only way a bad actor could access that encrypted data and, consequently, your passwords. LastPass says it has never had access to master passwords.
Anyone who gets hold of this data could attempt to unlock it by brute force, that is, by guessing passwords over and over. Toubba claims that “it would be extremely difficult to attempt to brute force guess master passwords,” but that holds only as long as you had a very strong master password that you never reused (and as long as there wasn’t some technical flaw in the way LastPass encrypted the data, though the company has made some pretty basic security mistakes before).
LastPass claims that using its recommended defaults should guard against that kind of attack, but it makes no mention of anything that would stop someone from trying to unlock a copied vault repeatedly for days, months, or even years. Additionally, if someone reused their master password for other logins, it may already have been exposed in previous data breaches, which raises the likelihood that people’s master passwords can be obtained in other ways.
It’s also important to keep in mind that if you have an older account (one created before a new default setting was introduced after 2018), your master password may have been protected with a weaker password-strengthening procedure. According to LastPass, its Password-Based Key Derivation Function (PBKDF2) currently uses “a stronger-than-typical implementation of 100,100 iterations,” but when a Verge staff member checked their older account using a link the company provides in its blog post, it told them their account was set to 5,000 iterations.
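To make the iteration-count difference concrete, here is an added example (not LastPass’s own code; the salt choice, output length and hash function are assumptions for illustration) that derives a vault key with PBKDF2-HMAC-SHA256 at the two iteration counts named above, measures how long one derivation takes, and expresses how much more work each offline guess costs an attacker holding a stolen vault at the stronger setting. It also includes the check a user or administrator would want: whether an account’s iteration count meets the current default.

```python
import hashlib
import time

# Iteration counts taken from the article: the value an older account reported,
# and LastPass's stated current default.
OLD_ITERATIONS = 5_000
NEW_ITERATIONS = 100_100

# Assumed for this example (not confirmed against LastPass's implementation):
# PBKDF2-HMAC-SHA256, 32-byte output, lower-cased email address as the salt.
def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),  # assumed salt
        iterations,
        dklen=32,
    )


def meets_current_default(iterations: int, minimum: int = NEW_ITERATIONS) -> bool:
    """The check a user wants: is this account stretched at least as hard as the default?"""
    return iterations >= minimum


def guess_cost_ratio(old_iterations: int, new_iterations: int) -> float:
    """How many times more expensive a single offline guess becomes at the new count.
    PBKDF2 cost is linear in the iteration count, so this is a simple ratio."""
    return new_iterations / old_iterations


def seconds_per_derivation(iterations: int, samples: int = 3) -> float:
    """Wall-clock cost of one derivation on this machine (constructed sample inputs)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"sample-password-{i}", "user@example.com", iterations)
    return (time.perf_counter() - start) / samples


def estimate_guess_time(keyspace_size: int, seconds_per_guess: float) -> float:
    """Worst-case seconds to try every candidate serially at the given per-guess cost."""
    return keyspace_size * seconds_per_guess


if __name__ == "__main__":
    for iters in (OLD_ITERATIONS, NEW_ITERATIONS):
        cost = seconds_per_derivation(iters)
        print(f"{iters:>7} iterations: {cost * 1000:.1f} ms per derivation, "
              f"meets default: {meets_current_default(iters)}")
    print(f"Each guess costs {guess_cost_ratio(OLD_ITERATIONS, NEW_ITERATIONS):.2f}x "
          f"more at {NEW_ITERATIONS} iterations than at {OLD_ITERATIONS}")
```

The ratio is the whole point: every guess against a vault stretched at 5,000 iterations costs roughly a twentieth of a guess against one at 100,100, so the same dictionary runs about twenty times faster against the older account, and the only other lever the account owner has is the length and uniqueness of the master password itself.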
The unencrypted data is perhaps more worrying because it contains URLs, which tell hackers which websites you have accounts with. Paired with phishing or other kinds of attacks, that information could be quite effective if they choose to target specific users.
While none of it is good news, any firm that stores secrets in the cloud may theoretically experience any of it. In cybersecurity, how you respond to crises when they occur is more important than having a flawless record.
And this is where I think LastPass has failed miserably.
It should be noted that this news is being announced today, December 22, three days before Christmas, when most IT teams will be on vacation and users are unlikely to be paying attention to updates from their password manager.
(Also, it takes the statement five paragraphs to mention that the vaults were copied. Although some of the text is bolded, I think it is reasonable to expect such a significant announcement to appear right at the top.)
LastPass says the vault backups were not taken in the August breach itself. Instead, the threat actor used information from that breach to target an employee who had access to a third-party cloud storage service. Along with the vaults, backups containing “basic customer account information and related metadata” were also stored in, and copied from, one of the volumes accessed in that cloud storage. According to LastPass, this information consists of “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”
In response to the initial breach and the subsequent one that exposed the backups, Toubba says the company is taking a variety of precautions, including adding logging to identify suspicious activity going forward, rebuilding its development environment, rotating credentials, and more.
That’s all fine, and it ought to do those things. However, if I were a LastPass user at this point, I’d be thinking very hard about leaving, because we’re looking at one of two possibilities: either the company didn’t know that backups containing users’ vaults were on the cloud storage service when it announced that it had discovered unusual activity there on November 30th, or it did know and decided not to tell customers that hackers may have gained access to them. Neither of those is attractive.