LastPass Hacked: LastPass says hackers stole its customers’ encrypted password vaults; “worst breach”
“Stop using LastPass as your password manager. Move to any other one, and please change any passwords you have on there now,” that was a dire warning from the Director of Engineering at SpotAi.
LastPass, the startup that’s supposed to keep users’ passwords safe, confirmed today that hackers stole its customers’ encrypted password vaults. The announcement comes the same day Comcast Xfinity reported that users’ accounts were hacked in widespread 2FA bypass attacks.
In an announcement today, LastPass CEO Karim Toubba confirmed that cybercriminals stole its customers’ encrypted password vaults, which store its customers’ passwords and other related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses. LastPass said that the data breach took place earlier this year.
“To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”
In an updated blog post, Toubba said the threat actors used cloud storage keys stolen from a LastPass employee to take a copy of a backup of customer vault data from the encrypted storage container. That backup is stored in a “proprietary binary format” that contains both unencrypted data, such as website URLs, and fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. LastPass didn’t say how recent the stolen backups are.
A former LastPass engineer even took to social media to warn about the recent breach.
“I worked at LastPass as an engineer a long time ago. 7+ years ago. My 2 cents on the situation. This is the worst breach LastPass has had. By a lot,” a former LastPass engineer warned.
https://twitter.com/ejcx_/status/1606428769731878913
According to LastPass, the previously undisclosed incident took place in August of this year. LastPass added that no customer data was accessed during the August 2022 incident, but some of the company’s source code and technical information were stolen from its development environment and used to target another employee.
“Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”
What Does This Mean for LastPass Customers And How Can You Protect Yourself?
If you’re a LastPass customer, the best and quickest thing you can do to protect yourself is to change your current LastPass master password to a new, unique password: use a passphrase with special characters that is known only to you. Also, make sure you write down your new password and keep it in a safe place. This secures your current LastPass vault.
LastPass also recommends changing the passwords if you think that your LastPass password vault could be compromised.
“If you think that your LastPass password vault could be compromised — such as if your master password is weak or you’ve used it elsewhere — you should begin changing the passwords stored in your LastPass vault. Start with the most critical accounts, such as your email accounts, your cell phone plan account, your bank accounts and your social media accounts, and work your way down the priority list.”
You can read the full notice below.
Notice of Recent Security Incident
Update as of Thursday, December 22, 2022
To Our LastPass Community,
We recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data. In keeping with our commitment to transparency, we want to provide you with an update regarding our ongoing investigation.
What We’ve Learned
Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
LastPass production services currently operate from on-premises data centers with cloud-based storage used for various purposes such as storing backups and regional data residency requirements. The cloud storage service accessed by the threat actor is physically separate from our production environment.
To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms, please see here.
There is no evidence that any unencrypted credit card data was accessed. LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment.
What Does This Mean? Is My Data at Risk?
The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices. We routinely test the latest password cracking technologies against our algorithms to keep pace with and improve upon our cryptographic controls.
The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.
What Should LastPass Customers Do?
As a reminder, LastPass’ default master password settings and best practices include the following:
- Since 2018, we have required a twelve-character minimum for master passwords. This greatly minimizes the ability for successful brute force password guessing.
- To further increase the security of your master password, LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password. You can check the current number of PBKDF2 iterations for your LastPass account here.
- We also recommend that you never reuse your master password on other websites. If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account (this is referred to as a “credential stuffing” attack).
If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.
However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.
For those Business customers who have implemented LastPass Federated Login Services, LastPass maintains our Zero Knowledge architecture and implements a hidden master password to encrypt your vault data. Depending upon the chosen implementation model, this hidden master password is actually a combination of two or more separately-stored, 256 bits or 32 characters long cryptographically-generated random strings that must be specifically combined to use (you can read more about this in our Technical Whitepaper here).
The threat actor did not have access to the key fragments stored in customer Identity Provider’s or LastPass’ infrastructure and they were not included in the backups that were copied that contained customer vaults. Therefore, if you have implemented the Federated Login Services, you do not need to take any additional actions.
However, it is important to note that if you are a Business customer who is not using Federated Login and your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.
What We’ve Done, and What We’re Doing
In response to the August 2022 incident, we eradicated any further potential access to the LastPass development environment by decommissioning that environment in its entirety and rebuilding a new environment from scratch. We also replaced and further hardened developer machines, processes, and authentication mechanisms.
We have added additional logging and alerting capabilities to help detect any further unauthorized activity including a second line of defense with a leading managed endpoint detection and response vendor to supplement our own team. We have also continued to execute our plans of implementing a new, fully dedicated, set of LastPass development and production environments.
In response to this most recent incident, we are actively rotating all relevant credentials and certificates that may have been affected and supplementing existing endpoint security. We are also performing an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service, adding additional safeguards within this environment, and analyzing all data within this environment to ensure we understand what the threat actor accessed.
We have already notified a small subset (less than 3%) of our Business customers to recommend that they take certain actions based on their specific account configurations. If you are a Business customer and you have not already been contacted to take action, then there are no other recommended actions for you to take at this time.
This remains an ongoing investigation. We have notified law enforcement and relevant regulatory authorities of this incident out of an abundance of caution. We are committed to keeping you informed of our findings, and to updating you on the actions we are taking and any actions that you may need to perform. In the meantime, our services are running normally, and we continue to operate in a state of heightened alert.
We thank you for your continued support and patience as we continue to work through this incident.
Karim Toubba
CEO LastPass
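The notice above rests on two numbers: a 12-character minimum master password and 100,100 PBKDF2 iterations in front of a 256-bit AES key. The following Python is an added illustration of that reasoning, not code from the article or from LastPass: it derives a key with PBKDF2-HMAC-SHA256 at the stated iteration count, times one derivation, and extrapolates the expected brute-force time from an attacker guess rate. The salt choice and the attacker rate are assumptions, not LastPass’s actual parameters.

```python
import hashlib
import time
from dataclasses import dataclass

# Parameters stated in the LastPass notice: AES-256 vault keys, PBKDF2 at
# 100,100 iterations by default, and a 12-character minimum master password.
LASTPASS_DEFAULT_ITERATIONS = 100_100
MIN_MASTER_PASSWORD_LENGTH = 12
KEY_LENGTH_BYTES = 32  # 256-bit AES key

def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 derivation of a 256-bit key from the master password.
    Assumption: a per-user salt such as the account e-mail; the notice does not
    say what LastPass actually salts with, so this is illustration only."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, KEY_LENGTH_BYTES)

def seconds_per_derivation(iterations: int, salt: str = "user@example.com") -> float:
    """Time one derivation on this machine: a defender's sanity check that the
    iteration count really imposes a per-guess cost."""
    start = time.perf_counter()
    derive_vault_key("benchmark-only-master-password", salt, iterations)
    return time.perf_counter() - start

@dataclass
class BruteForceEstimate:
    keyspace: float          # number of candidate passwords
    expected_guesses: float  # half the keyspace on average
    expected_years: float    # at the assumed attacker rate

def estimate_brute_force(length: int, charset_size: int, iterations: int,
                         hmac_per_second: float) -> BruteForceEstimate:
    """Expected time to recover a uniformly random password when an attacker's
    hardware evaluates `hmac_per_second` HMAC-SHA256 calls per second (a
    constructed figure). Each PBKDF2 guess costs `iterations` HMAC calls, so
    the attacker's cost scales linearly with the iteration count."""
    keyspace = float(charset_size) ** length
    expected_guesses = keyspace / 2
    seconds = expected_guesses * iterations / hmac_per_second
    return BruteForceEstimate(keyspace, expected_guesses, seconds / (365.25 * 86400))

if __name__ == "__main__":
    # Constructed inputs: 12 printable-ASCII characters (95 symbols), default
    # iterations, and a hypothetical attacker at 1e12 HMAC-SHA256 calls/second.
    print(f"one derivation: {seconds_per_derivation(LASTPASS_DEFAULT_ITERATIONS):.3f} s")
    est = estimate_brute_force(MIN_MASTER_PASSWORD_LENGTH, 95,
                               LASTPASS_DEFAULT_ITERATIONS, 1e12)
    print(f"expected brute-force time: {est.expected_years:.3e} years")
```

The estimate only holds for a uniformly random password; a reused or dictionary-based master password collapses the keyspace regardless of the iteration count, which is the case the notice singles out for action.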