RISKS

What happened

Free password manager LastPass was hacked – again! This appears to be the second time in just over three months and the third time within twelve months.

In a blog post published on November 30th, LastPass stated “We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.”

LastPass CEO Karim Toubba admitted that, during a recent incident, a hacker was able to access “certain elements” of “customers’ information.” In the November 30 update, the company didn’t specify what was meant by “certain elements” but did state “Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.” Then again, he also stated “We are working diligently to understand the scope of the incident and identify what specific information has been accessed”, so it’s unclear if they can fully confirm no passwords were accessed.

Then, Toubba posted another update on December 22 with more information, including this statement:

“To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service… The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

Toubba also stated: “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass” and claimed that if you use the default settings he recommended “it would take millions of years to guess your master password using generally-available password-cracking technology” and “There are no recommended actions that you need to take at this time.” However, he did note that users whose master passwords did not make use of the recommended defaults should change the passwords of websites they have stored.

This incident evidently relates to a previously identified incident back in August, as Toubba noted that “We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.” In that instance, the attacker compromised a LastPass developer’s endpoint to access the Development environment; the investigation found that the threat actor was able to impersonate the developer after he “had successfully authenticated using multi-factor authentication.”

Back then, LastPass acknowledged that the attacker had internal access to the company’s systems for four days until they were detected and evicted. While Toubba said then that the company’s investigation (carried out in partnership with cybersecurity firm Mandiant) found no evidence the threat actor accessed customer data or encrypted password vaults, it’s clear that the hacker was ultimately able to access some level of customer data, and copy an entire backup of customer data, taking encrypted and unencrypted data for those customers.

LastPass has received public criticism from some in the infosec industry for its response as well as its security posture (including the decision to leave users’ website URLs unencrypted). Also, in early January, an anonymous LastPass customer based in Massachusetts filed a class action lawsuit against the company. The individual said they stored Bitcoin private keys in their LastPass account and claimed that a threat actor accessed the account and stole $53,000 in cryptocurrency around Thanksgiving.


Déjà Vu All Over Again

Last December, LastPass suffered a credential stuffing attack that allowed threat actors to confirm a user’s master password. It was also revealed that LastPass master passwords were stolen by threat actors distributing the RedLine password-stealing malware.

Also, in September 2019, LastPass fixed a security vulnerability in the password manager’s Chrome extension that could have allowed threat actors to steal the credentials last used for logging into a site. LastPass also disclosed vulnerabilities in 2016 and 2017, a hacking episode in 2015 and a security issue back in 2011. That’s eight security incidents in twelve years!


Why is this important?

While password management sites can be helpful to keep track of your passwords, they can be hacked just like any other site. Unfortunately for LastPass users, they have a long track record of being hacked, with the latest instance appearing to be the most significant yet.


What does this mean to me?

Because the threat actor has a copy of the information offline, they can attempt brute force methods on accounts, with the ability to use customer data to determine which accounts to prioritize. Even changing the master password of the account — while still obviously recommended — is not going to have an impact on the threat actor’s ability to decrypt their copy of the account. Not only that, but website URLs can sometimes contain user account tokens, API keys and credential data.
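One practical response to the unencrypted-URL point above is to check your own stored URLs for secrets that sit in plain sight. The following is an added example (not LastPass’s or HALOCK’s code) that scans a list of URLs for embedded basic-auth credentials, token-like query parameters and OAuth-style fragment tokens; the parameter-name list is an assumed starting point and the sample URLs are constructed.

```python
"""Flag stored website URLs that leak secrets in an unencrypted field.

Added example, not LastPass's code. The sample entries below are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Query-string parameter names that commonly carry bearer credentials
# (assumption: a starting list; extend it for your own environment).
SENSITIVE_PARAMS = {"token", "access_token", "api_key", "apikey", "key",
                    "auth", "session", "sig", "signature", "password", "pwd"}

# Long opaque values (hex/base64-like) are a second signal even when the
# parameter name looks innocuous.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_\-]{32,}$")


def url_findings(url: str) -> list:
    """Return a list of (reason, detail) tuples for one URL; empty if clean."""
    findings = []
    parts = urlsplit(url)
    # Embedded basic-auth credentials: https://user:pass@host/
    if parts.username is not None or parts.password is not None:
        findings.append(("credentials in userinfo", parts.username or ""))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(("sensitive query parameter", name))
        elif OPAQUE_VALUE.match(value):
            findings.append(("opaque value in query", name))
    # Fragments are stored verbatim too; OAuth implicit flows put tokens there.
    for name, value in parse_qsl(parts.fragment, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS or OPAQUE_VALUE.match(value):
            findings.append(("token-like fragment parameter", name))
    return findings


def scan_vault_urls(urls):
    """Map each flagged URL to its findings; rotate those secrets first."""
    return {u: f for u in urls if (f := url_findings(u))}


# Constructed sample of what the unencrypted URL field might hold.
SAMPLE_URLS = [
    "https://example.com/login",
    "https://api.example.net/v1/me?api_key=0123456789abcdef0123456789abcdef",
    "https://user:s3cret@files.example.org/share",
    "https://app.example.io/callback#access_token=abc.def.ghi&state=xyz",
]

if __name__ == "__main__":
    for url, findings in scan_vault_urls(SAMPLE_URLS).items():
        print(url)
        for reason, detail in findings:
            print(f"  - {reason}: {detail}")
```

Feed it the URL column of a vault export; anything it flags should be treated as already exposed and rotated, regardless of whether the master password is changed.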

This illustrates the importance of enabling multi-factor authentication (MFA) on any accounts that support it, expediting that protection on any accounts for which LastPass stored credentials.

The LastPass example also illustrates several attack surfaces that can be exploited by hackers, including internal resources (such as the developer endpoint that was compromised back in August) and third-party services (such as the third-party cloud storage service). With so many potential attack surfaces, companies need to implement a variety of controls to protect themselves today.


APPROACHES

Helpful Controls


Commonality of attack

High


Article on story

LastPass Hacked for the Second Time in Six Months
LastPass faces mounting criticism over recent breach


HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, and more that impact your risk management program.
