What You Need To Know
The popular password manager, LastPass, had a breach in August of this year (2022). While the company notified users of the breach on August 25th, the organization stated only source code and some technical information were taken. The forensic investigation was completed in September and LastPass notified users that no encrypted password vaults were taken.
On November 30th, LastPass published a notification about unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. LastPass “determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.” At the time, an investigation was ongoing to determine the scope of the incident. An update was published on December 22, 2022 confirming the acquisition of customer data by the threat actor.
According to LastPass, stolen information included basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
More importantly, the threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
What That Means For You
Soon after the notice was posted, security researchers started digging into the details of the incident to determine what exactly threat actors could do with the password vaults they copied. It seems there are two main issues with the stolen information.
- Unencrypted Data. According to LastPass, encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using Zero Knowledge architecture. The issue is the number of fields that are NOT encrypted. It seems that when a password entry is created in LastPass, the URL, Name, Password Creation Time, Last Password Modification Time, Last Password Access Time, if the account is a favorite, if the password was auto-generated, and potentially Notes are not encrypted. This information would give an attacker an excellent place to start targeting accounts that are used most often, which may be vulnerable, etc. This information would also provide plenty of information to create a social engineering attack against specific users which can be prioritized because each vault is distinguishable.
- Encrypted Vault. While the usernames and passwords are encrypted, the security of the information is based on the strength of the master password and your susceptibility to being phished.
Is Your Stolen Vault Still Safe?
Your vault may or may not be safe. The vaults were copied by the attacker so they can run as many bruteforce password cracking attempts as their time and technology allow. If you were using a complex, 18-character master password, you are most likely safe. You may still be a target for phishing/vishing/smishing attacks now. If you aren’t using a password that is long and complex, take a look at the image below to see how long it may take to crack your master password. Remember, if your master password has been used elsewhere (especially somewhere that has been breached), there is a high likelihood that the time to crack will be MUCH lower.
What To Do
If you don’t use and have never used LastPass, take note of best practices for password management and carry on. If you have used LastPass and don’t want to take any chances, assume all your passwords have been compromised. Export your current password data off LastPass and import it to a new password manager. Don’t forget to delete the export file after you have imported to the new manager. Make a plan to change all of your critical passwords (bank, medical, work, school, etc.). Do not change them until after you are off LastPass. Add Two-Factor Authentication (2FA) to all these sites RIGHT NOW if you haven’t already done so. Change your critical passwords once they are in the new manager.
Just because one password manager has been compromised does not mean all password managers should be untrusted. The likelihood of bad password practices is much higher for individuals solely relying on memory for all passwords. Move forward securely.
If you need specific help, reach out to Asylas at 615-622-4591.