LastPass, one of the leading password managers, said hackers obtained a trove of personal information from its customers, as well as encrypted and cryptographically hashed passwords and other data stored in customer vaults.
The disclosure, posted Thursday, represents a dramatic update to a breach LastPass disclosed in August. At the time, the company said a threat actor gained unauthorized access through a single compromised developer account to parts of the password manager’s development environment and “stole portions of the source code and certain technical information from LastPass.” The company said at the time that master passwords, encrypted passwords, personal information and other data stored in customers’ accounts were not affected.
Sensitive data, both encrypted and unencrypted, copied
In Thursday’s update, the company said hackers accessed personal information and related metadata, including company names, end-user names, billing addresses, email addresses, phone numbers and IP addresses that customers used to access LastPass services. The hackers also copied backed-up customer vault data that contained unencrypted data such as website URLs and encrypted data fields such as website usernames and passwords, secure notes, and form-fill data.
“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” wrote Karim Toubba, CEO of LastPass, referring to the Advanced Encryption Standard and a key length that is considered strong. Zero Knowledge refers to storage systems that are impossible for the service provider to decrypt. The CEO continued:
As a reminder, the Master Password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is only performed on the local LastPass client. For more information on our Zero Knowledge architecture and encryption algorithms, see here.
The update said that in the company’s investigation to date, there is no evidence that unencrypted credit card information was accessed. LastPass does not store full credit card numbers, and the credit card information it does store is kept in a different cloud storage environment than the one the threat actor accessed.
The breach revealed in August, which allowed hackers to steal LastPass source code and proprietary technical information, appears to be related to a separate breach at Twilio, a San Francisco-based provider of two-factor authentication and communications services. The threat actor in that breach stole data from 163 Twilio customers. The same phishers that hit Twilio also compromised at least 136 other companies, including LastPass.
Thursday’s update said the threat actor was able to use source code and technical information stolen from LastPass to target an individual LastPass employee and obtain security credentials and keys to access and decrypt storage volumes within the company’s cloud-based storage service.
“To date, we have found that once the cloud storage access key and decryption keys for the dual storage container were obtained, the threat actor copied information from the backup containing basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, phone numbers and the IP addresses from which customers accessed the LastPass service,” said Toubba. “The threat actor was also able to copy backed up client vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields, such as website usernames and passwords, secure notes and entered data.”
LastPass representatives did not respond to an email asking how many customers had their data copied.
Increase your security now
Thursday’s update also noted several remedies LastPass has taken to strengthen post-breach security. The steps include decommissioning the hacked development environment and rebuilding it, maintaining a managed endpoint detection and response service, and rotating all relevant credentials and certificates that may have been compromised.
Given the sensitivity of the data stored by LastPass, it is alarming that such a wide range of personal data has been obtained. While cracking the password hashes would require huge amounts of resources, it is not out of the question, especially considering the methodical and resourceful nature of the threat actor.
LastPass customers must ensure that they have changed their master password and all passwords stored in their vault. They must also ensure that they are using settings that exceed the LastPass default. Those default settings hash stored passwords using 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a hashing scheme that can make it effectively impossible to crack master passwords that are long, unique, and randomly generated. The 100,100 iterations are sadly short of the 310,000 iteration threshold that OWASP recommends for PBKDF2 in conjunction with the SHA256 hashing algorithm used by LastPass. LastPass customers can check the current number of PBKDF2 iterations for their accounts here.
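To make the iteration-count advice concrete, the following is an added illustration (not LastPass code and not a description of its internal implementation) of PBKDF2-HMAC-SHA256 key derivation at the 100,100 default and the 310,000 OWASP threshold cited above. The sample email address and master password are constructed, the use of the lowercased email address as the salt is an assumption made for this illustration, and the helper names are hypothetical. The point it shows is that each guess an attacker makes against a stolen vault costs one full PBKDF2 run, so the per-guess cost, and therefore the total cracking effort, scales linearly with the iteration count; a stronger master password multiplies that cost again by the number of guesses needed.

```python
import hashlib
import hmac
import time

# Constructed sample inputs for illustration only; not real LastPass data.
SAMPLE_EMAIL = "user@example.com"
SAMPLE_MASTER_PASSWORD = "correct horse battery staple 42!"

LASTPASS_DEFAULT_ITERATIONS = 100_100   # default iteration count cited in the article
OWASP_PBKDF2_SHA256_MIN = 310_000       # OWASP threshold for PBKDF2-HMAC-SHA256 cited in the article
KEY_LEN = 32                            # 256-bit key, matching the AES-256 key size mentioned


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Derive a 256-bit key with PBKDF2-HMAC-SHA256.

    Assumption for this illustration: the lowercased account email serves as the
    salt, so the same master password yields different keys for different users.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        salt.lower().encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def verify_master_password(candidate: str, salt: str, iterations: int, expected_key: bytes) -> bool:
    """Constant-time comparison of a candidate-derived key against the expected key."""
    return hmac.compare_digest(derive_vault_key(candidate, salt, iterations), expected_key)


def meets_owasp_minimum(iterations: int) -> bool:
    """True when an account's iteration count reaches the OWASP threshold."""
    return iterations >= OWASP_PBKDF2_SHA256_MIN


def relative_attacker_work(current_iterations: int, target_iterations: int) -> float:
    """Ratio of per-guess cost between two iteration counts.

    PBKDF2 cost is linear in the iteration count, so raising 100,100 to 310,000
    makes every offline guess roughly 3.1 times more expensive.
    """
    return target_iterations / current_iterations


def measure_seconds_per_guess(iterations: int, password: str, salt: str) -> float:
    """Wall-clock cost of a single derivation on this machine (one offline guess)."""
    start = time.perf_counter()
    derive_vault_key(password, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for iters in (LASTPASS_DEFAULT_ITERATIONS, OWASP_PBKDF2_SHA256_MIN):
        key = derive_vault_key(SAMPLE_MASTER_PASSWORD, SAMPLE_EMAIL, iters)
        secs = measure_seconds_per_guess(iters, SAMPLE_MASTER_PASSWORD, SAMPLE_EMAIL)
        status = "meets" if meets_owasp_minimum(iters) else "below"
        print(f"{iters:>7} iterations: key={key.hex()[:16]}... "
              f"{secs * 1000:.1f} ms per guess, {status} OWASP minimum")
    print(f"work factor increase: "
          f"{relative_attacker_work(LASTPASS_DEFAULT_ITERATIONS, OWASP_PBKDF2_SHA256_MIN):.2f}x")
```

Run it as a script to see the per-guess timing on your own hardware; the absolute numbers vary by machine, but the ratio between the two counts stays near 3.1. The timing is an upper bound on what a defender gains from the iteration count alone, since attackers with GPUs perform each derivation far faster than a single CPU thread, which is why the article pairs the iteration advice with changing to a long, unique, randomly generated master password.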
LastPass customers should also be on the lookout for phishing emails and phone calls purporting to come from LastPass or other services seeking sensitive data and other scams that exploit their compromised personal information. The company also has specific advice for business customers who have implemented the LastPass Federated Login Services.