On November 30, LastPass reported that they were breached and that an unauthorized party, using information obtained in the August 2022 incident, was “able to gain access to certain elements of our customers’ information”. On December 22, Karim Toubba, the CEO of LastPass, announced that the breach is more severe than first reported: the announcement confirms that customer vault data was also obtained.
In August, LastPass announced that attackers were able to steal source code and proprietary technical information. On November 30, LastPass announced that they detected unusual activity within a third-party cloud storage service, shared by both LastPass and its affiliate, GoTo. Their investigation determined an unauthorized party, using information obtained in the August 2022 incident, was “able to gain access to certain elements of our customers’ information”.
Now, LastPass is announcing that the “unknown threat actor” leveraged the technical information from the August breach to target an employee and obtain credentials and keys able to access and decrypt “storage volumes within the cloud-based storage service”. The “threat actor” used the keys to copy information from backups that contained basic customer account information, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses that customers were using to access the LastPass service. The “threat actor” was also able to copy customer vault data, which contains both unencrypted data, such as website URLs, and encrypted fields such as website usernames and passwords, secure notes, and form-filled data. Even without decrypting anything, the plaintext URLs tell an attacker which services each user holds accounts with, which is useful for targeted phishing. LastPass claims that there is no evidence that any unencrypted credit card data was accessed.
Data At Risk
LastPass states that the encrypted fields remain secure and can only be decrypted with a unique encryption key derived from each user’s master password under their Zero-Knowledge architecture. However, according to LastPass, the “threat actor” can use brute force to guess the master password and decrypt the copies of the vault data that they took. Because the attacker holds the copies, this guessing happens offline on the attacker’s own hardware: LastPass’s login rate limits, account lockouts, and multi-factor authentication do not apply to it, and only the strength of the master password and the cost of the key derivation (the number of hashing iterations) slow it down. LastPass claims that their hashing and encryption methods would make it difficult to guess the master password if the customer followed LastPass best practices. However, if the customer did not follow LastPass best practices, that would “significantly reduce the number of attempts needed to guess” the master password correctly. Therefore, LastPass recommends changing stored website passwords.
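To make the offline-guessing point concrete, here is an added Python example (not LastPass code, and not a description of LastPass’s real parameters or file format) that models a vault key derived from a master password with PBKDF2-HMAC-SHA256 and then runs a wordlist against a stolen copy. Using the lowercased e-mail as the salt, the iteration counts, the HMAC “key check” that stands in for “try to decrypt the vault and see whether it parses”, and the wordlist are all assumptions constructed for the illustration.

```python
import hashlib
import hmac
import time

# Constructed sample data for this illustration (not real LastPass data or parameters).
EMAIL = "user@example.com"
WEAK_ITERATIONS = 500        # stands in for an old, low client-side iteration count
STRONG_ITERATIONS = 100_000  # stands in for a current recommended count


def derive_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    Salting with the lowercased e-mail address is an assumption for this example;
    it makes the derived key per-user so one guess cannot be reused across victims.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def key_check(key: bytes) -> bytes:
    """Stand-in for 'decrypt the vault and check that it parses':
    an HMAC over a fixed label that only the correct key reproduces."""
    return hmac.new(key, b"vault-key-check", "sha256").digest()


def offline_guess(stolen_check: bytes, email: str, iterations: int, candidates):
    """Offline attack on a stolen vault copy.

    The attacker is never rate-limited, locked out, or asked for MFA; every
    candidate costs exactly one key derivation. Returns (password, attempts),
    or (None, attempts) if the wordlist is exhausted.
    """
    candidates = list(candidates)
    for attempts, candidate in enumerate(candidates, start=1):
        key = derive_key(candidate, email, iterations)
        if hmac.compare_digest(key_check(key), stolen_check):
            return candidate, attempts
    return None, len(candidates)


def guesses_per_second(email: str, iterations: int, samples: int = 5) -> float:
    """Measure this machine's single-core guess rate at a given iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"probe{i}", email, iterations)
    return samples / (time.perf_counter() - start)


# Constructed wordlist: a few common passwords plus the victim's (weak) real one.
WORDLIST = ["123456", "password", "qwerty", "letmein", "lastpass", "Summer2022!", "hunter2"]

if __name__ == "__main__":
    for label, iters in (("weak", WEAK_ITERATIONS), ("strong", STRONG_ITERATIONS)):
        stolen = key_check(derive_key("Summer2022!", EMAIL, iters))
        found, attempts = offline_guess(stolen, EMAIL, iters, WORDLIST)
        rate = guesses_per_second(EMAIL, iters)
        print(f"{label} iterations ({iters}): recovered {found!r} after {attempts} guesses; "
              f"~{rate:,.0f} guesses/s on one core")
```

Running it shows the two levers separately: a master password that appears in a wordlist falls after the same number of guesses regardless of the iteration count, and raising the iterations only multiplies the time each guess costs the attacker. A password that is not in any wordlist (long, random, not reused) is the only setting that makes the attempt count itself impractical, which is why a higher iteration count alone does not rescue a weak master password.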
LastPass also states that Business customers who have not implemented “LastPass Federated Login Services” should change the passwords of the websites they have stored.
Previous LastPass Data Incidents
According to Wikipedia, LastPass has a history of security incidents.
2011 Security Incident
On May 3, 2011, LastPass discovered an anomaly in their incoming and outgoing network traffic. Data such as email addresses, the server salt, and the salted password hashes were copied from the LastPass database. LastPass rebuilt the servers and asked all users to change their master passwords.
2015 Security Breach
On June 15, 2015, LastPass account email addresses, password reminders, per-user server salts, and authentication hashes were compromised; however, encrypted user vault data was not affected.
2016 Security Incident
In July 2016, due to poorly written URL parsing code in the LastPass extension, a method was found for reading plaintext passwords for arbitrary domains from a LastPass user’s vault when that user visited a malicious website. LastPass was notified privately and fixed their browser extension.
2017 Security Incidents
On March 20, 2017, a vulnerability in the LastPass Chrome extension was discovered. The flaw affected all LastPass browser extensions, including Chrome, Firefox, and Edge. These vulnerabilities were patched.
On March 25, an additional security flaw was discovered that allowed remote code execution when the user navigated to a malicious website. This vulnerability was also patched.
2019 Security Incident
2021 Third-Party Trackers And Security Incident
In 2021 it was discovered that the LastPass Android app contained third-party trackers. Also, at the end of 2021, BleepingComputer reported that some LastPass users had received warnings that their master passwords were compromised.
Any breach is bad, but for a password manager, a breach in which the attacker obtains the vault data is about as bad as it gets. If I used LastPass, I would do the following:
- Change my LastPass master password.
- Turn on LastPass multi-factor authentication if it is not turned on.
- Change all critical website passwords (email, financial institutions, credit cards, etc.).
- Consider switching to a different password manager. Personally, I have a Premium subscription to the Bitwarden Password Manager. I consider it the best $10 I spend each year. Jim Hillier recommends the free version of Bitwarden if you do not need the Premium features.