On November 30, LastPass reported that they were breached and that an unauthorized party, using information obtained in the August 2022 incident, was “able to gain access to certain elements of our customers’ information”. On December 22, Karim Toubba, the CEO of LastPass, announced that the breach was more severe than first reported: the announcement confirms that customer vault data was also obtained.
In August, LastPass announced that attackers had stolen source code and proprietary technical information. On November 30, LastPass announced that they had detected unusual activity within a third-party cloud storage service shared by LastPass and its affiliate, GoTo. Their investigation determined that an unauthorized party, using information obtained in the August incident, had accessed certain elements of customer information.
Now, LastPass is announcing that the “unknown threat actor” used technical information stolen in the August breach to target an employee and obtain credentials and keys that could access and decrypt “storage volumes within the cloud-based storage service”. The “threat actor” used those keys to copy information from backups containing basic customer account information, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers accessed the LastPass service. The “threat actor” was also able to copy customer vault data, which contains both unencrypted fields, such as website URLs, and encrypted fields, such as website usernames and passwords, secure notes, and form-fill data. LastPass claims there is no evidence that any unencrypted credit card data was accessed.
Data At Risk
LastPass states that the encrypted fields remain secure and can only be decrypted with a unique encryption key derived from each user’s master password under its Zero-Knowledge architecture. LastPass also acknowledges that the “threat actor” may attempt to brute-force the master password offline against the copies of vault data they took. According to LastPass, its hashing and encryption methods make the master password difficult to guess if the customer followed LastPass best practices; if the customer did not, the weaker settings would “significantly reduce the number of attempts needed to guess” the master password correctly. In practice the cost of each guess is set by the PBKDF2 iteration count on the account, and the number of guesses required is set by the strength of the master password, so a short or reused master password on a low iteration count is the worst case. Where best practices were not followed, LastPass recommends that customers consider changing the passwords of the websites they have stored.
LastPass also states that Business customers who have not implemented “LastPass Federated Login Services” should change the passwords of websites they have stored.
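To make the brute-force risk concrete, the following Python model shows why the master password and the PBKDF2 iteration count together decide how long a stolen vault stays safe. It is an added example written for this page, not LastPass code. It assumes, as LastPass has documented, that the vault key is PBKDF2-HMAC-SHA256 over the master password salted with the account email; the `key_check` function is a stand-in for decrypting one vault field and checking that the plaintext is valid, and the email, password and wordlist are constructed demo data.

```python
"""Model of how master-password strength and PBKDF2 iteration count set the
cost of guessing against a stolen vault.  Added example; not LastPass code."""
import hashlib
import hmac
import time


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Vault key = PBKDF2-HMAC-SHA256(master password, salt=email, iterations).
    The lower-casing of the email is an assumption made for this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, 32)


def key_check(vault_key: bytes) -> bytes:
    """Stand-in for 'decrypt one AES field and see whether it looks valid'.
    Real cracking tools decrypt instead, but the per-guess cost is dominated
    by the PBKDF2 call either way, so a hash of the key is enough to model it."""
    return hashlib.sha256(b"keycheck|" + vault_key).digest()


def crack_dictionary(target_check: bytes, email: str, iterations: int, wordlist):
    """Offline dictionary attack on a stolen vault copy.
    Returns (password, attempts) on success, (None, attempts) otherwise."""
    attempts = 0
    for attempts, guess in enumerate(wordlist, start=1):
        candidate = key_check(derive_vault_key(guess, email, iterations))
        if hmac.compare_digest(candidate, target_check):
            return guess, attempts
    return None, attempts


def seconds_per_guess(email: str, iterations: int, samples: int = 3) -> float:
    """Measure the PBKDF2 cost of one guess at this iteration count."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("benchmark-only", email, iterations)
    return (time.perf_counter() - start) / samples


# Constructed demo data, not real accounts: a weak master password and the
# tiny wordlist an attacker would try first.
EMAIL = "alice@example.com"
TRUE_PASSWORD = "correcthorse"
WORDLIST = ["password", "123456", "lastpass1", "Summer2022!", "correcthorse"]


def stolen_vault_check(iterations: int) -> bytes:
    """What the attacker holds after the breach: something a guess can be
    verified against, protected only by the user's iteration count."""
    return key_check(derive_vault_key(TRUE_PASSWORD, EMAIL, iterations))


if __name__ == "__main__":
    # 1, 5000 and 100000 are the iteration counts discussed on this page.
    for iters in (1, 5000, 100000):
        found, tries = crack_dictionary(stolen_vault_check(iters), EMAIL, iters, WORDLIST)
        per_guess = seconds_per_guess(EMAIL, iters)
        print(f"iterations={iters:>6}: found={found!r} after {tries} guesses, "
              f"~{per_guess * 1e6:.0f} us/guess on one core, "
              f"~{per_guess * 1e9 / 86400:.1f} core-days per 10^9 guesses")
```

The weak password falls on the fifth guess at every iteration count; what the iteration count changes is the price of each guess, which is why LastPass's "best practices" wording turns on that setting. Changing the master password now does not help against the copy already taken, because its key is derived from the old password, which is why the stored site passwords are what need to change.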
Previous LastPass Data Incidents
According to Wikipedia, LastPass has a history of security incidents.
2011 Security Incident
On May 3, 2011, LastPass discovered an anomaly in their network traffic. Data such as email addresses, the server salt, and the salted password hashes were copied from the LastPass database. LastPass rebuilt the servers and asked all users to change their master passwords.
2015 Security Breach
On June 15, 2015, LastPass account email addresses, password reminders, server-per-user salts, and authentication hashes were compromised; however, encrypted user vault data was not affected.
2016 Security Incident
In July 2016, due to poorly written URL parsing code in the LastPass extension, a method was found for reading plaintext passwords for arbitrary domains from a LastPass user’s vault when that user visited a malicious website. LastPass was notified privately and fixed their browser extension.
2017 Security Incidents
On March 20, 2017, vulnerabilities in the LastPass browser extension were discovered. They applied to all LastPass clients, including Chrome, Firefox, and Edge, and were patched.
On March 25, an additional security flaw was discovered that allowed remote code execution when the user navigated to a malicious website. This vulnerability was also patched.
2019 Security Incident
2021 Third-Party Trackers And Security Incident
In 2021 it was discovered that the LastPass Android app contained third-party trackers. Also, at the end of 2021, an article in BleepingComputer reported that LastPass users were warned that their master passwords were compromised.
Any breach is bad, but for a password manager, a breach where the hacker gets the vault data is about as bad as it can get. If I used LastPass, I would do the following:
- Change my LastPass master password (this protects the live account going forward, but not the copy of the vault already taken, whose encryption key is derived from the old master password).
- Turn on LastPass multi-factor authentication if it is not turned on.
- Change all critical website passwords (email, financial institutions, credit cards, etc.).
- Consider switching to a different password manager. Personally, I have a Premium subscription to the Bitwarden Password Manager. I consider it the best $10 I spend each year. Jim Hillier recommends the free version of Bitwarden if you do not need the Premium features.
8 thoughts on “LastPass Hacker Gets Vault Data”
The only reason I know about and use LastPass is because I read an article from DCT recommending it. This was several years ago. Has this happened to other password managers in the past or recently? Especially the one suggested in this article, Bitwarden.
Please let me know
Thanking you in advance,
(with apologies to John Durso for jumping in here)
To the best of my knowledge we have never published an article recommending LastPass, and a search of our article archive confirms. Maybe you read it somewhere else.
Bitwarden has never been breached or hacked. I use Bitwarden myself and, if John Durso uses Bitwarden (which he does), you can pretty much bet your bottom dollar the service is as safe and private as humanly possible.
I found this history of hacked password managers, from 2022 back to 2014: https://password-managers.bestreviews.net/faq/which-password-managers-have-been-hacked/
(NOTE: I cannot attest to the accuracy of the information in that list)
Hope that helps.
As Jim has mentioned, to date there has been no known breach of Bitwarden. A few of the reasons Jim and I chose Bitwarden over LastPass are that Bitwarden has security advantages over LastPass.
First, it is open source software. As opposed to LastPass closed source software. Open source means that anyone can look at the source code and view it for weaknesses. More transparency and more eyes to review it.
Second, Bitwarden’s entire vault is encrypted. Nearly everything in the LastPass vault is unencrypted. LastPass only encrypted certain fields. This makes a LastPass user vulnerable to phishing even if the hacker does not crack the password. For example, URLs were not encrypted. Anyone that has a LastPass vault can view which websites have an account and target individuals based on that info even if the password is later changed.
Third, LastPass has poor local encryption management. The LastPass vault encryption key is always resident in memory and never wiped. The entire vault is decrypted once and stored entirely in memory. Furthermore, the vault recovery key and dOTP are stored on each device in plain text, rendering the master password useless. Bitwarden’s is significantly better. Note, this isn’t an issue in this LastPass breach but just an indication of the poor software that is LastPass.
Fourth, Bitwarden’s default local iteration count used with PBKDF2 is 100,001. They also add another 100,000 iterations on the server, making it 200,001. LastPass has a RECOMMENDATION of 100,000 but it isn’t a default. Why didn’t they make that a default? Why not warn users that their iteration count was less than their recommendation when they wrote it in a blog in 2018? Many users report that they only have 5000, 500 or even 1 (which may have been the default when a user joined). The lower the iteration count, the easier it is to crack.
Fifth, Bitwarden has met many compliances and certifications.
Sixth, Bitwarden has many 3rd party security audits (you can read them here https://bitwarden.com/help/is-bitwarden-audited/) and has been transparent with their findings.
Note, although both Jim and I use Bitwarden, I have also heard good things about 1Password.
A G A I N ! I dumped those amateurs a couple of years ago.
I seem to remember years ago reading that it was called “Lastpass” because it was the last password manager you’d ever need…!!!
If I was one of the 500 odd employees working at Lastpass I’d be updating my resume over the Xmas break…
Does Bitwarden support auto login? I changed from LastPass to Roboform but as you have said that BitWarden has no known breaches then if it supports auto login of sites then it might be worth a try out.
Ahhh a classic case of post then explore! I see it does support auto logins after playing with it for a while 🙂
Sorry for jumping before looking….
Hello John & Jim,
Thanks for the detailed response to my questions. You are obviously correct about not publishing an article recommending LastPass. I found where I read about it.
I just wanted to let you know I appreciate the detailed info on both password managers. I will be using Bitwarden starting now. By the way, I apologize for not thanking you for the heads up about LastPass vulnerabilities and the breach details.