LastPass has posted an update about its latest data breach: the company, which promises to keep all your passwords in one secure place, says the hackers managed to “back up customers’ vault data,” meaning they could, in theory, now have access to all of those passwords if they can crack the stolen vaults (via TechCrunch).
If you have an account that you use to store passwords and login information on LastPass, or if you had one and didn’t delete it before this fall, your password vault could be in the hands of hackers. The company claims you may be safe if you have a strong master password and use its latest default settings. If you have a weak master password or a lower security setting, however, the company says: “As an additional security measure, you should consider reducing your risk by changing website passwords that you have stored.”
This may mean changing the passwords for every website that you trust LastPass to store.
While LastPass insists that passwords are still secured by the account’s master password, it’s hard to take its word for it at this point, given how it has handled these disclosures.
When the company announced it had been hacked in August, it said it did not believe users’ data had been accessed. Then, in November, LastPass said it had detected an intrusion that apparently relied on information stolen in the August incident (it would have been nice to hear about this possibility sometime between August and November). That intrusion allowed someone to “access certain elements” of customer information. It turns out those “certain elements” were, you know, the most important and confidential things LastPass stores. The company says there’s “no evidence that any unencrypted credit card data was accessed,” but that is small consolation next to what the hackers did get away with. At least it’s easy to cancel a card or two.
Customer vaults are backed up from cloud storage
We’ll get to how this all happened in a bit, but here’s what LastPass CEO Karim Toubba has to say about the vaults being taken:
The threat actor was also able to back up customer vault data from an encrypted storage container that is stored in a proprietary binary format containing unencrypted data, such as website URLs, as well as fully encrypted sensitive fields such as website usernames, passwords, secure notes, and form-filled data.
Toubba says the only way a malicious actor could gain access to that encrypted data, and thus your passwords, would be with your master password. LastPass says it never had access to master passwords.
That’s why, he said, “it would be extremely difficult to attempt to brute force guess master passwords,” as long as you have a really good master password that you never reused anywhere (and as long as there isn’t some technical flaw in the way LastPass encrypted the data, although the company has made some basic security mistakes before). But anyone with that data could try to unlock it by guessing passwords over and over, aka brute force.
LastPass says its recommended default settings should protect you from this type of attack, but it doesn’t mention any kind of feature that would stop someone from trying to open a stolen copy of a vault over and over again for days, months, or years. There’s also the possibility that people’s master passwords could be obtained in other ways: if someone reused their master password for other logins, it may have been leaked in other data breaches.
It’s also worth noting that if you had an older account (created before the newer defaults introduced after 2018), a weaker password-strengthening process may have been used to protect your master password. According to LastPass, it currently uses a “stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function,” but when a Verge staffer checked their older account using a link the company includes on its blog, it told them their account was set to 5,000 iterations.
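To make the iteration-count difference concrete, here is an added example (not code from LastPass or from the original article) that derives a vault key with PBKDF2-HMAC-SHA256 and estimates how the iteration count and the master password's entropy scale the cost of offline guessing. The KDF layout (SHA-256, the lower-cased account email as salt, a 32-byte key), the sample password and email, and the adversary throughput figure are assumptions for illustration; the two iteration counts, 5,000 and 100,100, are the ones the article cites.

```python
import hashlib
import math
import time

# Iteration counts cited in the article: the value found on an older account,
# and the value LastPass says is now the default.
OLD_ITERATIONS = 5_000
NEW_ITERATIONS = 100_100


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    Assumption for illustration: the lower-cased account email is the salt and
    the output is 32 bytes. This is a generic PBKDF2 layout, not LastPass's own.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def work_factor_ratio(old_iterations: int, new_iterations: int) -> float:
    """How many times more work each guess costs at the new iteration count."""
    return new_iterations / old_iterations


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           hmac_per_second: float) -> float:
    """Average offline time to hit a uniformly random password.

    hmac_per_second is the guesser's raw HMAC-SHA256 throughput (an assumed
    figure); each PBKDF2 guess costs `iterations` HMAC calls, and on average
    half the keyspace is searched before the right guess is found.
    """
    guesses = 2 ** (entropy_bits - 1)
    return guesses * iterations / hmac_per_second


def measure_guess_cost(iterations: int, samples: int = 3) -> float:
    """Median wall-clock seconds for one derivation on this machine."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("correct horse battery staple", "user@example.test", iterations)
        timings.append(time.perf_counter() - start)
    return sorted(timings)[len(timings) // 2]


if __name__ == "__main__":
    ratio = work_factor_ratio(OLD_ITERATIONS, NEW_ITERATIONS)
    print(f"each guess costs {ratio:.2f}x more at {NEW_ITERATIONS} iterations")
    for label, it in (("5,000 iterations", OLD_ITERATIONS), ("100,100 iterations", NEW_ITERATIONS)):
        print(f"{label}: {measure_guess_cost(it) * 1000:.1f} ms per guess on this CPU")
    throughput = 1e9  # assumed aggregate HMAC-SHA256 rate of the guessing hardware
    for bits in (password_entropy_bits(8, 95), password_entropy_bits(16, 95)):
        for it in (OLD_ITERATIONS, NEW_ITERATIONS):
            years = expected_crack_seconds(bits, it, throughput) / (365 * 24 * 3600)
            print(f"{bits:5.1f}-bit password, {it:>7} iterations: ~{years:.3g} years on average")
```

The takeaway the numbers make visible: raising the iteration count from 5,000 to 100,100 multiplies the cost of every guess by about 20, which is worth a little over four bits of password entropy. A longer master password buys far more than the iteration bump does, which is why the article's advice centres on the strength and uniqueness of the master password rather than on the KDF setting alone.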
Perhaps the most worrisome thing is the unencrypted data: since it includes URLs, it tells the attackers which websites you have accounts with. If they decide to target specific users, that is powerful information when combined with phishing or other kinds of attacks.
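For a user deciding which of the stored passwords to rotate first, here is an added example (not code from LastPass or from the original article) of a small triage helper: it takes a vault export, flags entries whose password matches the master password (the reuse risk the article raises), flags passwords shared across entries, and ranks hosts that look high-impact first. The vault entries, the sample master password and the high-value keyword list are constructed for illustration and are assumptions, not anything from the page.

```python
from urllib.parse import urlparse

# Constructed sample of a user's own vault export; not real data.
SAMPLE_VAULT = [
    {"url": "https://www.examplebank.test/login", "username": "alice", "password": "Tr0ub4dor&3"},
    {"url": "https://mail.example.test", "username": "alice@example.test", "password": "correct horse battery"},
    {"url": "https://forum.example.test/signin", "username": "alice", "password": "Tr0ub4dor&3"},
    {"url": "https://shop.example.test", "username": "alice", "password": "hunter2hunter2"},
]

# Constructed master password for the sample; it is reused on one site above.
SAMPLE_MASTER_PASSWORD = "hunter2hunter2"

# Hostname fragments treated as high-impact (assumed heuristic, extend as needed).
HIGH_VALUE_HINTS = ("bank", "mail", "pay", "admin", "cloud")


def hostname(url: str) -> str:
    """Registrable-looking host from a stored URL, with a leading 'www.' dropped."""
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def plan_rotation(entries, master_password):
    """Return one record per entry, ordered by how urgently it should be rotated.

    Scoring (assumed weights): a site password equal to the master password is
    the worst case, since a cracked vault or a leaked site password exposes the
    other; passwords reused across entries come next; high-value hosts last.
    """
    password_counts = {}
    for entry in entries:
        password_counts[entry["password"]] = password_counts.get(entry["password"], 0) + 1

    plan = []
    for entry in entries:
        host = hostname(entry["url"])
        score, reasons = 0, []
        if entry["password"] == master_password:
            score += 100
            reasons.append("password equals master password")
        if password_counts[entry["password"]] > 1:
            score += 10
            reasons.append(f"password reused across {password_counts[entry['password']]} entries")
        if any(hint in host for hint in HIGH_VALUE_HINTS):
            score += 5
            reasons.append(f"high-value host ({host})")
        plan.append({"host": host, "username": entry["username"], "score": score, "reasons": reasons})

    plan.sort(key=lambda record: (-record["score"], record["host"]))
    return plan


if __name__ == "__main__":
    for record in plan_rotation(SAMPLE_VAULT, SAMPLE_MASTER_PASSWORD):
        flags = "; ".join(record["reasons"]) or "no specific flag"
        print(f"{record['score']:>4}  {record['host']:<24} {record['username']:<20} {flags}")
```

Running it on the constructed sample lists the shop account first because its password is the master password, then the bank account (a password shared with the forum, on a high-impact host), then the forum, then the mail account. The point is only ordering: every stored password may still deserve rotation, as the article says, but a ranked list turns "change everything" into something a person can actually start on.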
If I were a LastPass customer, I wouldn’t be happy with how the company disclosed this information
While none of that is great news, it could, in theory, happen to any company that stores secrets in the cloud. In cybersecurity, the name of the game isn’t a perfect track record; it’s how you respond to disasters when they happen.
And this is where LastPass fails completely, in my opinion.
Remember, they’re making this announcement today, on December 22nd — three days before Christmas, which is when many IT departments are pretty much on vacation, and when people aren’t likely to care about updates from their password manager.
(Also, the announcement doesn’t even get to the part about the vaults being copied until five paragraphs in. And while some of that information is dense, I think it’s fair to expect such an important detail to be at the top.)
LastPass says its vault backups weren’t directly compromised in August; instead, its story is that the threat actor used information from that breach to target an employee with access to a third-party cloud storage service. The vaults were stored in, and copied from, one of the folders accessed in that cloud storage, along with backups containing “basic customer account information and related metadata.” That includes things like “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” according to LastPass.
Toubba says the company is taking all kinds of precautions as a result of the initial breach and the secondary breach that exposed the backups, including adding more logging to detect suspicious activity in the future, rebuilding its development environment, rotating credentials, and more.
That’s all fine, and those are things it should be doing. But if I were a LastPass user, I would seriously consider walking away from the company at this point, because we’re looking at one of two scenarios here: either the company didn’t know that backups containing users’ vaults were sitting in a cloud storage service when it announced on November 30th that it had detected unusual activity there, or it did know and chose not to tell customers that hackers could have gotten to them. Neither is a good look.