LastPass Users: Your information and password vault data is now in the hands of hackers

LastPass, one of the leading password managers, said hackers obtained a wealth of its customers’ personal information as well as encrypted and encrypted passwords and other data stored in customers’ vaults.

The disclosure, posted Thursday, is an exciting update on the LastPass breach that was revealed in August. At the time, the company said a threat actor gained unauthorized access through a single compromised developer account to parts of the password manager’s development environment and “took parts of the source code and some technical information of LastPass.” The company said at the time that customers’ master passwords, encrypted passwords, personal information, and other data stored in customer accounts were not affected.

Sensitive data is copied whether it is encrypted or unencrypted

In an update Thursday, the company said the hackers gained access to personal information and related metadata, including company names, end-user names, billing addresses, email addresses, phone numbers, and IP addresses that customers use to access LastPass services. The hackers also backed up customer vault data that included unencrypted data such as website URLs, encrypted data fields such as website usernames and passwords, secure notes, and form-filled data.

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted using a unique encryption key derived from each user’s master password using our zero-knowledge architecture,” LastPass CEO Karim Tuba wrote, referring to the advanced encryption system and a bit. To the advanced encryption system and a bit of a mod is considered strong. Zero-knowledge refers to storage systems that are impossible for a service provider to decrypt. Follow the CEO:

As a reminder, the master password is not known to LastPass and is not stored or maintained by LastPass. Data encryption and decryption is performed only on the local LastPass client. For more information on Zero Knowledge’s architecture and encryption algorithms, please see here.

The update mentioned that in the company’s investigation so far, there is no indication that unencrypted credit card data was accessed. LastPass does not store all credit card data, and the credit card data it does store is kept in a different cloud storage environment than the one the threat actor accessed.

An intrusion disclosed in August that allowed hackers to steal LastPass source code and proprietary technical information appears to be linked to a separate breach by Twilio, a San Francisco-based provider of two-factor authentication and connectivity services. The threat actor in this breach stole data from 163 Twilio customers. The same scammers that hit Twilio have also hacked at least 136 other companies, including LastPass.

Thursday’s update said a threat actor could use source code and technical information stolen from LastPass to hack a separate LastPass employee and obtain credentials and security keys to access and decrypt volumes within the company’s cloud storage service.

So far, we have determined that once the cloud storage access key and the dual storage container decryption keys were obtained, the threat actor copied information from the backup containing basic customer account information and related metadata, including company names, end user names, and billing. “The addresses, email addresses, phone numbers, and IP addresses from which customers were accessing the LastPass service,” Toba said. “The threat actor was also able to backup customer vault data from the encrypted storage container, which is stored in a proprietary binary format containing Unencrypted data, such as website URLs, as well as fully encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data.”

LastPass representatives did not respond to an email asking how many customers their data had been copied.

Enhance your security now

Thursday’s update also listed several remedies LastPass has taken to strengthen its security following the hack. Steps include shutting down the compromised development and rebuilding it from scratch, maintaining the managed endpoint detection and response service, and rotating all relevant credentials and certificates that may have been affected.

Given the sensitivity of the data stored by LastPass, it is concerning that such a wide range of personal data has been obtained. Although hacking a password hash requires huge amounts of resources, it is not out of the question, especially given how systematic and efficient the threat actor is.

LastPass customers should ensure that they change their master password and all passwords stored in their vault. They should also ensure that they use settings that override LastPass’ default. These settings hash stored passwords using 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a hashing scheme that can make long, unique, randomly generated master passwords impenetrable. 100,100 iterations is woefully short of the minimum 310,000 iterations OWASP recommends for PBKDF2 in combination with the SHA256 hash algorithm used by LastPass. LastPass customers can check the current number of PBKDF2 occurrences for their account here.

LastPass customers should also be extra alert to phishing emails and phone calls purporting to come from LastPass or other services looking for sensitive data and other scams exploiting their compromised personal data. The company also has specific advice for business customers who have implemented LastPass unified sign-in services.