LastPass admits to severe data breaches, theft of encrypted password lockers

December 23, 2022 | Ravi Lakshmanan | Password management / data breach

LastPass’ August 2022 security breach may have been more serious than the company previously disclosed.

The popular password management service disclosed Thursday that malicious actors obtained a range of its customers’ personal information, including their encrypted password vaults, using data pulled from the previous hack.

Also stolen was “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, phone numbers, and IP addresses from which customers were accessing the LastPass service,” the company said.

The August 2022 incident, which remains the subject of an ongoing investigation, involved miscreants gaining access to source code and private technical information from its development environment via a single hacked employee account.


LastPass said this allowed the anonymous attacker to obtain credentials and keys that were later leveraged to extract information from a backup stored in the cloud storage service, which it confirmed was physically separate from its production environment.

Furthermore, the adversary is said to have copied customer vault data from the encrypted storage container. The vaults are stored in a “proprietary binary format” that contains both unencrypted data, such as website URLs, and fully encrypted fields such as website usernames and passwords, secure notes, and form-filled data.

The company explained that these fields are protected using 256-bit AES encryption and can only be decrypted with a key derived from the user’s master password on the user’s own machine.

LastPass confirmed that the security breach did not include access to unencrypted credit card data, as this information was not archived in the cloud storage container.

The company didn’t disclose how recent the backup was, but warned that the threat actor “may attempt to use brute force to guess your master password and decrypt copies of store data they have taken,” as well as target customers through social engineering and credential stuffing attacks.

It should be noted that the success of brute-force attacks against master passwords is inversely proportional to their strength: the easier a password is to guess, the fewer attempts are needed to crack it.

“If you reuse your master password and that password is ever compromised, the threat actor could use dumps of compromised credentials already available on the Internet to try to access your account,” LastPass warned.

The fact that website URLs are stored in plain text means that attackers can learn which sites a particular user has accounts with, enabling them to launch targeted phishing attacks or steal additional credentials.

The company also said it notified a small subset of its business customers (fewer than 3%) to take certain unspecified actions based on their account configurations.

The development comes days after Okta admitted that threat actors gained unauthorized access to Workforce Identity Cloud (WIC) repositories hosted on GitHub and copied source code.
