LastPass Admits Hackers Obtained Customer Password Vaults

Password manager’s update on its August breach confirms customer password vault was stolen, as security experts slate the firm

Password management service LastPass is once again in the headlines for all the wrong reasons at the end of 2022.

Just before Christmas, LastPass CEO Karim Toubba issued an update on the security breach that took place in August this year, in which it admitted hackers had stolen source code and other technical data.

But now LastPass has admitted that the hackers actually obtained the cloud storage access key and dual storage container decryption keys, and “the threat actor copied information from backup that contained basic customer account information and related metadata.”

LastPass Logo

LastPass admission

The hacker was “also able to copy a backup of customer vault data from the encrypted storage container.”

This means that customer’s passwords, although secured with 256-bit AES encryption, could be vulnerable to brute force attacks to guess the master password.

That said LastPass said that “because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices.”

“The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault,” it added. “In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.”

LastPass said that since 2018 it has required a twelve-character minimum for master passwords. “This greatly minimizes the ability for successful brute force password guessing,” it said.

It also recommends that users never reuse their master password on other websites.

“If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology,” said the password management service. “Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.”

“However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly,” it added. “In this case, as an extra security measure, you should consider minimising risk by changing passwords of websites you have stored.”

Ongoing investigation

LastPass said in response to the August 2022 incident, it has “eradicated any further potential access to the LastPass development environment by decommissioning that environment in its entirety and rebuilding a new environment from scratch.”

It said it has also replaced and further hardened developer machines, processes, and authentication mechanisms.

LastPass also added additional logging and alerting capabilities to help detect any further unauthorised activity including a second line of defence with a leading managed endpoint detection and response vendor to supplement its own team.

LastPass added that in response to this most recent incident, it is actively rotating all relevant credentials and certificates that may have been affected and supplementing existing endpoint security. It is also performing an exhaustive analysis of every account with signs of any suspicious activity within its cloud storage service, adding additional safeguards within this environment, and analysing all data within this environment to ensure we understand what the threat actor accessed.

The firm said this remains an ongoing investigation and it has notified law enforcement and relevant regulatory authorities of this incident out of an abundance of caution.

LastPass criticism

LastPass’ security update released on 22 December has been heavily criticised by some security experts.

For example a blog post by Wladimir Palant, a security researcher known for helping originally develop AdBlock Pro, slated the company’s response.

He alleged that the update from LastPass was “full of omissions, half-truths and outright lies.”

“As people have speculated, this timing was likely not coincidental but rather intentional to keep the news coverage low,” he wrote. “Security professionals weren’t amused, this holiday season became a very busy time for them. LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face.”

“Their statement is also full of omissions, half-truths and outright lies,” he alleged in his blog post.

Some of Wladimir Palant’s criticisms deal with how the company has framed the incident and how transparent it is being.

Another security researcher, Jeremi Gosney, on Mastodon called on LastPass customers to move to another password manager.

“LastPass’s claim of ‘zero knowledge’ is a bald-faced lie,” he wrote, alleging that the company has “about as much knowledge as a password manager can possibly get away with.”

Previous breaches

Unfortunately this not the only time that LastPass has suffered a security breach.

In January 2016 a security researcher (Sean Cassidy) cast doubts on the security of LastPass when he claimed he had discovered a way of gaining login credentials, and even a two factor authentication code, through a phishing attack.

Cassidy went public and publish his exploit on Github after notifying the firm two months previously, but he was not satisfied by their response.

Prior to that in June 2015, LastPass suffered a major data breach, in which the stolen data could have allowed hackers to guess weak master passwords.

The company said at the time that as a precaution it was prompting all users to change their master passwords.

Third-party passwords stored with LastPass were not affected at the time.