Update: LastPass Breach Compromised Large Amounts of Sensitive Data
On December 22, LastPass updated its notice about an August 2022 cyberattack that was disclosed in November. At that time, LastPass wrote that “an unauthorized party … was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted.” The December 22 update notes that “the threat actor was also able to copy a backup of customer vault data from the encrypted storage container” as well as other sensitive customer data.
Aside from leaking customer data, which should be expected to leak after it was stored in the cloud, LastPass relied solely on a user-selected passphrase to protect the password information, and failed to encrypt some additional data included in the password vault. Competitors include a machine-selected random string in addition to the user-selected passphrase to create the encryption key. But aside from the technical details and shortcomings, this significant breach is the result of a business model that justifies subscription revenue by offering cloud-based services to synchronize password vaults across devices. Prior to implementing subscription-based pricing, some password managers offered local peer-to-peer synchronization not requiring the storage of password vaults outside of devices using them.
From a password manager perspective, based on the information we have this appears to be close to a worst case scenario. However, keep in mind it appears that the cyber threat actors have access to the encrypted password vault, not the passwords themselves. This means how long it takes for your passwords to be accessed depends on the strength of your Password Manager password (which should be VERY strong) and/or how LastPass approached the encryption of those vaults. Are Password Managers still a good idea? I feel absolutely yes. However, I would most likely use a different vendor (LastPass has had numerous problems in the past). In addition, this is where MFA is so important, as it provides that second layer of defense. Finally, Passkeys (FIDO / phishing resistant MFA) will help resolve many of these issues, making authentication not only simpler for people, but stronger.
Think of a scenario like this where a threat actor obtains access to your backup data along with the keys to decrypt it, by leveraging compromised information to compromise an employee with access to those keys. Review the access controls you have on information stored in the cloud, particularly concentrated collections such as backups, ensuring they are strongly encrypted, and access to that data is monitored, then review the who and how you have controlling access to those keys. For data exfiltrated from LastPass, the sensitive data elements within those containers are protected by unique AES 256-bit keys derived from your master password which LastPass doesn't have. Even so, review stored accounts, enabling MFA wherever possible, and if you decide to switch password managers, don't update the LastPass repository with your revised credentials.
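An added illustration, not LastPass's or any vendor's code, of the two key-derivation designs contrasted in the comments above: a vault key stretched from the master password alone (so a stolen vault can be tested against password guesses offline) versus one that also mixes in a device-generated random secret that never leaves the user's devices. The iteration count, the HMAC-SHA256 counter-mode stream cipher standing in for AES-256, and the vault entry are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed parameters for illustration; not LastPass's actual settings.
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor paid per password guess
KEY_LEN = 32           # 256-bit vault key

def derive_vault_key(master_password: str, salt: bytes, secret_key=None) -> bytes:
    """Derive the vault key from the master password alone (passphrase-only scheme)
    or from the master password plus a device-generated random secret (two-secret scheme)."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, KEY_LEN)
    if secret_key is None:
        return stretched
    # Mix in the random device secret: a stolen vault plus a correct password guess no longer suffices.
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES-256 (the standard library has no AES).
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def seal_vault(plaintext: bytes, master_password: str, secret_key=None) -> dict:
    """Encrypt-then-MAC the vault; only salt, nonce, ciphertext and tag are stored server-side."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_vault_key(master_password, salt, secret_key)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}

def open_vault(vault: dict, master_password: str, secret_key=None):
    """Return the plaintext if the supplied secrets are right, otherwise None (tag check fails)."""
    key = derive_vault_key(master_password, vault["salt"], secret_key)
    expected = hmac.new(key, vault["salt"] + vault["nonce"] + vault["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    stream = _keystream(key, vault["nonce"], len(vault["ciphertext"]))
    return bytes(c ^ k for c, k in zip(vault["ciphertext"], stream))

if __name__ == "__main__":
    entry = b"site=example.test user=alice pass=hunter2"   # constructed vault entry
    pw, device_secret = "correct horse battery staple", os.urandom(16)
    v_pw_only = seal_vault(entry, pw)
    v_two_secret = seal_vault(entry, pw, device_secret)
    print(open_vault(v_pw_only, pw) == entry)                    # True: the password alone unlocks
    print(open_vault(v_two_secret, pw) is None)                  # True: password without the device secret fails
    print(open_vault(v_two_secret, pw, device_secret) == entry)  # True: both secrets together unlock
```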
The reality of attackers making off with entire vaults that also contain some unencrypted information that could still be considered sensitive or identifying is just too much. This is not LastPass’ first or second cyber breach. While LastPass has been handling their duty to report well, they have not been improving their cyber defenses sufficiently as a response to these breaches. My questions: 1) How is a data transfer of protected customer vaults not alerting? 2) How does an increase in traffic go unnoticed? 3) Finally, why is customer data kept in their vault unencrypted?
It is to be hoped that 2023 will see the widespread adoption of Passkeys, the safest and most convenient mechanism for user authentication. While it will reduce the risk of fraudulent reuse of credentials and of social engineering attacks against users, it will not reduce the responsibility of those in the IAM business for protecting the other sensitive data that they hold about their customers. It is not clear that they are up to the task; users must consider the risk.
William Hugh Murray
Read more in
LastPass: Notice of Recent Security Incident
Wired: Yes, It’s Time to Ditch LastPass
The Register: LastPass admits attackers have a copy of customers’ password vaults
Ars Technica: LastPass users: Your info and password vault data are now in hackers’ hands
Dark Reading: LastPass Cops to Massive Breach Including Customer Vault Data