LastPass Confirms Hackers Stole Its Password Vault, What You Should Know

Back in August of this year, the password manager LastPass suffered a security breach that resulted in the theft of proprietary technical information and portions of the company’s source code. Hackers then used the stolen information to breach LastPass again at the end of November. Shortly after this follow-up breach, the company disclosed that threat actors had stolen customer information, but didn’t specify what information had been stolen. Now, the CEO of LastPass, Karim Toubba, has published an update revealing that the hackers managed to access customers’ password vaults.

The breach in August affected the LastPass development environment, which didn’t contain any customer information. However, the target of the more recent breach was a cloud storage service containing off-site backups of customer data. The hackers used information stolen in the August breach to target a LastPass employee, likely in a phishing attack, and acquire the access and decryption keys for the company’s cloud storage container. Thanks to these keys, the threat actors were able to gain unauthorized access to the storage container and make copies of the backup data stored within.

The stolen data includes customer account information and metadata, such as company names, usernames, billing addresses, email addresses, telephone numbers, and IP addresses, as well as vault data. These vaults are where customers’ passwords and other credentials are stored. While threat actors now possess copies of these vaults, all passwords, usernames, secure notes, and form-filled data remain encrypted. However, unlike the vaults of some password managers like Bitwarden, LastPass customer vaults contain some unencrypted data, including the website URLs associated with each vault entry. This unencrypted information could enable threat actors to determine the websites on which LastPass users have accounts.

However, the threat doesn’t end there. It’s important to note that the threat actors now have their own copy of LastPass customers’ vaults. Rather than attempting to access the encrypted information within customers’ vaults directly on LastPass servers, where security measures could rebuff repeated attempts at unauthorized access, the threat actors are free to employ all sorts of methods to break through the encryption on their own terms. They can work on decrypting customers’ vault data offline, where there is no trail leading back to them, and customers will receive no notification of unauthorized access if the decryption succeeds.

LastPass email notice sent to customers

LastPass customers should immediately change the master passwords for their accounts, as the threat actors will most likely begin conducting phishing attacks against LastPass customers using the email addresses and phone numbers stolen in the breach. Their aim will be to trick LastPass customers into giving up their master passwords. The threat actors can then try using any passwords stolen in this manner to determine the encryption keys that protect users’ encrypted vault data. However, any master passwords stolen through phishing attacks will be useless for this purpose if they are new passwords put in place after the vault data was stolen. The threat actors may also try using passwords stolen in other data breaches. However, so long as LastPass customers used unique passwords as their master passwords, this technique won’t work.

If the threat actors do manage to obtain LastPass customers' master passwords, they won't have immediate access to customers' encrypted data. Each customer’s encrypted vault data is protected by a key derived from a user’s master password. LastPass generates this key by applying the PBKDF2 key derivation function to a master password a set number of times. LastPass’ current standard for key generation is 100,100 iterations of the derivation function, which makes it quite difficult for threat actors to determine a user’s encryption key through the application of brute force computing power.

That said, 100,100 iterations is significantly below the 310,000 iterations recommended by the Open Web Application Security Project (OWASP). Additionally, even the 100,100 iteration standard is somewhat new for LastPass, and some older LastPass accounts are still protected by keys generated using only 5,000 iterations of the derivation function. Practically speaking, these older accounts will be significantly easier to crack open.
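To make the iteration figures concrete, here is an added Python example (not LastPass code) that derives a vault key with PBKDF2 at each of the three iteration counts named above and measures how much one password guess costs at each on the local machine, which is the cost a brute-force attempt against a stolen vault pays per guess. The use of HMAC-SHA256, a 32-byte key, and an email-style salt are assumptions, as the article does not state them.

```python
import hashlib
import time

# Iteration counts taken from the article.
ITERATION_COUNTS = {
    "older LastPass account": 5_000,
    "current LastPass standard": 100_100,
    "OWASP recommendation": 310_000,
}
KEY_LEN = 32  # assumed: a 256-bit vault encryption key


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Derive the vault key with PBKDF2-HMAC-SHA256 (hash choice is an assumption)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt.encode(), iterations, dklen=KEY_LEN
    )


def measure_guess_cost(salt: str, iterations: int, samples: int = 3) -> float:
    """Average seconds one single-threaded password guess costs at this iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"constructed-guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def seconds_to_exhaust(guesses: int, seconds_per_guess: float, parallel_workers: int = 1) -> float:
    """Wall-clock time to try `guesses` candidates spread over `parallel_workers`."""
    return guesses * seconds_per_guess / parallel_workers


if __name__ == "__main__":
    salt = "user@example.com"  # constructed sample salt
    wordlist_size = 10_000_000  # constructed: a modest leaked-password list
    for label, iterations in ITERATION_COUNTS.items():
        per_guess = measure_guess_cost(salt, iterations)
        total = seconds_to_exhaust(wordlist_size, per_guess)
        print(f"{label:26s} {iterations:>8,d} iters  "
              f"{per_guess * 1000:7.2f} ms/guess  "
              f"{total / 3600:9.1f} h for {wordlist_size:,d} guesses")
```

The ratio between rows is what matters: raising the count from 5,000 to 100,100 makes every guess roughly twenty times more expensive, and a cracker with many cores only divides the total, it does not change the per-guess cost.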

Cracking open encrypted vault data isn’t a matter of whether it can happen, but when. In the best-case scenario for LastPass users, it may take thousands of years for threat actors to break through the encryption using the encryption-cracking tools that are currently available. However, computing power increases over time, meaning that the time it takes to decrypt the stolen vault data will decrease over time as well. While it may be a pain, LastPass users should not only change their master passwords, but also every single password stored in their vaults. Threat actors may not be able to break through the encryption on users’ vault data and access their stored passwords tomorrow, but, now that the data is out there, it could happen at any point in the future, so LastPass users should take action now.