
Encrypted LastPass Password Vaults, Customer Information Stolen in November Breach

Popular password management service LastPass has confirmed that a previously reported November “security incident” was a breach that resulted in the theft of customer data, including encrypted password vaults and stored web addresses that are not encrypted.

The November breach was a follow-on to a separate August breach. Information stolen in that earlier breach was used to access third-party cloud storage shared by LastPass and its parent company GoTo. LastPass and GoTo say that they are still investigating the issue and have not yet released complete information on the incident, but Amazon has previously revealed that it hosts a billion of the company's customer records on AWS servers.

Stolen password vaults were encrypted, but serious concerns remain

Though the primary public concern will naturally center on the stolen password vaults, a more immediate issue is the unencrypted information connected to each vault. This includes basic customer account and contact information: real names and user names, billing and email addresses, phone numbers, and IP addresses. And in terms of the password vaults, the thieves can see the URLs for which passwords are stored. LastPass says that credit card and payment data was not accessed, however.

There is the possibility that password vaults may be cracked via "brute force" guessing techniques. Customers cannot prevent that guessing, because it runs offline against the stolen copy; what they can do is make a successful crack worthless by changing the passwords stored in the vault, starting with any that are re-used across sites and any that protect email, banking or other high-value accounts. Changing the master password is still worthwhile, but it only protects the live account, not the copy already in the attackers' hands.

LastPass also noted that business customers using its Federated Login Services are at no special risk; the attackers did not have access to the stored key fragments necessary to access the hidden master password this system employs. The company has contacted about 3% of its business customers that use less secure configurations to advise them of actions they should take to remain secure.

The company listed a number of security improvements it has made since the August incident, including completely rebuilding its development environment and rotating all credentials and certificates that may have been impacted. But this does not change the fact that password vaults were exfiltrated, and while they may be very difficult to crack (given the 12-character minimum master password enforced since 2018) it is always possible that they will be broken open at some future point. Changing passwords at this point only secures the current iterations of password vaults (though still a very prudent idea, along with enabling the optional two-factor authentication feature, which protects logins to the live account but does nothing for a vault copy that is decrypted offline).

Stolen password vaults raise questions about management service security

Password management services are often touted as both an ideal solution to having to juggle dozens of unique login credentials, and an enhanced form of login security far superior to the standard method. But as this incident demonstrates, the reliability of such a service all comes down to the ability to protect password vaults from theft and cracking.

This concern extends past when one stops using the service. Former customers whose vaults were still present in the backups that were copied, including those who left the service between August and the disclosure of the breach, have lost those vaults just as current users have, leaving a collection of login information that may end up circulating on the dark web. Older vaults raise even greater concern: prior to 2018, LastPass allowed shorter master passwords and used a weaker key derivation setting (a default of 5,000 PBKDF2 iterations, versus the 100,100 adopted in 2018), and because the iteration count is stored per account, an old vault carries whatever setting it had when the master password was last changed.
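The "brute force" risk, the 12-character minimum and the pre-2018 key-derivation weakness discussed above are easier to reason about in code. The following is an added example written for this page, not LastPass's own code: it derives keys the way LastPass's published scheme describes (PBKDF2-HMAC-SHA256, salted with the account email, 100,100 iterations by default since 2018 and 5,000 before), then runs an offline guessing loop against a constructed stand-in for a stolen vault. The vault container, its check value, the email address and the wordlist are all constructed for the illustration and are not LastPass's real format.

```python
import hashlib
import hmac
import time

# LastPass's published key-derivation scheme: PBKDF2-HMAC-SHA256 over the master
# password, salted with the (lower-cased) account email, 32-byte output. The
# 100,100-iteration default dates from 2018; older accounts could sit at 5,000.
# Everything else below (the "vault" container and its check value) is a
# constructed stand-in for this illustration, not LastPass's real format.
KEY_LEN = 32
ITER_LEGACY = 5_000
ITER_CURRENT = 100_100


def vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the vault encryption key as the published scheme describes it."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, KEY_LEN
    )


def login_hash(master_password: str, email: str, iterations: int) -> bytes:
    """One further PBKDF2 round keyed on the vault key; this value, not the key,
    is what the client presents to the server at login."""
    key = vault_key(master_password, email, iterations)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1, KEY_LEN)


def make_stolen_vault(email: str, master_password: str, iterations: int) -> dict:
    """Constructed stand-in for an exfiltrated vault blob. Against the real format
    an attacker tests a candidate key by decrypting a field and checking padding
    or a known structure; here a hash of the key plays that role."""
    key = vault_key(master_password, email, iterations)
    return {
        "email": email,            # stored in the clear, so the salt is known
        "iterations": iterations,  # also stored in the clear, per account
        "check": hashlib.sha256(key).digest(),
    }


def crack_vault(vault: dict, candidates) -> tuple:
    """Offline guessing against a stolen copy. Returns (password or None, number
    of PBKDF2 derivations spent). Nothing the victim changes online after the
    theft affects this loop; only the master password strength and the
    iteration count at the time of theft do."""
    spent = 0
    for cand in candidates:
        spent += 1
        key = vault_key(cand, vault["email"], vault["iterations"])
        if hmac.compare_digest(hashlib.sha256(key).digest(), vault["check"]):
            return cand, spent
    return None, spent


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of the given length at a measured rate."""
    return (alphabet_size ** length) / guesses_per_second


def measure_rate(email: str, iterations: int, samples: int = 3) -> float:
    """Single-core PBKDF2 guesses per second at this iteration count. GPU rigs
    are orders of magnitude faster, so treat this as a floor on attacker speed."""
    start = time.perf_counter()
    for i in range(samples):
        vault_key(f"guess{i}", email, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    email = "victim@example.com"  # constructed
    # Constructed wordlist: the victim's re-used password among decoys.
    wordlist = ["summer2019", "letmein!", "Winter2022!!", "P@ssw0rd"]
    for iters in (ITER_LEGACY, ITER_CURRENT):
        stolen = make_stolen_vault(email, "Winter2022!!", iters)
        found, spent = crack_vault(stolen, wordlist)
        rate = measure_rate(email, iters)
        print(f"{iters:>7} iterations: found {found!r} after {spent} guesses, "
              f"~{rate:.1f} guesses/s on one core, "
              f"{seconds_to_exhaust(62, 8, rate) / 86400:.0f} days for all 8-char alphanumerics")
```

Running the script shows the point of the two defaults directly: the same wordlist succeeds at both settings, but every guess at 5,000 iterations costs roughly a twentieth of a guess at 100,100, so a vault stolen with the legacy setting is about twenty times cheaper to exhaust. The per-account `iterations` field sits in the clear next to the ciphertext, so an attacker can sort stolen vaults by cost before starting.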

Another concern is that, in the prior breach, LastPass admitted that the attackers took some source code and "LastPass proprietary technical information." What exactly that means is unknown outside the company. One plausible reading is that the credentials abused to reach the cloud storage and steal the password vaults were sitting in that source code, though LastPass has not said so. Customers are left to wonder what else was sitting in there, or what future vulnerabilities the attackers might find as they pore over all of this "technical information."

The most immediate knowable threat to LastPass customers, assuming the password security is as advertised, is phishing. The unencrypted information provides ample opportunity for highly targeted phishing attempts, conveniently paired with an account email address and potentially a phone number that is used for 2FA verification purposes.

Mike Walters, VP of Vulnerability and Threat Research at Action1, elaborates on this threat: “Users should beware of sophisticated phishing attacks aimed at stealing their master password. An attacker can pretend to be LastPass, regulatory authorities, and other organizations and trick users into sharing their credentials. Remember, modern phishing can go beyond average emails and combine different communication channels, such as phone calls, SMS, messengers, and others. I recommend that all users change their master passwords and enforce password security best practices. It includes creating a strong master password at least 30 characters long, re-encrypting the password vault, and enabling multi-factor authentication (MFA).”

The incident caps off a very bad year for LastPass's security reputation, a good deal of which was self-inflicted by its failure to be forthright with customers in the wake of data breaches. The company still holds the largest password management market share at about 21%, but has numerous smaller competitors lined up behind it that will likely see some benefit from this.

The market may also take a blow as a whole, however, with potential new users that see what happened with LastPass and ultimately decide a management tool is not worth their time. But the exposure from incidents such as these can be sharply reduced if password management services encrypt all user information, including the URLs and account details exposed here, on the client before it is handed off to the host company; what is never sent in the clear cannot be read out of a stolen backup.