LastPass Hack Update: user vault data and information stolen
Password management service LastPass announced today that the breach it disclosed in August 2022 was more serious than initially thought. The update confirms that the threat actor obtained customer vault data and personal information.
Password management company LastPass published an update today on the fallout of a security breach that happened in August 2022. According to the company, the attackers were able to steal source code and proprietary technical information at the time.
The attacker then used that information to mount a second attack. LastPass confirmed that it suffered another data breach, this time of a third-party cloud storage service it shares with its former parent company GoTo. According to LastPass' initial statement on that incident, the attacker obtained user information but did not access user vaults.
Today, LastPass confirmed that the incident is more serious than that. A new post on the official company blog confirms that the attacker was able to "copy a backup of customer vault data". The backup contains both unencrypted and encrypted data. The unencrypted part includes website URLs as well as metadata such as "company names, end-user names, billing addresses, email addresses, telephone numbers" and the IP addresses customers used to access LastPass. Worse, it also includes the encrypted fields that hold customers' usernames and passwords, secure notes and form-fill data. According to LastPass, these fields are encrypted with 256-bit AES using a key derived from the customer's master password. LastPass does not store the master password, so the attacker could not take it from the backup. What the attacker can do is guess master passwords offline against the stolen ciphertext, with no rate limit or lockout to slow the attempts, which is how a weak master password gets brute forced.
Unencrypted credit card information was not accessed, according to LastPass: complete credit card numbers are not stored, and the company does not archive credit card information in the cloud storage environment.
User data is at risk
The attacker obtained a treasure trove of information during the hack: not only customer data, such as names, phone numbers and email addresses, but also customer vault data. While most of the vault data is encrypted, all that stands between the attacker and that data is the master password.
A weak master password is broken easily by brute force. LastPass' best practices for master passwords, which call for at least 12 characters and a mix of numbers, letters and special characters, may protect customer data against such attacks; a vault protected by a short, common or reused master password should be treated as exposed.
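To make the brute-force threat described above concrete, here is an added example that is not code from the article or from LastPass. It models an attacker who holds one stolen, encrypted vault field plus the unencrypted account e-mail, derives a vault key from each candidate master password and checks whether the decrypted field looks like real text. Two things are assumptions rather than facts from this page: that the key is derived with PBKDF2-HMAC-SHA256 over the e-mail address with 100,100 iterations (LastPass' documented default at the time; older accounts may have fewer), and that an HMAC-SHA256 counter-mode keystream stands in for AES-256, since the Python standard library has no AES. The cost per guess is dominated by the key derivation either way, which is exactly why the strength of the master password decides the outcome.

```python
# Added illustration (not LastPass code): offline guessing against a stolen,
# encrypted vault record, and why the master password decides the outcome.
#
# Assumptions, labelled: LastPass documented PBKDF2-HMAC-SHA256 with the
# account e-mail as salt and 100,100 iterations as its default at the time
# (older accounts may have fewer); the standard library has no AES, so an
# HMAC-SHA256 keystream stands in for AES-256 here. The attacker's cost per
# guess is dominated by the key derivation in either case.
import hashlib
import hmac
import itertools
import time

DEFAULT_ITERATIONS = 100_100  # assumed LastPass default, see above


def derive_key(master_password: str, email: str, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """256-bit vault key from the master password; the server never sees the password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for AES-256)."""
    out = bytearray()
    for counter in itertools.count():
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        if len(out) >= length:
            return bytes(out[:length])


def encrypt_field(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


decrypt_field = encrypt_field


def looks_like_plaintext(candidate: bytes) -> bool:
    """Attacker's offline oracle: a username field is printable text, junk is not."""
    return all(32 <= b < 127 for b in candidate)


def crack(stolen_record, email, wordlist, iterations=DEFAULT_ITERATIONS):
    """Try each candidate master password offline.

    Returns (password, guesses) on success or (None, guesses) when the list is exhausted.
    """
    nonce, ciphertext = stolen_record
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        key = derive_key(candidate, email, iterations)
        if looks_like_plaintext(decrypt_field(key, nonce, ciphertext)):
            return candidate, guesses
    return None, guesses


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of the given length at the given rate."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    # Constructed sample record: a vault entry whose username field is encrypted
    # under a weak master password, plus the unencrypted e-mail from the backup.
    email = "alice@example.com"
    nonce = b"\x00" * 12
    weak_master = "Summer2022!"
    record = (nonce, encrypt_field(derive_key(weak_master, email), nonce, b"alice@example.com"))

    # A small constructed wordlist of the kind an attacker would start with.
    wordlist = ["password", "123456", "lastpass", "Summer2022!", "letmein"]
    start = time.perf_counter()
    found, guesses = crack(record, email, wordlist)
    rate = guesses / (time.perf_counter() - start)
    print(f"recovered master password {found!r} after {guesses} guesses "
          f"({rate:.1f} guesses/s on this machine, single core)")

    # Scaling: the same attacker at a hypothetical 1e6 guesses/s (an assumption),
    # against the 12-character mixed-charset minimum from LastPass' best practices.
    years = seconds_to_exhaust(95, 12, 1e6) / (365 * 24 * 3600)
    print(f"exhausting 95^12 at 1e6 guesses/s: about {years:.2e} years")
```

Run it once to see the weak password fall on the fourth guess, then compare the printed single-core rate with the `seconds_to_exhaust` figure: a dictionary password costs the attacker seconds, while a 12-character random one costs longer than the attacker has, and only the iteration count and the password itself move that number. Note that the unencrypted e-mail doubles as the salt in this model, so the attacker loses nothing by its being in the clear; the password does all the work.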
The threat actor may also use the stolen data for social engineering or phishing attacks. Since email addresses, names and phone numbers were obtained, LastPass customers can be targeted over multiple channels: phishing emails, phone calls and even letters may be used to trick them into revealing the master password that unlocks their vault data. LastPass itself has no use for the master password, so any request for it, whatever the channel, is fraudulent.
It is unclear from LastPass' announcement whether the attacker can link customer information to vault data. If so, the unencrypted website URLs alone reveal which services a customer uses and may lead to extortion.
Closing Words
This is the worst-case scenario for any password management service and its customers. LastPass customers should take this very seriously and act immediately.
In particular, it is important to do the following:
- Change the master password immediately, making sure that it is unique and strong.
- Change all stored login information for all sites in the vault, especially if the original master password could be considered weak.
- Pay close attention to any emails, phone calls, letters, chat messages and other communication regarding LastPass.
Even when customers act swiftly and make the necessary changes to protect their data, the attacker may still recover the old information with a successful brute-force attack. While that may not lead to account compromises once the stored credentials have been changed, it still gives the attacker a detailed picture of a customer's activity on the Internet, and it may reveal sensitive information such as details of a company's infrastructure or production environments.
Now You: is your data affected? What would you do immediately?
LASTPASS being bought by “LogMeIn” around 2015, and LogMeIn being a Remote Access software company, should have been the proverbial RED FLAG for anyone who subscribed to LASTPASS at that time. “IT WAS FOR ME”. LogMeIn has been notorious for nefarious users stealing others’ confidential files and information, from young to old, from their respective machines through REMOTE ACCESS!
Seeing that level of anguish for stolen data that is end-to-end encrypted, imagine that the US surveillance state does not even need to steal it from LastPass, and has probably much higher abilities to decrypt it than the petty criminal scenario that is considered here. It’s really worth considering the relevance of mass storing all passwords online centrally on a US company server.
I just don’t get, how could you trust strangers over your passwords, just get a pen + a notebook = and you’re good to go. It’s easy, safe, portable. It’s the best.
This incident is one of the many very bad examples of a privacy & security company, and the reason is mostly BAD PRACTICE. LastPass reminds every single one of us to be more cautious about privacy & security, because we may believe in fake things. As Epictetus puts it: “It is impossible for a man to learn what he thinks he already knows.” As Marcus Aurelius puts it: “Waste no more time arguing about what a good man should be. Be one.” And lastly, as Seneca puts it: “The fool, with all his other faults, has this also, he is always getting ready to live.” Don’t “get ready” to implement and reinforce necessary & important things, no matter how small they are, do it now; do all the things that are necessary & important, no matter how small they are, do it now.
I don’t use cloud storage in any shape or form. Keepass is my tried and trusted password manager and since it’s located on my local machine there’s zero chance that the data could be hijacked.
@TelV – Not “zero chance” that your data could be breached… Have you ever heard of malware? Password breaches aren’t the only things you should be wary of. A simple worm or trojan horse or, god forbid, Remote Access malware could easily peruse your local machine, make images of your hard drive/s and then go through your files for your PW.txt or Keepass file or whatever.
This news was the final straw. Deleted account and changed all passwords that were stored on LastPass. Have a local password manager and MAY consider Bitwarden in the future.
In particular, it is important to do the following:
Change the master password immediately, making sure that it is unique and strong.
Change all stored login information for all sites in the vault, especially if the original master password could be considered weak.
Pay good attention to any emails, phone calls, letters, chat messages and other means of communication regarding LastPass.
The only needed action is the last one. Since not even LastPass has any master passwords, and you are using the default settings with a unique master password, it would take millions of years for someone to brute force hack a vault they stole. There is no need to change the master password, or any saved passwords.
Pen + Paper + Safe = Golden
LastPass was so secure 2 years ago when I created my account that after a day it locked me out of my account when I knew my master password. All the vault data was gone and I switched to Bitwarden as a cloud based password manager. Never looked back.
Use a strong password manager for anything and use open source password manager and backup file as well just in case.
Pretty funny to see how many people here think they are safe by only using local password storage. When the websites you sign into get hacked, the hackers get your passwords – they don’t need your password vault. And since most people use variations of the same passwords for most sites, all you need to do is have one of your sites compromised and you lose a bunch of them.
The best solution is the same one as always – generate different, random passwords for each site that are as complex as allowed, save them in some sort of password manager so you don’t have to remember them all, and change them all every few months.
@Andy Prough , I’m not sure anyone stated being “safe by only using local password storage” but that local password storage contributed to safety, implicitly, rather. This said I fully agree with your comment. Regarding cloud pw-managers but not only my belief is that the seriousness, professionalism, proved privacy and security of an app/software is more important than a general, principle approach. I’d add to your wise advice that choosing a different email (aliases and/or disposable email addresses) contributes as well to privacy/security by means of compartmentalization, something never to forget and to always practice.
@Tom Hawack, The good thing about the cloud password managers is that Ghacks will always tell you when they have been hacked, and you’ll know to change all your passwords right away. There’s a popular one that starts with a “b” that I don’t think has ever been compromised. LastPass, on the other hand, has probably been hacked 3 or 4 times over the years.
I agree on disposable email addresses, I like the fact that we have a lot of tools these days to generate them for us.
Why do Silicon Valley companies keep getting breached so often?
First thought was “Oh, not a Silicon Valley company for once”. Then saw that LogMeIn was sold to Francisco Partners 3 years ago.
Don’t put all your eggs in one basket, as the old saying goes. Especially someone else’s basket that you’re entrusting your eggs (passwords) to. Convenience is nice, but it also means more risk. Obviously these companies cannot be trusted to protect anything.
“Many of us store confidential data in the cloud….”
Up to everyone how they store their data/information but I would never trust cloud storage companies.
They can block access etc at any time and I don’t trust any of them to properly safeguard MY data.
KeepassXC has never been audited. Screw that for a game of soldiers. And the original Keepass looks like something out of the Ark.
No. I think I will stick with LastPass, thank you very much.
They talk about that here: https://keepassxc[DOT]org/docs/#faq-audit
In any case, the full source code is on github, if someone skilled wants to examine it.
Yeah, this is like the 3rd time this year that hackers have compromised LastPass. It should never be trusted. I am glad I never used it. The best password manager is the one you install locally and that has no access to the Cloud.
Until your hard disk and backup fail. Don’t say that’s unlikely. I had two backup drives fail on the same day. Fortunately my HDD did not fail. More recently, my Home version of Windows, set up with a local account, decided to amuse me by requiring a Bitlocker key (by default, Bitlocker was supposed to be not available on the Home edition, and there was no key in my M$ account because Windows was configured with a local account). In this case, the only way I could get it running again was a factory reset. Fortunately, all data were backed up to the cloud.
Over the past few years in this part of the world people have lost everything they own due to fire or flood (which would include all on-site backup).
The point of the story is you need flexibility. Rely solely on on-site data, and you may lose the works. Rely solely on the cloud, and you may lose that. By all means use KeyPass, but make sure you keep an encrypted cloud backup.
Many comments emphasize the risk, not to mention the privacy absurdity, of using cloud pw-managers and bounce on LastPass’ hack to further argue their position. Fine. But what about cloud storage as a whole, independently of having it manage one’s passwords? Many of us store confidential data in the cloud, perhaps including some of those who make an exception for login management. Is this coherent? I mean, if we consider that the cloud doesn’t deserve our confidence for passwords, then should it deserve it for any other confidential data?
Seriously after so many leaks someone still uses their services?
There are good and bad sides to cloud pw-managers. The good side is that you always have access to it, no matter which device you’re on, and even if you get a new phone. It’s easy.
As long as your master password is pretty good, they won’t be able to use the encrypted data for anything. I use Password Crypt.
Actually, I was wrong just above, and I clearly understand WHY people trust cloud PW managers.
It is due to websites like this one (not only this one, ALL similar websites do the same) that regularly publish comparisons between different PW managers.
And in these comparisons, the risk of such a cloud architecture is NEVER mentioned. They always prefer to insist on the fact that this GUI is prettier, or that one looks old school…
But what is the importance of the GUI aspect vs DATA SECURITY, which should be the ONLY criterion to take into account for a PW manager?
And this should always give a “plus” to locally managed solutions… which are nevertheless always those with the worst note…
+1
I cannot understand how people may trust in cloud PW managers
While with Keepass (which I’m using) or any LOCALLY MANAGED PW manager, there is no risk of data loss. And even if it’s a little bit more complicated to use a common PW database on several devices, there are nevertheless quite easy solutions to do it.
I am not affected, as I never used Lastpass. I do not trust cloud pw managers , thus using KeepassXC and have a triple back-up strategy to protect my pw from loss.
My data is not affected. I am not ignorant enough to trust strangers with my passwords.
It’s really sad that so many people are not sufficiently educated about how the devices they are sold actually work.
It’s just plain wrong that others are allowed to profit from that ignorance.
I have no sympathy for anyone who continues to use these terrible cloud services when there is a totally free alternative that has been available for many years. You’ve made your bed, now lie on it.
Why Oh why! after the last breach people should have used their last brain cell and dumped it. I guess after this breach people with no brain cells will continue to use it.
I’m not affected because I dumped LastPass over a year ago and now use free, open-source KeyPass. LastPass was an early leader in the password safe game, but has now repeatedly proven itself unworthy. It’s beyond me why people continue to use it.
I also recommend Bitwarden for those who need a cloud-hosted solution. Also free, also open-source.
I deleted my account early this year. Hopefully, they didn’t manage to access historical data.
@LPisGoneAlready,
> I deleted my account early this year. Hopefully, they didn’t manage to access historical data
Rejoice, indeed. One thing I’ve never had any certitude about when it comes to cloud storage is whether deleting one’s account automatically deletes the account’s data (perhaps not, or not always), and whether deleting all of the account’s data ourselves prior to closing it may contribute to a greater confidence that all of the account’s data is effectively removed from the cloud. In other words, when we delete cloud storage, do we delete the storage’s backup(s)? Perhaps it depends on the company’s storage policy and servers…
No feedback concerning LastPass, I don’t use it, fortunately as it seems.