LastPass Hack Update: user vault data and information stolen
Password management service LastPass announced today that the password breach disclosed in August 2022 was more serious than initially thought. The update confirms that user vault data and personal information were obtained by the threat actor.
Password management company LastPass published an update today regarding the fallout of a security breach that happened in August 2022. Back then, according to the company, the attackers were able to steal source code and proprietary technical information.
The attacker used the obtained data for another attack. LastPass confirmed that it suffered another data breach, this time of a third-party cloud storage service that it shares with its former parent company GoTo. User information was obtained by the attacker, but according to LastPass' initial message regarding the incident, the attackers did not access user vaults.
Today, LastPass confirmed that the hack was more serious than that. A new post on the official company blog confirms that the attacker was able to "copy a backup of customer vault data". This backup includes both unencrypted and encrypted data. Unencrypted data includes website URLs as well as metadata, including "company names, end-user names, billing addresses, email addresses, telephone numbers" and the IP addresses from which customers accessed LastPass. Even worse, the backup includes encrypted fields that contain a customer's usernames and passwords, secure notes and form-fill data. These are encrypted with 256-bit AES according to LastPass, but the attacker may attempt to brute force them to gain access to user vaults. The master password is not stored by LastPass, which means that the attacker could not obtain it.
Unencrypted credit card information was not accessed, according to LastPass. Complete credit card numbers are not stored, and the company does not archive credit card information in the cloud storage environment.
User data is at risk
The attacker managed to obtain a treasure trove of information during the hack. Not only did they manage to obtain customer data, such as names, phone numbers and email addresses, they also managed to obtain customer vault data. While most of the vault data is encrypted, all that stands between the attacker and that data is the master password.
A weak master password is broken easily with brute force attempts. LastPass' best practices regarding master passwords may protect customer data against brute force attacks, as the company recommends passwords with at least 12 characters and a mix of numbers, letters and special characters.
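As an added example (not from the LastPass post or this article), a small Python check of whether a candidate master password meets the policy stated above, together with a worst-case estimate of how long exhausting its keyspace would take. The guess rate is an assumption: the real cost depends on the vault's key-derivation settings, which the article does not state, and a dictionary attack on a predictable password needs far fewer guesses than the keyspace bound.

```python
import string

# Character classes behind the "numbers, letters and special characters" recommendation.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classes_used(pw):
    """Names of the character classes that actually appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def meets_policy(pw, min_len=12):
    """True when pw is at least min_len characters and mixes letters, numbers and special characters."""
    used = classes_used(pw)
    has_letters = "lower" in used or "upper" in used
    return len(pw) >= min_len and has_letters and "digit" in used and "special" in used


def keyspace(pw):
    """Upper bound on guesses needed: alphabet of the classes pw uses, raised to its length."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return alphabet ** len(pw)


def years_to_exhaust(pw, guesses_per_second):
    """Worst-case time to try every candidate at the assumed (hypothetical) guess rate."""
    return keyspace(pw) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample candidates, assuming a hypothetical 1e9 guesses/s against the key derivation.
    for candidate in ("password", "Tr0ub4dor&3", "Correct-Horse-Battery-9"):
        print(f"{candidate!r}: policy={meets_policy(candidate)}, "
              f"worst-case years={years_to_exhaust(candidate, 1e9):.3g}")
```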
The threat actor may use the discovered information for social engineering or phishing attacks. Since information such as email addresses, names and phone numbers were obtained, they may target LastPass customers using multiple attack vectors. Phishing emails, phone calls, and even letters may be used to obtain the master password to unlock vault data.
It is unclear from LastPass' announcement whether customer information and vault data can be linked by the attacker. If that is the case, unencrypted data, such as website URLs, may also lead to extortion.
This is the worst case scenario for any password management service and its customers. LastPass customers should take this very seriously and start to act immediately.
In particular, it is important to do the following:
- Change the master password immediately, making sure that it is unique and strong.
- Change all stored login information for all sites in the vault, especially if the original master password could be considered weak.
- Pay good attention to any emails, phone calls, letters, chat messages and other means of communication regarding LastPass.
Even when customers act swiftly and make the necessary changes to protect their data, the attacker may still obtain the old information through successful brute force attacks. While that may not lead to account compromises, it may provide the attacker with detailed information about a customer's activity on the Internet. It may also reveal confidential information, such as details about a company's infrastructure or production environments.
Now You: is your data affected? What would you do immediately?