LastPass CEO, Karim Toubba, has confirmed that a threat actor has stolen customer password vaults. This follows a disclosure in August that an unauthorized party had successfully hacked development servers and stolen source code and some LastPass technical information. At that time, Toubba said there was no evidence of customer data or password vaults being accessed. Fast forward to the end of November, and LastPass stated information obtained during that earlier compromise had enabled a threat actor to access “certain elements” of customer data within a third-party cloud storage service. Again, it was stressed that customer passwords remained “safely encrypted.” In a report published December 1, a security expert explained it was unclear what information had been obtained by the attacker. Now, it would appear we know. And it doesn’t make for very reassuring reading.
In the December 22 update, Toubba explains how the threat actor was able to “access and decrypt some storage volumes” from the cloud-based storage service, physically separate from the LastPass production environment. The problem is that this service stored backups, including backups of customer vault data. These backups, Toubba explained, are stored in a proprietary binary format and contain both encrypted and unencrypted data. The encrypted data includes website credentials such as usernames and passwords, as well as any secure notes that may have been entered. This data is encrypted using 256-bit AES encryption and requires the user’s master password to decrypt. The plaintext data would appear to be website URLs.
How this impacts you as a LastPass customer really depends upon how strong your master password is. If it’s something short and memorable, perhaps even a string you use elsewhere, then you could be in immediate trouble. Although Toubba states that LastPass’ Zero Knowledge architecture means that sensitive vault data, including site passwords, are safely encrypted, he does admit that users with weak master passwords “should consider minimizing risk by changing the passwords of websites you have stored.” Whether or not you believe your “Master Password” is strong enough, changing just your Master Password is akin to closing the barn door after the horse has escaped. The hacker/cyber-criminal was able to exfiltrate the entire LastPass password database from a server that was used to back up the password vaults. At this time, I strongly recommend changing ALL of your saved passwords in LastPass. You should also be changing that master password to something much stronger. While LastPass requires at least 12 characters for a master password, I’d argue this is far too short today: my recommendation is to double that. Using passphrases can help create a strong and long password.
In his statement, Toubba states that encrypted fields in the data vault can only be decrypted using the “unique encryption key derived from each user’s master password.” Given that a cyber-criminal has an entire copy of LastPass’ password database file backup, it’s only a matter of time before they break the encryption and begin their attacks.
Do you need to quit LastPass?
Whether you think LastPass is a service you can continue to trust or not is for you to decide. The transparency in companies declaring breaches is always to be applauded, although many questions remain as to why it has taken LastPass so long (almost 4 months) to determine and disclose that actual password vaults had been stolen. Based on this information, I can no longer recommend LastPass as a secure password vault.
No company can be 100% safe from breaches; that’s a simple truth, but trust is paramount in the world of password management, and there can be little doubt that this trust has been broken for LastPass users.
Credit and thanks to Davey Winder – Forbes Magazine
https://www.forbes.com/sites/barrycollins/2022/12/29/leaving-lastpass-heres-where-to-go-next
David’s Alert to our clients:
LastPass Password Manager Breach
We finally know the extent of the LastPass breach and it is not a good situation. The breach was disclosed back in August 2022 by LastPass when they told their users that an unauthorized party got into some development servers and stole source code and some LastPass technical information.
Fast forward to the end of November, when LastPass stated that information obtained during that earlier compromise had enabled a threat actor to access “certain elements” of customer data within a third-party cloud storage service. Again, it was stressed that customer passwords remained “safely encrypted.”
In the December 22 update, LastPass explains how the threat actor was able to “access and decrypt some storage volumes” from the cloud-based storage service, physically separate from the LastPass production environment. The problem is that this cloud-based storage service stored backups, including entire backups of customer vault data.
In his statement, LastPass CEO Karim Toubba states that encrypted fields in the stolen vault data can only be decrypted using the “unique encryption key derived from each user’s master password.” That is exactly the problem. Because the cyber-criminal holds an entire backup copy of LastPass’ vault database, there is no server, rate limit or account lockout standing in the way. The attacker does not need to break AES-256 itself; they can run master-password guesses through the same key derivation offline, at whatever speed their hardware allows, and every vault protected by a short, common or reused master password will be opened in time. Changing your master password now does nothing for the copy that has already been stolen, because that copy was encrypted under the old one.
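To make the “derived from each user’s master password” point concrete, here is an added example of the offline attack an attacker can run against a stolen backup. This is my own illustration, not LastPass code. What it takes from the LastPass statement: vault fields are AES-256 encrypted under a key derived from the master password with PBKDF2-HMAC-SHA256, 100,100 iterations by default. What it assumes: the lowercased account email as the PBKDF2 salt (my restatement of LastPass’s published design), an HMAC “key check” standing in for trial-decrypting a known-format AES field, and the two sample accounts and the short wordlist, which are constructed for the example. The attacker rates fed to the cost estimate are placeholders, not measured figures.

```python
"""Why master-password strength decides the outcome of the LastPass vault theft.

Added example (not LastPass code). From the LastPass statement: vault fields are
AES-256 encrypted under a key derived from the master password with
PBKDF2-HMAC-SHA256, 100,100 iterations by default. ASSUMED here: the lowercased
email as PBKDF2 salt, an HMAC key check standing in for a known-plaintext AES
field, and the constructed accounts, wordlist and attacker rates.
"""
import hashlib
import hmac

ITERATIONS_DEFAULT = 100_100  # LastPass default for accounts created after 2018
ITERATIONS_LEGACY = 5_000     # older accounts that were never migrated


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the 32-byte AES-256 vault key the way an offline attacker must:
    the only secret input is the master password; salt and iteration count
    travel with the stolen backup."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),  # ASSUMPTION: lowercased email as salt
        iterations,
        dklen=32,
    )


def key_check_value(key: bytes) -> bytes:
    """Constructed stand-in for a known-plaintext field. A real attacker confirms
    a candidate key by AES-decrypting a field whose structure is known; that
    check costs nothing next to the PBKDF2 work in derive_vault_key."""
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()


def steal_backup(email: str, master_password: str, iterations: int) -> dict:
    """What the attacker walks away with: salt, iteration count, ciphertext.
    The master password is NOT in the backup; it is only used to build the sample."""
    key = derive_vault_key(master_password, email, iterations)
    return {"email": email, "iterations": iterations, "check": key_check_value(key)}


# Constructed wordlist: the kind of entries that head every leak-derived list.
WORDLIST = [
    "123456", "password", "qwerty123", "letmein", "Password1",
    "Welcome1", "iloveyou", "Summer2022!", "admin123", "Lastpass1",
]


def offline_attack(backup: dict, wordlist) -> tuple:
    """Try each candidate master password against the stolen backup.
    Returns (recovered_password_or_None, guesses_made, pbkdf2_iterations_spent)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        key = derive_vault_key(candidate, backup["email"], backup["iterations"])
        if hmac.compare_digest(key_check_value(key), backup["check"]):
            return candidate, guesses, guesses * backup["iterations"]
    return None, len(wordlist), len(wordlist) * backup["iterations"]


def passphrase_keyspace(word_count: int, dictionary_size: int = 7776) -> int:
    """Guesses needed to exhaust a random passphrase drawn from a Diceware-sized
    list: the attacker must enumerate the whole list for every position."""
    return dictionary_size ** word_count


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Wall-clock years at the attacker's PBKDF2 rate for this iteration count.
    guesses_per_second comes from your own threat model; none is asserted here."""
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Two constructed victims: Alice reused a weak, memorable password and sits on
    # the legacy iteration count; Bob chose a five-word random passphrase.
    alice = steal_backup("alice@example.com", "Summer2022!", ITERATIONS_LEGACY)
    bob = steal_backup("bob@example.com", "velvet-orbit-lantern-quartz-ember", ITERATIONS_DEFAULT)

    print("alice:", offline_attack(alice, WORDLIST))  # recovered on the 8th guess
    print("bob:  ", offline_attack(bob, WORDLIST))    # wordlist exhausted, nothing recovered

    # No wordlist reaches Bob; estimate a full-keyspace attack with placeholder rates.
    space = passphrase_keyspace(5)
    for rate in (1e4, 1e6):  # hypothetical guesses/s at 100,100 iterations
        print(f"5 random words at {rate:.0e} guesses/s: {years_to_exhaust(space, rate):.2e} years")

    # Cost scales linearly with the iteration count: legacy accounts are ~20x cheaper to attack.
    print("default-vs-legacy cost ratio:", ITERATIONS_DEFAULT / ITERATIONS_LEGACY)
```

Two things fall out of running it. First, nothing in the stolen data slows the attacker down except the iteration count and the master password itself, so a reused or guessable master password is found in seconds regardless of AES-256. Second, the same wordlist gets nowhere against a random multi-word passphrase, and even a full-keyspace attack is measured in ages; that is the concrete reason for the “double the 12 characters, use a passphrase” advice, and for changing the site passwords rather than hoping the old master password holds.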
Based on this information, it is our very strong recommendation that every LastPass user immediately log into every account for which you have a saved password in LastPass and change that password.
Although I understand this is a monumental undertaking, you’ll need to take action right away. Start with the most valuable passwords like Amazon accounts where you will most likely have a credit card linked to your account, banking accounts, mortgage companies, insurance companies and any logins with information that an attacker could use for identity theft.
I strongly recommend that you also enable 2FA (two-factor authentication) on every account that offers it, so that a password recovered from the vault is not enough on its own to log in. This is the best way to protect yourself and your passwords in the future. One caveat: if you stored 2FA seeds, backup codes or security-question answers as LastPass secure notes, those sit in the same encrypted backup that was stolen, so re-enrol 2FA on those accounts rather than relying on the old seeds.
Do you need to quit LastPass?
Whether you think LastPass is a service you can continue to trust or not is for you to decide. The transparency in companies declaring breaches is always to be applauded, although many questions remain as to why it has taken LastPass so long (almost 4 months) to determine and disclose that actual password vaults had been stolen. Based on this information, I will no longer recommend LastPass as a secure password vault.
No company can be 100% safe from breaches; that’s a simple truth, but trust is paramount in the world of password management, and there can be little doubt that this trust has been broken for LastPass users.
ACTSmart has a password management solution (PassPortal) that you can move to. PassPortal is the application we use for managing our clients’ secure passwords. Pam and I have been using LastPass for years for our personal use and are moving to PassPortal.
Give me a call if you’re interested. 781-826-9665
~David Snell