LastPass's Breach Notice.
Article 1
Archive 1
The August 2022 security breach of LastPass may have been more severe than previously disclosed by the company.
The popular password management service on Thursday revealed that malicious actors obtained a trove of personal information belonging to its customers that include their encrypted password vaults by using data siphoned from the earlier break-in.
Also stolen is "basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," the company said.
The August 2022 incident, which remains a subject of an ongoing investigation, involved the miscreants accessing source code and proprietary technical information from its development environment via a single compromised employee account.
LastPass said this permitted the unidentified attacker to obtain credentials and keys that were subsequently leveraged to extract information from a backup stored in a cloud-based storage service, which it emphasized is physically separate from its production environment.
On top of that, the adversary is said to have copied customer vault data from the encrypted storage service. It's stored in a "proprietary binary format" that contains both unencrypted data, such as website URLs, and fully-encrypted fields like website usernames and passwords, secure notes, and form-filled data.
These fields, the company explained, are protected using 256-bit AES encryption and can be decoded only with a key derived from the users' master password on the users' devices.
LastPass confirmed that the security lapse did not involve access to unencrypted credit card data, as this information was not archived in the cloud storage container.
The company did not divulge how recent the backup was, but warned that the threat actor "may attempt to use brute-force to guess your master password and decrypt the copies of vault data they took," as well as target customers with social engineering and credential stuffing attacks.
It bears noting at this stage that the success of the brute-force attacks to predict the master passwords is inversely proportional to their strength, meaning the easier it is to guess the password, the lesser the number of attempts required to crack it.
"If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the internet to attempt to access your account," LastPass cautioned.
The fact that website URLs are in plaintext means that a successful decryption of the master password could give the attackers a sense of the websites a particular user holds accounts with, enabling them to mount additional phishing or credential theft attacks.
The company further said that it notified a small subset of its business customers – which amounts to less than 3% – to take certain unspecified action based on their account configurations.
The development comes days after Okta acknowledged that threat actors gained unauthorized access to its Workforce Identity Cloud (WIC) repositories hosted on GitHub and copied the source code.
Article 2
Archive 2
Pictured: the encrypted vault with your passwords.
LastPass has a doozy of an updated announcement about a recent data breach: the company — which promises to keep all your passwords in one, secure place — is now saying that hackers were able to “copy a backup of customer vault data,” meaning they theoretically now have access to all those passwords if they can crack the stolen vaults (via TechCrunch).
If you have an account you use to store passwords and login information on LastPass, or you used to have one and hadn’t deleted it before this fall, your password vault may be in hackers’ hands. Still, the company claims you might be safe if you have a strong master password and its most recent default settings. However, if you have a weak master password or less security, the company says that “as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.”
That might mean changing the passwords for every website you trusted LastPass to store.
While LastPass insists passwords are still secured by the account’s master password, it’s hard to just take its word at this point, given how it’s handled these disclosures.
When the company announced it had been breached in August, it said it didn’t believe user data had been accessed. Then, in November, LastPass said it detected an intrusion, which apparently relied on information stolen in the August incident (it would’ve been nice to hear about that possibility sometime between August and November). That intrusion let someone “gain access to certain elements” of customer info. It turns out those “certain elements” were, you know, the most important and secret things that LastPass stores. The company says there’s “no evidence that any unencrypted credit card data was accessed,” but that would likely have been preferable to what the hackers actually got away with. At least it’s easy to cancel a card or two.
A backup of customers’ vaults was copied from cloud storage.
We’ll get to how this all went down in a bit, but here’s what LastPass CEO Karim Toubba is saying about the vaults being taken:
"The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."
Toubba says the only way a malicious actor would be able to get at that encrypted data, and therefore your passwords, would be with your master password. LastPass says it has never had access to master passwords.
That’s why he says, “it would be extremely difficult to attempt to brute force guess master passwords,” as long as you had a very good master password that you never reused (and as long as there wasn’t some technical flaw in the way LastPass encrypted the data — though the company has made some pretty basic security errors before). But whoever has this data could try to unlock it by guessing random passwords, AKA brute-forcing.
LastPass says that using its recommended defaults should protect you from that kind of attack, but it doesn’t mention any sort of feature that would prevent someone from repeatedly trying to unlock a vault for days, months, or years. There’s also the possibility that people’s master passwords are accessible in other ways — if someone re-uses their master password for other logins, it may have leaked out during other data breaches.
It’s also worth noting that if you have an older account (prior to a newer default setting introduced after 2018 ), a weaker password-strengthening process may have been used to protect your master password. According to LastPass, it currently uses “a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function,” but when a Verge staff member checked their older account using a link the company includes in its blog, it told them their account was set to 5,000 iterations.
Perhaps the more concerning bit is the unencrypted data — given that it includes URLs, it could give hackers an idea of which websites you have accounts with. If they decided to target particular users, that could be powerful information when combined with phishing or other types of attacks.
If I were a LastPass customer, I would not be happy with how the company has disclosed this info
While none of that is great news, it’s all something that could, in theory, happen to any company storing secrets in the cloud. In cybersecurity, the name of the game isn’t having a 100 percent perfect track record; it’s how you react to disasters when they happen.
And this is where LastPass has, in my opinion, absolutely failed.
Remember, it’s making this announcement today, on December 22nd — three days before Christmas, a time when many IT departments will largely be on vacation, and when people aren’t likely to be paying attention to updates from their password manager.
(Also, the announcement doesn’t get to the part about the vaults being copied until five paragraphs in. And while some of the information is bolded, I think it’s fair to expect that such a major announcement would be at the very top.)
LastPass says that the vault backup wasn’t initially compromised in August; instead, its story is that the threat actor used info from that breach to target an employee who had access to a third-party cloud storage service. The vaults were stored in and copied from one of the volumes accessed in that cloud storage, along with backups containing “basic customer account information and related metadata.” That includes things like “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” according to LastPass.
Toubba says the company is taking all sorts of precautions as a result of the initial breach, and the secondary breach that exposed the backups, including adding more logging to detect suspicious activity in the future, rebuilding its development environment, rotating credentials, and more.
That’s all good, and it should do those things. But if I were a LastPass user, I’d be seriously considering moving away from the company at this point, because we’re looking at one of two scenarios here: either the company didn’t know that backups containing users’ vaults were on the cloud storage service when it announced that it had detected unusual activity there on November 30th, or it did know and chose not to tell customers about the possibility that hackers had gotten access to them. Neither of those is a good look.
Article 1
Archive 1
LastPass Admits to Severe Data Breach, Encrypted Password Vaults Stolen
The August 2022 security breach of LastPass may have been more severe than previously disclosed by the company.
The popular password management service on Thursday revealed that malicious actors obtained a trove of personal information belonging to its customers that include their encrypted password vaults by using data siphoned from the earlier break-in.
Also stolen is "basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," the company said.
The August 2022 incident, which remains a subject of an ongoing investigation, involved the miscreants accessing source code and proprietary technical information from its development environment via a single compromised employee account.
LastPass said this permitted the unidentified attacker to obtain credentials and keys that were subsequently leveraged to extract information from a backup stored in a cloud-based storage service, which it emphasized is physically separate from its production environment.
On top of that, the adversary is said to have copied customer vault data from the encrypted storage service. It's stored in a "proprietary binary format" that contains both unencrypted data, such as website URLs, and fully-encrypted fields like website usernames and passwords, secure notes, and form-filled data.
These fields, the company explained, are protected using 256-bit AES encryption and can be decoded only with a key derived from the users' master password on the users' devices.
LastPass confirmed that the security lapse did not involve access to unencrypted credit card data, as this information was not archived in the cloud storage container.
The company did not divulge how recent the backup was, but warned that the threat actor "may attempt to use brute-force to guess your master password and decrypt the copies of vault data they took," as well as target customers with social engineering and credential stuffing attacks.
It bears noting at this stage that the success of the brute-force attacks to predict the master passwords is inversely proportional to their strength, meaning the easier it is to guess the password, the lesser the number of attempts required to crack it.
"If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the internet to attempt to access your account," LastPass cautioned.
The fact that website URLs are in plaintext means that a successful decryption of the master password could give the attackers a sense of the websites a particular user holds accounts with, enabling them to mount additional phishing or credential theft attacks.
The company further said that it notified a small subset of its business customers – which amounts to less than 3% – to take certain unspecified action based on their account configurations.
The development comes days after Okta acknowledged that threat actors gained unauthorized access to its Workforce Identity Cloud (WIC) repositories hosted on GitHub and copied the source code.
Article 2
Archive 2
Hackers stole encrypted LastPass password vaults, and we’re just now hearing about it
Last month, the company announced that threat actors had accessed “certain elements” of customer info. Just as many US workers are leaving for a holiday break, the company reveals that meant their encrypted passwords.Pictured: the encrypted vault with your passwords.
LastPass has a doozy of an updated announcement about a recent data breach: the company — which promises to keep all your passwords in one, secure place — is now saying that hackers were able to “copy a backup of customer vault data,” meaning they theoretically now have access to all those passwords if they can crack the stolen vaults (via TechCrunch).
If you have an account you use to store passwords and login information on LastPass, or you used to have one and hadn’t deleted it before this fall, your password vault may be in hackers’ hands. Still, the company claims you might be safe if you have a strong master password and its most recent default settings. However, if you have a weak master password or less security, the company says that “as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.”
That might mean changing the passwords for every website you trusted LastPass to store.
While LastPass insists passwords are still secured by the account’s master password, it’s hard to just take its word at this point, given how it’s handled these disclosures.
When the company announced it had been breached in August, it said it didn’t believe user data had been accessed. Then, in November, LastPass said it detected an intrusion, which apparently relied on information stolen in the August incident (it would’ve been nice to hear about that possibility sometime between August and November). That intrusion let someone “gain access to certain elements” of customer info. It turns out those “certain elements” were, you know, the most important and secret things that LastPass stores. The company says there’s “no evidence that any unencrypted credit card data was accessed,” but that would likely have been preferable to what the hackers actually got away with. At least it’s easy to cancel a card or two.
A backup of customers’ vaults was copied from cloud storage.
We’ll get to how this all went down in a bit, but here’s what LastPass CEO Karim Toubba is saying about the vaults being taken:
"The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."
Toubba says the only way a malicious actor would be able to get at that encrypted data, and therefore your passwords, would be with your master password. LastPass says it has never had access to master passwords.
That’s why he says, “it would be extremely difficult to attempt to brute force guess master passwords,” as long as you had a very good master password that you never reused (and as long as there wasn’t some technical flaw in the way LastPass encrypted the data — though the company has made some pretty basic security errors before). But whoever has this data could try to unlock it by guessing random passwords, AKA brute-forcing.
LastPass says that using its recommended defaults should protect you from that kind of attack, but it doesn’t mention any sort of feature that would prevent someone from repeatedly trying to unlock a vault for days, months, or years. There’s also the possibility that people’s master passwords are accessible in other ways — if someone re-uses their master password for other logins, it may have leaked out during other data breaches.
It’s also worth noting that if you have an older account (prior to a newer default setting introduced after 2018 ), a weaker password-strengthening process may have been used to protect your master password. According to LastPass, it currently uses “a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function,” but when a Verge staff member checked their older account using a link the company includes in its blog, it told them their account was set to 5,000 iterations.
Perhaps the more concerning bit is the unencrypted data — given that it includes URLs, it could give hackers an idea of which websites you have accounts with. If they decided to target particular users, that could be powerful information when combined with phishing or other types of attacks.
If I were a LastPass customer, I would not be happy with how the company has disclosed this info
While none of that is great news, it’s all something that could, in theory, happen to any company storing secrets in the cloud. In cybersecurity, the name of the game isn’t having a 100 percent perfect track record; it’s how you react to disasters when they happen.
And this is where LastPass has, in my opinion, absolutely failed.
Remember, it’s making this announcement today, on December 22nd — three days before Christmas, a time when many IT departments will largely be on vacation, and when people aren’t likely to be paying attention to updates from their password manager.
(Also, the announcement doesn’t get to the part about the vaults being copied until five paragraphs in. And while some of the information is bolded, I think it’s fair to expect that such a major announcement would be at the very top.)
LastPass says that the vault backup wasn’t initially compromised in August; instead, its story is that the threat actor used info from that breach to target an employee who had access to a third-party cloud storage service. The vaults were stored in and copied from one of the volumes accessed in that cloud storage, along with backups containing “basic customer account information and related metadata.” That includes things like “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” according to LastPass.
Toubba says the company is taking all sorts of precautions as a result of the initial breach, and the secondary breach that exposed the backups, including adding more logging to detect suspicious activity in the future, rebuilding its development environment, rotating credentials, and more.
That’s all good, and it should do those things. But if I were a LastPass user, I’d be seriously considering moving away from the company at this point, because we’re looking at one of two scenarios here: either the company didn’t know that backups containing users’ vaults were on the cloud storage service when it announced that it had detected unusual activity there on November 30th, or it did know and chose not to tell customers about the possibility that hackers had gotten access to them. Neither of those is a good look.
