Last month, LastPass notified its customers that unauthorized access had been detected to a third-party cloud-based storage service that LastPass uses to store archived backups of production data. In an effort to be transparent, the company has now issued an update on the ongoing investigation and addressed the security concerns customers have about the safety of their data.
What We’ve Learned
Based on LastPass's investigation so far, a threat actor obtained unauthorized access to the cloud-based storage environment using information obtained from an incident that emerged in August 2022. While LastPass stated that no customer data was compromised in the August breach, some source code and technical information were stolen from the development environment. That information was then used to target another employee, obtaining credentials and keys that were used to access and decrypt some storage volumes within the cloud-based storage service.
LastPass's production services currently operate from on-premises data centers, with cloud-based storage used for purposes such as storing backups and meeting regional data residency requirements. The cloud storage service accessed by the threat actor is physically separate from the production environment.
To date, LastPass has determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from a backup that contained basic customer account information and related metadata: company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers accessed the LastPass service.
The threat actor also copied a backup of customer vault data from the encrypted storage container. This data is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-fill data. The encrypted fields are protected with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password under LastPass's Zero Knowledge architecture. The master password is never known to LastPass and is not stored or maintained by LastPass; encryption and decryption of vault data are performed only on the local LastPass client. Note that the unencrypted URLs still tell an attacker which services each user holds accounts with, even if the credentials themselves stay sealed.
There is no evidence that any unencrypted credit card data was accessed. According to LastPass, its database does not store complete credit card numbers, and credit card information is not archived in this cloud storage environment.
What Does This Mean? Is My Data at Risk?
The threat actor may attempt to brute-force guess your master password in order to decrypt the copies of vault data they took. Because the attacker holds an offline copy, nothing on LastPass's side rate-limits those guesses; what slows them down is the cost of the hashing used to derive the key from the master password and, above all, the strength of the master password itself. LastPass states that because of its hashing and encryption methods, brute-forcing master passwords is costly, especially for customers who follow the master password best practices laid out below, and that it routinely tests the latest password-cracking technologies against its algorithms to keep pace with and improve its cryptographic controls.
The threat actor may also target customers with other tactics, such as phishing, credential stuffing, or brute-force attacks against online accounts associated with your LastPass vault. To protect yourself against social engineering and phishing, remember that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when you sign into your vault from a LastPass client, LastPass will never ask you for your master password.
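To make the brute-force argument above concrete, here is an added illustration of how a 256-bit vault key is derived from a master password and what an offline guessing loop against a stolen vault copy looks like. This is example code written for this page, not LastPass's code: the page does not state LastPass's actual key-derivation function, iteration count or salt handling, so PBKDF2-HMAC-SHA256, the iteration count, the constructed salt and the HMAC "key check value" standing in for a real AES-256 decryption attempt are all assumptions.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for illustration only; the real LastPass settings are not given on this page.
ITERATIONS = 100_100   # PBKDF2 rounds per guess: the attacker pays this cost for every candidate
KEY_LEN = 32           # 256-bit key, matching the AES-256 key size mentioned in the text


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key. Deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def key_check_value(key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt the vault?' (assumption). A real client would try an
    AES-256 decryption of an encrypted field; an HMAC tag over a fixed string plays that role here
    so the example runs with the standard library alone."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def offline_guess(salt: bytes, kcv: bytes, candidates, iterations: int = ITERATIONS):
    """Offline attack loop. The attacker holds salt and ciphertext, so nothing rate-limits the
    loop except the cost of derive_vault_key. Returns (password, guesses) or (None, guesses)."""
    tried = 0
    for cand in candidates:
        tried += 1
        if hmac.compare_digest(key_check_value(derive_vault_key(cand, salt, iterations)), kcv):
            return cand, tried
    return None, tried


def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Measure how many candidates this machine can test per second at a given iteration count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"timing-sample-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(keyspace: float, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second, in years."""
    return keyspace / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed demo: a per-user salt (random in practice) and a vault keyed by a weak password.
    salt = b"constructed-salt"
    kcv = key_check_value(derive_vault_key("Summer2022", salt))

    # A constructed wordlist; the attacker's loop stops at the first key that "opens" the vault.
    wordlist = ["123456", "password", "letmein", "qwerty123", "Summer2022", "dragon"]
    found, guesses = offline_guess(salt, kcv, wordlist)
    print(f"cracked: {found!r} after {guesses} guesses")

    # Why the master password matters more than the iteration count: the attacker's cost is
    # (guess cost) x (number of guesses), and the keyspace grows exponentially with length.
    rate = guesses_per_second(ITERATIONS)
    print(f"~{rate:.1f} guesses/s on this machine at {ITERATIONS} iterations (single core)")
    print(f"8 lowercase letters:      {years_to_exhaust(26 ** 8, rate):.2f} years")
    print(f"12 random printable chars: {years_to_exhaust(95 ** 12, rate):.3e} years")
```

The loop is the whole threat model for a stolen vault backup: each guess costs one key derivation, and the attacker can run as many in parallel as they have hardware. Raising the iteration count buys a constant factor; a longer, non-dictionary master password multiplies the work exponentially. A password that appears in a wordlist, like the constructed one above, falls regardless of how strong the AES encryption behind it is.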
What Should LastPass Customers Do?
As a reminder, LastPass's default master password settings and best practices include the following:
Since 2018, LastPass has required a twelve-character minimum for master passwords, and it encourages the use of passphrases.
In conclusion, LastPass has been breached repeatedly: in the August incident the attacker remained inside its environment for four days before being detected, and neither LastPass nor its parent company was able to identify the actual source behind the breach. Users must therefore remain vigilant in protecting their online accounts and personal information rather than relying entirely on a third-party service. While the threat actor was able to copy some customer data and vault backups, the encrypted fields remain protected by strong encryption and can only be decrypted with a unique key derived from each user's master password.
As always, we recommend following industry best practices: create strong, unique passwords, be cautious of phishing attacks and other attempts to obtain personal information, regularly review and update your account security settings, and enable multi-factor authentication wherever possible.
As the saying goes, “An ounce of prevention is worth a pound of cure.” In the context of cybersecurity, adopting proactive measures to protect your data can save you a lot of headaches in the long run.