NetworkTigers discusses the LastPass hack and what users may do about it.
Hacks and breaches that compromise user data are common occurrences. From retailers to financial institutions, we entrust organizations with troves of personal information, and those databases are targeted endlessly by threat actors looking to cash in. Businesses and consumers expect companies to maintain top-notch security, but we know that keeping our data locked down is not the main objective for most businesses.
It is more bothersome when a company whose whole business rests on security and customer confidence is breached. That scenario becomes even more troubling when said company appears reluctant to fully explain the ramifications of a breach and seems more interested in telling the public the bare minimum. That appears to be what happened with LastPass.
What is LastPass?
While offering dark web scanning, browser extensions and more, LastPass is primarily a password management platform designed to make it easier for users to log in to their personal and business accounts by storing their passwords in a database or “vault.” Using a single master password, users can log in to their accounts without committing their credentials to memory.
As even casual internet users need to memorize potentially dozens of different passwords (provided that they adhere to good cybersecurity practices), LastPass offers convenience in addition to a more secure option than writing down your passwords or saving them in your web browser or operating system. LastPass has often found itself at the top of the list of recommended password management tools, having more than 33 million registered users.
LastPass hack timeline
August 5, 2022: breach disclosed; nothing to see here
In a since-updated blog post, LastPass CEO Karim Toubba wrote that the company had noticed “unusual activity within portions of the LastPass development environment.” While troubling, LastPass was quick to engage in an internal investigation regarding the anomaly.
Toubba asserted that a compromised developer account was used to gain access to its development environment, in which no personal information is stored. The hackers, however, were said to have made off with some of the company’s proprietary source code.
After hiring a forensic cybersecurity team, Toubba said LastPass had “achieved a state of containment, implemented enhanced security measures” and found “no further evidence of unauthorized activity.” The company even went so far as to tell users that no action was required on their part to keep their data safe or protect their accounts from unauthorized access.
September 15, 2022: problem solved, reassurances issued
LastPass issued an update on the previous month’s breach, stating that security firm Mandiant had been brought in to assist with the investigation. LastPass’s administrators detected a threat actor that had remained within its development system over the course of four days, but were able to contain the hacker’s activity and implement more robust security measures where they were deemed needed.
Once more, LastPass reminded customers that the intruder was in no way able to access customer passwords or vaults, as the environment they breached is “physically separated” from those that contain user data.
How the hacker compromised the developer’s endpoint was not disclosed, although impersonation and the mishandling of multifactor authentication were implied.
November 30, 2022: customer data compromised, no big deal
More than three months after initial disclosure, Toubba issued a statement explaining that the hacker responsible for the August breach “was able to gain access to certain elements of our customers’ information” using the technical data stolen over the summer.
Toubba’s acknowledgment of user data exposure was brief. It did not describe what kind of customer information had been exposed, how long it had been accessible or how many LastPass users may have been affected by the intrusion.
LastPass notified law enforcement of their findings and Mandiant was once again brought into the investigative fold as the company worked to “understand the scope of the incident and identify what specific information has been accessed.”
December 22, 2022: happy holidays, hackers have your passwords
In a statement issued just before the holiday weekend, LastPass reported that customer data had, in fact, been exfiltrated from the platform in the form of a cloud-based backup of customer vaults. The sensitive fields in those vaults, such as usernames and passwords, are encrypted, but the same backup also contained unencrypted information, including company names, contact information, IP addresses, billing addresses and the website URLs stored in each vault.
Toubba, for his part, assured customers that their passwords were still secure. Customer vaults, he said, could only be decrypted via users’ master password, which is “never known to LastPass and is not stored or maintained by LastPass.”
In what feels like passing the buck, Toubba said that as long as customers had kept LastPass’s default settings and had not reused their master password elsewhere, it would take a hacker “millions of years” to crack a customer vault. He downplayed the breach further, saying that LastPass users need take no action to protect themselves.
Toubba has, as of the writing of this article, posted no further updates on his blog regarding the incident.
January 23, 2023
LastPass’s parent company, GoTo, disclosed that the hack had impacted several of the company’s other products and that multiple encrypted customer backups had been stolen.
To the dismay of the security community, GoTo took two months to publicly announce the theft via a statement from CEO Paddy Srinivasan who provided no public guidance for concerned customers and did not reveal how many were affected.
According to TechCrunch’s Carly Page, GoTo’s public relations director Jen Mathews and spokesperson Nikolett Bacso-Album both declined to comment further when asked for details about the incident.
As of now, no information has been disclosed regarding who may be responsible for the hack.
What researchers are saying about the LastPass hack
While Toubba has minimized the severity of last year’s breach from the point of its initial discovery, security researchers and experts unaffiliated with the company have been quick to poke holes in LastPass’s official statements.
Between the trickle of information and the timing of Toubba’s most recent, and possibly last, blog update, the general consensus is that the breach is far more dangerous than implied. In the scathing words of Adblock Plus creator Wladimir Palant, Toubba is guilty of “omissions, half-truths and outright lies.”
Password-cracking expert Jeremi Gosney, referencing LastPass’s record of repeated security lapses “in the last 10 years,” added: “I don’t know what the threshold of ‘number of major breaches users should tolerate before they lose all faith in the service’ is, but surely it’s less than seven.”
He holds the company’s feet to the fire in a blog post that is also, to put it lightly, critical of LastPass’s encryption methods.
1Password joined the chorus as well. Although 1Password is a competitor in the password management market, the response of its principal security architect, Jeffrey Goldberg, to Toubba’s “millions of years” comment has not been challenged. Goldberg’s point is that the estimate holds only for master passwords produced by a random password generator; the passwords people invent themselves carry far less randomness (entropy) than a generator can provide, so the same cracking hardware gets through them in a small fraction of the time.
What are LastPass users to do?
Security researchers generally agree that the theft of customer password vaults is, in the words of PCMag’s Michael Kan, “about as bad as it can get.” A platform like LastPass relies on customer trust which, among those paying attention, is likely at an all-time low.
If you are a LastPass user, here are some suggestions that experts are encouraging you to act on:
Security pros recommend that users simply abandon the platform in favor of managers with a better track record of customer protection. You can export your passwords from LastPass easily.
LastPass users should also operate under the assumption that every password stored in their vault has been exposed. They should, therefore, change all of their online passwords, giving priority to those for financial and medical sites and to the email account used for password resets on everything else.
Enable multi-factor authentication across all accounts that allow for it.
If you remain with LastPass, change your master password and follow their suggested guidelines. Bear in mind that a new master password protects only your vault going forward; the stolen copy stays encrypted under the old one, which is why the passwords inside it still need to be rotated.
Whoever is responsible for stealing LastPass vaults doesn’t need to crack them open to cause trouble. The unencrypted data taken, contact details alongside the sites each user holds accounts with, is everything they need to craft convincing, targeted phishing. Stay vigilant and be wary of any suspicious texts or emails, especially ones that claim to come from LastPass or from a service you keep in your vault.