
LastPass security incident 2022 – what you need to know

On December 22, 2022, password management company LastPass revealed that a group of hackers had successfully gained access to their customers' vaults. The hackers accessed a cloud storage space holding backups of the vaults and were thus able to copy these vaults to their own machines. This announcement follows a previous statement from LastPass in August 2022 that a hacker had gained access to a developer account and stolen part of the source code from a development environment. At the time, LastPass said it had "seen no evidence that the incident involved access to customer data or encrypted password vaults."

Worse, in addition to the theft of the vaults, some of the stolen data was not encrypted at all. Which data is encrypted and which is not?

The stolen data includes the following unencrypted information:

  • Business names

  • End User Names

  • Billing addresses

  • Phone numbers

  • Email addresses

  • IP addresses used to access LastPass

  • Password Vault Website URLs

The stolen encrypted data includes:

  • Website usernames and passwords

  • Secure Notes

  • All other items stored in the vault (licenses, cards, etc.)


Today, January 5, 2023, we still do not know which vaults were stolen. Is it the vaults of all customers, or only some of them? We don't know...


How can hackers decrypt data?

To decrypt this data and access the information stored in your vault, hackers must determine your "master" password. They can do this, for example, by using GPUs to run a brute-force attack, with or without a dictionary, against the vault binaries they recovered. Because the vaults have been copied, two-factor authentication no longer protects them: the attackers hold your vault file locally and can therefore throw an army of GPUs at it. LastPass has recommended using a master password of 12 characters or longer with a combination of letters, numbers and symbols since 2018, but it is likely that many LastPass users chose weaker master passwords, which makes them easier to crack.

What to do if you are a LastPass user?

If you are a LastPass user, it is strongly recommended that you change your master password and increase the number of iterations (more on that later). It is also strongly recommended to change the passwords of all accounts associated with your LastPass account and to enable two-factor authentication on them as soon as possible. Monitor your accounts carefully for suspicious behavior.


It is recommended that you do not use LastPass to store sensitive information, such as credit card information or social security information. If you already have these types of information stored in your vault, it is recommended that you delete them and find another way to store them securely. This security incident exposed some unencrypted information, such as company names, end user names, billing addresses, phone numbers, and email addresses. Although this information itself is not necessarily sensitive, it can be used by hackers to try to phish you and harvest other sensitive information. Therefore, it is important to take steps to protect your sensitive information.


Change password manager

Given this information, as well as what I am about to show you, I no longer think LastPass is a company that should be trusted. This is why I think you should seriously consider changing password managers and changing all your passwords.


Here are some alternatives:

  • Bitwarden => Open source, with a free version that does just about everything. It is even possible to self-host it; for that I recommend you take a look at the Vaultwarden project. The premium plan costs only $10 per year.

  • 1Password => Intuitive and easy-to-use UI/UX but no “Free” plan.

  • KeePass => Open source and free. It's a small program that runs locally on your machine; it generates a .kdbx file for the vault, and you can store this file locally or on a cloud service such as OneDrive or Dropbox.


Encryption and iterations: how LastPass protects your data

LastPass uses AES-256 encryption (often marketed as "military grade") to protect your data, BUT there was quite a controversy: in 2018 LastPass raised the default number of iterations to 100,100, except that they failed to apply this change to all existing users.

The iteration count in LastPass is the number of rounds of the key-derivation function that is applied to your master password to produce the key that encrypts your vault. The higher the number of iterations, the slower each guess becomes, and the more difficult it is for an attacker to crack your master password using brute-force techniques.

LastPass's default iteration count of 100,100 is meant to make deriving the key from your master password slow enough to deter brute-force attacks or make them very expensive. Unfortunately, many "old" users, who created their account before 2018, still have a lower iteration value and did not know that they could increase it in the settings.



Here is the LastPass help article on increasing the number of iterations: "How do I change my password iterations for LastPass?" (LastPass Support)


Based on the image below, taken from the excellent article "LostPass: after the LastPass hack, here's what you need to know", we can estimate the time or money it would cost to crack a relatively strong password depending on the number of iterations. Many LastPass users were only at 1, 500, 1,000, 5,000 or 10,000 iterations.

Image source: "LostPass: after the LastPass hack, here's what you need to know", Graham Cluley; original source: Wladimir Palant's blog post.
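To make the effect of the iteration count concrete, here is an added example (my own code, not LastPass's and not from the article or image cited above). It derives a vault key the way LastPass does, with PBKDF2-HMAC-SHA256 salted with the lower-cased account email, and then estimates how long an exhaustive search of a master password would take at different iteration counts. The email, master password and the GPU throughput figure are constructed/assumed values, not measurements; the point is the linear scaling: going from 1,000 to 100,100 iterations makes every guess about 100 times more expensive.

```python
import hashlib
import math
import time

# Constructed sample inputs (not real credentials): a master password and the
# account email that LastPass uses as the PBKDF2 salt.
SAMPLE_EMAIL = "user@example.com"
SAMPLE_MASTER_PASSWORD = "correct horse battery staple"

# Assumed attacker throughput, NOT a measured figure: SHA-256 compressions per
# second for a single GPU. Plug in your own estimate.
ASSUMED_SHA256_PER_SECOND_PER_GPU = 1e10


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256, salted with the
    lower-cased account email, mirroring how LastPass derives the key that
    encrypts the vault."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn from an
    alphabet of `alphabet_size` symbols (an upper bound for human-chosen ones)."""
    return length * math.log2(alphabet_size)


def guesses_per_second(iterations: int, sha256_per_second: float) -> float:
    """Master-password guesses per second an attacker gets from a given SHA-256
    throughput. Each PBKDF2 iteration is one HMAC-SHA256, i.e. roughly two
    SHA-256 compressions once the inner/outer pads are precomputed."""
    return sha256_per_second / (2.0 * iterations)


def expected_crack_seconds(entropy_bits: float, iterations: int, sha256_per_second: float) -> float:
    """Expected time to find the master password by exhaustive search: on
    average half the key space has to be tried."""
    guesses_needed = 2.0 ** entropy_bits / 2.0
    return guesses_needed / guesses_per_second(iterations, sha256_per_second)


def measure_derivation_seconds(iterations: int) -> float:
    """Wall-clock cost of one derivation on this machine, to make the linear
    scaling with the iteration count tangible."""
    start = time.perf_counter()
    derive_vault_key(SAMPLE_MASTER_PASSWORD, SAMPLE_EMAIL, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    seconds_per_year = 365.25 * 24 * 3600
    # 12 printable-ASCII characters: the LastPass recommendation since 2018.
    strong = password_entropy_bits(12, 95)
    # 8 lower-case letters: a typical weak master password.
    weak = password_entropy_bits(8, 26)
    # Iteration counts seen on old accounts, against the 2018 default of 100,100.
    for iters in (1, 500, 5000, 100_100):
        ms = measure_derivation_seconds(iters) * 1000
        weak_hours = expected_crack_seconds(weak, iters, ASSUMED_SHA256_PER_SECOND_PER_GPU) / 3600
        strong_years = expected_crack_seconds(strong, iters, ASSUMED_SHA256_PER_SECOND_PER_GPU) / seconds_per_year
        print(f"{iters:>7} iterations: one derivation here takes {ms:.2f} ms; "
              f"8 lower-case letters ~ {weak_hours:.1f} h, "
              f"12 printable chars ~ {strong_years:.2e} years on one assumed GPU")
```

Run it as a script to see the numbers for your own machine; raising the iteration count in your LastPass settings only helps vaults that are backed up after the change, which is why the post also recommends changing the master password itself.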


Disastrous communication and lack of transparency: LastPass criticized for its management of this security incident

In addition to the security concerns raised by this security incident, LastPass has also been criticized for its disastrous communication and lack of transparency in handling this incident.

Indeed, when this incident was first announced in August 2022, LastPass claimed to have "seen no evidence that this incident involved access to customer data or encrypted password vaults". However, when the actual breach was announced in December 2022, it became clear that this claim was incorrect and that the hackers had in fact accessed and stolen customer vaults. All of them? Maybe.


This lack of transparency has sparked strong criticism from the IT security community, who have accused LastPass of hiding the truth and downplaying the security incident. Many have also criticized the company for its lack of clear communication and regular updates regarding the status of the situation and the measures taken to protect users.

This episode highlighted the importance of choosing a trusted provider and keeping your data secure.


LastPass Security Incident History: A Long List of Issues

This recent security incident is not the first the password management company has faced. Since its inception in 2008, LastPass has experienced a series of security incidents that have called into question the safety of its users and trust in the service.

Here's a look at some of the most notable LastPass security incidents:


2011:

LastPass discovered an anomaly in incoming and outgoing network traffic. Administrators found no signs of a typical security breach, but they also could not determine the cause of these anomalies. Since it was theoretically possible that data like email addresses, server salts, and salted password hashes had been copied from LastPass's database, the company decided to take the servers offline, treat them as "hacked" in order to rebuild them, and asked all users to change their master password on May 4, 2011.


2015:

On June 15, 2015, LastPass published a blog post stating that it had discovered and stopped suspicious activity on its network the previous week. Their investigation found that LastPass account email addresses, password reminders, per-user server salts, and authentication hashes had been compromised, but that users' encrypted vault data had not been affected.


2016:

In July 2016, a post published by an independent online security company, Detectify, detailed a method for reading plaintext passwords for arbitrary domains from a LastPass user's vault when that user visits a malicious website. This vulnerability was made possible by poorly written URL-processing code in the LastPass extension. The flaw was not made public by Detectify until LastPass had been privately notified and could patch its browser extension.


2017:

On March 20, Tavis Ormandy discovered a vulnerability in the LastPass Chrome extension. The exploit applied to all LastPass clients, including Chrome, Firefox, and Edge. These vulnerabilities were disabled on March 21 and fixed on March 22.

On March 25, Ormandy discovered an additional security vulnerability allowing remote code execution based on the user's navigation to a malicious website. This vulnerability has also been fixed.


2019:

On Friday, August 30, 2019, Tavis Ormandy reported a vulnerability in the LastPass browser extension in which websites with malicious JavaScript code could obtain a username and a password inserted by the password manager on the previously visited site. On September 13, 2019, LastPass publicly announced the vulnerability, acknowledging that the issue was limited to Chrome and Opera extensions only; nevertheless, all platforms have received the vulnerability patch.


2020:

On April 6, 2020, a vulnerability was discovered relating to the storage of the master password in the web extension: LastPass stored the master password in a local file when the "Remember Password" option was enabled.


2022:

On August 25, 2022, LastPass announced that a hacker had gained access to a developer account and stolen part of its source code from a development environment. LastPass said it had "seen no evidence that this incident involved access to customer data or encrypted password vaults." However, just before Christmas, LastPass confirmed that the information stolen in the August 2022 attack had been used to target another employee, "obtaining credentials and keys which were used to access and decrypt some storage volumes". This stolen information included company names, end user names, billing addresses, phone numbers, email addresses, IP addresses used to access LastPass, and the website URLs from your vault. Additionally, encrypted customer data was also stolen, including website usernames and passwords, secure notes, and other types of data in the vaults. Hackers still need to determine your master password to gain access to the crown jewels: the usernames and passwords for all your accounts. LastPass recommended that users change their master password and review their security settings.




Conclusion

In conclusion, it is clear that LastPass has experienced several security incidents over the past few years, ranging from vulnerabilities in its browser extensions to data breaches. Although LastPass has taken steps to protect its users' data, such as encryption and iterations, it is clear that these incidents have occurred and that its users' data has not been fully protected. As a result, I think you really need to consider leaving this service and finding a more reliable alternative to store your sensitive information. There are many password manager options on the market that provide better security and transparent communication in the event of security incidents. Take the time to research and choose a service that meets your needs. Protect your data and don't take unnecessary risks by using a service that has been shown to be vulnerable and untrustworthy.



