LastPass, one of the leading password managers, said that hackers obtained a wealth of personal information belonging to its customers as well as encrypted and cryptographically hashed passwords and other data stored in customer vaults.
The revelation, posted on Thursday, represents a dramatic update to a breach LastPass disclosed in August. At the time, the company said that a threat actor gained unauthorized access through a single compromised developer account to portions of the password manager’s development environment and “took portions of source code and some proprietary LastPass technical information.” The company said at the time that customers’ master passwords, encrypted passwords, personal information, and other data stored in customer accounts weren’t affected.
Sensitive data, both encrypted and not, copied
In Thursday’s update, the company said hackers accessed personal information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses customers used to access LastPass services. The hackers also copied a backup of customer vault data that included unencrypted data such as website URLs and encrypted data fields such as website usernames and passwords, secure notes, and form-filled data.
“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” LastPass CEO Karim Toubba wrote, referring to the Advanced Encryption Scheme and a bit rate that’s considered strong. Zero Knowledge refers to storage systems that are impossible for the service provider to decrypt. The CEO continued:
As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms, please see here.
The update said that in the company’s investigation so far, there’s no indication that unencrypted credit card data was accessed. LastPass doesn’t store credit card data in its entirety, and the credit card data it stores is kept in a cloud storage environment different from the one the threat actor accessed.
The intrusion disclosed in August that allowed hackers to steal LastPass source code and proprietary technical information appears related to a separate breach of Twilio, a San Francisco-based provider of two-factor authentication and communication services. The threat actor in that breach stole data from 163 of Twilio’s customers. The same phishers who hit Twilio also breached at least 136 other companies, including LastPass.
Thursday’s update said that the threat actor could use the source code and technical information stolen from LastPass to hack a separate LastPass employee and obtain security credentials and keys for accessing and decrypting storage volumes within the company’s cloud-based storage service.
“To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” Toubba said. “The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data.”
LastPass representatives didn’t respond to an email asking how many customers had their data copied.
Shore up your security now
Thursday’s update also listed several remedies LastPass has taken to shore up its security following the breach. The steps include decommissioning the hacked development and rebuilding it from scratch, retaining a managed endpoint detection and response service, and rotating all relevant credentials and certificates that may have been affected.
Given the sensitivity of the data stored by LastPass, it’s alarming that such a wide breadth of personal data was obtained. While cracking the password hashes would require massive amounts of resources, it’s not out of the question, particularly given how methodical and resourceful the threat actor was.
LastPass customers should ensure they have changed their master password and all passwords stored in their vault. They should also make sure they’re using settings that exceed the LastPass default. Those settings hash stored passwords using 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a hashing scheme that can make it infeasible to crack master passwords that are long, unique, and randomly generated. The 100,100 iterations is woefully short of the 310,000-iteration threshold that OWASP recommends for PBKDF2 in combination with the SHA256 hashing algorithm used by LastPass. LastPass customers can check the current number of PBKDF2 iterations for their accounts here.
LastPass customers should also be extra alert for phishing emails and phone calls purportedly from LastPass or other services seeking sensitive data and other scams that exploit their compromised personal data. The company also has specific advice for business customers who implemented the LastPass Federated Login Services.