LastPass: Hackers accessed and copied customers’ password vaults

Password manager LastPass announced on Thursday that hackers had accessed and copied a backup of data including customers’ passwords in an encrypted format.

People who use LastPass and have a weak master password, or one which may be associated with their email address or telephone number on another service, may need to consider that all of their passwords have been compromised and need to be changed, the company said.

"If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account," LastPass CEO Karim Toubba explained, describing so-called credential stuffing attacks.

The announcement follows the company disclosing an incident from August in which “some source code and technical information were stolen from our development environment” — details that were subsequently used in the most recent attack.

In an update to its existing post, rather than a new one, Toubba, said that the data gained during the August breach was “used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”

The threat actor — as the data stolen in the first attack was used to support the second attack, this suggests it is the same individual or group behind both — was then able to access the decryption keys for LastPass' cloud storage and dual storage containers.

This is what has caused the most concern among onlookers as it enabled the attackers to copy the backups which LastPass keeps of its customers’ unencrypted account information “including company names, end-user names, billing addresses, email address, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

The threat actor also accessed “fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” In bold text, its blog post said that these encrypted fields are "secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password.”

Toubba said that LastPass's encryption and hashing methods would make it "extremely difficult" for the threat actor to 'brute force' guess master passwords — referring to the practice of guessing a password by using a computer to generate every possible key (aaaaa, aaaab, aaaac, etc.) until one of them works.

AES-256 has a large number of possible keys; 2 to the power of 256. As this explainer from the 3blue1brown YouTube channel shows, it would take hackers with today’s technology an impossibly long time to brute force a key of that size.

There are no publicly known attacks that would allow someone to brute force the key for material encrypted with a complete implementation of 256-bit AES (Advanced Encryption Standard) within a smaller period of time, although some attacks have been proposed against incomplete implementations.

“Password managers are a natural target for someone trying to gain unauthorized access to your accounts, because a successful attack provides access to all of a user's stored passwords,” warns guidance from the United Kingdom’s National Cyber Security Centre (NCSC).

Despite this risk, NCSC still recommends using password managers as long as the service complies with technical standards which include preventing the service itself (and thus any attacker) from being able to access the decryption key.

Toubba wrote: “The master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client.”

However the company has been criticized for its handling of the incident and for failing to encrypt additional customer data. 

The blog post added that any customers which use LastPass’ default settings, including using a unique master password consisting of a minimum of twelve characters, do not need to take any actions. However those with weaker passwords, including business customers who do not use LastPass' federated login services, were told they “should consider minimizing risk by changing passwords of websites you have stored.”

“This remains an ongoing investigation. We have notified law enforcement and relevant regulatory authorities of this incident out of an abundance of caution,” Toubba added. “We are committed to keeping you informed of our findings, and to updating you on the actions we are taking and any actions that you may need to perform. In the meantime, our services are running normally, and we continue to operate in a state of heightened alert. ”