LastPass, a popular password management service, has revealed that malicious actors have gained access to unencrypted customer data, including web URLs, email addresses, company names, billing addresses, telephone numbers, and IP addresses of LastPass customers, as well as encrypted copies of customer password vaults. This information was compromised using previously stolen data from a breach in August 2022.
According to LastPass, their requirement of a minimum of an 8 to 12-character master password and their use of a password-strengthening algorithm in unison with customers not reusing their master password would require “millions of years” for master passwords to be cracked. However, if your LastPass account was created before 2018, the minimum length requirement was not enforced, and their implementation of the password-strengthening algorithm is weaker than recommended. Essentially, your passwords, and other data in LastPass, are as safe as the strength of your master password.
LastPass released a statement in August 2022 notifying users of unusual activity and stating that they “have seen no evidence that this incident involved any access to customer data or encrypted password vaults.” They reinforced this statement by releasing another blog post in early September stating that the threat actor gained access to their environment for four days, but there was again “no evidence that this incident involved any access to customer data.” This ultimately leads to their final two updates stating that in November 2022, a third-party cloud storage service had been compromised and that “access to certain elements of our customers’ information” was gained.
It is worth noting that LastPass also suffered a breach in 2015, which makes the current breach even more concerning. In 2015 LastPass detected malicious activity on their network, which compromised account email addresses, password reminders, server per user salts, and authentication hashes. LastPass provided the following statement for the 2015 breach:
“An attacker could try to guess your master password, then use your per-user-salt and authentication hash to determine if their guess was correct. Typically, an attacker would try a list of commonly-used passwords or dictionary words (such as 12345678, password1, mustang, robert42, iloveyou). They would have to do this for you specifically, since your “per-user” salt is unique to your account . Because your password is hashed thousands of times locally, and this hashed value is again hashed 100,000 times before being stored server-side, guesses will be very slow. If your master password is weak or if your password reminder makes it easy-to-guess, then the attacker could significantly reduce the number of attempts needed to guess it correctly. Then the attacker would have your master password, but not your data, since your data vault was not exposed. If the attacker attempted to get access to your data by using these credentials to log into your LastPass account, they’d be stopped by a notification asking them to first verify their email address. We require this security measure for any attempt to access your vault from a new device/location, unless you have multifactor authentication enabled.”
In 2015, LastPass implied that although cracking passwords are possible and potentially made easier with password reminders and weaker passwords, an attacker would not achieve much because they did not have access to password vaults. But now that user password vaults have been compromised, reading their 2015 statement should give you pause.
Consider the possibility that the data that was compromised in 2015 was also compromised in 2022 (but LastPass is not telling anyone about it) and combine that with the compromise of user vaults; cracking master passwords and gaining access to password information stored in the vaults appear to be even more probable. This is scary, but LastPass does not want anyone to believe it is.
LastPass did not specifically confirm if said data was compromised, but one has to wonder if the bad actors were able to steal the most sensitive information, gaining access to the other data would be trivial.
After dissection of the timeline of events, Elteni believes that LastPass has failed to detect the threat actor’s lateral movement, ultimately because their prior breach in August of 2022 was not successfully contained. Numerous companies have utilized LastPass as their password manager for years and have opted to abandon the platform for several reasons:
- Too many prior breaches: In June 2015, LastPass’ database, which contained email addresses, server-per-user salts, password reminders, and authentication hashes, was hacked. LastPass also had vulnerability issues in 2016, 2017, and 2019.
- Older accounts may have insecure configurations, such as a low-character master password or a weak implementation of their password-strengthening algorithm.
- Improper data governance: LastPass has not stored user IP addresses, website URLs, and metadata as sensitive data, leaving them in plain text.
We urge anyone who continues using LastPass to ensure their master password is strong and complex and not reuse it on other websites. We also strongly recommend that you change your most sensitive passwords. If you wish to switch password managers away from LastPass, the following alternatives are suggested.