LastPass has posted an update to the August security incident that raises some questions about stolen unencrypted data
The password management company LastPass notified customers in late December about a recent security incident. The notice was posted as an update to the security incident first reported in August of 2022, which had already been updated and covered on November 30, 2022.
According to LastPass, an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the August incident. Some of the stolen source code and technical information were used to target another LastPass employee, which allowed the threat actor to obtain credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
Actions for customers
LastPass states that users that followed their best password practices have nothing to worry about. LastPass’ default master password settings and best practices include the following:
- Since 2018, a twelve-character minimum for master passwords is required.
- LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password. You can check the current number of PBKDF2 iterations for your LastPass account here.
- It is recommended that you never reuse your master password on other websites. Not reusing passwords is always good advice, but reusing the master password in particular completely defeats the security advantage of using a password manager: if it is leaked or stolen, threat actors can use credential stuffing techniques to unlock other accounts.
According to LastPass, if you followed these guidelines, it would take millions of years to guess your master password using generally-available password-cracking technology.
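The two settings the notice asks users to check, master password length and the PBKDF2 iteration count, are easy to reason about in code. The following is an added example written for this article (not LastPass code, and not its actual key-derivation scheme): it derives a vault key with PBKDF2-HMAC-SHA256 at the 100,100-iteration default, audits an account's settings against the minimums the notice describes, and shows how the iteration count scales the cost of a brute-force search. The salt value, the alphabet size of 72 and the attacker hash rate of 10^12 hashes per second are constructed assumptions for illustration, not measurements.

```python
import hashlib
import math

# Values as described in the LastPass notice.
LASTPASS_DEFAULT_ITERATIONS = 100_100
MIN_MASTER_PASSWORD_LENGTH = 12
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = LASTPASS_DEFAULT_ITERATIONS) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    The salt is whatever the vault ties to the account; the value passed in
    by callers of this example is constructed and is not LastPass's scheme.
    """
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def audit_master_password_settings(length: int, iterations: int) -> list:
    """Return the findings a user should act on, per the notice's guidance."""
    findings = []
    if length < MIN_MASTER_PASSWORD_LENGTH:
        findings.append(f"master password has {length} characters; "
                        f"minimum is {MIN_MASTER_PASSWORD_LENGTH}")
    if iterations < LASTPASS_DEFAULT_ITERATIONS:
        findings.append(f"PBKDF2 iteration count {iterations} is below the "
                        f"{LASTPASS_DEFAULT_ITERATIONS} default")
    return findings


def expected_crack_years(length: int, alphabet_size: int, iterations: int,
                         hashes_per_second: float) -> float:
    """Expected years to brute-force a random password of the given length.

    Approximation: each PBKDF2 guess costs `iterations` hash computations, so
    an attacker with `hashes_per_second` throughput (a constructed figure) gets
    hashes_per_second / iterations guesses per second, and on average must try
    half of the keyspace.
    """
    keyspace = alphabet_size ** length
    guesses_per_second = hashes_per_second / iterations
    expected_seconds = (keyspace / 2) / guesses_per_second
    return expected_seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample account: 12-character master password, default iterations.
    key = derive_vault_key("correct horse battery staple", b"user@example.test")
    print("vault key:", key.hex())
    print("findings (good settings):", audit_master_password_settings(12, 100_100))
    print("findings (weak settings):", audit_master_password_settings(8, 5_000))
    # Raising iterations from 5,000 to 100,100 multiplies attacker cost by ~20x.
    for iters in (5_000, 100_100):
        years = expected_crack_years(12, 72, iters, 1e12)
        print(f"{iters:>7} iterations: ~{years:.2e} years expected")
```

The iteration count is a linear multiplier on attacker cost, which is why the notice tells users to check it: an account still on an old, low setting gets a correspondingly smaller share of the "millions of years" figure LastPass quotes for the defaults.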
If you haven’t done so already, we would advise that you enable multi-factor authentication (MFA) on your LastPass accounts so that threat actors won’t be able to access your account even if your password was compromised. The instructions to enable MFA can be found on the LastPass support pages.
LastPass
LastPass offers a password manager which is reportedly used by more than 33 million people and 100,000 businesses around the world. A password manager is a software application designed to store and manage online credentials. It also generates strong passwords. Usually, these passwords are stored in an encrypted database and locked behind a master password.
As a keeper of that many passwords, LastPass is juicy prey for threat actors. So, it comes as a surprise that the initial breach was able to lead to further compromises.
Unencrypted data
Security researchers are worried about the fact that LastPass stores website URLs unencrypted.
These questions were raised because the security notice says:
“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”
It is indeed hard to understand why LastPass would not consider website URLs sensitive fields, and it makes you wonder what the other unencrypted data is. Leaked website URLs can lead to targeted phishing attacks, so LastPass users should be extra wary of emails asking them to log in or change their password at sites for which they have a password stored in LastPass. Always visit the site directly and do not follow the links in emails. And, as always, enable MFA where you can.
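The phishing risk from leaked URLs is that an attacker knows exactly which sites a user has accounts with and can send a "reset your password" email that names one of them. The check below is an added example written for this article, not code from LastPass or Malwarebytes: it compares the host of a link found in an email against the hosts from a user's vault entries and only treats the link as legitimate when its host is that site or a subdomain of it. The vault hosts and sample links are constructed; the point is that a hostname merely containing a familiar name is not a match, which is the trick most such emails rely on.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed sample: hosts taken from the URLs of a user's vault entries.
VAULT_HOSTS = frozenset({"bank.example", "mail.example", "shop.example"})


def link_host(url: str) -> Optional[str]:
    """Return the normalized hostname of an http(s) URL, or None if unusable."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # urlsplit already discards userinfo, so "https://bank.example@evil.test/"
    # yields the real host evil.test rather than the decoy in front of the "@".
    return parts.hostname.lower().rstrip(".")


def host_matches(host: str, vault_host: str) -> bool:
    """True only if host is the vault host itself or a subdomain of it."""
    return host == vault_host or host.endswith("." + vault_host)


def classify_email_link(url: str, vault_hosts: Iterable[str] = VAULT_HOSTS) -> str:
    """Classify a link from an email relative to the sites stored in the vault."""
    host = link_host(url)
    if host is None:
        return "unparseable"
    for vault_host in vault_hosts:
        if host_matches(host, vault_host):
            return "matches vault host " + vault_host
    # A stored host appearing inside an unrelated host (bank.example.verify.test)
    # is the classic lookalike pattern; flag it rather than treating it as unknown.
    for vault_host in vault_hosts:
        if vault_host in host:
            return "lookalike of " + vault_host
    return "unknown host"


if __name__ == "__main__":
    # Constructed sample links of the kind a targeted reset email might carry.
    for sample in ("https://bank.example/reset",
                   "https://login.bank.example/reset",
                   "https://bank.example.verify-account.test/reset",
                   "https://bank.example@evil.test/",
                   "javascript:alert(1)"):
        print(f"{sample:<50} -> {classify_email_link(sample)}")
```

Whatever the classifier says, the advice in the article still stands: type the site's address yourself or open it from the password manager, and let the link in the email go unused.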
We have reached out to LastPass to ask for additional information and we will keep you informed here.