Intruders get their hands on user data in LastPass incident
Password manager says credentials safely encrypted, confirms link to August attack
Intruders broke into a third-party cloud storage service LastPass shares with affiliate company GoTo and gained access to "certain elements" of customers' information, the pair have confirmed.
LastPass did not define what it meant by "certain elements," saying it was unsure what data was looked at: "We are working diligently to understand the scope of the incident and identify what specific information has been accessed this morning."
Last night's statement also confirmed that the attackers got into the storage service using information stolen in an August attack, which we covered here.
It did maintain, however, that services were unaffected and that customers' passwords remained "safely encrypted", while not ruling out that some of the data was stolen. The company's published design runs the master password through a salted, iterated one-way function (PBKDF2-SHA256) on the user's own device; its technical whitepaper gives the fuller description. The master password is used to lock the user's vault, where logins for various websites etc. are stored, and the passphrase is only ever entered by the user in their browser or app. It is not sent to or stored by LastPass: the client derives the vault key and a separate login hash from it, and the server sees only the latter.
Users who lose their master passwords can lose access to their vaults, although there are some recovery options.
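The split described above, with the master password never leaving the device, is easiest to see in code. The following Python is an added illustration and is not LastPass's own code: the iteration counts, the use of the username as the client-side salt, the record layout and the sample password list are all assumptions made for this example, not values taken from the whitepaper. The last function shows what an attacker holding a stolen server record must do, which is why reuse of a master passphrase matters.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Assumed parameters for this illustration only; a real deployment picks its own.
CLIENT_ITERATIONS = 100_000   # stretching done on the user's device
SERVER_ITERATIONS = 100_000   # additional stretching done by the service
KEY_LEN = 32                  # 256-bit outputs


def derive_vault_key(master_password: str, username: str) -> bytes:
    """Client side. The key that locks the vault is derived from the master
    password and never leaves the device. Salting with the username (an
    assumption here) means two users with the same password get different keys."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.encode(), CLIENT_ITERATIONS, KEY_LEN
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side. A separate one-way value is sent as the login credential, so
    the server is shown neither the master password nor the vault key. One
    extra round suffices because the input is already a stretched key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, KEY_LEN)


def server_register(login_hash: bytes) -> Dict[str, bytes]:
    """Server side. Only a randomly salted, stretched hash of the login hash is
    stored. This record is what an intruder would find on the backend."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS, KEY_LEN)
    return {"salt": salt, "verifier": verifier}


def server_verify(record: Dict[str, bytes], login_hash: bytes) -> bool:
    """Server side. Recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", login_hash, record["salt"], SERVER_ITERATIONS, KEY_LEN
    )
    return hmac.compare_digest(candidate, record["verifier"])


def client_login(master_password: str, username: str,
                 record: Dict[str, bytes]) -> Optional[bytes]:
    """Full client flow: derive the key locally, authenticate with the login
    hash, and keep the vault key only if the server accepts. Returns the vault
    key on success, None otherwise. Losing the master password means this
    function can never be run again for that vault."""
    vault_key = derive_vault_key(master_password, username)
    if server_verify(record, derive_login_hash(vault_key, master_password)):
        return vault_key
    return None


def offline_guess(record: Dict[str, bytes], username: str,
                  candidates: Iterable[str]) -> Optional[str]:
    """What a thief holding the stolen server record must do: replay the whole
    client-plus-server derivation for every guess. Each guess costs
    CLIENT_ITERATIONS + SERVER_ITERATIONS hash rounds, so the record is only as
    safe as the master password is strong and unique."""
    for guess in candidates:
        login_hash = derive_login_hash(derive_vault_key(guess, username), guess)
        if server_verify(record, login_hash):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample user; not real data.
    user, pw = "alice@example.com", "correct horse battery staple"
    rec = server_register(derive_login_hash(derive_vault_key(pw, user), pw))
    print("login ok:", client_login(pw, user, rec) is not None)
    print("wrong pw:", client_login("hunter2", user, rec) is not None)
    print("offline guess:", offline_guess(rec, user, ["password", "123456", pw]))
```

Note what the server record does and does not give an attacker: nothing in it decrypts a vault directly, but it is an offline oracle for master-password guesses, and a password the victim has reused elsewhere is exactly the kind of guess that succeeds quickly.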
The company said it has hired infosec researchers from Mandiant to investigate the break-in and called the cops.
Remote access and collaboration company GoTo, meanwhile, which Reg readers said began emailing them yesterday, says the incident has not affected its products and services, which remain fully functional.
The August break-in
LastPass's source code and blueprints were stolen by an intruder several months ago. Back then, the criminals had access to LastPass's internal systems for four days, gaining access to portions of the LastPass development environment through a single compromised developer account, and taking sections of source code as well as some proprietary LastPass technical information.
The company pointed out at the time that its dev team did not have the ability to push source code from the development environment into production. LastPass said then that it had contained the incident, and emphasized that the intruder had not gained access to customer data or encrypted password vaults. In last night's report, it made no such promise.
Last night's breach notice added advice that customers follow best practice, including never reusing their master passphrases. We'd add that you should avoid storing the master passphrase in the browser too. C'mon, using a password manager to look after the key to a password manager? It's turtles all the way down. Most of the bigger browsers do have built-in password managers and form fillers; they also sync across all your devices, and not everyone is great at logging out.
GoTo is the rebranded LogMeIn, which was acquired by the private equity arm of Paul Singer's hedge fund and Francisco Partners in 2019. They gave LogMeIn shareholders $4.3 billion in cash to take it private. LastPass had previously been acquired by LogMeIn for $110 million in October 2015. The owners then spun off LastPass as an independent company late last year.
The password manager has always had a freemium model, but after the 2019 acquisition it moved to one that pushed harder for punters to shift to the paid service, and was criticized for, among other things, restricting free users to a single device type and limiting the number of times they could switch between mobile and desktop access.
The unit also has its own-brand authenticator app as well as a dark web monitoring service which checks email addresses (up to 100) that users have placed in their vault against a database of breached credentials found on the unindexed hinterlands. The DB is maintained by Enzoic (formerly known as PasswordPing).
Rivals in the password manager game include 1Password, Bitwarden, Dashlane, Keeper, LogMeOnce, and NordPass.
Raf Los, head of Services GTM at infosec firm ExtraHop, commented: "I'll be eager to read the details of how the attacker(s) broke in, and take those lessons to customers and colleagues to strengthen their environments so they're not compromised in the same way. But the message here is vigilance... Understand your environment, implement controls that balance usability and security, monitor for threats and attacks, and be ready to respond when things go sideways at 2am on a Friday." ®