LastPass admits attackers have a copy of customers’ password vaults

Password locker LastPass has warned customers that the August 2022 attack on its systems saw unknown parties copy encrypted files that contains customers' stored passwords.

In a December 22nd update to its advice about the incident, LastPass brings customers up to date by explaining that the August 2022 attack saw “some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”

Those creds allowed the attacker to copy information “that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

The update reveals that the attacker also copied “customer vault” data – the file in which LastPass stores the passwords that users entrust to it.

That file “is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

Which means the attackers have users’ passwords. But thankfully those passwords are encrypted with “256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password”.

LastPass’ advice is that even though attackers have that file, customers who use its default settings have nothing to do as a result of this update as “it would take millions of years to guess your master password using generally-available password-cracking technology.” Attackers would then have to deduce the key based on the master password, another non-trivial feat.

But one of LastPass's default settings is not to re-use the master password that is required to log into the service and which is used to generate the unique key. The outfit suggests you make it a complex credential and use that password for just one thing: accessing LastPass.

Yet we know that users are often dumfoundingly lax at choosing good passwords, while two thirds re-use passwords even though they should know better.

So while LastPass is confident that the files copied from its cloud will resist brute force attempts to crack the master password, if that credential is already out there … you know how this one ends and it is not pleasant, as a LastPass account can store hundreds of passwords.

• LastPass source code, blueprints stolen by intruder
• 1Password's Insights tool to help admins monitor users' security practices
• Lapsus$ back? Researchers claim extortion gang attacked software consultancy Globant
• Popular password manager LastPass to be spun out from LogMeIn
• 1Password unsheathes Rusty key, hopes to unlock Linux Desktop world
• LastPass to limit fans of free password manager to one device type only – computer or mobile – from next month

Oh and let’s not forget that the LastPass customer vault can also store plenty of other sensitive personal information.

LastPass therefore offered the following advice to individual and business users:

Enjoy changing all those passwords, dear reader.

LastPass’s update concludes with news it decommissioned the systems breached in August 2022 and has built new infrastructure that adds extra protections. ®