We have been keeping users up to date on the recent LastPass security incident that started at the beginning of August 2022.
In our previous post, "Should You Be Concerned About the Nov 30 LastPass Security Incident?", we explained that LastPass had discovered unusual activity at a third-party cloud storage provider. They "quickly initiated an investigation, recruited a prominent security firm, and alerted law enforcement" to determine what information may have been accessed.
LastPass concluded that an unauthorized entity used information from the August 2022 incident to access client data. The company stated that it has been working hard to establish what information was accessed.
LastPass notified users on November 22, 2022, of stolen data.
We have now discovered more information on this incident and realized that this issue is quite severe for those who utilize LastPass.
Here is what the company learned.
An unknown threat actor gained access to a cloud-based storage system using data gathered from the previously mentioned August event. No customer data was accessed during the August incident. Still, some code and technical data were taken and later used to target another employee and obtain the credentials and keys needed to access and decrypt some storage volumes.
LastPass then goes into more detail about the attack stating that "the threat actor copied information from a backup that contained basic customer account information."
Information copied includes:
- website usernames and passwords
- secure notes
- form-filled data
- company names
- end-user names
- billing addresses
- email addresses
- telephone numbers
- IP addresses
What does this new information mean for LastPass' customers?
- LastPass claims, "The threat actor may attempt to guess your vault data master password using brute force. Because of the hashing and encryption mechanisms we use to secure our customers, brute forcing master passwords for those customers who follow our password best practices would be complicated." In other words, anyone who chose an "easy to guess" master password is more exposed by this breach, because the stolen vault copies can be attacked offline for as long as the attacker likes. In that case, the only remedy is to change every password stored in the LastPass vault.
- Customers may also be targeted by phishing or brute-force attacks from con artists against the online accounts connected to their LastPass vault.
- Infiniwiz advises against reusing the same password on the websites that you utilize. If you repeatedly use your master password and it is ever stolen, it will be easy for hackers to access information on other sites.
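The brute-force point above is a question of arithmetic: how many candidate master passwords an attacker must try, and how fast the vault's key derivation lets them try. The estimator below is an added example written for this post, not LastPass code, and it assumes a random password drawn from the four character classes and a constructed guess rate of 100,000 attempts per second; the real rate depends on the attacker's hardware and on the vault's PBKDF2 iteration count, so treat the figure as a placeholder to replace with your own estimate.

```python
import math
import string

# Character classes a master password may draw from (assumption for this
# example: the four classes the recommendations in this post name).
CHARSETS = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "special": string.punctuation,     # 32
}
ALL_CLASSES = tuple(CHARSETS)
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, classes=ALL_CLASSES):
    """Number of candidate passwords of `length` characters drawn from `classes`.

    This is an upper bound that only holds for a truly random password; a
    dictionary word with a year and a '!' appended is searched far sooner.
    """
    alphabet = sum(len(CHARSETS[c]) for c in classes)
    return alphabet ** length


def expected_crack_seconds(length, guesses_per_second, classes=ALL_CLASSES):
    """Expected time to hit a random password: on average half the keyspace is tried."""
    return keyspace(length, classes) / 2 / guesses_per_second


def years_until_feasible(length, guesses_per_second, doubling_years=1.0,
                         budget_seconds=SECONDS_PER_YEAR, classes=ALL_CLASSES):
    """Years until an attacker whose guess rate doubles every `doubling_years`
    can expect to crack the password within `budget_seconds` of effort.

    The rate grows as r(t) = r0 * 2**(t / doubling_years); the password falls
    inside the budget once r(t) >= r0 * t0 / budget, i.e. after
    doubling_years * log2(t0 / budget) years. Returns 0.0 if it is feasible today.
    """
    t0 = expected_crack_seconds(length, guesses_per_second, classes)
    if t0 <= budget_seconds:
        return 0.0
    return doubling_years * math.log2(t0 / budget_seconds)


def summary(lengths, guesses_per_second):
    """Map each password length to the years until a one-year crack becomes feasible."""
    return {n: years_until_feasible(n, guesses_per_second) for n in lengths}


if __name__ == "__main__":
    ASSUMED_RATE = 1e5  # constructed placeholder: guesses per second against the vault KDF
    for n, years in summary((7, 8, 9, 10, 12), ASSUMED_RATE).items():
        print(f"{n:2d} characters: feasible within one year of effort in about {years:5.1f} years")
```

Under these assumptions an 8-character random password is within reach of a one-year effort in roughly a decade, while 12 characters pushes that out by decades; the gap between the two is what the length recommendation below is buying, and the annual doubling assumption is the `doubling_years` parameter.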
If your LastPass master password consists of 7-8 characters, we highly advise the following steps:
- Change your master password to a new one with a minimum of 12 characters that includes upper/lower case letters, digits, and special characters. While 9-10 characters should be enough today, processing rates at least double every year, allowing hackers to "brute force" passwords faster. Choosing 12 characters ensures you won't have to repeat this exercise in 5 years.
- Do the same for all passwords within LastPass. If there are too many to tackle right away, first change passwords that are related to financial institutions, email, and social networks.
- Although not as critical as the preceding items, employ second-factor authentication on any financial or communication-related transactions.
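The two vault-wide steps above (change every stored password, financial, email and social accounts first; stop reusing passwords) are easier to carry out from a list than from memory. The script below is an added example for this post, not a LastPass tool: it reads a CSV export, flags entries whose password is shared with another entry or shorter than the recommended 12 characters, and orders them so the high-value categories come first. The column layout (`url,username,password,totp,extra,name,grouping,fav`), the sample rows and the category keyword lists are all assumptions constructed for the example, and reused passwords are reported by entry name only, never by value.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the column layout assumed for a LastPass CSV export.
# Every value below is made up for this example.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://bank.example/login,alice,Winter2022!,,,Example Bank,Finance,1
https://mail.example/,alice@example.com,Winter2022!,,,Example Mail,,0
https://social.example/,alice,correct horse battery staple,,,Example Social,,0
https://forum.example/,alice,hunter2,,,Example Forum,Misc,0
https://shop.example/,alice,hunter2,,,Example Shop,,0
"""

# Keyword lists are an assumption for this example, matched against the URL
# host and the vault folder ("grouping"); extend them for your own vault.
CATEGORY_KEYWORDS = {
    "financial": ("bank", "pay", "card", "finance", "broker"),
    "email": ("mail",),
    "social": ("social", "chat", "friends"),
}
MIN_LENGTH = 12  # the length recommended above for new passwords


def parse_export(text):
    """Read the export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def categorize(entry):
    """Return 'financial', 'email', 'social' or 'other' for one vault entry."""
    host = urlsplit(entry["url"]).hostname or ""
    haystack = f"{host} {entry.get('grouping', '')}".lower()
    for category, words in CATEGORY_KEYWORDS.items():
        if any(w in haystack for w in words):
            return category
    return "other"


def reused_password_groups(entries):
    """Groups of entry names that share one password; the password itself is not returned."""
    by_password = defaultdict(list)
    for e in entries:
        if e["password"]:
            by_password[e["password"]].append(e["name"])
    return sorted(sorted(names) for names in by_password.values() if len(names) > 1)


def rotation_plan(entries):
    """Ordered list of (priority, name, reasons); priority 1 entries are changed first.

    Every entry is listed because the advice is to rotate all of them; the
    reasons only explain why a given entry is more urgent than its neighbours.
    """
    shared = {name for group in reused_password_groups(entries) for name in group}
    plan = []
    for e in entries:
        reasons = []
        if e["name"] in shared:
            reasons.append("password reused in another entry")
        if len(e["password"]) < MIN_LENGTH:
            reasons.append(f"password shorter than {MIN_LENGTH} characters")
        priority = 1 if categorize(e) != "other" else 2
        plan.append((priority, e["name"], reasons))
    return sorted(plan, key=lambda item: (item[0], item[1]))


if __name__ == "__main__":
    for priority, name, reasons in rotation_plan(parse_export(SAMPLE_EXPORT)):
        print(priority, name, "-", "; ".join(reasons) or "rotate as part of the full sweep")
```

Run it against a real export only on the machine where the export was made, and delete the export file once the plan is printed; the plaintext CSV is exactly the data the rest of this post is worried about.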
Since this incident, what has LastPass done to help secure users more effectively?
- Removed all remaining access points to the LastPass development environment by completely decommissioning it and creating a brand-new environment from scratch.
- Developer machines, procedures, and authentication systems were replaced and strengthened further.
- Introduced more logging and alerting tools to support their staff in detecting any extra fraudulent activity.
- Implemented extra security measures by thoroughly examining every account with any indication of suspicious behavior within their cloud storage service.
While LastPass has made it clear that it is trying to be open and honest with its users, here are some of the concerns users have raised about this announcement and the omissions in the company's statement.
In a recent article, "What's in a PR statement: LastPass Breach Explained" by PalentInfo, the author breaks down the LastPass statement and its flaws. Here are some of the points the writer makes.
- Just before the holidays, LastPass released an update on their security failure. This timing, as some have hypothesized, was probably not accidental; rather, it was planned to limit news coverage.
- The amount of time it took to copy the data for millions of users is a concern for users. Why wasn't this caught by LastPass before the hackers were done with it? The statement does not say.
- LastPass acknowledges that website URLs aren't encrypted but doesn't classify this as "critical data." But URLs for websites contain a lot of critical information. The knowledge of your access to different software and applications would be hugely valuable to threat actors. They might then create targeted phishing emails.
- In the statement, LastPass states that "it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices." This lays the foundation for blaming the clients. LastPass should be aware that the master passwords of at least some of its users will be cracked. However, it blames clients for not following its "best practices".
Overall, while there are still blind spots users are trying to make sense of in this security incident, make sure that you stay up to date on this issue. Also, make sure you have the proper security and training measures in place to prevent your sensitive information from being stolen.
The Infiniwiz technical team in the Chicagoland area takes a proactive approach to your cybersecurity. We set up the proper IT protocols and help you implement the employee procedures to keep your data and network safe from online hackers. However, make sure to do your part in staying alert. If you have any more questions, feel free to contact us!