If you have a LastPass account, which you use to store login information and passwords, or you previously had one that you did not delete, your password vault might be in hackers’ hands. Read on to learn more about the story.
LastPass recently revealed that cybercriminals stole customer vault data after gaining unauthorized access to its cloud storage earlier this year, using information stolen during an August 2022 incident.
The story follows a previous update in which Karim Toubba, the company’s CEO, announced that the threat actors had accessed “certain elements” of customer information. Toubba has since added that LastPass used the cloud service to store archived backups of production data.
How the Attack Took Place
The attackers stole the “dual storage container decryption keys and cloud storage access key” from its developer environment and gained access to LastPass’ cloud storage.
“The hackers copied information from the backup containing basic customer account information. Then, they linked metadata including end-user names, company names, billing addresses, telephone numbers, email addresses, and the IP addresses the customers used for accessing the LastPass service,” Toubba said.
The attackers also copied a customer vault data backup from the encrypted storage container. LastPass stored it in a proprietary binary format containing unencrypted data (such as website URLs) and fully encrypted sensitive fields (like website usernames and passwords, form-filled data, and secure notes).
Some of the Stolen Data is “Safely Encrypted”
Fortunately, the company says that the encrypted data is secured with 256-bit AES encryption, and decrypting it requires a unique encryption key linked to each user’s master password. According to Toubba, LastPass does not store or maintain the master password on its systems, so the user’s master password is unknown to LastPass.
The password manager giant warned the customers that cybercriminals would try to brute-force the master passwords to gain access to the encrypted vault data. However, if the customers follow the LastPass recommended password best practices, the brute-forcing attempts will become time-consuming and challenging for the attackers.
If you follow the password best practices, “it will take millions of years for attackers to guess your master password using the common password-cracking technology,” Toubba added. “Furthermore, your sensitive vault data, like usernames and passwords, secure notes, form-fill fields, and attachments, remain safely encrypted through LastPass’ Zero Knowledge architecture.”
Users’ Safety is in their Hands
It is worth noting that a brute-force attack’s chance of guessing the master password is inversely proportional to the password’s strength: the easier the master password is to guess, the fewer attempts the hackers need to crack it. “If you reuse the master password and it was compromised, a threat actor will use numerous compromised credentials that are readily available on the internet to attempt unauthorized access to your account,” LastPass cautioned.
The fact that website URLs were in plaintext signifies that a successful master password decryption could give the attackers a sense of all the websites a user holds accounts with, enabling them to mount more credential theft or phishing attacks.
LastPass: Taking Immediate Steps to Control the Breach
LastPass warned its customers that threat actors could use the data for phishing attacks or credential stuffing (using the stolen data to try logging into other unrelated services). LastPass informed its customers that it never calls, texts, or emails its customers asking them to click on a link to verify personal data.
The company notified regulatory and law enforcement authorities about the incident, “taking extreme cautionary measures.” It also added new security measures for detecting any future unauthorized activity.
How to Protect Against Such Brute Force Attacks
A brute-force attack uses trial and error to guess login information and encryption keys or to locate a hidden web page. The attacker works through every possible combination, hoping to hit the correct password. The name comes from the method itself: rather than exploiting a flaw, the attacker relies on sheer volume of attempts to force their way into the private account(s).
Although an old attack method, it is still popular with hackers and still effective. Cracking a password can take a few seconds or many years depending on its length and complexity, so the time an attacker needs is the crucial factor.
Hence, your goal must be to make your password slow down brute-force attempts: if it takes too long, most cybercriminals will give up and move on. Here are a few ways users can strengthen their passwords against brute-force attacks:
- Longer passwords with various characters: When possible, users should choose a password of at least 10 characters that includes symbols or numerals. That creates 1.71 x 10^20 (171.3 quintillion) possibilities. If an attacker uses a GPU that attempts 10.3 billion hashes per second, it will take approximately 526 years to crack the password, although a supercomputer could crack it within a few weeks. By the same logic, every additional character makes the password harder still to crack. Changing passwords regularly and avoiding the most common passwords is also crucial.
- Use unique passwords for different websites: You can avoid becoming a credential-stuffing victim by never reusing a password. If you wish to upgrade your account security further, choose different usernames for every website. That way, a breach of one site does not put your other accounts at risk.
- Use Multi-Factor Authentication: The good news is that accounts protected with multi-factor authentication are difficult for cybercriminals to access without the second factor (like a phone pop-up or an emailed or texted code). It therefore becomes essential to secure the accounts that deliver the second factor first, such as your cell phone plan or email accounts.
Two Breaches in a Single Year
The recent cloud storage breach is the second incident that LastPass disclosed since the start of the year. It comes after the company confirmed in August that attackers breached its developer environment using a compromised developer account.
LastPass published the August advisory after BleepingComputer reached out to the company about a possible breach and received no response to its queries.
LastPass sent emails to the customers confirming that the cybercriminals stole proprietary source code and technical information from its systems. In another update, LastPass also revealed that the cybercriminals behind the August breach maintained unauthorized access to its systems for four days. LastPass mentions that over 100,000 businesses and 33 million people worldwide use its password management software.
Final Words
Password managers are gaining popularity as a good way to store passwords, which should be long, unique, and complex for each website or service. But incidents like this one remind us that not all password managers are created equal, and each can be compromised or attacked in different ways. Since everyone’s threat model is different, one person’s requirements will not be exactly the same as another’s.
The best thing a LastPass customer can do is change their current LastPass master password to a unique and new password (or passphrase) that they write down and keep in a safe place. It means that their existing LastPass vault is secure.