Following news that hackers have stolen encrypted backups from the parent company of popular password manager LastPass, we look at what password managers are, plus the implications of the attack for businesses.
We are all used to using passwords but without extra measures (eg: 2FA) they are now recognised as having security limitations as well as others.
For example, drawbacks of relying on passwords include:
- Human difficulty in remembering strong, unique passwords for multiple accounts.
- Vulnerability to password reuse and weak password creation.
- Increased risk of password-related data breaches.
The risks of using passwords include:
- Password cracking through brute-force attacks, dictionary attacks, or social engineering techniques.
- Phishing scams that can trick users into revealing their passwords.
- Data breaches that expose passwords stored in unencrypted or poorly protected databases.
- Password reuse across multiple accounts, which can increase the damage from a single data breach.
What Are Password Managers And Why Use Them?
Password managers are software apps, typically installed as browser plug-ins, that securely store and manage passwords, credit card information, and other sensitive data. Some are free versions while others offer monthly subscription accounts. They allow users to generate strong and unique passwords for each account, automatically log in to websites, and fill out forms with a single click or keyboard shortcut. The data is encrypted and protected with a master password, providing an additional layer of security to the user’s online accounts.
Password managers, therefore, provide users with a fast, practical, and (perhaps until now) trusted way to log in to websites, platforms, apps, and other access gateways, and to mitigate some of the risks of using passwords. Even when using password managers, however, it is always important to follow best practices for password security, such as using strong, unique passwords and enabling two-factor authentication when available.
What Is LastPass?
LastPass, owned by GoTo (previously owned by LogMeIn) is perhaps the most popular password manager. There are, however, many different password managers available, such as Google Password Manager, Microsoft Authenticator, Dashline, Sticky Password, Password Boss, Keeper (good for cross-platform uses), 1Password, LogMeOnce and others.
There are also password vaults in other programs and CRMs that act as password managers, such as Zoho Vault, and Digital Vault. Google’s Chrome browser has a password manager to help to stop people from using weak passwords by suggesting combinations of characters that may be more secure. Microsoft’s Authenticator app can manage passwords for both Edge and Chrome.
What Happened To LastPass?
On January 23, GoTo, the parent company of LastPass, gave an update of a “security incident” that it first reported in November 2022. The original “security incident” though is understood to have taken place in August 2022.
The update, following an investigation of the incident (a hack) stated that “a threat actor” had obtained “encrypted backups from a third-party cloud storage service” relating to its Central, Pro, join.me, Hamachi, and RemotelyAnywhere products. GoTo also reported that it had evidence that the threat actor had also obtained an encryption key for a portion of the encrypted backups. An encryption key is a code used to encrypt and decrypt data, i.e. the data’s unreadable to anyone without the key.
What Have GotTo and LastPass Said?
November 2022 reports about the hack on GoTo say that it took place in the third-party cloud storage service that is currently shared by both GoTo and its affiliate, LastPass.
Reports from the LastPass blog in December 2022 say that the “threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022”. LastPass says that while no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from its development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt “some storage volumes within the cloud-based storage service”.
What Was Taken?
According to LastPass, once the threat actor obtained the cloud storage access key and dual storage container decryption keys, they copied basic customer account information and related metadata from backup which included company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
The threat actor is also known to have taken a copy of a backup of customer vault data from the encrypted storage container. This contained both unencrypted data, such as website URLs, as well as fully encrypted fields such as website usernames and passwords, secure notes, and form-filled data.
What Was Not Taken?
LastPass has assured users that there is no evidence that any unencrypted credit card data was accessed, and that the copy of the encrypted fields that were taken “remain secured with 256-bit AES encryption” and that they can only be decrypted with a unique encryption key derived from each user’s master password using LastPass’s ‘Zero Knowledge architecture’. Also, LastPass has reminded users that the master password is never known to LastPass and is not stored or maintained by LastPass.
What Is LastPass Doing About It?
LastPass says that in response to the August 2022 incident it has:
- Decommissioned the development environment and rebuilt a new one from scratch to eradicate any further potential access, and replaced and hardened developer machines, processes, and authentication mechanisms.
- Added more logging and alerting capabilities to help detect any further unauthorised activity, and implemented a new, fully dedicated set of LastPass development and production environments.
In response to the most recent incident LastPass says it has:
- Started rotating all relevant credentials and certificates that may have been affected and supplementing existing endpoint security.
- Performed an analysis of every account with signs of any suspicious activity within the cloud storage service and added additional safeguards.
- Analysed all data within the environment to understand exactly what the threat actor accessed.
LastPass has already notified affected business customers (3% of its total business customers) and recommended actions they should take.
What Should Customers Do?
LastPass says that business customers who haven’t already been contacted needn’t take any recommended actions at this time.
However, LastPass has issued the general advice to customers to make use of its password default settings whereby it says, “it would take millions of years to guess your master password using generally-available password-cracking technology.” Also, LastPass had advised customers against reusing their master password on other websites (password sharing).
What Are The Risks?
Following the LastPass hack, there are several potential security risks to customers, such as:
- The hacker could use brute force attempts (software) to guess master passwords. If the hacker obtains the master passwords to the stolen data encryption vaults, they may be able to decode the data.
- The unencrypted data that was taken could now lead to customers being targeted with phishing attacks, credential stuffing or other brute force attacks against online accounts associated with the LastPass vaults.
What Does This Mean For Your Business?
LastPass is a popular, market leading password manager, used and trusted by many businesses. It is likely, therefore, to be a shock to many that there’s been (another) security incident whereby hackers have been able to steal customer data from a company that is supposed to be in the business of protecting very sensitive customer data.
It’s so serious in fact that customers’ data encryption vaults have been taken, and this could mean that despite the communication from LastPass about the hack, that business customer confidence in the service and LastPass’s brand could be hugely damaged by this incident.
Also, the theft of the other data could mean that business customers are now more at risk of being targeted by social engineering or phishing attacks, credential stuffing, or other brute force attacks. The data could also be sold to many other attackers, leading to increased risks going forward and the need to invest more time and money on taking extra security measures.
By Mike Knight