LastPass Shares Details of Connected Security Breaches

Originally published at: LastPass Shares Details of Connected Security Breaches - TidBITS

Password management service LastPass announced that attackers stole unencrypted customer account data and encrypted usernames and passwords. This is a terrible, horrible, no good, very bad thing for LastPass, though LastPass users shouldn’t be at significant risk—as long as they heeded the company’s advice and have strong master passwords.

1 Like

[Bringing these two posts in from another thread to centralize discussion. -Adam]

More bad news for LastPass users:

Ars Technica: Password manager says breach it disclosed in August was much worse than thought.

The gist of the article (if I’m reading it correctly): the breach last August that LastPass said was limited to source code of the app, wasn’t. The hackers also got a backup of customer vault data; some of it encrypted, some of it not.

I’d recommend anyone using LastPass take a look at this article.

1 Like

As a long time LastPass user, this is definitely startling. LP did send a link to their blog post on the matter (quoted in the Ars article above) in an email to (presumably) all its customers. On the downside, the unencrypted data included a lot of personally identifying information, including “…company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

On the upside (if there is one), the sensitive information stolen was encrypted, including “…website usernames and passwords, secure notes, and form-filled data.” They also added “There is no evidence that any unencrypted credit card data was accessed.”

So since I have a strong master password, I’m not too concerned about the bad actors force-decrypting my data (I’m not worth the considerable effort and cost to do so). But this isn’t the first breach LP has suffered, and as that sage Gomer Pyle used to say, “Fool me once, shame on you; fool me twice, shame on me.”

I have canceled auto-renewal on my subscription, and will certainly be looking at alternatives before it’s time to renew.

3 Likes

I don’t follow this topic closely, but it’s my impression that LastPass has suffered several security breaches now while other password managers haven’t. Have I simply run across more articles about LastPass and missed mentions about other password managers, or have LastPass’s systems been compromised more often than its competitors’? If it’s the latter case, is that because LastPass is a tempting target due to its size or popularity, or is it because LastPass isn’t doing a great job at securing its systems (compared to its competitors)? Or is it because of some other reason?

I commend LastPass for being transparent about the breaches, but I’m sure the company and its users would prefer not having any incidents that needed reporting in the first place.

As I understand, LastPass has reported three breaches this year, but all three seem to be rooted in the first breach.

Perhaps they could have taken steps after the first one to have avoided the second two; I don’t know.

There was only one breach this year, but LastPass has provided two updates since the initial report.

Wikipedia has a list of security issues LastPass has experienced over the last twelve years.

1 Like

I’d count it as two breaches. One in August 2022 that captured some developer information and credentials and a second one in November 2022 that leveraged the previously stolen information to access the backup vault.

If you read down in what you linked, you’ll see that each time, they announced the incident and then followed up later with details on how they responded—there are four separate updates in that post.

1 Like

Unfortunately, they say that website URLs were not encrypted in the stolen data. This means it will be easy for bad guys to find high-value targets.

OTOH, how do we know for sure that other password managers have not kept quiet about similar breaches?

Also it means that the thief has a reliable list of email addresses (which may as well be identities these days) and a list of businesses and organizations with which that identity has an account. Even without the passwords this is a privacy nightmare. I can’t imagine what legitimate reason LastPass had to not encrypt the entire login; the only reason the thief could steal it is because LastPass was holding it (how do you not wonder if they were planning to sell this enormously valuable marketing data?), and I would be leaving them immediately for that reason alone if I were a customer.

2 Likes

Not encrypting the URLs is another black mark on LP’s framework, for sure. But using them to identify high-value targets? Maybe, if there was some particularly enticing site known to attract only high-rollers. But in my case, that’s not an issue. 🙂

1 Like

Just finding banking URLs with their user IDs (email addresses) and the phone number - often used for password recovery text messages, perhaps by some banks or financial institutions - some thievery might not require the password being decrypted at all.

1 Like

If you work for the spam/scam/malware industry in some third world country, any “rich American” is a high value target.

1 Like

All 350 million of us? 🙂

My guess would be only those who receive spam.

I often put confidential stuff in the LastPass Notes field. Is that also not encrypted? Shudder.

What I would like to know is whether other password managers have this same flaw or not. There’s a lot of technical info on the website for 1Password, but I did not find a clear statement of exactly which data is encrypted.

Oh, good question! That is not addressed specifically in the LP blog article on the incident. They reference “Secure Notes,” but that’s a different feature altogether from the “Notes” section of a web site password card, which is what I’m assuming you’re referring to.

This kind of justifies my hesitancy to use a password manager, or something like LifeLock. Why let someone else know your passwords and other personal information? What is preventing the password manager uploading all your passwords to their own servers? I do use Safari’s password vault, but only for meaningless webpages that have nothing important on them anyway. I kind of came up with my own encryption algorithm to generate passwords, and I store only the keys in a Notes folder. Never stored CC numbers on websites. When the federal OPM (Office of Personnel Management) had a hack, everybody got something like LifeLock for free. The only thing I have learned from that is how many registered sex offenders are within a couple of miles from me and when a new one moves in, and that my common e-mail address is on the dark web (whose isn’t?). I also stopped using Grammatic, not knowing how they treated text in password boxes.

I worked for the AF as a civilian, never used MySpace, but was shocked (well, not really) when an official memo came down the pike telling AF members not to discuss anything related to their service stuff, like none of it, on their MySpace page. I thought DUH! Some of these guys and gals probably had more security training than I was forced to take. Evidently there were some fighter pilots that had posted photos of cockpits, them with their bird, etc., but we all know fighter pilots often have HUGE egos.

1 Like

Here’s another interpretation of the event(s):

“LastPass is trying to present the August 2022 incident and the data leak now as two separate events. But using information gained in the initial access in order to access more assets is actually a typical technique used by threat actors. It is called lateral movement.

“So the more correct interpretation of events is: we do not have a new breach now, LastPass rather failed to contain the August 2022 breach. And because of that failure people’s data is now gone. Yes, this interpretation is far less favorable of LastPass, which is why they likely try to avoid it.”

Source:

1 Like

Not sure if it still applies, but here is what 1Password said in 2013:

"@speedsonic Yes, notes (memos) are encrypted.

If you are using the old Agile Keychain format (syncing with Dropbox or Folder Sync), the only fields not encrypted are the title and the URL.

If you are using the new Cloud Keychain format (syncing with iCloud), all fields are encrypted."
https://1password.community/discussion/18509/memo-note-fields-are-encrypted

Since it costs nothing to send out 350M e-mails (especially if you’re sending it through a hacked/insecure/compromised mail server that somebody else is paying for), yes.

Those recipients using mail services with good spam filters won’t see it, but the senders don’t care.

1 Like