Back in August, LastPass was pwned by hackers. At the time the company said this:
Earlier this week, LastPass started notifying its users of a “recent security incident” where an “unauthorized party” used a compromised developer account to access parts of its password manager’s source code and “some proprietary LastPass technical information.” In a letter to its users, the company’s CEO Karim Toubba explains that its investigation hasn’t turned up evidence that any user data or encrypted passwords were accessed.
It now turns out that this wasn’t the case as the company now admits that user data was accessed by the hackers who pwned them:
We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.
We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.
We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around setup and configuration of LastPass, which can be found here.
Well, that’s not good. And it highlights why entrusting your passwords to a third party may not be a good idea. While I do use a password manager and do my best to practice good password hygiene, I don’t entrust my passwords to a third party. Instead the password file is encrypted and stored on my NAS at home, or on some cloud provider so that I can get access to it on the road as well as sync it with all my devices. If one of those cloud providers gets pwned, all they will get is an encrypted file that they can’t do anything with.
In any case, LastPass needs to be completely transparent about what happened here and how much it affects end users as that’s the only way they will maintain the trust of their customer base.
UPDATE: Yoav Iellin, Senior Researcher, Silverfort offers this advice:
“Given the vast amount of passwords it protects globally, Lastpass remains a big target.
The company has admitted the threat actor gained access using information obtained in the previous compromise. Exactly what this information is remains unclear but, typically, It’s best practice after suffering a breach for the organization to generate new access keys and replace other compromised credentials. This ensures things like cloud storage and backup access keys cannot be reused.
For worried users, ensure you watch out for updates from the company and take time to verify these are legitimate before taking any action. In addition, ensuring you have two-factor authentication on any applications with passwords in LastPass and changing passwords will provide the utmost level of security. “
UPDATE #2: Chad McDonald, Chief of Staff and CISO, Radiant Logic provides this comment:
“We’ve seen today another hack of the credential wallet vendor, LastPass which isn’t at all surprising. This isn’t an indictment of LastPass by any means, rather a criticism of the underlying problem that has driven vendors like LastPass to be very successful and effectively a staple both for home users and the enterprise. Any software, given enough time and effort, is crackable or hackable, and LastPass is certainly no exception. While LastPass’s Zero Knowledge strategy with regard to password encryption seems to have kept the attackers from accessing passwords, this didn’t keep them from apparently accessing source code. Attackers will always find a way to defeat security controls–always. Technology practitioners will work to harden code, applications and networks, but in the end given time and resources the attackers will get in.
One of the problems I see with simply continuing to harden the IT stack is that it fundamentally doesn’t acknowledge what is driving ongoing reliance on password wallets for so many people. IT sprawl and more specifically identity sprawl have driven most of us mad with the number of credentials we need to manage simply to get through our personal and professional lives everyday. Assuming we’re trying to be good netizens, we’ll also try to juggle complex passwords and potentially multi-factor authentication. This additional complexity exacerbates the identity problem. We’re effectively left with no choice other than to archive our credentials in a wallet like LastPass or god forbid a notebook somewhere. (Please tell me you aren’t keeping your passwords on the bottom of your keyboard.).
On a personal level, it isn’t realistic to expect a home user to implement an IAM strategy. The enterprise, however, should have an IAM strategy that limits identity sprawl, provides adequate credential security, and limits the need for its users to manage countless sets of credentials in the workplace. Corporations really do themselves and their users a disservice when they continue to push down responsibility for broad credential management to staff. It’s really a recipe for disaster. Consolidation, protection, and effective management of identities and credentials by the enterprise drives internal productivity, deflects Helpdesk calls, and reduces friction on staff that should be focused on their core responsibilities, rather than tracking down their 14th set of credentials and a 20 character password to log in to the CRM system.
While LastPass was the latest victim here, it won’t be the last. I expect that the organization will recover quickly and again work to harden processes and code, but I think the enterprise should do its part as well. Let’s focus on our own IAM strategies so that we can ideally be a bit less reliant on credential wallets in the first place.”