Time To Panic? LastPass Admits That Customer Password Vaults Were Stolen When It Got Pwned In August

The LastPass situation has become one of those “drip, drip, drip” situations where information is coming out one drip at a time. To recap the story, LastPass was pwned back in August with source code being stolen. At the time, the company said this:

In a letter to its users, the company’s CEO Karim Toubba explains that its investigation hasn’t turned up evidence that any user data or encrypted passwords were accessed.

Then a few months later, LastPass admitted that user data was accessed:

We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

That was bad. But what I am about to tell you is worse. LastPass CEO Karim Toubba posted this update on the company’s blog:

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms, please see here.

There is no evidence that any unencrypted credit card data was accessed. LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment.

That qualifies as worse. The threat actor may try to brute force their way into these vaults. Or they may use social engineering or phishing attacks to get access to these vaults. Thus LastPass users should be prepared for the worst and expect that attacks are inbound.

Given the fact that worse and worse information keeps coming out about this hack, I have to wonder if it is time to dump LastPass and move on to something more secure, as in local storage as opposed to cloud storage for your passwords. For example, I use eWallet and store my passwords in iCloud as well as my NAS. While the NAS is local, I admit that iCloud isn’t. But I would have more trust in Apple storing an encrypted file that they don’t have access to versus LastPass at this point, especially given they have been pwned before, though they deny this. The bottom line is that this is a very bad look for LastPass. And if you use or have used LastPass, you should consider changing every password you have, as they suggested in their latest disclosure, as well as watching out for attacks.

One Response to “Time To Panic? LastPass Admits That Customer Password Vaults Were Stolen When It Got Pwned In August”

  1. […] issues with LastPass and their habit of getting pwned and having customer data in the wild is a big deal as the data in question happen to be […]
