The LastPass hack saga just keeps getting worse

Posted:
in General Discussion
Following a data breach disclosure that has stretched on for months, LastPass says the same attacker hacked an employee's computer and stole a decrypted password vault.

LastPass security incident
LastPass security incident


The company reported a security incident in August 2022, saying an unauthorized party gained access to a third-party cloud-based storage service that LastPass uses to store archived backups. Some customer data was accessed, but LastPass said passwords remained safe due to its encrypted architecture.

Now, in a report on Tuesday, the company said that the same attacker had hacked an employee's home computer and stole a decrypted vault available to only a handful of company developers. The vault gave access to a shared cloud-storage environment containing encryption keys for customer vault backups stored in Amazon S3 buckets.

"This was accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware," LastPass wrote. "The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault."

According to Monday's report, the first event's tactics, techniques, and processes were distinct from those utilized in the second incident. As a result, it wasn't first apparent to investigators that the two were connected.

The hacker exploited the first event's data to exfiltrate the data kept in the S3 buckets during the second incident. Amazon had noticed "anomalous behavior" when the attacker tried to use Cloud Identity and Access Management (IAM) roles to perform the unauthorized activity and notified LastPass.

In December, LastPass CEO Karim Toubba said the hacker copied data from backups that included customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses.

The hacker also created a copy of customer vault data, though LastPass said it was "stored in a proprietary binary format." The company claims it would be highly unlikely that the hackers could decrypt the data, but warned users that they could be targeted by phishing or social engineering attacks.

Users should update their master password, which logs them into their vault, as well as their passwords for websites and other logins, as a precaution, even though LastPass claimed that customers' credentials were encrypted and safe. Additionally, people might switch to a different password manager, such as iCloud Keychain, Bitwarden, or 1Password.

LastPass security

LastPass asserted that it would take millions of years to decipher a user's master password, but a competitor believes that it will only take a fraction of that time and can be completed for just $100. In a blog post, 1Password's principle security architect, Jeffrey Goldberg wrote that LastPass wasn't doing enough to secure customer data.

"If you consider all possible 12-character passwords, there are something around 2^72 possibilities. It would take many millions of years to try them all. Indeed, it would take much longer," he writes. "But the people who crack human-created passwords don't do it that way. They set up their systems to try the most likely passwords first."

LastPass has already faced criticism for dubious security procedures. In December 2021, LastPass members reported multiple attempted logins using correct master passwords from various locations.

The company assured customers that attacks were a result of passwords leaked in third-party breaches. And in February 2021, a security researcher found seven trackers inside the LastPass Android app for app analytics.

Read on AppleInsider

Comments

  • Reply 1 of 16
    welshdogwelshdog Posts: 1,902member
    I'm not familiar with the details of IT security, programming, etc., but come on!. If you are tasked with keeping thousands of people's personal data safe, you don't let employees take anything outside the secure facilities. Doesn't matter who they are, how good they are or their position in the company - nothing ever leaves the building. Also, using third parties for any part of data storage is also irresponsible IMO. You can never know for sure a vendor is doing what they are supposed to or in what way they are going to screw up. Keep it all in house, locked down and triple secured in every way you can. This is an old doc, but you can get a good idea of how seriously Apple takes security even to the point of destroying the access cards for their hardware security modules used for iCloud: https://www.networkworld.com/article/2174973/apple-reveals-unprecedented-details-in-ios-security.html


    Last Pass is lazy, stupid or greedy - or all three.

    edited February 2023 Alex1Nwilliamlondonwatto_cobratwokatmew
  • Reply 2 of 16
    JP234 said:
    "This was accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware," LastPass wrote. "The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault."

    So a LastPass DevOps engineer let a third party malware package onto his personal computer. That right there tells you the whole story. The solution is to FIRE the engineer and escort him out the door. He's one or both of two things: incompetent or a mole. If the second, prosecute him as well. Then pay more attention to who has access to your IP.
    I don't see how that's going to help the victims. But boy am I glad I never used their services.
    Alex1Nwilliamlondonwatto_cobraJP234
  • Reply 3 of 16
    "Don't put your passwords on another man's computer."

    Etch that into your brain...

    Print them out from time to time... and backup your passwords doc on your computer every few weeks, my advice.


    Alex1Nwatto_cobrawelshdogtwokatmew
  • Reply 4 of 16
    welshdogwelshdog Posts: 1,902member
    stevenoz said:
    "Don't put your passwords on another man's computer."

    Etch that into your brain...

    Print them out from time to time... and backup your passwords doc on your computer every few weeks, my advice.



    I use Enpass which allows me to keep all data on my computer - no cloud connection and WiFi sync to my other devices. I block it's outgoing connections via Little Snitch. I keep a backup in a safe deposit box. I certainly hope Apple and others keep pushing for their passwordless secutity methods going forward. Assuming such schemes will actually maintain security.
    twokatmewwatto_cobra
  • Reply 5 of 16
    chasmchasm Posts: 3,368member
    Passkeys will make passwords a thing of the past, and it can’t get rolled out to every website too soon.
    welshdoglolliverwilliamlondonwatto_cobra
  • Reply 6 of 16
    twokatmewtwokatmew Posts: 48unconfirmed, member
     I tried LastPass briefly, but I quickly moved on to Bitwarden. So far so good. 🤞🏻
    watto_cobra
  • Reply 7 of 16
    "This was accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware," LastPass wrote. "The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault."

    Sounds phishy ;)

    But, seriously, it sounds like their security protocols are in desperate need of an audit. 

    I would not trust any 3rd party with my secrets unless they had significant a$$ets to lose through negligence/malfeasance.
    watto_cobra
  • Reply 8 of 16
    XedXed Posts: 2,657member
    stevenoz said:
    "Don't put your passwords on another man's computer."

    Etch that into your brain...

    Print them out from time to time... and backup your passwords doc on your computer every few weeks, my advice.
    Bette than nothing but an extremely outmoded and rudimentary system for protecting your accounts with unique and very long passwords. You can't use 2FA authenticator service with a word doc which just exposes you even more.
    watto_cobra
  • Reply 9 of 16
    dewmedewme Posts: 5,469member
    This is a massive InfoSec failure by LastPass. Allowing any employee, much less one involved with DevOps with access to sensitive corporate assets like source code and customer data, to maintain corporate assets on a personally owned and unmanaged computer is so far beyond stupid. There is simply no excuse to justify this behavior for a company in this line of business. It’s like allowing workers at a fireworks of munitions factory to smoke on the job.

    I cannot see any way for LastPass to reestablish any level of trust with their customers. The information that LastPass was trusted with securing is exactly the same as the money and safe deposit box contents that you trust your bank with securing. Would anyone trust a bank that allowed its employees to bring the money from the vault and contents of the safe deposit boxes home with them every night?

     LastPass should simply not be in this line of business. They failed in the worst possible way. Anyone continuing as a LastPass customer needs to seek professional help. And a lawyer.
    edited March 2023 muthuk_vanalingamwilliamlondonwatto_cobra
  • Reply 10 of 16
    uraharaurahara Posts: 733member
    twokatmew said:
     I tried LastPass briefly, but I quickly moved on to Bitwarden. So far so good. 🤞🏻
    I used LastPass for a few years. Great service and convenience. 
  • Reply 11 of 16
    lkrupplkrupp Posts: 10,557member
    Makes me wonder about other password vaults like 1Password
    williamlondonwatto_cobra
  • Reply 12 of 16
    XedXed Posts: 2,657member
    lkrupp said:
    Makes me wonder about other password vaults like 1Password
    1P and others with a Secret Key aren’t susceptible to server breaches of customer data. If you aren’t aware, the Secret Key is a 3rd qualifier for un-encrypting your vault (username, password, and secret key, which is crated locally on your device and not ever stored by 1Password.
    watto_cobra
  • Reply 13 of 16
    XedXed Posts: 2,657member
    Rather, the same kind of server breaches. Your encrypted vaults can still be stolen.
    watto_cobra
  • Reply 14 of 16
    profprof Posts: 84member
    Xed said:
    Rather, the same kind of server breaches. Your encrypted vaults can still be stolen.
    Well, 1P might be all so slightly more clever in how they're approaching security. The problem still remains that they're forcing users (err, customers rather) to store their vaults in the cloud and thus make them uneccessarily susceptible to a number of possible attack vectors. Cloud and security/data privacy don't mix and never will; anyone who claims otherwise just shows that they have no f'ing clue (or worse: don't care). 
  • Reply 15 of 16
    XedXed Posts: 2,657member
    prof said:
    Xed said:
    Rather, the same kind of server breaches. Your encrypted vaults can still be stolen.
    Well, 1P might be all so slightly more clever in how they're approaching security. The problem still remains that they're forcing users (err, customers rather) to store their vaults in the cloud and thus make them uneccessarily susceptible to a number of possible attack vectors. Cloud and security/data privacy don't mix and never will; anyone who claims otherwise just shows that they have no f'ing clue (or worse: don't care). 
    It's not a problem. You don't have to use their online service if you don't want.

Sign In or Register to comment.