LastPass is a popular password manager that was heralded for their security model when it was a small startup. The allure was convenience coupled with security. Unique, random passwords were easily generated for every website a user visited and could seamlessly sync across devices. The password “vaults” that stored the passwords used an encryption model that made it impossible for LastPass or anyone else to access the contents.
Back in August, LastPass notified users of a security breach that impacted their development environment, but said they did not believe any user data had been compromised. Yesterday they quietly updated their blog post on the incident and indicated that this was in fact a catastrophic breach. The bad news was buried several paragraphs into the narrative:
“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”
LastPass tried to soften the blow by touting how secure their model is, but having what appears to be the entirety of their customers’ vault data in the hands of a threat actor is not a good thing.
No doubt heavily resourced governments will want to get their hands on these vaults to look for vulnerabilities. It also appears from the notice that the email addresses and website URLs associated with these vaults were not encrypted, making it easy to identify a vault’s owner and which services have credentials stored in it. And because the master password for most users is something easily remembered, it’s not out of the realm of possibility that many vaults could be unlocked with off-the-shelf GPUs in a matter of days.
But worse is that this data is now out there floating around. Even if the security model is secure today, that doesn’t mean it will be secure tomorrow. Encrypted data from the 1990s can now very easily be cracked even on a relatively cheap laptop. Patient threat actors will have a treasure trove of data to look at, and the steady increase in computing power will keep reducing the time it takes to crack open these vaults.
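To make the cost argument above concrete, here is an added example (not code from the post, and not LastPass’s actual scheme) that models offline master-password guessing the way a defender would when deciding how long a master password should be and how high a KDF work factor to set. The guess rate, iteration count, salt and key-derivation call are all assumed placeholders: a generic PBKDF2-HMAC-SHA256 derivation stands in for whatever a real vault uses, and the figures are illustrative, not measured.

```python
import hashlib
import math

# Assumed figures for illustration only. They are NOT LastPass's parameters and
# NOT measured benchmarks; substitute your own when modelling a real deployment.
ASSUMED_HMAC_SHA256_PER_SECOND = 1e9   # raw HMAC throughput of one hypothetical GPU
ASSUMED_KDF_ITERATIONS = 100_000       # PBKDF2 work factor protecting the vault key


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Generic PBKDF2-HMAC-SHA256: turn a master password into a 256-bit vault key.

    Every guess at the master password has to repeat this whole loop, so once the
    ciphertext is out of the defender's hands the iteration count (and the entropy
    of the password itself) are the only things still protecting the vault.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a secret chosen uniformly from alphabet_size ** length."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """On average an attacker has to try half the keyspace before finding the secret."""
    return 2.0 ** (bits - 1)


def guesses_per_second(hmac_per_second: float, iterations: int) -> float:
    """Each PBKDF2 guess costs `iterations` HMAC evaluations, so the work factor
    divides the raw hash rate. This ignores per-guess overhead, which only makes
    the estimate more conservative for the attacker."""
    return hmac_per_second / iterations


def expected_seconds(bits: float, hmac_per_second: float, iterations: int) -> float:
    """Expected wall-clock time to recover a secret of the given entropy."""
    return expected_guesses(bits) / guesses_per_second(hmac_per_second, iterations)


# Constructed password profiles: (alphabet size, length).
PROFILES = {
    "8 lowercase letters": (26, 8),
    "10 mixed-case letters and digits": (62, 10),
    "6-word diceware passphrase": (7776, 6),
}


def expected_days_by_profile(
    hmac_per_second: float = ASSUMED_HMAC_SHA256_PER_SECOND,
    iterations: int = ASSUMED_KDF_ITERATIONS,
) -> dict:
    """Expected days to recover each profile under the assumed attacker model."""
    return {
        name: expected_seconds(keyspace_bits(alphabet, length), hmac_per_second, iterations) / 86400
        for name, (alphabet, length) in PROFILES.items()
    }


if __name__ == "__main__":
    # Constructed salt; a real system would use a per-user value.
    key = derive_vault_key("correct horse battery staple", b"constructed-salt", 1_000)
    print("derived key:", key.hex())
    for name, days in expected_days_by_profile().items():
        print(f"{name:35s} ~{days:,.1f} days")
    # Doubling the work factor doubles every row; lengthening the password
    # multiplies it by the alphabet size per extra character.
```

The useful takeaway for a defender is the shape of the table rather than any single number: raising the KDF work factor buys a linear improvement, while each extra character of a random master password buys a multiplicative one, which is why a long passphrase is the cheapest way to move a vault out of the "days" column.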
In the short term the biggest threat for most users will be phishing attacks. This is because the website URLs stored in the vault were not encrypted, so a threat actor will know, for example, that a particular user has an account at a particular financial institution. If you are or were a LastPass user you should be vigilant about clicking on links for services you visit frequently.
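Since the practical advice here is "be careful with links for the services you use", here is an added example (not from the post) of the check a cautious user or a mail-filtering rule could apply before following a link: compare the link’s registrable domain against a constructed allowlist of services the person actually has accounts with, and flag the common tricks of putting the real brand somewhere else in the URL (a subdomain of an unrelated host, or in the userinfo part before an `@`). The service names are constructed placeholders, and the registrable-domain logic is a deliberate simplification.

```python
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains of services this user has accounts with.
KNOWN_SERVICES = {"examplebank.example", "examplemail.example"}


def registrable_domain(hostname: str) -> str:
    """Simplification: treat the last two labels as the registrable domain.

    A production checker should consult the Public Suffix List so that
    hosts under suffixes like co.uk are handled correctly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return one of: trusted, insecure, lookalike, unknown.

    trusted   - https link whose registrable domain is on the allowlist
    insecure  - anything not served over https
    lookalike - a known brand name appears in the host or userinfo but the
                registrable domain is not the real one, or the host uses
                punycode (possible homoglyph) labels
    unknown   - none of the above; not necessarily malicious, just unvetted
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if not host:
        return "unknown"
    if parts.scheme != "https":
        return "insecure"
    if registrable_domain(host) in KNOWN_SERVICES:
        return "trusted"
    # Punycode labels can hide visually identical lookalike domains.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    # netloc keeps any userinfo, so "brand.example@evil.test" is caught here.
    netloc = parts.netloc.lower()
    for service in KNOWN_SERVICES:
        brand = service.split(".")[0]
        if brand in netloc:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the patterns the check is meant to catch.
    for link in [
        "https://www.examplebank.example/login",
        "https://examplebank.example.login-verify.test/",
        "https://examplebank.example@evil.test/",
        "http://www.examplebank.example/",
        "https://unrelated.test/",
    ]:
        print(f"{classify_link(link):9s} {link}")
```

Anything that does not come back `trusted` is a reason to type the service’s address by hand rather than follow the link, which is the behaviour the advice above is asking for.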
What infuriates me is that they haven’t pushed out any notice to their customers beyond this quiet update of their blog yesterday. Their press department is not responding to inquiries either.
UPDATE: A few folks who follow my Facebook page received an email from LastPass yesterday, but I did not. Those who did get a communication didn’t receive much other than a request to visit the blog. They should have disclosed a lot more here:
As for me, I spent last night changing passwords and transitioning over to Bitwarden. LastPass has lost my trust – not only because of this hack but also because of how poorly they are communicating with users.