4th January 2023
LastPass had a terrible 2022. The maker of one of the most popular password management tools suffered a security breach, which they disclosed in a bulletin that had to be continually updated over the following four months as more details were discovered.
LastPass works by generating, encrypting, and decrypting passwords locally. The encrypted password ‘vault’ – secured by a key derived from the customer’s chosen master password – is stored in the cloud.
They released a blog post on August 25th 2022 claiming that “we have seen no evidence that this incident involved any access to customer data or encrypted password vaults” and that only a development environment had been accessed, through a single account.
They published an update on September 15th 2022 stating that the investigation conducted by Mandiant had concluded, and they stuck to the line that “controls prevented the threat actor from accessing any customer data or encrypted password vaults.”
On November 30th 2022 they admitted that their third-party cloud storage provider was breached in the incident.
Then on December 22nd 2022 LastPass admitted that a copy of a backup of customer vault data was stolen in the breach.
LastPass is currently advising all customers that the vaults are encrypted with 256-bit AES and can only be decrypted with a unique encryption key derived from the user’s master password. LastPass claims that the master password is “never known to LastPass and is not stored or maintained by LastPass”. The default master password settings and best practices should ensure that “it would take millions of years to guess your master password”.
LastPass advises that if you are using the default master password settings and are following best practices, including never reusing your master password anywhere else, then “there are no recommended actions that you need to take at this time”. However, if you are not using the defaults or are using the master password elsewhere, then you should change the passwords for every asset stored in LastPass.
LastPass admits in their blog post that this is still an “ongoing investigation”. We don’t know if the situation will get worse. At the moment there is no news of any LastPass customers suffering breaches related to cracked vaults, but that doesn’t mean it won’t happen.
If you are a LastPass customer it may be time to change all of your passwords. Spotit is currently evaluating alternative password managers and will communicate our findings in the next update.
All for now!
James @ spotit