LastPass has admitted that the attack it suffered in August 2022 was more serious than it initially believed. The company has confirmed that the attackers, who remain unidentified, got hold of users' password vaults by copying the encrypted files that contain them.
This was disclosed in an update issued on December 22, which sets out the steps users of the platform should take after the attack. In it, the company explains that "some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service."
Those credentials allowed the attackers to copy information "containing basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service."
The update also reveals that the attackers copied data from "customer vaults", the files in which LastPass customers store their passwords for other services. That data is "stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data." The URLs, in other words, are readable straight from the stolen file; only the sensitive fields are protected.
This means the attackers now hold copies of users' passwords, though only in encrypted form: the fields are protected by "256-bit AES encryption" and "can only be decrypted with a unique encryption key derived from each user's master password." That key is not stored in the vault, so the stolen file alone is not enough. What stands between the attackers and its contents is the strength of each user's master password and the cost of deriving a key from every guess.
LastPass's advice is that, even though the attackers have the file, customers who use its default settings do not need to do anything, because "it would take millions of years to guess your master password using generally-available password-cracking technology." The attack is an offline one: each candidate master password has to be run through the key-derivation function and the resulting key tested against the vault. Once a guess succeeds, however, that key decrypts every encrypted field in the vault at once; the individual site passwords do not have to be cracked separately, so everything rests on the master password never being guessed.
The defaults LastPass refers to are a master password that is complex and is not reused anywhere else, since it is the input from which the vault's unique key is derived. The service asks customers to choose such a password and to use it for LastPass alone.
For business and individual users alike, the company adds a warning: "if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored." In that situation, changing the master password is not enough on its own: the stolen copy of the vault remains encrypted under the old, weaker master password, so every password stored in the LastPass vault should be changed as well.
For its part, the company says it has decommissioned the systems affected by the August 2022 breach and built new infrastructure that adds further protections, beyond those it already had, against this type of attack.