The attack LastPass suffered in August 2022 was worse than expected

LastPass, the best-known and possibly the most widely used password manager in the world, is not having a good time at all. The service was the victim of two known cyberattacks during 2022: one we reported last August and another we learned of at the start of December. Now the company has published an entry on its official blog saying that the August attack was worse than originally estimated.

Regarding the August cyberattack, LastPass explained at the time that a malicious actor had impersonated a developer after that developer had successfully authenticated through the multi-factor process. Once inside, the attacker obtained portions of the source code and some of the company's technical and proprietary information, but allegedly had not obtained master passwords, encrypted passwords, personal information or other data stored in customer accounts.

However, in the update it released yesterday, LastPass acknowledged that the attackers were able to access personal information and related metadata, including customer company names, end-user names, billing addresses, email addresses, phone numbers and IP addresses, and even obtained vault data containing unencrypted fields such as website URLs. Alongside these were encrypted fields such as website usernames and passwords, secure notes, and form-fill data.

Karim Toubba, CEO of LastPass, pointed out that the attackers have not been able to obtain the master key, because the service never knows, maintains or stores it; encryption and decryption of the data happen only locally in the client, since the password manager uses a zero-knowledge architecture. Other data that apparently has not been exposed is unencrypted credit card information, since it is stored in a different environment, one the attackers did not access.

Toubba went further, explaining that “the threat actor was also able to copy a backup copy of the client’s vault data from the encrypted storage container, which is stored in a proprietary binary format containing unencrypted data such as website URLs, as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

The theft of LastPass source code and proprietary technical information may have been related to another breach, this one affecting Twilio, a two-step authentication and communications provider based in San Francisco, United States. The attackers stole the data of 163 Twilio customers and appear to have also attacked 136 companies, including LastPass.

Another new point the company has highlighted is that malicious actors could use the stolen source code and technical information to target a LastPass employee and obtain credentials and security keys that would let them access and decrypt storage volumes within the cloud storage service it uses internally.

In short, the attack on LastPass was much more serious than originally thought. With the new data on the table, users of this manager should not only change the master password with which they access their vault, but also every password they have stored in the service. It is true that recovering the original password from an encrypted one takes a lot of resources if a strong algorithm has been used, but in these matters it is always better to err on the side of caution.
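To make the zero-knowledge point and the "change everything" advice concrete, here is an added illustration (not LastPass's code and not its real vault format or key-derivation parameters): a minimal vault whose key is derived from the master password on the client, so the service stores only a salt, a one-way login verifier and the vault blob. Like the format described in the article, the blob keeps the URL in clear and encrypts the credentials. The iteration count, the use of the e-mail address as salt, and the HMAC-counter stream cipher standing in for AES are all assumptions made to keep the example standard-library only.

```python
import hashlib
import hmac
import secrets

# Assumed cost parameter for the illustration. Raising it makes every offline
# guess against a stolen blob proportionally more expensive.
ITERATIONS = 600_000


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Runs on the client only; the server never sees the password or this key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               ITERATIONS, dklen=32)


def login_verifier(vault_key: bytes, salt: bytes) -> bytes:
    """One-way value the server keeps to authenticate logins; it cannot be
    turned back into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, salt, 1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stand-in stream cipher so the
    example needs only the standard library; a product would use AES-256."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(vault_key: bytes):
    # Separate keys for encryption and authentication, derived from the vault key.
    return (hmac.new(vault_key, b"enc", "sha256").digest(),
            hmac.new(vault_key, b"mac", "sha256").digest())


def encrypt_field(vault_key: bytes, plaintext: str) -> str:
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()   # encrypt-then-MAC
    return (nonce + ct + tag).hex()


def decrypt_field(vault_key: bytes, blob_hex: str) -> str:
    enc_key, mac_key = _subkeys(vault_key)
    raw = bytes.fromhex(blob_hex)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong vault key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def build_server_record(master_password: str, email: str, entries: list) -> dict:
    """Everything the service stores for one user. As in the format described in
    the article, the URL stays in clear while the credentials are encrypted."""
    salt = email.lower().encode()   # assumption: per-user salt taken from the e-mail
    key = derive_vault_key(master_password, salt)
    vault = [{"url": e["url"],
              "username": encrypt_field(key, e["username"]),
              "password": encrypt_field(key, e["password"])} for e in entries]
    return {"salt": salt.hex(), "verifier": login_verifier(key, salt).hex(),
            "vault": vault}


def open_vault(master_password: str, record: dict) -> list:
    """Client-side decryption; raises ValueError on a wrong master password."""
    salt = bytes.fromhex(record["salt"])
    key = derive_vault_key(master_password, salt)
    return [{"url": item["url"],
             "username": decrypt_field(key, item["username"]),
             "password": decrypt_field(key, item["password"])} for item in record["vault"]]


def visible_without_key(record: dict) -> list:
    """What a thief learns from the blob alone: which sites, not the credentials."""
    return [item["url"] for item in record["vault"]]


def rotate_master_password(old: str, new: str, email: str, record: dict) -> dict:
    """Re-encrypts the vault under a key derived from the new master password.
    A copy stolen before the rotation stays encrypted under the old key, which is
    why the stored site passwords themselves also need changing."""
    return build_server_record(new, email, open_vault(old, record))


if __name__ == "__main__":
    # Constructed sample data.
    entries = [{"url": "https://bank.example", "username": "alice", "password": "hunter2!"}]
    record = build_server_record("correct horse battery staple", "alice@example.com", entries)
    print("exposed in clear:", visible_without_key(record))
    print("decrypted on client:", open_vault("correct horse battery staple", record))
```

The design choice worth noticing is in `rotate_master_password`: rotation only changes the key protecting the copy the service holds now. Whoever already has the old blob still faces the old key, so the only thing that invalidates what it protects is changing the credentials stored inside it, which is the advice the article gives.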
