LastPass

LastPass CEO, Karim Toubba, has confirmed that a threat actor has stolen customer password vaults.

No company can be 100% safe from breaches; that’s a simple truth, but trust is paramount in the world of password management, and there can be little doubt that trust is being tested hard right now. For business customers using the federated login services provided by LastPass, Toubba says that the threat actor "did not have access to the key fragments stored in customer Identity Provider’s or LastPass’ infrastructure, and they were not included in the backups that were copied that contained customer vaults." The transparency in declaring breaches is always to be applauded, although questions remain as to why it has taken so long to determine and disclose that password vaults had been stolen. I also recommend, in the interests of better safe than sorry, that all users change their master password as doing so should re-encrypt the password vault after doing so. Fast forward to the end of November, and LastPass stated information obtained during that earlier compromise had enabled a threat actor to access "certain elements" of customer data within a third-party cloud storage service. I would have to agree, plus changing that master password to something much stronger.

The company advised certain users to consider changing their passwords for websites they have stored with the service.

And while it may be true strong master passwords could prove challenging to guess, even the strongest passwords could be at risk if they were used on another site that was previously breached. In those cases, LastPass advised users to go in and change the passwords of all the websites they have stored which could mean a grueling, laborious day of frantically resetting account information awaits. With that data in hand, the attackers can potentially access users’ entire collection of passwords and other data stored with LastPass if they can find a way to guess a user’s master password. At the same time though, that high concentration of sensitive information makes password manager sites some of the most mouth-watering targets for bad actors. For those users, it could take attackers “millions of years” to crack those codes using “generally-available password-cracking technology,” according to the CEO. In an update announcement two days before Christmas, LastPass CEO Karim Toubba admitted the attackers were able to successfully copy a backup of customer vault data.

[T]he threat actor gained access to the Development environment using a developer's compromised endpoint. While the method used for the initial endpoint ...

[said this](https://nakedsecurity.sophos.com/2022/08/29/lastpass-source-code-breach-do-we-still-recommend-password-managers/): “If you want to change some or all of your passwords, we’re not going to talk you out of it. But] we don’t think you need to change your passwords. - Only requiring 2FA authentication for initial login, then allowing some sort of “single sign-on” system to authenticate you automatically for a wide range of internal services. [T]he threat actor gained access to the Development environment using a developer’s compromised endpoint. Note that you need to change the passwords that are stored inside your vault, as well as the master password for the vault itself. - Issuing “bearer access tokens” for automated software tools, based on occasional 2FA authentication by developers, testers and engineering staff. The good news, LastPass continues to insist, is that the security of your backed-up passwords in your vault file should be no different from the security of any other cloud backup that you encrypted on your own computer before you uploaded it. The attack that led to an attack - Doing full 2FA authentication only occasionally, such as requesting new one-time codes only every few days or weeks. The crooks therefore now not only know where you and your computer live, thanks to the leaked billing and IP address data mentioned above, but also have a detailed map of where you go when you’re online: If you have an automated build-and-test script that needs to access various servers and databases at various points in the process, you don’t want the script continually interrupted to wait for you to type in yet another 2FA code. Of course, “we have seen no evidence” isn’t a very strong statement (not least because instransigent companies can make it come true by deliberately failing to look for evidence in the first place, or by letting someone else collect the evidence and then purposefully refusing to look at it), even though it’s often all that any company can truthfully say in the immediate aftermath of a breach.

Password manager LastPass announced on Thursday that hackers had accessed and copied a backup of data including customers' passwords in an encrypted format.

“We are committed to keeping you informed of our findings, and to updating you on the actions we are taking and any actions that you may need to perform. In the meantime, our services are running normally, and we continue to operate in a state of heightened alert. Toubba wrote: “The master password is never known to LastPass and is not stored or maintained by LastPass. As this explainer from the 3blue1brown YouTube channel shows, it would take hackers with today’s technology an impossibly long time to brute force a key of that size. However those with weaker passwords, including business customers who do not use LastPass’ federated login services, were told they “should consider minimizing risk by changing passwords of websites you have stored.” “If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account,” LastPass CEO Karim Toubba

The follow-on attack from August's source-code breach could fuel future campaigns against LastPass customers.

The attack was a follow-on from a previous breach in August that resulted in the theft of the LastPass added that a backup copy of encrypted customer vault data was also stolen, including website usernames, passwords, secure notes, and form-filled data. LastPass has issued a statement acknowledging that a recent cyberattack has resulted in the theft of customer data, in addition to offering cybercrooks access to encrypted customer vaults.

Password breaches have been a recurring issue in the Web2 ecosystem, but Web3 may eliminate the problem.

They use browser extension wallets like Metamask or Trustwallet to sign in using a cryptographic signature, eliminating the need for a password to be stored in the cloud. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.” To solve this problem, password management services like LastPass have been invented. This means that the attacker may be able to crack some website passwords of LastPass users through brute force guessing. Password management service LastPass was hacked in August 2022, and the attacker stole users’ encrypted passwords, according to a Dec. LastPass first disclosed the breach in August 2022 but at that time, it appeared that the attacker had only obtained source code and technical information, not any customer data.