Popular password management company LastPass has come under pressure after being hacked in August 2022. Details of how the hackers first breached security are scarce, and the first official comment from LastPass cautiously stated that:
An unauthorized party gained access to part of the LastPass development environment through a seized developer account.
Another announcement a month later was similarly ambiguous:
The cybercriminals gained access to the development environment using an intercepted developer endpoint. Although the method used for the original point of compromise is ambiguous, the attackers used their persistent access to pretend to be the developer when the developer successfully authenticated using multi-factor authentication.
This paragraph does not say much, but once the specialized vocabulary is stripped away, the most important information seems to be two phrases: “intercepted developer endpoint” (in plain language, this probably means a computer infected with malware) and “persistent access” (i.e. the thieves could get in on their own, at any time).
Two-factor authentication (2FA) failed
As you can see, two-factor authentication did not prove to be an effective defense in this attack.
This is probably due to the fact that LastPass, like most online services, does not require two-factor authentication for every connection, but only for the main login.
Usually, in order to get the benefits of two-factor authentication without paying too high a price in inconvenience, some exceptions are made, such as:
- Two-factor authentication only occasionally, such as requesting new one-time codes only every few days or weeks. Some two-factor authentication systems offer a “remember me for X days” option.
- Require two-factor authentication only on the first login, and then allow single sign-on, which automatically authenticates the user for a wide range of internal services. For example, in many companies, an email login gives you access to other services such as Zoom, GitHub or other systems you use frequently.
- Issuing “bearer access tokens” for automated software tools that rely on occasional two-factor authentication by developers, testers and engineering staff. Simply put – if you have an automated build and test script that needs access to different servers and databases at different stages of the process, you don’t want the script to be constantly interrupted by two-factor authentication.
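To make the three exceptions above concrete, here is an added example (not LastPass’s code, and not a description of its systems) of how a “remember me” or bearer token turns one MFA event into a credential that stays valid long after the developer’s endpoint could have been compromised, and how a policy with a shorter MFA age and step-up for sensitive actions bounds that window. The server key, user name, action names and all timestamps are constructed for this example.

```python
"""Added illustration: MFA exemptions as signed bearer tokens and the policy that
decides whether a replayed token is still honoured. Not LastPass's code."""
import base64
import hashlib
import hmac
import json
from typing import Optional, Set

# Assumption: an HMAC key that only the token-issuing server knows (constructed value).
SERVER_KEY = b"constructed-server-secret-for-this-example"


def issue_token(user: str, mfa_time: float, lifetime_s: int, *, now: float) -> str:
    """Mint a signed bearer token that records when the holder last passed MFA."""
    claims = {"sub": user, "mfa_at": mfa_time, "exp": now + lifetime_s}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, *, now: float) -> Optional[dict]:
    """Return the claims if the signature is valid and the token has not expired."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return None
    return claims


def authorize(token: str, action: str, *, now: float,
              max_mfa_age_s: int, step_up: Set[str]) -> str:
    """Policy decision: 'allow', 'mfa_required' or 'deny'.

    max_mfa_age_s: how old the last MFA event may be for any request at all.
    step_up: actions that always demand a fresh MFA (within five minutes here).
    """
    claims = verify_token(token, now=now)
    if claims is None:
        return "deny"
    mfa_age = now - claims["mfa_at"]
    if mfa_age > max_mfa_age_s:
        return "mfa_required"
    if action in step_up and mfa_age > 300:
        return "mfa_required"
    return "allow"


def compare_policies() -> dict:
    """Replay the scenario with constructed timestamps: the developer passes MFA
    once, the endpoint is compromised, and the token is replayed ten days later."""
    t0 = 1_700_000_000.0           # constructed: time of the developer's MFA login
    replay = t0 + 10 * 86400       # constructed: attacker replays the token 10 days on
    thirty_days = 30 * 86400
    token = issue_token("developer", mfa_time=t0, lifetime_s=thirty_days, now=t0)
    # "Remember me for 30 days" with no step-up: the stolen token still works.
    lax = authorize(token, "read_source", now=replay,
                    max_mfa_age_s=thirty_days, step_up=set())
    # Same token under a policy that caps MFA age at 8 h and steps up source access.
    strict = authorize(token, "read_source", now=replay,
                       max_mfa_age_s=8 * 3600, step_up={"read_source"})
    # A token whose own lifetime matches the policy has simply expired by then.
    short = issue_token("developer", mfa_time=t0, lifetime_s=8 * 3600, now=t0)
    expired = authorize(short, "read_source", now=replay,
                        max_mfa_age_s=8 * 3600, step_up={"read_source"})
    return {"remember_me_30d": lax, "step_up_policy": strict, "short_lived_token": expired}


if __name__ == "__main__":
    print(compare_policies())
```

The point of `compare_policies` is that the token itself is the same in the first two cases; only the server-side policy differs. Bounding how old an MFA event may be, and demanding a fresh one for the actions that matter (source repositories, production databases, backups), is what limits what a token lifted from a compromised endpoint can do.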
Another successful attack by cybercriminals in November
LastPass admitted that the criminals “stole part of the source code and some sensitive technical information.” It seems that some of the stolen technical information was enough to allow cybercriminals to launch another attack, which was revealed in November 2022:
We found that an unauthorized person, using information obtained as a result of the August 2022 incident, gained access to certain elements of our customers’ information.
This time the company did not repeat its earlier assurance that no passwords had been stolen. Previously it had spoken only of a leak of customer data (which most of us associate with information such as addresses, phone numbers and payment card details); now it said that “customer information” had been stolen, and that term turns out to cover both customer data in the above sense and password databases.
A few days before Christmas, LastPass admitted:
Cybercriminals stole data from a backup that contained basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, phone numbers and IP addresses from which customers accessed the LastPass service. The thieves also managed to steal a backup copy of customer vault data.
Intriguingly, LastPass also admitted that what it calls a “password cache” is not really a single BLOB (an amusingly descriptive piece of IT jargon meaning binary large object) consisting solely and entirely of encrypted, and therefore unintelligible, data.
These “caches” contain unencrypted data, including, apparently, the website URLs that correspond to each encrypted username and password.
If you’ve been using LastPass, we have some bad news for you – not only do the thieves know where you live and where your computer is located, but they also have a detailed map of the sites you visit when you’re online. The LastPass statement goes on:
Customer vault data […] is stored in its own binary format, which includes both unencrypted data such as website addresses and fully encrypted sensitive fields such as website usernames and passwords, secure notes and completed forms.
LastPass did not provide any other details about the unencrypted data that was stored in these vault files, but the words “such as website addresses” above certainly suggest that URLs are not the only private data that thieves can now read directly, without cracking passwords.
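The following is an added example, not LastPass’s vault format or code, that shows what the distinction in the passages above means in practice: a vault file that encrypts only the sensitive fields and leaves the URL in the clear, next to one that encrypts each entry whole, and a function returning what someone holding only the file can read without the master password. The entries, salt and master password are constructed; the hash-based encrypt-then-MAC is a stand-in used so the example runs with the standard library alone, and a real vault must use an AEAD such as AES-GCM instead.

```python
"""Added illustration of partial vs. full vault encryption. Not LastPass's format."""
import hashlib
import hmac
import json
import os
from typing import List

# Constructed sample entries; nothing here is real account data.
ENTRIES = [
    {"url": "https://mail.example.com", "username": "alice", "password": "hunter2"},
    {"url": "https://bank.example.net", "username": "alice.smith", "password": "correct horse"},
]


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 256-bit key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, dklen=32)


def _subkeys(key: bytes):
    """Separate keys for the keystream and the MAC (illustrative, not a standard KDF)."""
    return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Toy encrypt-then-MAC: XOR with a SHA-256 keystream, then HMAC the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(key: bytes, box: dict) -> bytes:
    """Verify the tag first; a wrong key or a tampered file raises instead of decrypting."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = (bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"]), bytes.fromhex(box["tag"]))
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("vault entry tampered with or wrong master password")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_partial_vault(entries: List[dict], key: bytes) -> List[dict]:
    """Encrypt only username and password; the URL stays readable (the design the article describes)."""
    return [{"url": e["url"],
             "username": encrypt(key, e["username"].encode()),
             "password": encrypt(key, e["password"].encode())} for e in entries]


def build_full_vault(entries: List[dict], key: bytes) -> List[dict]:
    """Encrypt each entry as a whole, so the file reveals nothing about the sites."""
    return [{"entry": encrypt(key, json.dumps(e, sort_keys=True).encode())} for e in entries]


def readable_without_key(vault: List[dict]) -> List[str]:
    """Everything a holder of the file alone can read: plaintext string fields.
    Ciphertext fields are dicts of hex, so they are not counted."""
    return [value for record in vault for value in record.values() if isinstance(value, str)]


def open_full_vault(vault: List[dict], key: bytes) -> List[dict]:
    return [json.loads(decrypt(key, r["entry"])) for r in vault]


if __name__ == "__main__":
    key = derive_key("constructed-master-password", b"constructed-salt")
    print("partial vault leaks:", readable_without_key(build_partial_vault(ENTRIES, key)))
    print("full vault leaks:   ", readable_without_key(build_full_vault(ENTRIES, key)))
```

Running it shows the partial vault handing over both URLs to anyone who has the file, while the fully encrypted vault gives up nothing until the master password is supplied; the same master-password stretching protects the sensitive fields in both, so the difference is purely which fields the format chose to leave outside the encryption.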
Bitwarden still safe
Bitwarden is a password management software that provides security and convenience. Using Bitwarden allows you to remember a single, strong password and allows you to access all your other passwords in one place across all your devices. In addition, Bitwarden offers features such as password synchronization between devices, multiple layers of security and automatic form filling.
Take advantage of ITH’s offer and ask for Bitwarden – keep your data safe!