LastPass CEO, Karim Toubba, has confirmed that a threat actor has stolen customer password vaults. This follows a disclosure in August that an unauthorized party had successfully hacked development servers and stolen source code and some LastPass technical information. At that time, Toubba said there was no evidence of customer data or password vaults being accessed. Fast forward to the end of November, and LastPass stated information obtained during that earlier compromise had enabled a threat actor to access “certain elements” of customer data within a third-party cloud storage service. Again, it was stressed that customer passwords remained “safely encrypted.” In a Forbes report published December 1, a security expert explained it was unclear what information had been obtained by the attacker. Now, it would appear we know. And it doesn’t make for very reassuring reading.
LastPass customer data vaults stolen by threat actor
In the December 22 update, Toubba explains how the threat actor was able to “access and decrypt some storage volumes” from the cloud-based storage service, physically separate from the LastPass production environment. The problem is that this service stored backups, including backups of customer vault data. These backups, Toubba explained, are stored in a proprietary binary format and contain both encrypted and unencrypted data. The encrypted data includes website credentials such as usernames and passwords, as well as any secure notes that may have been entered. This data is encrypted using 256-bit AES encryption and requires the user’s master password to decrypt. The plain text data would appear to be website URLs.
Change your LastPass master password now
How this impacts you as a LastPass customer really depends upon how strong your master password is. If it’s something short and memorable, perhaps even a string you use elsewhere, then you could be in trouble. The attacker now holds a copy of the encrypted vault, so master-password guesses can be made offline, at whatever rate their hardware allows, with no lockout or rate limit from LastPass to slow them down. Although Toubba states that LastPass’ Zero Knowledge architecture means that sensitive vault data, including site passwords, are safely encrypted, he does admit that users with weak master passwords “should consider minimizing risk by changing passwords of websites you have stored.” I would have to agree, plus changing that master password to something much stronger. While LastPass requires at least 12 characters for a master password, I’d argue this is too small today: my recommendation is to double that. A passphrase of several unrelated words is the easiest way to get a password that is both long and memorable.
I also recommend, in the interests of better safe than sorry, that all users change their master password, since doing so re-encrypts the vault under a new key. One caveat: that protects your vault going forward, but it does nothing for the backup copy already in the attacker’s hands, which stays encrypted under whatever master password you had at the time it was stolen. That is why the advice for anyone with a weak master password is to change the stored website passwords themselves, not just the master password. In his statement, Toubba confirms that encrypted fields in the data vault can only be decrypted using the “unique encryption key derived from each user’s master password.” Assuming your master password was strong in the first place, I would tend to agree with Toubba’s conclusion of “no recommended actions” that need to be taken at this time.
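To make the weak-versus-strong argument concrete, here is an added example of what an attacker can do with a stolen, encrypted vault. It is not LastPass code and the page says nothing about the key derivation function; the example assumes a PBKDF2-HMAC-SHA256 derivation from the master password with a per-user salt, uses a small iteration count so it runs quickly, and stands in an HMAC “key check value” for the real step of decrypting a vault field and seeing whether valid plaintext comes out. The salt, wordlist and both master passwords are constructed for the demo. It also shows why changing the master password yields a different key (hence the re-encryption above) and how much brute-force work a 12- versus 24-character random password represents.

```python
from __future__ import annotations

import hashlib
import hmac
import math

# Assumed KDF (not stated on the page): PBKDF2-HMAC-SHA256. The iteration
# count is kept small so the demo runs in well under a second; real password
# managers use a far larger count, which slows each guess but changes nothing
# about the attack itself.
KDF_ITERATIONS = 2_000


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """256-bit vault key derived from the master password and a per-user salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=32
    )


def key_check_value(vault_key: bytes) -> bytes:
    """Stand-in for 'decrypt one vault field and see whether it parses'.

    A real attacker would AES-decrypt a stolen field under the candidate key;
    an HMAC over a fixed string gives the same yes/no signal without an AES
    library. This is a modelling assumption, not LastPass's format."""
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def offline_guess(salt: bytes, check: bytes, wordlist: list[str]) -> tuple[str | None, int]:
    """Try each candidate master password against the stolen material.

    Nothing rate-limits this loop: the attacker holds the ciphertext, so the
    only cost per guess is the KDF. Returns (recovered password or None,
    number of KDF evaluations spent)."""
    for tries, candidate in enumerate(wordlist, start=1):
        candidate_check = key_check_value(derive_vault_key(candidate, salt))
        if hmac.compare_digest(candidate_check, check):
            return candidate, tries
    return None, len(wordlist)


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Upper bound (in bits) on the work to brute-force a random password
    of the given length drawn uniformly from an alphabet of that size."""
    return length * math.log2(alphabet_size)


# Constructed data for the demo: a tiny dictionary, a weak master password
# that appears in it, and a long passphrase that does not.
SALT = b"constructed-per-user-salt"
WORDLIST = ["123456", "letmein", "password123", "qwerty", "lastpass2022"]
WEAK_MASTER = "password123"
STRONG_MASTER = "violet harbour seventeen kettle orbit moss"


if __name__ == "__main__":
    for label, pw in (("weak", WEAK_MASTER), ("strong", STRONG_MASTER)):
        stolen_check = key_check_value(derive_vault_key(pw, SALT))
        found, tries = offline_guess(SALT, stolen_check, WORDLIST)
        print(f"{label:6s}: recovered={found!r} after {tries} guesses")
    print(f"12 random printable chars: ~{keyspace_bits(12, 95):.0f} bits of work")
    print(f"24 random printable chars: ~{keyspace_bits(24, 95):.0f} bits of work")
    # A new master password gives a new key, so the live vault is re-encrypted;
    # the stolen backup, however, remains encrypted under the old key.
    old_key = derive_vault_key(WEAK_MASTER, SALT)
    new_key = derive_vault_key(STRONG_MASTER, SALT)
    print("new master password changes the vault key:", old_key != new_key)
```

The weak password falls on the third guess; the passphrase survives the whole list. Scale the wordlist up to the hundreds of millions of leaked passwords an attacker actually uses and raise the iteration count to something realistic, and the shape of the result is the same: a guessable master password is found, a long random one is not.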
What is the impact on LastPass business users?
For business customers using the federated login services provided by LastPass, Toubba says that the threat actor “did not have access to the key fragments stored in customer Identity Provider’s or LastPass’ infrastructure, and they were not included in the backups that were copied that contained customer vaults.” Again, ‘no action’ is the recommended action for these users. For business users not using federated login who have a weak master password, Toubba again recommends that they consider changing all stored website passwords. LastPass is “performing an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service,” Toubba stated.
Do you need to quit LastPass?
Whether you think that LastPass is a service you can continue to trust or not is a matter for you. I am not a LastPass user, but if I were, then I’d certainly be looking at alternatives following what has been a particularly challenging 2022 for the company. The transparency in declaring breaches is always to be applauded, although questions remain as to why it has taken so long to determine and disclose that password vaults had been stolen. No company can be 100% safe from breaches; that’s a simple truth, but trust is paramount in the world of password management, and there can be little doubt that trust is being tested hard right now.