LastPass: The Last Straw
While security solutions are not always perfect, I can’t help but think back to something my grandpa used to say to me when I was younger: “Nick, If you take the time to do it right the first time, you won’t keep having to fix the things you did wrong.” That man knew absolutely nothing about encryption and zero-knowledge data access principles, but he did understand something essential to the constant struggle that I see in the infosec world… There’s a lot of fixing and not a lot of foresight.
A brief history of breaches
In 2015, LastPass suffered a data breach in which email addresses, password reminders, server-per-user salts, and authentication hashes were compromised. The company responded by prompting all users to change their master passwords. In 2017, another security incident was reported in which some user data was accessed by an unauthorized party, although the company stated that no sensitive data such as passwords or payment information was compromised. LastPass has also had issues with an authentication vulnerability that could allow an attacker to steal a user’s password if they have access to the user’s computer.
More recently, a series of incidents led to the latest breaches at LastPass. In August of 2022, a LastPass developer’s account was compromised, and some source code, along with some proprietary technical information, was exfiltrated. The official statement from LastPass mentioned they would be engaging a cybersecurity and forensics firm, but their products and services continued to operate normally. By September, the third-party investigation had concluded that no customer data had been accessed. (Hint: The “some source code” part is heavy foreshadowing.)
On November 30th, just two months later, LastPass notified users of a new security incident that its team was investigating. CEO Karim Toubba wrote, “We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.” The investigation concluded that bad actors had gained access to some customer data, but their passwords remained encrypted. Later, it was determined that the unauthorized access had been gained using the data exfiltrated back in August. (Tech Tip #1337: NEVER under any circumstance allow a hacker to view your closed-source code. It’s like playing Minesweeper with all of the mines pre-flagged.) More on this at the end.
A month later, on December 22nd, 2022, LastPass publicly confirmed that source code and technical information stolen from the LastPass development environment had been used to target an employee and obtain credentials and keys, which were then used to access and decrypt some storage volumes within a cloud-based storage service.
(Rinse and Repeat, amirite?)
This time, the threat actor was able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. Basically… they made off with a lot of users’ data, but the sensitive fields were still encrypted.
So, is it all that bad?
The encryption LastPass uses to secure the username, password, and other sensitive fields is AES-256, with the encryption key derived from the master password by PBKDF2-SHA256 (PBKDF2 is a key-derivation function, not a second layer of encryption; its job is to make each password guess expensive). LastPass’s default since 2018 has been 100,100 iterations, but the setting is per account, and older accounts that were never updated could still be on a much lower count. The practical consequence of the December breach is that the attacker now holds the ciphertext and can guess master passwords offline, with no server-side lockout or rate limiting in the way. With a long, unique master password and a high iteration count, a wordlist or brute-force attack is slow and expensive; with a short or reused master password, or a low iteration count, it is not. Additionally, LastPass has a bug bounty program that allows security researchers to report vulnerabilities and get rewarded for their findings. There’s a lot of movement in the right direction, for sure.
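To make the offline-guessing point concrete, here is an added example (mine, not code from the original post and not LastPass’s implementation) that models the vault-key derivation with PBKDF2-HMAC-SHA256 from the Python standard library and then runs the dictionary attack an adversary can mount against a stolen blob. The account email doubling as the KDF salt, the iteration counts, the HMAC “key check” standing in for decrypting a vault field, and the sample credentials are all assumptions made so the script runs offline without an AES library.

```python
"""Model of password-manager key derivation and of the offline guessing attack
that becomes possible once the encrypted vault is in an attacker's hands.
Added example; the vault format and check value are assumptions, not LastPass's."""
import hashlib
import hmac
import time

# Constructed sample data. In this model the account email is the (public) KDF
# salt, so the master password is the only secret the attacker does not hold.
ACCOUNT_EMAIL = "alice@example.com"
DEFAULT_ITERATIONS = 100_100   # LastPass's default PBKDF2 count since 2018
LEGACY_ITERATIONS = 5_000      # assumed low count for an old, never-upgraded account


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password, salted with the normalized
    email, producing a 256-bit key suitable for AES-256."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def key_check_value(vault_key: bytes) -> bytes:
    """Stand-in for 'does this key open the vault?'. A real attacker would decrypt
    one field and check that the plaintext parses; an HMAC tag over a constant
    keeps this example stdlib-only (assumption, not the real vault format)."""
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def steal_vault(master_password: str, email: str, iterations: int) -> dict:
    """What a stolen backup gives the attacker: the salt and KDF parameters are
    stored in the clear next to the ciphertext (here, next to the check value)."""
    key = derive_vault_key(master_password, email, iterations)
    return {"email": email, "iterations": iterations, "check": key_check_value(key)}


def offline_guess(stolen: dict, candidates) -> tuple:
    """Dictionary attack on the stolen blob: no server, no lockout, no rate limit.
    Returns (recovered_password, guesses_made) or (None, guesses_made)."""
    tried = 0
    for guess in candidates:
        tried += 1
        key = derive_vault_key(guess, stolen["email"], stolen["iterations"])
        if hmac.compare_digest(key_check_value(key), stolen["check"]):
            return guess, tried
    return None, tried


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measured cost of one guess on this machine. Cracking rigs are orders of
    magnitude faster, but the linear scaling with the iteration count is the same."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", ACCOUNT_EMAIL, iterations)
    return (time.perf_counter() - start) / samples


# Constructed wordlist; real attacks use lists with billions of entries and rules.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Summer2022!", "Winter2022!"]

if __name__ == "__main__":
    weak = steal_vault("Summer2022!", ACCOUNT_EMAIL, LEGACY_ITERATIONS)
    strong = steal_vault("correct horse battery staple 7291", ACCOUNT_EMAIL, DEFAULT_ITERATIONS)
    print("weak master password, legacy iterations:", offline_guess(weak, WORDLIST))
    print("strong master password, default iterations:", offline_guess(strong, WORDLIST))
    for count in (LEGACY_ITERATIONS, DEFAULT_ITERATIONS):
        print(f"{count:>7} iterations: {seconds_per_guess(count) * 1000:.1f} ms per guess here")
```

The two things the user controls are visible in the output: the iteration count sets the per-guess cost, and the master password’s entropy sets how many guesses the attacker must pay for. Neither the salt nor the ciphertext is secret anymore once the vault has been copied.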
But considering the repeated exploits of LastPass infrastructure, and the importance of what we’re all trying to protect, I’m suggesting it’s time for a change. There are other products on the market now that are well-positioned to compete and some—like Bitwarden, my favorite—even have features that arguably make it a superior choice.
Additionally, while I’m aware that it may be tempting to accuse me of overreacting, I don’t think you’d be unwise—if you’d trusted your password security to LastPass up until now—to start changing your passwords, at least the ones you think are most sensitive. Got an online retirement account where your hard-earned nest egg resides? Wouldn’t you sleep better knowing that a password stolen by criminal hackers was no longer valid, even if they were able to decrypt it?
Now is also a good time to reassess whether you’ve taken full advantage of multifactor authentication. The idea here is that even if someone does successfully gain access to a password, it’s useless without the second factor: a one-time code computed on your phone from a secret that never leaves the device, a hardware security key, or, at minimum, a code only you can receive via SMS. Prefer an authenticator app or a hardware key where the service offers one, since SMS codes can be intercepted by SIM swapping. Multifactor authentication is an extremely effective additional layer of security that you shouldn’t ignore.
Yes, I do think it’s time to wave goodbye to LastPass. As painful as the change may be, just think of how painful it would be to have your most sensitive accounts exploited. Or if you prefer carrot over stick, think of the schadenfroh grin on your face when you hear stories of catastrophic losses happening to others who did not take the same steps that you did to protect yourself. LastPass made decisions along the way that resulted in some pretty ugly consequences. You don’t have to do the same.
Nick Whittington is a professional musician/multi-instrumentalist and music producer turned ethical hacker and cyber-security enthusiast. As a valued Security Engineer at Prescriptive Data Solutions, Nick views challenges as the scaffolding of growth and wisdom and approaches all that he does with wonder, humor, and enthusiasm. He takes pride in his ability to see solutions from unconventional perspectives and is passionate about observing, learning, adapting, and creating.