With over 33 million registered users and more than 100,000 business customers, LastPass is one of the world’s most popular password managers. After an escalating series of highly-damaging disclosures over the last few months, LastPass has now admitted that hackers have compromised its systems on more than one occasion, and have stolen a huge trove of highly sensitive customer data.
In this article, we examine the LastPass data breach and consider the lessons that can be drawn from it.
- Timeline of an escalating crisis
- So what happened?
- What exactly was stolen?
- Who is responsible and why?
- What lessons can companies learn from the incident?
- What can I personally do to protect myself?
- Final thoughts
Timeline of an escalating crisis
In its disclosures, LastPass has been keen to draw a distinction between its development environment and its production environment, which it claims are physically separated from each other (i.e. are hosted on completely different networks of servers).
The development environment is used to develop and test software before it is put into production. No customer data is stored in the development environment. The production environment contains the software and infrastructure used to provide its service to customers on a day-to-day basis. Customers’ data is stored in the production environment.
The story unfolded in three disclosures from LastPass:
- August 2022: CEO Karim Toubba released a statement(new window) saying that “An unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information”. Toubba noted that since it was only the development environment that had been compromised, no customer data was accessed. He also claimed that the breach had been successfully contained.
- December 2022: Toubba updated his earlier statement to announce a second breach, this time of its production environment. During this incident, an attacker was able to copy its customer vault data.
- March 1, 2023: following a detailed forensic analysis, LastPass released a statement describing in detail what happened(new window).
So what happened?
In the end, the attack turned out to be far worse than what LastPass initially disclosed:
1. Hackers were able to gain access to a LastPass software engineer’s user account . This was achieved using stolen login credentials (username and password). LastPass employee accounts are secured using two-factor authentication(new window) (2FA), but the attacker successfully used a tactic known as multi-factor authentication (MFA) fatigue(new window) to bamboozle the engineer into accepting a bogus 2FA request.
With the Amazon Web Services(new window) (AWS) cloud development environment now compromised, valuable corporate assets were stolen, but no customer data. Once discovered, LastPass believed it had contained the breach by removing and rebuilding the development environment from scratch and changing all user credentials for the developer environment.
2. Unknown to LastPass at the time, the attackers had examined AWS logs to discover where LastPass’ encryption keys were stored, who had access to them, and the IP addresses they had been accessed from.
3. The attackers scanned these IP addresses for vulnerabilities and discovered that a LastPass Senior DevOps engineer was running a very old version of Plex(new window) on their home network.
4. Plex is a popular platform that allows you to configure a device as a media server that can stream your own media content to your other devices. The Senior DevOps engineer was running a version that was three years old and was known to have a critical vulnerability(new window) that allows anyone with access to the Plex server to upload malicious code to the host machine and execute it. Plex fixed the vulnerability three years ago, but the engineer hadn’t updated their software.
5. Using this vulnerability, the attackers installed keylogger malware on the DevOps engineer’s home system. When the senior DevOps engineer used this home system to log in to LastPass and legitimately access the LastPass corporate vault, the attacker now had all the credentials required to access the vaults themselves.
Since this home system was both under the corporate radar, but otherwise appeared as normal traffic to the LastPass security controls, the attacker was able to operate unnoticed for almost eight weeks (from August 12, 2022 to October 26, 2022).
6. Leveraging this well dug-in position with almost unlimited access to secret credentials, the attackers could freely access both the development and production environments. This allowed them to download encrypted customer data, critical database backups, and source code.
With the access to the secret store, they can now also fully decrypt some of the data that had been encrypted at rest.
What exactly was stolen?
1. Customer password databases.
LastPass hasn’t disclosed the exact number of customer password databases that were stolen, but it appears to be large, and possibly all of them.
These password databases fortunately were encrypted, so the attacker cannot trivially obtain customer usernames and passwords, but that also does not mean it is impossible.
Unfortunately, many people who use poor passwords are easy targets for brute force(new window) attacks. In addition to this, many people reuse passwords between websites, which makes them vulnerable to credential stuffing(new window) attacks. These attacks can be done offline, and critically, they can be done at the attacker’s leisure (the attacker has virtually unlimited time to carry out these attacks).
During the breach, an unspecified amount of source code was also stolen. It is possible that a skilled attacker can leverage this code to find flaws in the encryption logic or the service that can be used to bypass or simplify the process of defeating users’ master passwords.
It is also worth noting that some information in the databases isn’t encrypted and can therefore be freely accessed by the attacker. This includes metadata such as URLs, file paths to installed LastPass Windows or macOS software, and certain user email addresses.
2. LastPass MFA/Federation Database
This database contained all the information needed to compromise 2FA authentication for LastPass accounts. So if a database’s login credentials are compromised, having 2FA enabled is of little help.
This database was encrypted, but its encryption keys were stolen during the second incident.
Who is responsible and why?
We’ll probably never know for sure who was behind this attack, but some have theorized that it could have been carried out by North Korean hackers.
The motivation was likely to use the stolen passwords to raid LastPass users’ cryptocurrency wallets. North Korean hackers have stolen an estimated $1.2 billion(new window) in cryptocurrency and other virtual assets in the past five years, more than half of it in 2022 alone. Indeed, theft of cryptographic assets likely makes up a large percentage of DPRK’s GDP.
Any such suspicions are purely conjectural, though.
What lessons can companies learn from the incident?
1. Keep all software updated with the latest security patches (this attack may not have happened if a Plex server had been updated).
2. Don’t access sensitive company accounts from your home computer. If the unfortunate DevOps engineer had used a corporate laptop with appropriate protections in place (such as antimalware software that could detect the keylogger), the incident probably wouldn’t have escalated this far.
3. No security system, however well thought out, should ever be considered 100% secure. Thankfully, LastPass uses zero access encryption, or the already bad situation could have been much worse. Rigorous zero-access encryption(new window) remains the best way for companies to protect data.
What should LastPass have done better
LastPass did have compensating controls in place, but there are many areas where it could have done better.
1. Build systems designed to cope with the worst-case scenario. LastPass probably didn’t include state-level bad actors as part of its threat model. It’s true that designing a security system that is both usable and resistant to such threats is very hard, but given the hugely sensitive nature of the information that the service was specifically supposed to protect, LastPass clearly failed to properly address its threat model.
2. Use a more modern hashing algorithm to secure users’ password vaults. LastPass used PBKDF2(new window), which has now been superseded by more state-of-the-art algorithms such as bcrypt(new window) and Argon2(new window). PBKDF2 is relatively easy to brute force(new window) compared to these more modern alternatives, which means that even though user password databases were encrypted, this cryptographic oversight makes the password databases significantly easier to crack.
3. Encrypt all data. LastPass does encrypt data it considers to be highly sensitive, but it also leaves quite a bit of data unencrypted. Seemingly innocuous bits of information (such as saved URLs, which are not encrypted by LastPass) can be used to infer highly detailed information about you.
For example, if an attacker can see that you have passwords saved for an account with Grindr, gop.com, or even a Manga fan site, they’ll know a lot about you as a person, even if they can’t actually access the account. This information is potentially very damaging on its own, but may also allow the hackers to compromise your passwords using a highly personalized phishing attack(new window).
4. Communicate better with its users. LastPass waited until the Thursday before Christmas to quietly disclose that the hack it had suffered was far more severe, and even more damaging revelations were not disclosed until months later.This has led to a considerable backlash(new window) from within the LastPass community.
What can I personally do to protect myself?
In general, if you are a LastPass user, we suggest you update and change all of your passwords. Because of the weak encryption used, and the fact that the attacker now has unlimited time to crack your password database, you should assume that sooner or later, your password database can be cracked; if not now, then in the future when there are even more powerful computers.
Going forward, you can mitigate this risk by using stronger passwords, particularly for the master password for a password manager.
Or better yet, use a passphrase(new window). Your password manager is great for remembering passwords such as p@*(aF296Bu%, but human brains are not designed that way and you need to memorize your master password to securely access the rest of your computer-generated passwords.
A passphrase, which consists of multiple actual words, is much more secure than any single password that the human brain is likely to remember. Diceware(new window) is a great way to generate genuinely secure but memorable passphrases.
Simply put, security is difficult. On the defensive side, you need to block against all possible intrusions, while the attacker just needs to find a single hole. This is an asymmetry that tends to favor the attacker.
The best defense is to have a strong security culture, where it becomes a fully integrated part of a company’s DNA. Unfortunately, many of the companies out there today who are responsible for safeguarding very sensitive data, are not security and privacy-first companies, and are more susceptible to breaches as a result.
Cryptography is also hard, and doing it consistently properly requires years of experience and dedicated expertise, which many companies simply do not have. Transparency could also have helped with this; had LastPass been open source, perhaps some of its cryptographic weaknesses could have been found and fixed earlier. For these reasons, it will be hard to trust LastPass (or any other password manager, for that matter), which is not open source.
Password managers are increasingly important for internet users today, and now more than ever, it’s important that tech companies get them right.