LastPass customer password vaults stolen, targeted phishing attacks likely


LastPass customers have been warned to remain vigilant to a wave of phishing attacks after it was revealed that cyber criminals stole customers’ encrypted password vaults during a breach earlier this year.

In a blog post, the password manager said that hackers extracted a copy of backup customer vault data following the August attack by using cloud storage keys stolen from a LastPass employee.

LastPass revealed that this repository of customer vault data is stored in a “binary format” and contains both unencrypted data, such as website URLs, and encrypted data, including website usernames and passwords, secure notes, and form-filled data.

The company said that cyber criminals also stole a significant volume of customer data, including names, email addresses, phone numbers, and some billing information.

“Once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” the firm said in a statement.

CEO Karim Toubba insisted that only customers have the ability to decrypt protected passwords.

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password,” he said.

Toubba also sought to quell ongoing fears that financial payment data was stolen in the attack.

“There is no evidence that any unencrypted credit card data was accessed,” he said in a statement. “LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment.”

Phishing fears

This latest update from LastPass has raised serious concerns that stolen information could be leveraged by threat actors to target users en masse.

LastPass warned that hackers may attempt to use brute force attacks to guess master passwords, but noted that due to hashing and encryption methods employed by the service, it would be “extremely difficult”.


A key concern highlighted by both LastPass and security experts, however, is the potential for users to be targeted by sophisticated phishing campaigns in the wake of this news.

John Scott-Railton, senior security researcher at the University of Toronto's Citizen Lab, warned that the threat actor(s) behind the breach is “clearly well-resourced, capable, and strategic”.

“Latest LastPass breach may be worse than you think,” he said in a Twitter thread. “Attacker didn't just get encrypted passwords. They got unencrypted URLs.”

“I’m especially worried about high-value users and entities. Serious national security implications that probably need mitigating.”

Scott-Railton cited a separate thread on the incident which warned that although encrypted data was stolen in this incident, the websites that customers visited were not, meaning that users "should expect to get phishing emails” in the coming days and months.

It is believed that hackers will likely use this breach as a pretext to target users, urging them to change passwords and click on malicious links.

“Be VERY careful about password reset alerts in these next few months,” the advice read.

LastPass issued a similar warning for users, noting that it expects customers to be targeted by phishing attacks, credential stuffing, and other brute force attacks “against online accounts associated with your LastPass vault”.

“In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information,” the company said.

Domino effect

The LastPass revelations appear to have sparked a domino effect among users of similar password management services. Some took to social media to ponder whether rival password managers that also use cloud storage could be exposed to similar attacks.

Responding to concerns relating to its own product on social media, 1Password confirmed that “all 1Password vault data is end-to-end encrypted” on user devices, distancing itself from the idea that it could also suffer a similar attack.

The firm added that “this means that even if our servers were breached, all the attackers would have is encrypted gibberish that is useless and unreadable”.

“An attacker would need both your 1Password account password and secret key to decrypt the data within it,” the company said.

Ross Kelly
News and Analysis Editor
