LastPass customer password vaults stolen, targeted phishing attacks likely
The latest fallout from the password manager's August security nightmare will probably see attackers deploying sophisticated methods to acquire decryption information


LastPass customers have been warned to remain vigilant to a wave of phishing attacks after it was revealed that cyber criminals stole customers’ encrypted password vaults during a breach earlier this year.
In a blog post, the password manager said that hackers extracted a copy of backup customer vault data following the August attack by using cloud storage keys stolen from a LastPass employee.
LastPass revealed that this repository of customer passwords is stored in a “binary format” and contains both unencrypted data, such as website URLs, as well as encrypted data including website usernames and passwords, secure notes, and form-filled data.
The company said that cyber criminals also stole a significant volume of customer data, including names, email addresses, phone numbers, and some billing information.
"Once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” the firm said in a statement.
CEO Karim Toubba insisted that only customers have the ability to decrypt protected passwords.
“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password,” he said.
Toubba also sought to quell ongoing fears that financial payment data was stolen in the attack.
“There is no evidence that any unencrypted credit card data was accessed,” he said in a statement. “LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment.”
Phishing fears
This latest update from LastPass has raised serious concerns that stolen information could be leveraged by threat actors to target users en masse.
LastPass warned that hackers may attempt to use brute force attacks to guess master passwords, but noted that due to hashing and encryption methods employed by the service, it would be “extremely difficult”.
A key concern highlighted by both LastPass and security experts, however, is the potential for users to be targeted by sophisticated phishing campaigns in the wake of this news.
John Scott-Railton, senior security researcher at the University of Toronto's Citizen Lab, warned that the threat actor(s) behind the breach is “clearly well-resourced, capable, and strategic”.
“Latest LastPass breach may be worse than you think,” he said in a Twitter thread. “Attacker didn't just get encrypted passwords. They got unencrypted URLs.”
“I’m especially worried about high-value users and entities. Serious national security implications that probably need mitigating.”
Scott-Railton cited a separate thread on the incident which warned that although encrypted data was stolen in this incident, the websites that customers visited were not, meaning that users “should expect to get phishing emails” in the coming days and months.
It is believed that hackers will likely use this breach as a means to target users and encourage them to change passwords and click on malicious links.
“Be VERY careful about password reset alerts in these next few months,” the advice read.
LastPass issued a similar warning for users, noting that it expects customers to be targeted by phishing attacks, credential stuffing, and other brute force attacks “against online accounts associated with your LastPass vault”.
“In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information,” the company said.
Domino effect
The LastPass revelations appear to have sparked a domino effect among users of similar password management services. Some took to social media to ponder whether rival password managers that also use cloud storage could be exposed to similar attacks.
Responding to concerns relating to its own product on social media, 1Password confirmed that “all 1Password vault data is end-to-end encrypted” on user devices, distancing itself from the idea that it could also suffer a similar attack.
The firm added that “this means that even if our servers were breached, all the attackers would have is encrypted gibberish that is useless and unreadable”.
“An attacker would need both your 1Password account password and secret key to decrypt the data within it,” the company said.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.