LastPass has just suffered a major breach, and is passing it off as much of nothing. Let’s dig into the details of what might be LastPass’ last gasp.
In my article “A LastPass Primer”, I talked about how the system worked, and why they were my password manager of choice. I’m starting to rethink that decision.
what happened
A little backstory: Back in August, LastPass reported that there had been a breach of its servers. They didn’t believe any customer data had been compromised, but they were still investigating. Their words:
“…we recently detected some unusual activity within portions of the LastPass development environment. We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.”
Then on November 30th, they came back with this:
We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.
We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.
Was this “recently” the breach back in August, or was this something new? And what were these “certain elements” of customer information? Inquiring minds want to know.
Now, late in the afternoon on December 22nd this comes out:
We recently notified you that an unauthorized party was able to gain access to a third-party cloud-based storage service which is used by LastPass to store backups. Earlier today, we posted an update to our blog with important information about our ongoing investigation. This update includes details regarding our findings to date, recommended actions for our customers, as well as the actions we are currently taking.
No real information? Just a link to a blog post? Here’s what the post said:
Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
Then on the 5th paragraph we get this:
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
“website usernames and passwords”
Oh yeah, by the way. Bad guys stole all of your passwords. But there’s no need to worry…
To be clear, LastPass was storing my passwords on a third-party server (I’m guessing AWS)!
Now they reassure us that no credit card information was stolen. It seems that they keep that data locked up good.
Makes one wonder what their priorities are.
back in the day
Now I have been both a user and advocate of LastPass since their beginning. The company was founded by Joe Siegrist in 2008, and I became a customer in 2009, so I have a good bit of history with them.
I have both read and listened to many interviews with him, and I believe that he always had the security of our passwords at heart.
And while they have had some security “issues” in the past, they seem to have handled them well.
Security History
In May of 2011, LastPass noticed an “anomaly” in their incoming network traffic. Even with no direct evidence that any customer data was compromised, they instantly took those servers offline and required everyone to reset their passwords.
In June of 2015, they revealed that “email addresses, password reminders, server per user salts, and authentication hashes were compromised”. But no passwords were stolen. They felt that even with the stolen data, it would be impossible to access the password vaults.
But that was then, this is now
In October of 2015, Joe sold LastPass to LogMeIn for $110 million. Since then there have been quite a few more security issues.
In July of 2016, a flaw in their browser extension was detected that could allow a malicious website to read passwords in plain text from a user’s vault. This was not disclosed to the public until LastPass fixed the flaw.
In March of 2017, a vulnerability was found in their Chrome extension. Also in March of that year another flaw was shown allowing remote code execution based on the user navigating to a malicious website.
In August 2019, a vulnerability in the LastPass browser extension was discovered in which Web sites with malicious JavaScript code could obtain a username and password inserted by the password manager on the previously visited site. A couple of weeks later LastPass publicly announced the vulnerability, acknowledging the issue was limited to the Google Chrome and Opera extensions only; nonetheless, all platforms received the vulnerability patch.
In 2021 it was discovered that the Android app contained third-party trackers. Also, at the end of 2021, an article reported that LastPass users were warned that their master passwords were compromised. The company said that it was because users were reusing passwords; however, many users said that their master password was unique to LastPass. The company has so far declined to comment any further.
But a few days later, security researcher Bob Diachenko said he had recently found thousands of LastPass credentials while going through Redline Stealer malware logs.
Do they know something they’re not willing to tell us?
What’s Next for LastPass?
In December of 2021, LogMeIn announced that LastPass was being spun off as an independent company. And now this major breach.
LastPass has not disclosed when the password theft was discovered, but given their history since LogMeIn purchased them, I wouldn’t be surprised if they held on to that information until right before Christmas, when most businesses were either shut down or in the process of closing for the holidays.
Back under Joe’s tenure, I believe we would have been told about this as soon as they knew.
What am I going to do?
To be honest, I don’t know. I’ve got a lot of time and effort invested in the company (not financially), and I don’t know much about the security practices or history of the other password managers.
But I’m about to find out.
Tom Merritt, who I’ve been following about as long as I’ve been with LastPass, and who hosts my favorite podcast, The Daily Tech News Show, stated on his 12/23 show that he’s out. I kinda feel the same way. I’m not too concerned about the bad guys breaking into my password vault, as they will go after the big companies and users with weak passwords first, and my password is very strong, plus I have Two-Factor Authentication enabled on all of my important sites.
I’m just wondering if they are going to compensate us in any way. That would be a good gesture, but I’m not counting on it.
Overall, it’s the principle of the matter. LastPass had one job to do: protect our passwords. And they failed, and failed big.
Stay tuned for my decision.