LastPass Hack: Attackers Hacked DevOps Developer’s Private PC

In a new statement, LastPass details how the attackers were able to breach systems and access customer data. Among other things, they successfully targeted the private computer of a DevOps developer.

In the post, those responsible continue to unravel the incident. In August 2022, the first reports emerged that attackers had been able to copy the source code from LastPass servers. At that time, the password manager provider gave assurances that there had been no access to customer data. This statement was still being made in September 2022, when it became clear that the attackers had had access to the systems for four days. In December 2022, it became known that attackers were able to see customer data. This includes LastPass’ crown jewels: customer password vaults.

There’s also bad news for corporate customers using federated login. In such a case, the “Hidden Master Password” consists of the components K1 and K2. According to LastPass, the attackers were able to capture K2. K1 is accessible to all company employees. As a result, an attacker would only need to compromise one employee’s account to gain access to all of a company’s LastPass data.

It is known that the attackers were able to steal the login details of a LastPass employee in the first attack. However, the data is said to have been encrypted, so the company’s cloud storage was not easily accessible.

To get the key to the login data, the attackers are said to have hacked into the private PC of a DevOps developer. According to those responsible, they attacked a security hole in a media software package and then installed a keylogger on the computer. After the employee’s multi-factor authentication, they recorded the entered master password and were able to access the cloud storage. The attackers now had access to backups and other keys, among other things.

LastPass gives assurances that it has hardened its systems against new attacks. According to its own statements, it has tightened authentication procedures, among other things.

So that attackers don’t have it easy, passwords are not stored in plain text in the vault; the data is protected. To make reconstruction as difficult as possible, a cryptographic hash function is combined with a salt value and applied multiple times.

LastPass claims that it uses Password-Based Key Derivation Function 2 (PBKDF2) for this. By default, LastPass uses 100,100 iterations of PBKDF2. SHA256 is used as the hash function. To make this combination as safe as possible, the Open Web Application Security Project (OWASP) recommends 600,000 iterations. According to a LastPass support article, the company now follows this recommendation. However, for existing accounts, the number of iterations does not increase automatically.

However, as security researcher Wladimir Palant reported late last year, this is not the case for all users. He claims he knows of cases where there are only 5,000, 500, or even a single iteration when using PBKDF2. Anyone who uses the password manager can adjust the value in their account.
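To show why the iteration count matters, here is an added example (not code from LastPass or from the original article) that derives keys with PBKDF2-HMAC-SHA256 and audits account records against the 600,000-iteration recommendation. The account names, the sample iteration values and the helper functions are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

OWASP_MIN = 600_000  # OWASP recommendation cited in the article

# Constructed sample data: account name -> stored PBKDF2 iteration count.
SAMPLE_ACCOUNTS = {"alice": 600_000, "bob": 100_100, "carol": 5_000,
                   "dave": 500, "erin": 1}

def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)

def single_hmac(password: bytes, salt: bytes) -> bytes:
    """What PBKDF2 collapses to at one iteration: one HMAC over salt || 0x00000001."""
    return hmac.new(password, salt + b"\x00\x00\x00\x01", hashlib.sha256).digest()

def audit(accounts: dict) -> list:
    """Accounts below OWASP_MIN, weakest first, with the factor by which
    each offline guess is cheaper than at the recommended setting."""
    weak = [(name, n, OWASP_MIN / n) for name, n in accounts.items() if n < OWASP_MIN]
    return sorted(weak, key=lambda row: row[1])

def seconds_per_derivation(iterations: int, sample: int = 20_000) -> float:
    """Time a short PBKDF2 run on this machine and scale it linearly."""
    start = time.perf_counter()
    derive_key(b"constructed-password", os.urandom(16), sample)
    return (time.perf_counter() - start) / sample * iterations

if __name__ == "__main__":
    for name, n, factor in audit(SAMPLE_ACCOUNTS):
        print(f"{name}: {n} iterations, ~{seconds_per_derivation(n):.6f} s per "
              f"derivation, each guess {factor:,.0f}x cheaper than at {OWASP_MIN}")
```

The cost of one derivation grows linearly with the iteration count, so an account left at a low value gives up that factor of protection for its vault.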

LastPass responded to a specific request from heise Security about the use of PBKDF2 with a reference to a general statement and therefore did not take a direct position on the security issue.

Update, 02/28/2023, 15:26: Updated OWASP recommendation. LastPass’ response to this is mentioned in the body of the text. The importance of the hack for corporate clients is described.

