Don't store seed phrases in LastPass!
LastPass suffered its most serious breach in 2022, disclosed in stages between August 2022 and March 2023, and it exposed the vault data of millions of users. Below is a breakdown of how it happened, what data was taken, what LastPass has said it changed since, and why the outcome matters for anyone keeping a wallet seed phrase in a password manager.
Overview of the 2022 LastPass Breach:
How It Was Hacked:
- Initial Compromise: In August 2022 the attacker compromised a software engineer's corporate laptop and used that engineer's credentials to reach LastPass' development environment, taking source code and internal technical documentation. LastPass later described a second, connected incident: using what it had learned in the first, the attacker targeted a senior DevOps engineer's home computer, exploited a vulnerability in a third-party media software package* installed there to run code, and planted a keylogger. The keylogger captured the engineer's master password as it was typed, after the engineer had completed MFA, which gave the attacker that engineer's corporate LastPass vault. That vault held the decryption keys for LastPass' cloud storage backups.
- Exploitation of Internal Systems: With those keys the attacker reached LastPass' cloud storage, hosted on Amazon Web Services (AWS), and copied backups of customer vault data. LastPass disclosed in December 2022 that vault backups had been taken, and detailed in March 2023 how the access was obtained.
- Breached Systems: The stolen material was not limited to customer data: the attacker also took source code, internal developer tools and technical documentation, which showed them how LastPass' systems were built and where the backups and their keys lived.
What Data Was Accessed:
- User Vault Data: The attacker copied encrypted user vaults, which can hold usernames, passwords, secure notes (where many people keep seed phrases) and payment card details. The sensitive fields were encrypted and cannot be read without a key derived from the user's master password. Not everything in a vault was encrypted, though: website URLs were stored in clear, so the attacker can see which services each user has accounts with, and LastPass separately confirmed that basic account data (names, e-mail addresses, billing addresses, phone numbers and IP addresses) was taken unencrypted.
- Developer and Company Information: The attacker also captured the master password of an internal DevOps engineer, which unlocked the corporate vault holding the keys to the storage backups. Internal source code and other proprietary material were taken as well.
- Encrypted Passwords: Vault fields were encrypted with AES-256. Brute-forcing AES-256 directly is not feasible, so that is not the threat. The realistic attack is to guess the master password: each guess is run through the same key derivation the client uses and the result is tried against the stolen vault. Because the attacker holds the file, that loop never contacts LastPass, and no rate limit, lockout or MFA prompt applies.
How the Data Was Used:
- Risk of Brute-Forcing: Because the vault data was encrypted, the attacker did not get plaintext passwords immediately. What they got was unlimited offline attempts at each master password. Weak, short or reused master passwords fall quickly, and the cost per guess depends on the account's PBKDF2 iteration count: accounts created before 2018 kept the old default of 5,000 iterations (or fewer) unless the user raised it, which makes guessing roughly twenty times cheaper than at the later default of 100,100. A seed phrase stored in such a vault is exposed for as long as the attacker keeps the file, and unlike a password a seed phrase cannot be rotated.
- Phishing and Social Engineering: Beyond guessing, the unencrypted URLs, names, e-mail addresses and phone numbers let the attacker build targeted phishing and social-engineering campaigns, for instance posing as LastPass or as an exchange the victim is known to use, to obtain the master password directly.
Steps Taken by LastPass to Prevent Future Breaches:
- Security Improvements: After the breach LastPass said it completed an internal investigation with outside forensic help, added monitoring and anomaly detection for suspicious activity in its environments, and hardened its development and production infrastructure.
- Stronger Encryption and Key Management: LastPass said it rotated the credentials, keys and certificates exposed in the incident, placed sensitive secrets under tighter key-management controls, and raised the default PBKDF2 iteration count for user accounts to 600,000.
- Mandatory Multi-Factor Authentication (MFA): LastPass tightened MFA requirements for employees and urged users to enable it. MFA protects the login to LastPass' servers, not the vault file itself: the DevOps engineer in this incident had completed MFA before the keylogger took the master password, and an attacker who already holds an exfiltrated vault never has to log in at all.
- Zero-Trust Architecture: LastPass said it moved to a zero-trust model in which no system or user is trusted implicitly for being inside the corporate network, with access to sensitive environments gated by identity and device checks rather than network location.
How Users’ Information is Protected
- Client-Side (Zero-Knowledge) Encryption: LastPass encrypts vault fields with AES-256 on the user's device before they are uploaded, and they stay encrypted on LastPass servers; decryption also happens only on the device, so LastPass itself cannot read a vault. This is often described as end-to-end encryption, but the term fits loosely: the protection covers only the fields LastPass chose to encrypt, and URLs were not among them.
- PBKDF2 (Password-Based Key Derivation Function): LastPass derives the vault encryption key from the master password with PBKDF2-HMAC-SHA256, by default 100,100 client-side iterations for accounts created after 2018 (600,000 since 2023). PBKDF2 makes each guess cost that many hash operations, so it slows an offline attack linearly; it does not stop one. A master password drawn from a small guessable space is still found, just more slowly, and older accounts left at low iteration counts got little slowdown at all.
- Salt: The PBKDF2 salt is the user's e-mail address (username). Unlike some other password managers, LastPass does not combine the master password with a separate secret key that lives only on the user's devices and is never sent to the server. That matters here: the salt is public and there is no device-held secret, so everything an attacker needs to test a guess is in the stolen vault plus the guess itself. The strength of the master password and the iteration count were the only things standing between the attacker and the data.
- Encryption of Data in Transit: Traffic between the user's device and LastPass servers is protected with TLS, which prevents interception on the network. It says nothing about data at rest: the 2022 attacker did not intercept traffic, they copied backups from storage, so TLS played no part in what happened.
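The offline guessing attack described under "How the Data Was Used" and the PBKDF2-plus-salt design described above, as an added example. This is not LastPass code: it assumes PBKDF2-HMAC-SHA256 salted with the e-mail address as the page describes, substitutes an HMAC-based stream cipher for AES-256-CBC so it runs on the Python standard library alone, and uses a constructed vault layout, e-mail, note and wordlist. It shows why the attacker needs nothing but the stolen file and guesses, and how the iteration count only scales the cost.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


# Key derivation as the page describes LastPass doing it: PBKDF2-HMAC-SHA256 over
# the master password, salted with the account e-mail, yielding a 32-byte key.
# The e-mail is public, so the only secret input is the master password.
def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), email.lower().encode("utf-8"),
        iterations, dklen=32,
    )


# Stand-in for AES-256-CBC so the example runs on the standard library alone:
# an HMAC-SHA256 keystream used in counter mode. The cracking loop below does not
# care which cipher is used, only that a candidate key can be tested offline.
def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    blocks = [
        hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def encrypt_item(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    return iv + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))


def decrypt_item(key: bytes, blob: bytes) -> bytes:
    iv, body = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, iv, len(body))))


@dataclass(frozen=True)
class StolenVault:
    """What an attacker holds after copying a vault backup (constructed layout)."""
    email: str             # in clear: the client needs it as the PBKDF2 salt
    iterations: int        # in clear: the client needs it to derive the key
    url: str               # LastPass stored site URLs unencrypted
    encrypted_note: bytes  # the field that actually holds the secret


def build_vault(email: str, master_password: str, iterations: int,
                url: str, note: bytes) -> StolenVault:
    key = derive_vault_key(master_password, email, iterations)
    iv = hashlib.sha256(b"example-iv:" + note).digest()[:16]  # deterministic IV, demo only
    return StolenVault(email, iterations, url, encrypt_item(key, note, iv))


def looks_like_plaintext(data: bytes) -> bool:
    # A wrong key yields pseudo-random bytes; the right key yields readable text.
    # Real cracking tools score guesses with a similar padding or structure check.
    try:
        return len(data) > 0 and data.decode("ascii").isprintable()
    except UnicodeDecodeError:
        return False


def crack_master_password(vault: StolenVault, wordlist: Iterable[str]
                          ) -> Tuple[Optional[str], int, int]:
    """Offline dictionary attack on a stolen vault.

    Returns (password or None, guesses tried, PBKDF2 rounds spent). Nothing here
    touches LastPass, so no rate limit, lockout or MFA prompt can interrupt it;
    the only cost the defender controls is the iteration count.
    """
    tried = 0
    for candidate in wordlist:
        tried += 1
        key = derive_vault_key(candidate, vault.email, vault.iterations)
        if looks_like_plaintext(decrypt_item(key, vault.encrypted_note)):
            return candidate, tried, tried * vault.iterations
    return None, tried, tried * vault.iterations


# Constructed sample data: a legacy account that kept the pre-2018 iteration
# count, and an account at the later 100,100 default, against the same wordlist.
EMAIL = "alice@example.com"  # assumed address, not a real user
SEED_NOTE = b"name=hardware wallet;note=abandon ability able about above absent"  # constructed, not a real seed
WORDLIST = ["password", "123456", "letmein", "Summer2019!", "qwerty", "Alice1234"]
SITE = "https://exchange.example/login"  # assumed URL; it sits in the vault unencrypted

LEGACY_VAULT = build_vault(EMAIL, "Summer2019!", 5_000, SITE, SEED_NOTE)
CURRENT_VAULT = build_vault(EMAIL, "correct horse battery staple", 100_100, SITE, SEED_NOTE)

if __name__ == "__main__":
    for label, vault in (("5,000 iterations", LEGACY_VAULT), ("100,100 iterations", CURRENT_VAULT)):
        pw, tried, rounds = crack_master_password(vault, WORDLIST)
        print(f"{label}: url={vault.url!r} (in clear) -> password={pw!r} "
              f"after {tried} guesses, {rounds:,} PBKDF2 rounds")
        if pw:
            key = derive_vault_key(pw, vault.email, vault.iterations)
            print("  recovered note:", decrypt_item(key, vault.encrypted_note).decode())
```

The legacy vault falls on the fourth guess for 20,000 PBKDF2 rounds of work; the 100,100-iteration vault survives the same wordlist only because its master password is not in it, and the attacker simply moves on to a bigger list. Raising iterations from 5,000 to 600,000 multiplies the attacker's bill by 120, which is worthwhile, but a seed phrase behind a guessable master password is found either way, and nothing in this loop ever asks LastPass for permission.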
Additional Insights from TomsGuide:
Tom's Guide notes that beyond the encrypted vault data the breach had financial implications: the vaults of millions of users, including stored card and financial details, were exposed to offline attack, and the attacker had access for an extended period (LastPass puts the second incident between August and October 2022) before it was detected.
Tom's Guide also reports that, although the attacker reached critical systems, LastPass maintained that its zero-knowledge architecture, under which LastPass never holds users' master passwords or plaintext vault contents, remained a significant layer of protection, since stolen ciphertext is useless without the key derived from the master password. That holds only as long as the master password cannot be guessed.
Conclusion:
The 2022 LastPass breach underscores the importance of strong encryption, careful key management and multi-factor authentication, and it also shows their limits. The attacker did obtain encrypted vaults; what kept them from reading the contents was not AES-256 or PBKDF2 as such but the strength of each user's master password, with PBKDF2 only setting the price per guess. Since the breach LastPass has tightened its controls, including stricter MFA, higher iteration counts and enhanced monitoring. For users the lesson is narrower and sharper: a vault that leaves the server can be attacked offline indefinitely, with no lockout and no MFA, and even the most established password managers can lose one. Passwords can be rotated after such an event; a wallet seed phrase cannot, short of moving the funds to a new wallet. That is why a seed phrase does not belong in a cloud-synced vault protected only by a password you can remember, why a strong, unique master password and MFA are the minimum for everything else, and why anyone who stored a seed phrase in LastPass before the breach should treat it as potentially compromised.
*LastPass has not named the third-party media software package involved in the second incident; its disclosure describes only a "vulnerability in a third-party media software package" on the engineer's home computer, and the exact software has not been identified in LastPass' public statements. Withholding the name is common practice, presumably to avoid singling out the affected tool or pointing other attackers at it.
In general, attackers often target widely used third-party software, particularly those with known vulnerabilities, to gain access to systems. In this case, the vulnerability was exploited to steal the developer’s credentials, which were then used to gain unauthorized access to.