Business and personal users of the LastPass password management solution are being warned to take defensive action after the company acknowledged that customer information and encrypted data stored in the service’s digital vault were copied by a hacker in a supply chain attack.
“Users should beware of sophisticated phishing attacks aimed at stealing their master password,” said Mike Walters, vice-president of vulnerability and threat research at Action1, a provider of patch management solutions. “An attacker can pretend to be LastPass, regulatory authorities, and other organizations and trick users into sharing their credentials. Remember, modern phishing can go beyond average emails and combine different communication channels, such as phone calls, SMS, messengers, and others.
“I recommend that all users change their master passwords and enforce password security best practices. It includes creating a strong master password at least 30 characters long, re-encrypting the password vault, and enabling multi-factor authentication (MFA).”
His advice comes after LastPass CEO Karim Toubba acknowledged that last August’s data breach was worse than he had described earlier this month. Using information gained from the August attack, a hacker accessed a third-party cloud-based storage service that LastPass uses to store archived backups of its production data.
After further investigation, the company realized that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backups that contained basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
The hacker also copied an encrypted backup of customer vault data from the encrypted storage container. “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” Toubba said in a blog. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client” of a user.
“Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices,” he maintained.
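The two points above, a vault key derived only from the master password and the offline guessing cost that a long password imposes, can be made concrete. This is an added illustration, not LastPass code; the PBKDF2 parameters, the e-mail salt and the guessing rates are assumptions.

```python
"""Added example: how a vault key depends on the master password, and how
password length and KDF cost set the budget for offline guessing against a
stolen encrypted backup. Parameters are assumptions, not LastPass's own."""
import hashlib
import hmac

KEY_LEN = 32            # 256-bit AES key, as the article states
ITERATIONS = 100_000    # assumed PBKDF2 iteration count (not LastPass's)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, account_email: str,
                     iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 keyed by the master password, salted with the
    account e-mail (assumed salt). Same inputs always yield the same key,
    which is why the server never needs to hold the master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               account_email.lower().encode("utf-8"),
                               iterations, KEY_LEN)


def keys_match(pw_a: str, pw_b: str, email: str) -> bool:
    """Constant-time comparison of two derived keys."""
    return hmac.compare_digest(derive_vault_key(pw_a, email),
                               derive_vault_key(pw_b, email))


def guesses_per_second(sha256_per_second: float, iterations: int) -> float:
    """Each password guess costs `iterations` HMAC-SHA256 evaluations, so
    raising the iteration count divides an attacker's guessing rate."""
    return sha256_per_second / iterations


def expected_years_to_guess(length: int, alphabet_size: int,
                            rate: float) -> float:
    """Average time for an exhaustive offline search (half the keyspace)
    over a password of `length` symbols drawn from `alphabet_size`."""
    keyspace = alphabet_size ** length
    return keyspace / 2 / rate / SECONDS_PER_YEAR


def meets_master_password_policy(pw: str, min_len: int = 30) -> bool:
    """Length floor from the advice quoted in the article."""
    return len(pw) >= min_len


if __name__ == "__main__":
    rate = guesses_per_second(1e10, ITERATIONS)   # assumed hardware budget
    for n in (8, 12, 30):
        print(n, "chars:", f"{expected_years_to_guess(n, 95, rate):.3g}", "years")
```

The numbers are illustrative; the relationship is what matters: each extra printable character multiplies the search space by 95, and each extra KDF iteration multiplies the per-guess cost.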
“This incident shows that an experienced attacker can exploit a company’s security vulnerabilities and steal sensitive customer data even if he has initially gained access to a certain part of the corporate infrastructure that is not directly related to this sensitive data,” said Walters.