Personal information and encrypted passwords
Since this summer it has been known that LastPass's source code and some technical data had been stolen. At the time of that announcement, master passwords, encrypted passwords, personal information and the like were said to be safe. It turns out the situation is far from that simple.
The data recovered by the attackers was then, in late November, used to gain access to a "third-party cloud storage service", this time with direct consequences for customers: the attackers had indeed "accessed certain information", with no further detail on the extent of the damage.
In an update released last night, the third since this summer, LastPass warns of a breach of customer data, both personal data and metadata: first and last names, company names, billing addresses, email addresses, phone numbers and IP addresses. That is plenty of material for targeted phishing campaigns, so caution is warranted.
Encrypted and unencrypted data
More seriously, customer vaults ("encrypted containers stored in a proprietary binary format", with no further detail given) may have been copied by the attacker. A vault contains both plain, unencrypted data such as website URLs and, above all, the highly sensitive encrypted data that is the heart of the service: usernames, passwords, secure notes and form-fill data.
LastPass CEO Karim Toubba took up the pen to deliver the bad news. He was quick to point out that "these encrypted fields remain secured with 256-bit AES encryption" and, "using our Zero Knowledge architecture, can only be decrypted with an encryption key derived from each user's master password". The latter means the company has no view of user data.
Toubba repeats the point: "Note that the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client."
Not everything is clear yet
LastPass adds that there is no reason to believe any unencrypted credit card information was obtained: it stores only partial card data, and not in the cloud storage environment the attacker accessed.
Furthermore, even though the encrypted user data is a priori unreadable, decrypting it is not theoretically impossible, only practically so, barring the discovery of a flaw in the algorithm... or recovery of the user's master password. If a master password is easy to guess or has been reused on other services, it should be changed immediately. Note, though, that changing it protects future logins and does nothing for a copy of the vault already in the attacker's hands; the credentials stored inside such a vault are what need rotating.
It is not known how many people's data the attacker copied, or from what period it dates. Given the sheer amount of data taken, the situation is in any case more serious than expected, and nothing says the next update won't darken the picture further.
No action officially recommended
According to LastPass, there is no recommended action at this point other than being wary of phishing attacks and, if your master password is very weak and/or reused elsewhere, changing it.
LastPass reminds us of a few common-sense rules: the company "will never call, email or text you to verify your personal information" and "will never ask you for your master password unless you are signing in from the LastPass client".
LastPass also recommends master passwords of at least 12 characters drawn from a variety of character classes. Master passwords are further protected by, among other things, 100,100 iterations of PBKDF2 (Password-Based Key Derivation Function 2), a number users can raise in their account options. That would not be a bad idea: the OWASP Password Storage Cheat Sheet (the article credits NIST, but the figures are OWASP's) recommends 310,000 iterations for the PBKDF2-HMAC-SHA256 that LastPass uses (120,000 for SHA512). Raising the count now only hardens what LastPass holds going forward; a vault already copied by the attacker keeps whatever count it was encrypted with.
LastPass claims that, with a master password meeting its recommendations, it would take millions of years to recover it with commonly available cracking tools, and says it regularly tests its infrastructure. We also recommend enabling two-factor authentication if you haven't already, bearing in mind that it protects logins to the service, not an offline copy of the vault, whose only protection is the master password. Passwordless login with LastPass Authenticator, biometrics or a security key is also available.
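To make the master-password and iteration-count argument concrete, here is an added example (not code from the article or from LastPass) of the offline attack an attacker with a copied vault can run: derive a 256-bit key from each candidate master password with PBKDF2-HMAC-SHA256 at the 100,100 and 310,000 iteration counts named above, and test it. The salt (the user's email address), the wordlist and the "known field" check are all assumptions constructed for the example; the article does not describe LastPass's salt or vault layout, and a keyed MAC stands in for "does this key decrypt the vault" so the code needs only the standard library.

```python
import hashlib
import hmac
import time

# Iteration counts named in the article: the LastPass default (100,100) and
# the figure the article cites as recommended for PBKDF2-HMAC-SHA256 (310,000).
LASTPASS_DEFAULT_ITERATIONS = 100_100
RECOMMENDED_SHA256_ITERATIONS = 310_000
KEY_LEN = 32  # 256 bits, the key size AES-256 needs
# Constructed sample vault field; the article only says vaults contain URLs in clear.
KNOWN_FIELD = b"https://accounts.example.com/login"

# Constructed wordlist of the weak / reused master passwords the article warns about.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2022!", "lastpass1", "P@ssw0rd"]


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 from the master password to a 256-bit key.
    Using the email as salt is an assumption for this example; the article
    does not say what LastPass salts with."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, KEY_LEN
    )


def vault_check_tag(key: bytes) -> bytes:
    """Stand-in for 'this key decrypts the vault': a keyed MAC over a known field.
    In a real attack the test is whether a copied ciphertext decrypts to a
    plausible plaintext; AES is left out to keep the example stdlib-only."""
    return hmac.new(key, KNOWN_FIELD, hashlib.sha256).digest()


def offline_guess(tag: bytes, salt: bytes, iterations: int, wordlist):
    """Offline dictionary attack on a copied vault: derive a key for each candidate
    master password and test it. Returns (recovered password or None, guesses tried).
    Nothing in the attacker's path touches LastPass, so 2FA never enters the picture."""
    tried = 0
    for candidate in wordlist:
        tried += 1
        candidate_tag = vault_check_tag(derive_key(candidate, salt, iterations))
        if hmac.compare_digest(candidate_tag, tag):
            return candidate, tried
    return None, tried


def seconds_per_guess(salt: bytes, iterations: int, samples: int = 3) -> float:
    """Cost of a single guess on this machine at a given iteration count.
    The cost scales linearly with the count, which is the whole point of raising it."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


def demo():
    salt = b"user@example.com"  # assumption: per-user salt, not LastPass's actual scheme
    results = {}
    cases = (("weak", "Summer2022!"), ("strong", "correct-Horse+battery_staple-93"))
    for label, password in cases:
        for iters in (LASTPASS_DEFAULT_ITERATIONS, RECOMMENDED_SHA256_ITERATIONS):
            # What the attacker holds: the copied vault, here reduced to its check tag.
            tag = vault_check_tag(derive_key(password, salt, iters))
            guess, tried = offline_guess(tag, salt, iters, WORDLIST)
            results[(label, iters)] = guess
            print(f"{label:6} @ {iters:>7} iterations: recovered={guess!r} after {tried} guesses")
    per = seconds_per_guess(salt, LASTPASS_DEFAULT_ITERATIONS)
    ratio = RECOMMENDED_SHA256_ITERATIONS / LASTPASS_DEFAULT_ITERATIONS
    print(f"one guess at 100,100 iterations: {per * 1000:.1f} ms; "
          f"at 310,000: about {per * 1000 * ratio:.1f} ms (x{ratio:.2f}). "
          "A short wordlist still wins against a weak password at either count.")
    return results


if __name__ == "__main__":
    demo()
```

The takeaway matches the article's advice: the iteration count multiplies the attacker's per-guess cost (roughly 3x going from 100,100 to 310,000), but a master password that sits in a wordlist falls after a handful of guesses at any count, while one outside every wordlist is not recovered no matter how long the attacker runs.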
The company says it has done a lot since August. The development environment that was attacked (by compromising one of LastPass's developers, as a reminder) was "completely decommissioned and rebuilt from scratch". Authentication mechanisms, processes and developer machines have been changed and hardened. That did not prevent the new attack at the end of November, however.
Analysis is still ongoing
On the recent developments, LastPass states that a "comprehensive analysis" is being carried out on all accounts showing unusual activity. That analysis is ongoing, which probably explains why the number of people affected is not yet known. A little under 3% of business customers have already been contacted to take action on their account configuration, which is considered a light footprint in any case.
LastPass reiterates that all relevant authorities have been notified and that further information will be released later. If there are actions to be taken, those concerned will be contacted.
The fact is that the situation is complicated for LastPass, not least for its brand image. Having customers' vaults stolen, encrypted passwords included, is a real blow. The company is banking on transparency to reassure its customers, but the lack of precision on certain points and the repeated incidents are not reassuring.