How did the LastPass break-in end? Did it even end?

Blog  — Tue 31 Jan 2023

In August 2022, LastPass, a digital password vault service, reported that it had been broken into. The latest announcement came just before the holidays. Meanwhile, it is almost February 2023. A good time to look back. At least, what is clear by now? And is it actually over yet?

August 2022

The first notification from LastPass was on Aug. 25, 2022. Customers were notified by email about a break-in into LastPass' systems. That break-in had then occurred two weeks earlier. Access by the perpetrators had been gained through an account held by a developer of LastPass. Access would have been limited to LastPass' development environment. Also, no sensitive data would have been leaked.

September 2022

On September 15th, an update appeared on LastPass' blog that did not otherwise receive much attention. In this update, LastPass admitted that software source code and technical information had been stolen. This obviously dovetailed with the idea that access had only been gained to the development environment. By security principles, the stolen source code should not be a problem. The technical information was plausible documentation about the software. So it seemed.

November 2022

On november 30th, 2022, clarification was again provided via the blog. LastPass indicated it had recently observed notable activity at a vendor, where LastPass purchased cloud storage. Storage of data on the Internet. It was reported that customer data had been captured. But once again it was stressed that passwords remained safe, because master passwords of safes were not captured. This is not possible, because they are not stored by LastPass. Only the vault owner, the user, has those and they remain on your own computer. This master password is essential in the algorithm to decrypt the vault data. At least that's nice.

December 2022

And then it was December 22. Probably not entirely coincidentally just before the holidays. LastPass once again came out with notice. This time a bit more extensive. Few words were previously written about the fact that copies of customer vault files were captured. It was only generally suggested that master passwords could not have been captured, and thus it was all safe. Yet those safe files were captured. Partly encrypted, partly not. But besides safe files, customer data such as IP addresses, e-mail addresses, invoices, first and last names and telephone numbers had also been captured.

January 2023

Radio silence. It's February 1 tomorrow and the LastPass blog has not been updated until just before Christmas. This is unusual, because despite the fact that most people totally missed the fact that LastPass put out quite an incident during the holidays, many questions remain. For example, LastPass suggested that the two break-ins in August 2022 and November 2022 were separate incidents. Yet it is more plausible that the November access was a direct result of lateral movement based on information gathered during the August break-in, as is often the case with digital intrusions such as this one.

It is also to LastPass's advantage to present the two as separate incidents. It's not pleasant to have to admit that the situation is out of control, and that the intrusion has been going on for months without LastPass really getting a handle on it. In contrast, it was claimed in September 2022 that the first incident was correctly completed and handled immediately.

Later, however, encrypted vaults and also unencrypted data were captured. This was not prevented, noticed too late and not stopped in time. In addition to the aforementioned personal data, it was then revealed that LastPass did not encrypt website addresses (URLs) and leaked them. Those addresses could be privacy-sensitive for some users.

For the most part, however, the stolen vaults were encrypted. This keeps usernames and passwords of accounts out of harm's way, for now. It is likely that the criminals behind this break-in are trying to gain access by means of bruteforce and dictionary attack angles. Because of modern encryption, other ways are thankfully out of the question, for now.

Still, it is possible that access to the vaults will be gained in the future. For example, if strong computers in the future manage to crack today's algorithms faster. After all, the vault files were stolen with the current algorithms, which cannot be modernized over time. Therefore, it is still advisable to change passwords and other sensitive data.

The follow-up?

In any case, we look forward to more follow-up from LastPass. Content, open and honest. Preferably without tricks like saving the bad news until a favorable time, downplaying what was captured or playing with words to give the illusion that it's all under control.

Everything has risks. Nothing is 100% secure. Forendox recommends using passphrases, i.e., longer than passwords. Thus, cracking through brute-force and/or dictionary attack angles is extremely time-consuming. Short passwords are an easier target. The difference can literally take years extra.

Passphrases are also easier to remember. Therefore, do not write them down anywhere else. In addition, use a different passphrase everywhere. However, if many accounts are involved, a digital password safe is the only sensible solution. Even now. That could be LastPass, Bitwarden or KeePass, for example. With modern strong encryption and a strong passphrase as the main password. If possible even with multiple authentication. After all, security is always only as strong as the weakest link.