



Password manager LastPass has faced criticism over a recent data breach that exposed user information, including unencrypted website URLs.

GoTo (formerly LogMeIn) subsidiary LastPass revealed last month that attackers stole sensitive personal customer information, including names, phone numbers and billing addresses.

On December 22, LastPass published an updated blog post about the August security breach. LastPass CEO Karim Toubba had written on August 25 that an “unauthorized party” compromised developer accounts to gain access to the LastPass development environment. As a result, “part of the source code and part of LastPass proprietary technical information” was stolen.

An update on September 15 provided additional technical details, and a further update on November 30 referenced a recent “security incident” that was still under investigation. At the time, Toubba said only that an unauthorized third party had used information obtained in the August 2022 breach to access “certain elements of customer information.” It was this incident that was detailed in the updated blog post on December 22.

According to the CEO, an unnamed attacker used source code and technical data stolen in the August breach to target another employee and steal credentials and keys. These keys, including dual storage container decryption keys and cloud storage access keys, were used to access and copy customer information from backups.

This customer data included “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” Toubba wrote. The attacker also obtained a backup of customer vault data, including encrypted website usernames and passwords, as well as unencrypted data such as the website URLs.

While theft of the vault is commonly thought of as the worst-case scenario for a password manager, Toubba said that cracking a customer’s LastPass master password (required to decrypt the encrypted website logins) would take “millions of years.”

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” he wrote. “The master password is never known to LastPass and is not stored or maintained by LastPass.”

Still, Toubba acknowledged in his post that unencrypted data obtained from LastPass business and personal customers can be used for social engineering and phishing attacks.

“It’s important to know that LastPass will never call, email, or send you a text message asking you to click a link to verify your personal information,” he wrote. “LastPass will never ask for your master password unless you sign into your vault from the LastPass client.”

Criticism of LastPass

Despite LastPass’ attempts to reassure users, some in the information security industry have openly criticized the company’s response and security posture.

When 1Password CEO Jeff Shiner was asked if a LastPass breach was a worst-case scenario for password managers, he agreed.

“The challenge of taking a copy of the database is [that the threat actor has] copies of that information offline,” he said. “This is because it impacts the threat actor’s ability to decrypt copies of accounts.”

Some information security experts also questioned why LastPass chose to leave users’ website URLs unencrypted. Malwarebytes Malware Intelligence researcher Pieter Arntz wrote in a blog post earlier this month that security researchers are concerned about unencrypted URLs.

“It’s really hard to understand why LastPass doesn’t consider website URLs to be sensitive fields, and it makes you wonder what other data is unencrypted,” Arntz wrote. He added that targeted phishing attacks could turn LastPass users into “delicious prey.”

John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, went one step further, noting that website URLs may themselves contain account tokens, API keys and credential data. “The latest LastPass breach may be worse than you think,” he said on Twitter.

Customers are also complaining. Earlier this month, an anonymous Massachusetts-based LastPass customer filed a class action lawsuit against the company. The individual said he stored his private bitcoin key in his LastPass account and claimed that the attackers accessed the account and stole $53,000 in cryptocurrency around Thanksgiving.

The latest #LastPass breach may be worse than you think.

The attacker did more than just obtain the encrypted password.

They got an unencrypted URL.

Think about it: URLs containing account tokens, API keys, credentials, etc…

1/https://t.co/rahrJDk0gf pic.twitter.com/wiuNXJEFiO

John Scott-Railton (@jsrailton) Dec 23, 2022

Other identity and access management companies have also weighed in on the LastPass breach.

On Dec. 28, 1Password published a blog post titled “Not in a Million Years: It Can Take Far Less to Crack a LastPass Password.” The post argues that LastPass’s “millions of years” claim is flawed because it “appears to be based on the assumption that LastPass users’ 12-character passwords were generated by a completely random process.” In practice, the post notes, LastPass master passwords are created by the users themselves.

“Human-created passwords fall far short of that requirement,” writes Jeffrey Goldberg, the post’s author and 1Password’s principal security architect. “Humans are incapable of creating high-entropy passwords. Seemingly clever schemes that combine letters, numbers, and symbols to create passwords do more harm than good.”

According to Goldberg, password cracking systems are built to try the most likely passwords first, and making 10 billion guesses at a LastPass master password “costs less than $100.” LastPass is not the only password manager whose security rests on the master password alone; many other password managers work the same way.

Goldberg compared LastPass’ master password system to 1Password’s “private key” system: a dash-separated, machine-generated 34-character key that is combined with the user’s account password. Goldberg said the private key cannot be guessed and is never sent to or through 1Password’s systems, so 1Password customer data remains protected even in the event of a breach.
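To make the difference concrete, the following is an added illustration (not LastPass or 1Password code) of the two designs the article contrasts: a vault key derived from the master password alone, which a holder of a stolen backup can test guesses against offline, versus one that also mixes in a machine-generated secret that never leaves the user’s devices. The PBKDF2 iteration count, the HMAC mixing step, the salt and the sample secret are assumptions chosen for the example; the guess price comes from the 1Password figure quoted above.

```python
import hashlib
import hmac
from typing import Optional

# From the 1Password post quoted above: 10 billion guesses "costs less than $100".
GUESSES_PER_USD = 10_000_000_000 / 100
PBKDF2_ITERATIONS = 100_000  # assumption for illustration; not either product's real setting


def derive_vault_key(master_password: str, salt: bytes,
                     secret_key: Optional[bytes] = None) -> bytes:
    """Derive the key that protects a vault's encrypted fields.

    secret_key=None models a password-only design: whoever holds a stolen
    vault backup (and the salt stored with it) can test master-password
    guesses offline, limited only by the cost per guess.
    A secret_key models a second, machine-generated secret that lives only
    on the user's devices and is never sent to the service, so a correct
    master-password guess alone no longer yields the vault key.
    The HMAC mixing step is an illustrative construction, not either vendor's."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    if secret_key is None:
        return pw_key
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def expected_cost_usd(keyspace: int) -> float:
    """Expected dollars to recover one uniformly random secret drawn from
    `keyspace` possibilities (half the space on average) at the price above."""
    return (keyspace / 2) / GUESSES_PER_USD


def demo() -> dict:
    salt = b"constructed-per-user-salt"                                # constructed sample
    secret_key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed, 128-bit
    master = "correct horse battery"                                   # constructed sample

    # A correct guess of the master password succeeds only against the password-only design.
    pw_only = derive_vault_key(master, salt)
    guess_pw_only = derive_vault_key("correct horse battery", salt)
    with_secret = derive_vault_key(master, salt, secret_key)
    guess_without_secret = derive_vault_key(master, salt)

    return {
        "password_only_guess_matches": hmac.compare_digest(pw_only, guess_pw_only),
        "secret_key_guess_matches": hmac.compare_digest(with_secret, guess_without_secret),
        # LastPass's stated assumption: 12 characters chosen uniformly from 94 printables.
        "cost_random_12_char_usd": expected_cost_usd(94 ** 12),
        # The price point 1Password quotes: a likelihood-ordered list of 10 billion candidates.
        "cost_10_billion_guesses_usd": expected_cost_usd(10_000_000_000),
    }
```

The cost figures only hold for secrets that are actually uniformly random; a human-chosen master password sits near the front of a likelihood-ordered list, which is exactly Goldberg’s point.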

Shiner said 1Password decided to publish the blog post to alleviate customer concerns.

“When a breach happens this close to home, customers generally become concerned or question password managers,” he said. “And we also get questions about how we are different [from competitors] and our security approach. Even if your data is compromised, you can be confident that your data will remain safe. I think this is important to make our customers feel at ease.”

TechTarget’s editorial team reached out to LastPass about the claims in this post, but the company declined to comment.

JD Sherman, CEO of password management company Dashlane, told TechTarget editors that his organization is confident in its security posture. But he said they learn from breaches and “practically test the precautions and security measures we take.”

Asked if he was concerned about how the breach would affect the password management industry and consumer trust, Sherman said his initial concerns had proved unfounded.

“Awareness of such threats is growing,” he said. “And if you look at the growth in subscriptions and the number of inquiries from businesses, we’re seeing a really dramatic increase. Some of that may be changing in the usual buyer market right now. But overall I think it’s going to be a tailwind where people are [going to feel that they have] to start paying attention to this aspect of security that has been largely ignored so far.”

Moving to passwordless technology?

It is unclear how a LastPass breach will affect the password manager market in the long term. One authentication technology that can help limit the damage of such a breach is passwordless authentication, often in the form of FIDO-compliant physical security keys.

David Strauss, CTO of web hosting and content management company Pantheon, told TechTarget Editorial that he hopes passwords will one day be replaced by better alternatives.

“I hope to eventually do away with passwords in favor of better methods like FIDO’s passkeys. It’s the safest option to use,” Strauss said.

Dashlane launched passkey support last year, and on Tuesday announced the appointment of a new chief product officer, Donald Hasson, to lead the company’s passwordless push. 1Password, meanwhile, accelerated its own passkey efforts by announcing the acquisition of authentication technology company Passage in November.

Similarly, LastPass launched LastPass Authenticator last summer, an option that gives users one-tap access to their password vault after they have verified each trusted device once with their master password. Biometric and passkey integration is planned for the future.

1Password’s Shiner says it will take a long time, but it’s worth pushing people and businesses to passwordless authentication for both security and ease of use reasons.

“We’re pushing people and businesses down this passwordless path, and it’s been a multi-year journey that we can continue to help in the long term, both from a security and convenience standpoint, I think, and we’re trying to achieve that.”

“We see it as our job as password managers to help usher in this passwordless era,” said Sherman.

