The series of successive cyberattacks on LastPass continues, and while the investigation is ongoing, the company has shared its latest findings in a post on its support site.
It appears that cybercriminals were able to infiltrate the personal computer of an engineer who had access to a cloud storage environment shared by a select few at LastPass. This environment contained valuable information, including encryption keys for customer vaults. The hackers, exploiting a vulnerability in the Plex media platform, implanted keylogger-type malware on the engineer’s computer, allowing them to capture the engineer’s password as it was typed.
LastPass has since updated its security policy, including regular changes to sensitive credentials and authentication tokens, along with stricter alerts.
The extent of the damage goes beyond the initial assurance that customers’ passwords “remained securely encrypted.” The hackers gained access to personal information and metadata: user names, company names, billing addresses, email addresses, IP addresses, and telephone numbers of customers. They also accessed encrypted customer vaults containing website usernames and passwords, URLs, secure notes, form data, and other saved content.
Although LastPass reassures that encrypted fields remain secure under 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password, the hack has exposed a significant amount of sensitive data. The company suggests there is no immediate risk to users, since it would take considerable effort to guess a master password.
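To make the "considerable effort" claim concrete, the following added example (not code from the article or from LastPass) derives a 256-bit vault key from a master password and estimates how long an offline guessing campaign against a stolen vault would take. It assumes PBKDF2-HMAC-SHA256 as the derivation function and uses constructed iteration counts and guess-space sizes; the article states neither.

```python
import hashlib
import os
import time

# Assumption for this illustration: PBKDF2-HMAC-SHA256 producing a 256-bit key,
# matching the AES-256 key size the article mentions. The iteration counts and
# guess spaces below are constructed for comparison, not LastPass settings.
KEY_BYTES = 32


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the AES-256 vault key from the master password and a per-user salt.

    Nothing secret beyond the master password goes in, so anyone holding a
    stolen encrypted vault can evaluate this for candidate passwords; the
    iteration count is what makes each candidate expensive to test.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )


def derivations_per_second(iterations: int, samples: int = 3) -> float:
    """Measure how many derivations one CPU core completes per second."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def expected_guess_seconds(guess_space: int, rate: float) -> float:
    """Expected time to hit the right password: on average half the space is tried.

    This is a lower bound; dedicated attacker hardware is far faster than one core.
    """
    return (guess_space / 2) / rate


if __name__ == "__main__":
    for iterations in (5_000, 100_000):
        rate = derivations_per_second(iterations)
        print(f"{iterations:>7} iterations: {rate:8.1f} guesses/s on one core")
        # A password drawn from a 10,000-word list vs. 12 random alphanumerics (62**12).
        for label, space in (("10k-word list", 10_000), ("12 random alnum", 62 ** 12)):
            print(f"    {label}: ~{expected_guess_seconds(space, rate):.3g} s")
```

Raising the iteration count multiplies the cost of every guess, but a password drawn from a small list stays cheap to find at any setting, which is why the recommendation below to choose a new, strong master password matters more than the work factor alone.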
The CEO of GoTo, the parent company of LastPass, disclosed that the hack extended beyond LastPass to five other services. The hackers obtained an encryption key for part of the backups stored with a cloud provider, giving them access to user names, encrypted passwords, product licenses, and multi-factor authentication details. Affected customers have had their passwords reset, and their accounts have been moved to a more secure platform.
To address the aftermath of the data leak, LastPass is decommissioning the compromised development environment, strengthening security measures, and recommending that users change their master passwords and enable multi-factor authentication to avoid risks such as credential stuffing.
While LastPass initially downplayed the severity of the situation, subsequent revelations have demonstrated a broader impact, seriously tarnishing the company’s image. The incidents highlight the vulnerability of password managers, prompting LastPass to take substantial steps to rebuild its security infrastructure and restore user confidence.