Password managers can be very useful when it comes to storing and keeping our login details safe in a world where we use more and more applications and web services. However, like any computer system, they are not infallible. LastPass is a clear example of this.
The service, which presents itself as one of the leading password managers on the market, has suffered several security incidents, and this year's are the most serious. A group of as-yet-unidentified attackers has obtained a copy of customers' encrypted password vaults.
A year to forget for LastPass
In the final stretch of 2022, a few days before Christmas, the company acknowledged a security breach in which not only customer vaults were exposed but also related information that was not encrypted at all. The big question now is how we got here and what the risks are. Let's take a look.
LastPass’s problems this year began in August, when its security systems were breached. The company announced at the time that “an unauthorized party” had used a compromised developer account to steal some of its app’s source code and technical information.
According to the incident report, user data was not affected at that point, but the attackers used the stolen information to target another LastPass employee: precisely the one who held the access credentials for LastPass's external (third-party cloud) storage service.
In November, the attackers used those stolen credentials to access backup volumes on servers outside the LastPass production environment and copied "certain elements." We now know that those "certain elements" were the following:
- Encrypted password vaults
- Company names
- Usernames
- Billing addresses
- Email addresses
- Telephone numbers
- Client IP addresses
- URLs of the websites associated with the entries in each vault
Encrypted vaults, but…
As mentioned throughout the article, the password vaults are encrypted, specifically with 256-bit AES. In principle they can only be decrypted with a key derived from each user's master password, a password that LastPass says it does not have or store anywhere.
However, this scenario also carries risks, and their magnitude depends on the strength of each user's master password. Because the attackers hold their own copy of the vaults, they can try to guess master passwords offline, without any rate limiting or account lockout to slow them down. Against a long, random master password that task would still require an enormous amount of time and computing power; against a short or common one it would not.
Since 2018 LastPass has required master passwords of at least 12 characters, but accounts created before that change could have been set up with weaker ones. If that is the case, the company recommends changing the passwords of all the websites stored in the service. Changing the master password as well is sensible for the account going forward, but it does nothing for the copy already in the attackers' hands, which remains encrypted under the old one.
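To make the master-password point concrete, here is an added example (not LastPass's code or vault format) that models an offline guessing attack against a vault whose 256-bit key is derived from the master password with PBKDF2-HMAC-SHA256. The salt, the wordlist and the "legacy" iteration count are constructed for the illustration; 100,100 is the default iteration count LastPass cited in its December 2022 notice. An HMAC key-check value stands in for decrypting an AES block and looking for plausible plaintext, because the cost that dominates the attack is the key derivation, which is identical either way.

```python
import hashlib
import hmac
import time

KEY_LEN = 32                  # 256-bit key, the size of an AES-256 vault key
MODERN_ITERATIONS = 100_100   # default LastPass cited in its December 2022 notice
LEGACY_ITERATIONS = 5_000     # assumed low count for an old account (illustration only)

# Constructed wordlist: the kind of candidates a cracker tries first, not real leaked data.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "letmein",
    "password123", "summer2022", "Winter2022!",
]


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the 256-bit vault key from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, KEY_LEN
    )


def key_check_value(key: bytes) -> bytes:
    """Stand-in for 'decrypt one block and check it looks like a vault'.
    A real cracker verifies a candidate key against the ciphertext; here an HMAC
    over a fixed label plays that role so the example needs no AES library."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def guess_master_password(candidates, salt: bytes, iterations: int, kcv: bytes):
    """Offline dictionary attack: one PBKDF2 derivation per candidate, no lockout,
    no rate limit. Returns (password or None, number of guesses made)."""
    for n, candidate in enumerate(candidates, start=1):
        key = derive_vault_key(candidate, salt, iterations)
        if hmac.compare_digest(key_check_value(key), kcv):
            return candidate, n
    return None, len(candidates)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Rough per-guess cost on this machine; the attacker's cost scales the same way."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", b"probe", iterations)
    return (time.perf_counter() - start) / samples


def run_demo():
    salt = b"user@example.com"  # constructed; assumes a per-user salt such as the account email
    weak_kcv = key_check_value(derive_vault_key("password123", salt, LEGACY_ITERATIONS))
    strong_kcv = key_check_value(
        derive_vault_key("vellum-otter-quartz-lantern-92", salt, MODERN_ITERATIONS)
    )
    # Weak master password on a legacy account: found in a handful of guesses.
    weak = guess_master_password(COMMON_PASSWORDS, salt, LEGACY_ITERATIONS, weak_kcv)
    # Long random passphrase at the modern iteration count: the wordlist is exhausted.
    strong = guess_master_password(COMMON_PASSWORDS, salt, MODERN_ITERATIONS, strong_kcv)
    return {"weak": weak, "strong": strong}


if __name__ == "__main__":
    print(run_demo())
    slow = seconds_per_guess(MODERN_ITERATIONS)
    fast = seconds_per_guess(LEGACY_ITERATIONS)
    print(f"modern iterations cost about {slow / fast:.0f}x more per guess than legacy")
```

The point the numbers make: the iteration count only multiplies the attacker's cost per guess (roughly 20x here), while the size of the space the attacker has to search is set entirely by the master password. A dictionary word falls in milliseconds regardless of iteration count; a long random passphrase pushes the search beyond practical reach.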
Stolen data can be used to mount phishing campaigns
But the risks do not end there. The attackers also hold a fair amount of unencrypted data stolen from LastPass that can be used to mount phishing campaigns. One of the most sensitive elements, according to Citizen Lab researcher John Scott-Railton, is the unencrypted URLs.
These tell attackers which services and websites each user has an account with, which is exactly the information a targeted phishing email needs. Social engineering was the preferred method of groups such as Lapsus$, so it is strongly advised to pay special attention to incoming emails.
For example, criminals could impersonate one of those services and, citing the LastPass breach, ask users to change their passwords. Anyone who falls for the trick hands over their login details, since the fake page captures whatever is typed into it.
It is worth remembering that two-step verification, also known as 2FA, is an important safeguard against exactly this kind of credential theft. As an additional recommendation, an authenticator app is preferable to receiving codes by SMS, because of the risk of 'SIM swapping'.
Images: LastPass | Pngall