LastPass customers have been warned to remain vigilant to a wave of phishing attacks after it was revealed that cyber criminals stole customers’ encrypted password vaults during a breach earlier this year.
In a blog post, the password manager said that hackers extracted a copy of backup customer vault data following the August attack by using cloud storage keys stolen from a LastPass employee.
LastPass revealed that this repository of customer passwords is stored in a “binary format” and contains both unencrypted data, such as website URLs, as well as encrypted data including website usernames and passwords, secure notes, and form-filled data.
The company said that cyber criminals also stole a significant volume of customer data, including names, email addresses, phone numbers, and some billing information.
"Once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” the firm said in a statement.
CEO Karim Toubba insisted that only customers have the ability to decrypt protected passwords.
“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password,” he said.
Toubba also sought to quell ongoing fears that financial payment data was stolen in the attack.
“There is no evidence that any unencrypted credit card data was accessed,” he said in a statement. “LastPass does not store complete credit card numbers and credit card information is not archived in this could storage environment”
Phishing fears
This latest update from LastPass has raised serious concerns that stolen information could be leveraged by threat actors to target users en masse.
LastPass warned that hackers may attempt to use brute force attacks to guess master passwords, but noted that due to hashing and encryption methods employed by the service, it would be “extremely difficult”.
Understanding the economics of in-cloud data protection
Data protection solutions designed with cost optimisation in mind
A key concern highlighted by both LastPass and security experts, however, is the potential for users to be targeted by sophisticated phishing campaigns in the wake of this news.
John Scott-Railton, senior security researcher at the University of Toronto's Citizen Lab, warned that the threat actor(s) behind the breach is “clearly well-resourced, capable, and strategic”.
“Latest LastPass breach may be worse than you think,” he said in a Twitter thread. “Attacker didn't just get encrypted passwords. They got unencrypted URLs.”
“I’m especially worried about high-value users and entities. Serious national security implications that probably need mitigating.”
Scott-Railton cited a separate thread on the incident which warned that although encrypted data was stolen in this incident, the websites that customers visited were not, meaning that users "should expect to get phishing emails” in the coming days and months.
It is believed that hackers will likely use this breach as a means to target users and encourage them to change passwords and click on malicious links.
“Be VERY careful about password reset alerts in these next few months,” the advice read.
LastPass issued a similar warning for users, noting that it expects customers to be targeted by phishing attacks, credential stuffing, and other brute force attacks “against online accounts associated with your LastPass vault”.
“In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information,” the company said.
Domino effect
The LastPass revelations appear to have sparked a domino effect among users of similar password management services. Some took to social media to ponder the potential exposure of rival password managers, that also use cloud storage, to similar attacks.
Responding to concerns relating to its own product on social media, 1Password confirmed that “all 1Password vault data is end-to-end encrypted” on user devices, distancing itself from the idea that it could also suffer a similar attack.
The firm added that “this means that even if our servers were breached, all the attackers would have is encrypted gibberish that is useless and unreadable”.
“An attacker would need both your 1Password account password and secret key to decrypt the data within it,” the company said.
