
LastPass customer password vaults stolen, targeted phishing attacks likely

The latest fallout from the password manager's August security nightmare will probably see attackers deploying sophisticated methods to acquire decryption information

LastPass customers have been warned to remain vigilant to a wave of phishing attacks after it was revealed that cyber criminals stole customers’ encrypted password vaults during a breach earlier this year.  

In a blog post, the password manager said that hackers extracted a copy of backup customer vault data following the August attack by using cloud storage keys stolen from a LastPass employee.  

LastPass revealed that this repository of customer passwords is stored in a “binary format” and contains both unencrypted data, such as website URLs, as well as encrypted data including website usernames and passwords, secure notes, and form-filled data.  

The company said that cyber criminals also stole a significant volume of customer data, including names, email addresses, phone numbers, and some billing information. 

"Once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” the firm said in a statement.

CEO Karim Toubba insisted that only customers have the ability to decrypt protected passwords.  

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password,” he said. 

Toubba also sought to quell ongoing fears that financial payment data was stolen in the attack.  

“There is no evidence that any unencrypted credit card data was accessed,” he said in a statement. “LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment.”

Phishing fears 

This latest update from LastPass has raised serious concerns that stolen information could be leveraged by threat actors to target users en masse. 

LastPass warned that hackers may attempt to use brute force attacks to guess master passwords, but noted that due to hashing and encryption methods employed by the service, it would be “extremely difficult”.  


A key concern highlighted by both LastPass and security experts, however, is the potential for users to be targeted by sophisticated phishing campaigns in the wake of this news.  

John Scott-Railton, senior security researcher at the University of Toronto's Citizen Lab, warned that the threat actor(s) behind the breach is “clearly well-resourced, capable, and strategic”.  

“Latest LastPass breach may be worse than you think,” he said in a Twitter thread. “Attacker didn't just get encrypted passwords. They got unencrypted URLs.” 

“I’m especially worried about high-value users and entities. Serious national security implications that probably need mitigating.” 

Scott-Railton cited a separate thread on the incident which warned that although encrypted data was stolen in this incident, the websites that customers visited were not, meaning that users "should expect to get phishing emails” in the coming days and months.  

It is believed that hackers will likely use this breach as a means to target users and encourage them to change passwords and click on malicious links.  

“Be VERY careful about password reset alerts in these next few months,” the advice read.  

LastPass issued a similar warning for users, noting that it expects customers to be targeted by phishing attacks, credential stuffing, and other brute force attacks “against online accounts associated with your LastPass vault”.  

“In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information,” the company said.  

Domino effect 

The LastPass revelations appear to have sparked a domino effect among users of similar password management services. Some took to social media to ponder whether rival password managers that also use cloud storage could be exposed to similar attacks.

Responding to concerns relating to its own product on social media, 1Password confirmed that “all 1Password vault data is end-to-end encrypted” on user devices, distancing itself from the idea that it could also suffer a similar attack.

The firm added that “this means that even if our servers were breached, all the attackers would have is encrypted gibberish that is useless and unreadable”. 

“An attacker would need both your 1Password account password and secret key to decrypt the data within it,” the company said. 
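The vault model the article describes (URLs stored in the clear, credentials encrypted with AES-256 under a key derived from the master password, and 1Password's point that a second secret must be combined with the password) can be made concrete with a small program. The following is an added example written for this article, not code from LastPass or 1Password: it derives the vault key with PBKDF2-HMAC-SHA256 (the page only says "hashing"; the KDF choice, the iteration counts, the salt and the sample credentials are assumptions or constructed values), seals a record with AES-256-GCM, and then shows what someone holding only the backup can read, why a wrong master password yields nothing, and how mixing in an extra high-entropy secret makes the password alone insufficient.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) written for this
// example so it needs only the standard library. The KDF and the iteration
// counts used below are assumptions, not either vendor's real settings.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen+prf.Size())
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)          // U_1
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)        // U_i
			for j := range t {
				t[j] ^= u[j]        // T = U_1 xor ... xor U_c
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// VaultEntry models one record of the stolen backup as the article describes
// it: the URL is stored in the clear, the credentials are AES-256 ciphertext.
type VaultEntry struct {
	URL        string // unencrypted: readable by anyone holding the backup
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM of "username\x00password"
}

// deriveVaultKey turns the master password into the 256-bit vault key.
// secretKey may be nil; when present it models 1Password's second secret,
// mixed into the salt here (a simplification chosen for the example).
func deriveVaultKey(masterPassword string, secretKey, salt []byte, iterations int) []byte {
	fullSalt := append(append([]byte(nil), salt...), secretKey...)
	return pbkdf2SHA256([]byte(masterPassword), fullSalt, iterations, 32)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealEntry encrypts the credentials; the clear URL is bound as additional
// data so a record cannot be silently re-pointed at another site.
func sealEntry(key []byte, url, username, password string) (VaultEntry, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return VaultEntry{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return VaultEntry{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(username+"\x00"+password), []byte(url))
	return VaultEntry{URL: url, Nonce: nonce, Ciphertext: ct}, nil
}

// openEntry fails (GCM tag mismatch) for any key but the right one.
func openEntry(key []byte, e VaultEntry) (username, password string, err error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", "", err
	}
	pt, err := gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.URL))
	if err != nil {
		return "", "", errors.New("wrong key or tampered record")
	}
	parts := bytes.SplitN(pt, []byte{0}, 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed plaintext")
	}
	return string(parts[0]), string(parts[1]), nil
}

func main() {
	salt := []byte("constructed-per-user-salt") // constructed sample value
	key := deriveVaultKey("correct horse battery staple", nil, salt, 100000)
	entry, err := sealEntry(key, "https://bank.example", "alice", "hunter2")
	if err != nil {
		panic(err)
	}
	// What the holder of the backup sees without the master password.
	fmt.Printf("URL (clear): %s\nsecrets (opaque): %s\n", entry.URL, hex.EncodeToString(entry.Ciphertext))
	if _, _, err := openEntry(deriveVaultKey("wrong guess", nil, salt, 100000), entry); err != nil {
		fmt.Println("wrong master password:", err)
	}
	u, p, _ := openEntry(key, entry)
	fmt.Printf("correct master password: %s / %s\n", u, p)
}
```

The readable URL is exactly the field the researchers quoted above are worried about: it tells whoever holds the backup which sites to imitate in a phishing email, even though the credentials for those sites stay opaque. The iteration count is what makes each offline password guess expensive, so a high count and a long master password are the two levers on the defender's side; a second, device-held secret (the 1Password approach) changes the derived key entirely, so a guessed password by itself no longer opens the record.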
