A major hack affecting password manager giant LastPass appears much worse than first thought. In an update announcement two days before Christmas, LastPass CEO Karim Toubba admitted the attackers were able to successfully copy a backup of customer vault data. With that data in hand, the attackers can potentially access users’ entire collection of passwords and other data stored with LastPass if they can find a way to guess a user’s master password.
Trying to prevent an immediate spike in heart attacks, Toubba cautioned it would be “extremely difficult” to brute-force master passwords for customers who use the company’s default settings and best practices. For those users, it could take attackers “millions of years” to crack those codes using “generally-available password-cracking technology,” according to the CEO. LastPass says it should not have access to users’ master passwords.
That comforting reassurance doesn’t necessarily apply, though, to users with weaker master passwords. In those cases, LastPass advised users to go in and change the passwords for all the websites they have stored, which could mean a grueling, laborious day of frantically resetting account information awaits. And while it may be true that strong master passwords could prove challenging to guess, even the strongest passwords could be at risk if they were reused on another site that was previously breached. There’s no shortage of previously hacked passwords just sitting on dark web markets. Affected LastPass customers may also find themselves awash in annoying phishing attempts trying to trick them into unwittingly handing over their keys to the kingdom.
In addition to the passwords, Toubba said the stolen vault data includes “fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data,” along with unencrypted URLs. Sophisticated attackers, The Verge notes, could use the information those URLs reveal about the sites a user visits to craft more convincing phishing campaigns.
LastPass did not immediately respond to Gizmodo’s request for comment.
For a company whose primary service revolves around collecting and protecting passwords in one secure place, this is just about as bad as it gets. LastPass first disclosed the recent attacks in a blog post late last month. At the time, the company cryptically said that the attacker was able to access “certain elements” of “customers’ information,” without providing more detail. The company went on to say no customer passwords were affected by the incident, which is technically true, but as we now know, only tells part of the story.
Making matters worse, this most recent hack appears to have been made possible by a previous incident that occurred just six months ago. In that case, the company says the attacker appears to have stolen “source code and technical information” from its development environment and used it to target an employee and obtain their credentials.
Look, in a digital world requiring users to hold dozens upon dozens of credentials, password managers are increasingly a security must. At the same time though, that high concentration of sensitive information makes password manager sites some of the most mouth-watering targets for bad actors. LastPass should have seen this coming and should have disclosed these details to the customers sooner if the findings were available.