LastPass user data backups were compromised

LastPass is a freemium password manager that stores encrypted passwords in the cloud, originally developed by the company Marvasol, Inc.

The developers of the LastPass password manager, which is used by more than 33 million people and more than 100,000 companies, have notified users of an incident in which attackers gained access to backups of the storage holding the service's user data.

The data included information such as usernames, addresses, email addresses, phone numbers and the IP addresses from which the service was accessed, as well as the unencrypted names of the sites stored in the password manager and the encrypted logins, passwords, form data and notes stored for those sites.

To protect the logins and passwords of those sites, AES encryption was used with a 256-bit key generated by the PBKDF2 function from a master password known only to the user, with a minimum length of 12 characters. Encryption and decryption of logins and passwords in LastPass is done only on the user's side, and guessing the master password is considered unrealistic on modern hardware, given the length of the master password and the number of PBKDF2 iterations applied.

The attack was carried out using data the attackers had obtained during the previous attack in August, which was itself carried out by compromising the account of one of the service's developers.

The August attack gave the attackers access to the development environment, the application code and technical information. It later turned out that the attackers used data from the development environment to attack another developer, through whom they obtained access keys to the cloud storage and the keys needed to decrypt the data in the containers stored there. The compromised cloud servers hosted full backups of the service's data.

The disclosure is a dramatic update to the breach that LastPass disclosed in August. At the time, the company acknowledged that the hackers "took parts of the source code and some proprietary technical information from LastPass," and said that customer master passwords, encrypted passwords, personal information and other data stored in customer accounts were not affected.

256-bit AES and can only be decrypted with a unique decryption key derived from each user's master password using our Zero Knowledge architecture," explained LastPass CEO Karim Toubba, referring to the Advanced Encryption Standard. Zero Knowledge refers to storage systems whose contents the service provider itself cannot decrypt. The CEO continued:

The company also listed several measures LastPass has taken to strengthen its security since the breach. These include decommissioning the compromised development environment and rebuilding it from scratch, maintaining a managed endpoint detection and response service, and rotating all relevant credentials and certificates that may have been compromised.

Given the sensitivity of the data stored by LastPass, it is alarming that such a wide range of personal data has been obtained. While cracking the password hashes would be resource intensive, it is not out of the question, especially given the method and ingenuity of the attackers.

LastPass customers should make sure they have changed their master password and every password stored in their vault. They should also make sure they are using settings stronger than the LastPass defaults.

The default configuration scrambles stored passwords using 100,100 iterations of the Password-Based Key Derivation Function 2 (PBKDF2), a hashing scheme that can make long, unique master passwords impossible to crack in practice. However, 100,100 iterations is woefully below the OWASP-recommended threshold of 310,000 iterations for PBKDF2 in combination with the SHA-2 hash algorithm used by LastPass.
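To show why the iteration count matters once a vault backup is in an attacker's hands, here is an added example (not code from the article or from LastPass) that derives a 256-bit vault key with PBKDF2-HMAC-SHA256 from a master password, as the article describes, and compares the per-guess work at the 100,100 and 310,000 counts named above. Using the lower-cased account username as the salt, and the 32-byte output, are assumptions of this example, as is the placeholder username.

```python
import hashlib
import time

# Iteration counts the article compares: the LastPass default and the OWASP figure it cites.
LASTPASS_DEFAULT_ITERATIONS = 100_100
OWASP_RECOMMENDED_ITERATIONS = 310_000


def derive_vault_key(master_password: str, username: str, iterations: int) -> bytes:
    """Derive the 256-bit AES vault key from the master password with PBKDF2-HMAC-SHA256.

    Salting with the lower-cased username is an assumption of this example (it models a
    per-user salt, so two users with the same master password get different keys).
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        username.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def work_factor(old_iterations: int, new_iterations: int) -> float:
    """Multiplier on the cost of every offline guess after raising the iteration count."""
    return new_iterations / old_iterations


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Time one derivation on this machine: whoever holds a stolen vault pays this per
    candidate master password (per CPU core; GPU rigs are faster, but scale the same way)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"constructed-sample-{i}", "user@example.com", iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed demo credentials; the username is a placeholder, not a real account.
    key = derive_vault_key("correct horse battery staple", "user@example.com",
                           LASTPASS_DEFAULT_ITERATIONS)
    print("vault key:", key.hex())
    for n in (LASTPASS_DEFAULT_ITERATIONS, OWASP_RECOMMENDED_ITERATIONS):
        print(f"{n:>7} iterations: {seconds_per_guess(n):.3f} s per guess")
    print("work factor of raising the count:",
          round(work_factor(LASTPASS_DEFAULT_ITERATIONS, OWASP_RECOMMENDED_ITERATIONS), 2))
```

Raising the count from 100,100 to 310,000 makes each guess roughly three times as expensive; the rest of the defence is the length and uniqueness of the master password itself, which the iteration count cannot replace.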

LastPass customers should also be very vigilant about phishing emails and phone calls purporting to come from LastPass or other services and seeking sensitive data, and about other scams that exploit their compromised personal data. The company also offers specific guidance for enterprise customers who have implemented LastPass federated login services.

Finally, if you are interested in learning more, you can consult the details at the following link.
