LastPass Posts Update on Recent Security Incident
LastPass posted an update on their blog about the recent security incident involving unauthorized access to a third-party cloud-based storage service, where LastPass stores archived backups of production data. Probably not the kind of news users of LastPass want to hear just before Christmas. Some questions I have from their post that I would like to highlight.
cloud-based storage used for various purposes such as storing backups and regional data residency requirements…the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
Sounds like LastPass probably uses AWS or a similar service to store backups of users data. This is pretty common, but why were the backups not encrypted? I am not talking about the user vaults being encrypted, why was the whole backup not encrypted? This sounds to me like a mistake on LastPass to not encrypt data that they are sending to an outside data center. Not a good look.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.
Some good news and some bad news in this statement. Good news that the website usernames and passwords, secure notes, and form-filled data should all still be encrypted and inaccessible unless the hacker can brute force the master password. Not such good news that the website URL’s were not encrypted giving the hacker knowledge of websites and email addresses they can then use to try and brute force their way into accounts.
I like LastPass, in fact I use LastPass but I am on high alert now for phishing emails and have already changed my master password. There is no doubt that this is a failure on the actions of LastPass to not encrypt their backups.
With incidents like this I can see why people would be looking at other services, like SplashID. This gives you some questions you might want to ask SplashID if you decided to go with them, are their backups fully encrypted?
To bad LastPass had to mess up to remind people to encrypt your backups!