Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
Cloud Data Storage Security

LastPass: Hackers Stole Customer Vault Data In Cloud Storage Breach (bleepingcomputer.com) 38

Posted by BeauHD from the latest-developments dept.
LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident. BleepingComputer reports: This follows a previous update issued last month when the company's CEO, Karim Toubba, only said that the threat actor gained access to "certain elements" of customer information. Today, Toubba added that the cloud storage service is used by LastPass to store archived backups of production data. The attacker gained access to Lastpass' cloud storage using "cloud storage access key and dual storage container decryption keys" stolen from its developer environment.

"The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," Toubba said today. "The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."

Fortunately, the encrypted data is secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password. According to Toubba, the master password is never known to LastPass, it is not stored on Lastpass' systems, and LastPass does not maintain it. Customers were also warned that the attackers might try to brute force their master passwords to gain access to the stolen encrypted vault data. However, this would be very difficult and time-consuming if you've been following password best practices recommended by LastPass. If you do, "it would take millions of years to guess your master password using generally-available password-cracking technology," Toubba added. "Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture."
This discussion has been archived. No new comments can be posted.

LastPass: Hackers Stole Customer Vault Data In Cloud Storage Breach More

LastPass: Hackers Stole Customer Vault Data In Cloud Storage Breach

Comments Filter:

  • Worse than you thought (Score:2, Interesting)

    by Anonymous Coward
    At first, you might think "It's encrypted with my private key *and* it's stored in a proprietary binary format".

    Hopefully no one saved their DNC login credentials alongside all their furry porn creds. That could be embarrassing and immediately leakable. Sounds like site URLs and user info were clear-text.

    Next, they probably got the code to handle that proprietary binary format, so that's one less safeguard that will be removed in short-order.

    After that's done, it's a simple matter of throwing dictio

  • Some of the stolen vault data is "safely encrypted"

    I feel safe now, this was only a matter of time. I keep my passwords in an encrypted file on my local PC that. I never used these password managers and being in the cloud just increases the risk. You might as well use a postit in a locked draw :)

  • This must be leak / customer data lost / hack number 2 or 3, at least.

  • So they post a media release -- containing worse news -- days before Xmas. (?)
    Were they hoping the broader media wouldn't pick-up this announcement? Or that no one would be around to read it?

    Now *that* I don't like.

    Given they have no knowledge of our passwords, I was willing to overlook this breach.
    But the timing of this release stinks. I'll be moving to the paid BitWarden in a few months when my LastPass subscription expires.
    When I cancel my subscription I hope they ask "Why?" ... I'm one of those idiots w

  • This bullshit by the staff at a company where they should all know better, and where it's probably regulated and forbidden by law to allow production data in developer environment, is why I quit the IT security industry a year ago. No-one in these companies, or any in fact, gives a damn about good security.

    • Re: (Score:2)

      by gweihir ( 88907 )

      Indeed. This is some high-grade incompetence at work. In well-run environments, there is a prohibition against that. The only place where it is outright forbidden is probably regulated industries though, like banking. I know examples of that.

  • This is not reassuring that the stores can't be cracked. "However, this would be very difficult and time-consuming if you've been following password best practices recommended by LastPass." Few used LastPasses recommended best practices because they recommend "at least 12 characters long and contain letters, numbers, and special characters." And we have know since the 80s that humans can't remember these passwords. XKCD https://xkcd.com/936/ [xkcd.com] tells us how to do secure passwords. So now LastPass has leak

  • dictionary attacks explained (Score:5, Informative)

    by FeelGood314 ( 2516288 ) on Friday December 23, 2022 @12:22AM (#63152082)
    Assume the password stores are encrypted in counter mode with all the stores starting with the same counter. This is likely the way last pass does encryption because it allows random access to the store. In counter mode the master password is hashed to create an AES key, a counter is then encrypted and XORed with the first block of what you want to encrypt, then the counter is incremented, encrypted and XORed with the next block. If I want to decrypt just block 355 I can add 355 to the original counter, encrypt this with the key and XOR it with cipher block 355 and I will get the original 355 block.

    As an attacker I will look for a block that has a large number of bits that are common to all plain text key stores.. Maybe a block that has a version number and some known formatting like a type and a length field, spaces or even just ascii where I know the high bit is 0. I just need about 40 bits of one block.
    Next I get a list of a few hundred billion common passwords. These are combinations of pet names, colours, kids, months, names etc, plus common substitutions @ for a, ! for i, people also commonly pad passwords with 123
    I encrypt the counter of my chosen block with all the hundreds of billions of passwords, XOR each result with the known bits for that block and then mask out the unknown bits (set them to zero), I then sort the list.
    next I take the target block from my stolen key stores, mask out the bits in the block which I don't know and sort the key stores by the result.
    I can now quickly run through both lists in order looking for a match. Each time I fine match I can be reasonably confident that I have the master password for that key store.

    • It would be nice if they added three additional columns. A 256 bit salt, a SHA-256 bit hash (encrypted) of all the previous stuff on the row, and a checksum (which doesn't have to be cryptographically secure, but good enough to check damage) as the final item. The outer checksum is something that could be run on the database backend just to tell if there is corruption or damage to rows, as a way to ensure integrity. The inner SHA256 hash ensures that nothing has been tampered with, even if the checksum w

    • Assuming you can associate a vault to a user and that user uses the email address they used with lastpass as the email address for logging into most sites. The known plaintext attack could be on the username and not the password. That would speed things up no?

    • Re: (Score:2)

      by Isao ( 153092 )
      "I encrypt the counter of my chosen block with all the hundreds of billions of passwords"

      Since LP is correctly using PBKDF2, assuming the default of 100,100 rounds, each guessed encryption has to be done 100K times. That's 2x10^16 tries. Assuming 1 billion attempts per second, that's 3.2 million years to completion, or 1.6 million years for 50% likelihood of random match. Sufficient to the task.

      The URLs should still have been encrypted.

      • "I encrypt the counter of my chosen block with all the hundreds of billions of passwords"

        Since LP is correctly using PBKDF2, assuming the default of 100,100 rounds, each guessed encryption has to be done 100K times. That's 2x10^16 tries. Assuming 1 billion attempts per second, that's 3.2 million years to completion, or 1.6 million years for 50% likelihood of random match. Sufficient to the task.

        The default for PBKDF2 is 100,000 or 10^5 and 100 billion is 10^11. So 10^16 hashes. At 1 billion hashes a second that's 10^7 seconds or 115 days. But a billion hashes a second isn't that much if I have a lot of money I would just rent the computing power and do it all in a day. If your password store was stolen and your password was in a my dictionary your store is already broken.

  • How many of those master passwords are 123456?

  • So, OK they did not get folks master passwords.. but with enough data to identify/ contact them how long before high value targets start seeing really sophisticated spear phishing attacks to get in so they can access the master passwords?

    Probably already started.

    I know that done right these cloud based wallets can be really convenient and secure but they still just make me nervous ... Maybe I just don't get the kids these days and what I'm doing is the digital equivalent of my grandma who lived through the

  • So all passwords and user names are encrypted with my master password. If the attacker happened to also know my username and password associated with the same email for hotcookies.com thanks to a separate leak, would it compromise all other usernames and passwords?
  • The point is that LastPass and similar services will be always the week link.

    LastPass has to store the full text of your passphrases to other sites. These passphrases are encrypted, but the encrypted blob still contains the full passphrases. As the article says, soon as the thieves brute force and guess your master passphrase, they will be able to see all your passphrases to other sites in clear text and use them for logins.

    On the other hand, slashdot and other sites can store only salted peppered has

  • > " in a proprietary binary format that contains both unencrypted data, such as website URLs"

    I posted about the URL's on the last story.

    This metadata leak is what caused me to leave LastPass several years ago, thanks to an intrepid whistleblower on Reddit. FWIW I informed TWiT about this while they were still hawking LastPass because they have influence in the security community (to no avail).

    Many people counter-claimed that unencrypted URL's was fixed not long after I left. I didn't see any official c

  • This is why I will never recommend web browser-based password vault services. I only recommend Keepass.

Slashdot Top Deals

PL/I -- "the fatal disease" -- belongs more to the problem set than to the solution set. -- Edsger W. Dijkstra, SIGPLAN Notices, Volume 17, Number 5

Close