Last Thursday LastPass updated their 25 August security incident bulletin with additional details on what customer information had been exposed and additional details of the follow-up breach in November of this year. The investigative team discovered that the threat actor used information stolen in the August breach to target an employee to access their cloud-based storage systems. These systems store encrypted backups of customer account information, which the threat actors were able to acquire decryption keys for. Additionally, the backups contain customer vault data. LastPass reports that this vault data is a combination of unencrypted fields such as URLs and encrypted fields such as usernames and passwords. The encryption method for the encrypted fields uses the customer’s master password, which means these fields are protected from the threat actor by the strength of the individual user’s master password.
The primary risk introduced by this breach is the combination of the unencrypted metadata with customer account information. With those two pieces of information, malicious actors can put together a profile of websites the exposed customers have accounts on, combine that with open source intelligence (OSINT) from social media, and perform activities such as spearphishing, vishing, or other social engineering techniques against employees. Additional social engineering awareness training may be effective over the next couple months to help mitigate risk to companies that use LastPass.
The secondary risk is brute-force cracking of the master password. Because of the nature of LastPass’s encryption process, access to vaults only requires the master password. This means that the strength of the vault’s security is only as strong as the master password. If it is not strong, a hash cracking program may be able to quickly crack the password and give an attacker access to the vault. Even if the password is strong, companies should rotate their master passwords anyways.
Regardless of the mitigations adopted, the answer to this breach is not to abandon password managers, as they are by far the best solution available to the weakness inherent in passwords for authentication. LastPass, while they have been in the news recently for security breaches, have already taken steps to tighten up their security, and will likely continue to do so in response to the follow-up breach. Considering this, migrating away from LastPass should be heavily weighed against the operational cost of changing workflows for users, as the additional security from using another password manager may not improve security much. If the master password being the single point of failure for vaults is a concern, password management solutions such as 1Password utilize a master password and secret key combination for encryption, which not only requires both for vault access but also forces additional strength.