2022-12-29

LastPass is one of the most popular password management programs; it is available in both a free version, with a limited set of features, and a paid version.

Last August, the company that develops the software announced that it had suffered a security breach: attackers gained access to some components of the development environment after compromising a developer’s account. According to information shared at the time of the incident, the attackers had stolen portions of the source code and some proprietary technical information.

LastPass announced additional containment and mitigation measures and new security procedures, and engaged an outside firm to investigate the case. It also stressed that users’ master passwords had not been compromised.

Only now, in an update released just before Christmas, has the company revealed that the attackers are in possession of personal information belonging to customers. The information obtained in August allowed the attackers to mount a new attack against another employee and obtain the credentials and keys used to decrypt some cloud storage volumes.

The cloud storage service is physically separated from the production environment, but the potential damage for LastPass users could be even greater than what was admitted in August: the attackers were in fact able to access company and end-user names, addresses, billing information, email addresses, telephone numbers and the IP addresses from which customers accessed the service.

The attackers also managed to copy a backup of customer “vault” data that is stored in a proprietary binary format. The backup contains both unencrypted data (e.g. website URLs) and encrypted sensitive data (e.g. usernames and passwords used on websites, secure notes, and data used for autofilling web forms). “These encrypted fields remain protected with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” the company says. “Please note that your master password is never known to LastPass and is not stored or managed by LastPass. Data encryption and decryption is performed only on the local LastPass client.”

What risks do users face?

The risk to customers is that attackers may attempt brute-force attacks to crack the master password and decrypt the vault copies obtained during the attack.

LastPass specified that the hashing and encryption algorithms used are extremely robust and that it is difficult for attackers to guess the master passwords of customers who use complex passwords. But accounts with simpler passwords, and some business users, who the company says have already been alerted, could be at risk.

LastPass has confirmed that to date the attackers have not had access to unencrypted credit card data as it is not stored in the cloud storage that was hacked.

What information did the new update give us? Let’s try to read between the lines of the company’s communication.

First, it should be noted that the two events, the August breach and this one, are closely related. The second breach was only possible thanks to information obtained in the first, which points to problems in the handling of the first incident.

Another element that emerges from the LastPass update is the lack of encryption of the URLs of users’ websites. This information is valuable to attackers, who could use it for spear-phishing attacks by inferring users’ interests from the sites they visit.

The third aspect that emerges from the LastPass update is that the company stores users’ IP addresses. This information could be used to profile an active user. It is worth remembering that in 2016 the European Court of Justice established that a dynamic IP address is, under certain conditions, comparable to personal data and can constitute an indirect identifier of online users. This data is now in the hands of attackers, with obvious repercussions for user privacy.

A passage from the press release deserves attention: “Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices”. On closer inspection, this sentence shifts responsibility for any future compromise onto the users themselves, who would be blamed for not having used adequate passwords. Since 2018, LastPass has required master passwords of at least 12 characters, but some users report online that they still use shorter passwords chosen before that date and have not been notified of the change. In that case the fault would lie not with the users but with the company, which would not have checked compliance with its own password requirements.