LastPass Shouldn't Be Trusted With Your Passwords

LastPass, the popular password manager, is out of good will. Ever since the company first disclosed a breach in August, it has slowly provided consumers with drips of information, and the new details that do come out increasingly paint a picture of a company that should not be trusted with your passwords.

On Monday, LastPass published a blog post which provided more information on that breach, which it is now calling “Incident 2,” because the hacker leveraged its initial access to then steal data.

“Our investigation has revealed that the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities,” LastPass wrote.

The hackers managed to access LastPass’ corporate vault by targeting the home computer of one of four engineers who had access to decryption keys needed to access cloud data storage where sensitive information was kept. The hackers did this by exploiting a vulnerability in a third-party media software package, which Ars Technica later reported to be Plex. From here, the hacker installed a keylogger, captured the engineer’s master password, bypassed the company’s multi-factor authentication protections, and accessed the corporate vault. In there, the hacker stole the keys needed to access “LastPass production backups, other cloud-based storage resources, and some related critical database backups,” the blog reads. 

The post shows that the hacker against LastPass was resourceful and persistent, but also that LastPass was not treating its own crown jewels with the serious security practices it should have. A LastPass engineer was accessing critical services from their home computer and network. LastPass had difficulty distinguishing between the activity of the worker and that of the hacker. The sensitive information—in this case, customers’ password vaults that need the user’s master password to decrypt, but could theoretically be brute forced at some point—were stored less in a bank vault and more in a closet.

“4 people who have access to ‘the keys to the kingdom’. At least 1 of them was accessing them from a home computer. For how long without anyone noticing? If that didn’t raise flags, then it won’t for an attacker either,” the pseudonymous security researcher MG tweeted after LastPass published its blog post. “Helping them harden their home network is nice, but there needs to be some big cultural improvements & better controls/detections.”

In an August blog post, LastPass said a hacker compromised a developer account and stole portions of company source code and some “proprietary LastPass technical information.” Crucially, LastPass spokesperson Nikolett Bacso Albaum told Motherboard in a statement at the time “We have no evidence that this incident involved any access to customer data or encrypted password vaults.”

Then in December, the story changed. In a new blog post, LastPass said the hacker “was also able to copy a backup of customer vault data from the encrypted storage container.” LastPass stressed that customers’ website usernames and passwords were encrypted, and could only be decrypted with the individual customer’s master password. But as LastPass acknowledges, the hacker may attempt to brute force these passwords. LastPass says that would be “extremely difficult.” With the latest information about targeting the engineer’s home computer, we now know just how determined this hacker was, though. In that December blog post, LastPass said it had decommissioned the compromised developer environment and built it again from scratch.

Now, the Monday blog post provides the extra details about how the hackers compromised the LastPass engineer. Investigations take time, but it is now more than 6 months since the initial breach. The recent disclosure of exactly how the breach happened is useful. However the details are even more concerning.

Even before this latest blog post, some security researchers had already recommended ditching LastPass. Jeremi Gosney, a member of the core development team for password cracking software Hashcat, previously supported LastPass, he said in a lengthy Mastodon post in December. That changed. Issues Gosney flagged included LastPass suffering a total of seven major security breaches in the last ten years, ignoring vulnerability reports, and how LastPass keeps your vault encryption key in memory.

Companies get hacked all the time. Sometimes the companies are under-resourced, or face an attacker that genuinely outwitted them. Some breaches are mostly inconsequential, dealing with accounts for a particular, and not that important, website. But password management companies are not ordinary tech companies or sites. They are the custodians of their customers’ passwords that in turn can be used to completely pry open their digital lives. These are peoples’ most valuable secrets, and should be treated as such. For a password manager, you shouldn’t expect anything less than world class. Especially when you’re paying for the service, which is the case with many LastPass customers (a change the company did in 2021, which made not paying for the service incredibly inconvenient.).

At a minimum, LastPass customers should change any passwords they stored inside the service, as well as their master password which is used to access this information. They should start with their most sensitive accounts first. Unfortunately, this is likely to be a time-consuming process. Beyond that, it’s time to find another password manager altogether.

Plex, the media software used to compromise the LastPass engineer, told Motherboard in a statement that “We have not been contacted by LastPass so we cannot speak to the specifics of their incident. We take security issues very seriously, and frequently work with external parties who report issues big or small using our guidelines and bug bounty program. When vulnerabilities are reported following responsible disclosure, we address them swiftly and thoroughly, and we’ve never had a critical vulnerability published for which there wasn’t already a patched version released. And when we’ve had incidents of our own, we’ve always chosen to communicate them quickly.”

“We are not aware of any unpatched vulnerabilities, and as always, we invite people to disclose issues to us following the guidelines linked above. Given recent articles about the LastPass incident, although we are not aware of any unpatched vulnerabilities, we have reached out to LastPass to be sure,” the statement added.

LastPass did not respond to a request for comment.

Update: This piece has been updated to include a statement from Plex.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.