Recently, password management company LastPass suffered a data breach. Yesterday, they reported new details about their investigation of the breach. These details indicate impact for customers of LastPass. We are sending this Threat Response to give LastPass customers some guidance on how to assess their risk and take appropriate steps. If your company does not use LastPass, you can skip the rest of this Threat Response.
LastPass offers a password manager that is used by private individuals and companies. Passwords are stored in a so-called vault, that is encrypted using the master password of the user. The vault is stored on the systems of LastPass and on the user’s endpoint.
In August, LastPass suffered a data breach where information about their internal systems was stolen. In November, the attacker presumably used this information to gain further access into a cloud storage provider used by LastPass. Yesterday, LastPass concluded that the attacker gained access to information about customers (including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses) and also copies of vaults that were made for backup purposes.
Customers of LastPass should consider their password vaults stolen, and information about their LastPass usage stolen as well. The direct impact of having vaults stolen is limited but significant: inside the vault, the URLs of the websites that the user stored credentials for, are not encrypted. So someone who has access to the vault, even an encrypted vault, can read all the URLs the user has stored inside. This may include URLs to internal systems and URLs that include access tokens or API keys.
To our best knowledge and own research, “notes” on login items and “secure notes” are encrypted inside the password vault.
If the attacker is able to guess the password to a vault, of course the impact is much bigger: the attacker gains access to all items in the vault, including all usernames and passwords.
Password vaults are encrypted with the user’s master password. The encryption key is derived from the password in such a way that brute-force guessing all possible passwords is not feasible. Therefore, an attacker who wants to gain access to a vault is likely to perform a smarter attack by using dictionaries of common passwords, common words and words specific to the season and the company. They will then generate variations on these passwords by applying prefixes and suffixes that people often use to make their password satisfy complexity requirements.
LastPass offers administrators the option to set password policies, but by default no restrictions on passwords are in place for Business accounts.
Because of a combination of these facts, Northwave believes the risk to consist of two things:
- Users inside your company having passwords that can be guessed using the above approach. Their vaults could be opened by an attacker that uses this approach.
- Targeted phishing based on the leaked company details and URLs inside vaults.
Northwave considers a password “guessable” in this context if it:
- Is shorter than 12 characters
- Is between 12 and 18 characters but contains dictionary words or words related to your company
- Is 18 characters or longer but is based on a single dictionary word
To best mitigate the risk, all users should change all passwords that were stored in their vault at the time of the breach. However, for most companies this is not a feasible option. Instead, to decrease the mentioned risks, the following steps can be taken:
- Inform your users about the LastPass breach and warn them about phishing in the coming months. Even more than normally, they should be aware not to enter usernames/passwords on websites they arrived at from email links, but browse to those websites themselves.
- Have all users assess their LastPass passwords for guessability. If their password is guessable, have them change their master password immediately, and also passwords of the systems you deem critical.
What should you do?
Northwave recommends following the above steps to make sure that the risk of login items leaking is minimised.
What will Northwave do?
Northwave will monitor any developments regarding this breach. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.