ikjadoon
What I don't understand is how any of this could grant access to actual end-user data. From what I know of their design, LastPass's master vault passwords are split - by definition, LastPass is only supposed to have a part of that key; the other half is only known to the end user's device(s). LastPass is never by design supposed to have the full master vault keys. Unless... they do...?
Ditto with unencrypted vaults; those are only ever supposed to exist on end-user devices in-memory, per their own service descriptions. It's one of their selling points. How could LastPass even have unencrypted vault copies to expose? Their own developer vaults, sure; but not end-user vaults. All a bad guy could ever manage to get, absolute worst case, would be an end-user's encrypted vault and half of a key. Supposedly...??
I'm genuinely curious now.
There are two separate vault breaches here.
1) LastPass internally uses LastPass to keep their Amazon S3 login information. This internal LastPass Vault itself held the logins to LastPass' internal Amazon account. One LastPass dev had access to this internal dev vault and was allowed to install Plex, which had a major security vulnerability. The hackers installed a keylogger onto that developer's PC and extracted that dev's Master Password and MFA code to the LastPass internal vault. Thus, the LastPass internal vault was immediately decrypted. Because they stole that dev's Master Password + MFA.
If hackers install a keylogger onto a developer's system, then hackers can steal passwords and immediately decrypt any of that user's vaults. That LastPass dev had nobody else's Master Password.
2) Well, that dev's vault was damn valuable. Because now the hackers used that developer's now-decrypted Amazon S3 login and extracted 30 million encrypted consumer vaults stored on Amazon S3 (because LastPass backed up encrypted consumer vaults to Amazon S3). This is all the consumer data.
TL;DR: the hackers keylogged the Master Password of a LastPass employee, not of any consumers. So that LastPass employee's vault was immediately decrypted. Essentially, the LastPass dev accidentally gave away access to his entire PC & work credentials.
//
Encrypted LastPass vaults aren't safe by default, however. If your vault had low iteration counts (e.g., 1 or 500) and a short, non-machine-generated Master Password plus stored juicy things the hackers might want (crypto logins, bank logins), then your vault is more likely a higher priority to be guessed / brute-forced.
A helpful note: some people keep saying "But the accounts had AES-256! Nobody can crack that!" Imagine your LastPass Vault has 100-foot steel walls (that's AES-256) and a locked door (that's the Master Password).
The hackers will not try to drill through the massive walls; they will try billions or even trillions of keys on the door.
February 28, 2023 at 4:38 am
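The iteration-count point in the comment above, as an added example that is not part of this thread: it models how the PBKDF2 work factor scales an attacker's guess rate against a stolen encrypted vault, and why a low count (1 or 500) leaves the "door" almost unprotected. It assumes PBKDF2-HMAC-SHA256 salted with the account e-mail (the scheme LastPass documents for its vault key) and uses constructed hash rates and entropy figures, not measured ones.

```python
import hashlib

# Constructed sample input; not real account data.
SAMPLE_EMAIL = "user@example.com"
SAMPLE_PASSWORD = "correct horse battery staple"
SECONDS_PER_YEAR = 365.25 * 86400


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Vault-key derivation model: PBKDF2-HMAC-SHA256 with the lower-cased
    e-mail as salt and a 32-byte output (assumption: mirrors LastPass's
    documented scheme). Iteration count is the tunable work factor."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def guesses_per_second(single_hmac_rate: float, iterations: int) -> float:
    """Each password guess costs `iterations` HMAC-SHA256 computations, so the
    achievable guess rate is the raw HMAC rate divided by the iteration count.
    `single_hmac_rate` is a constructed hardware figure, not a measurement."""
    return single_hmac_rate / iterations


def expected_seconds_to_guess(entropy_bits: float, single_hmac_rate: float, iterations: int) -> float:
    """Expected time to find a master password of the given entropy: on average
    half the password space is searched before the right guess lands."""
    half_space = (2.0 ** entropy_bits) / 2
    return half_space / guesses_per_second(single_hmac_rate, iterations)


def cost_table(entropy_bits: float, single_hmac_rate: float, iteration_counts) -> dict:
    """Expected years of guessing per iteration count, for one password strength."""
    return {
        it: expected_seconds_to_guess(entropy_bits, single_hmac_rate, it) / SECONDS_PER_YEAR
        for it in iteration_counts
    }


if __name__ == "__main__":
    key = derive_vault_key(SAMPLE_PASSWORD, SAMPLE_EMAIL, 100_100)
    print("derived key:", key.hex())
    # Constructed figures: a ~40-bit master password against 1e10 HMAC/s.
    for it, years in cost_table(40, 1e10, [1, 500, 5000, 100_100, 600_000]).items():
        print(f"iterations={it:>7}: ~{years:.4f} years expected")
```

Same password, same hardware: only the iteration count changes, and the expected effort grows linearly with it, which is why migrating old accounts off 1- or 500-iteration settings mattered.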