in ,

LastPass reveals how it got hacked — and it’s not good news

Password manager LastPass had an especially awful year since several hacking instances exposed severe flaws in its ostensibly rock-solid security. Now that we are aware of every detail of those attacks, the information is really amazing.

It started in August 2022, when LastPass disclosed that a threat actor had stolen the source code for the application. In a subsequent, follow-up assault, the hacker combined this data with details from a another data breach, then took advantage of a flaw in a remote-access tool used by LastPass staff members. Hence, they were able to set up a keylogger on the senior engineer’s work computer.

Once the keylogger was installed, the hackers were able to capture the engineer’s LastPass master password as it was being typed, giving them access to the worker’s vault and all of the information it held.

They exported the vault’s contents using that access. The decryption keys required to decrypt client backups kept in LastPass’s cloud storage system were tucked away among the data.

That’s significant since LastPass stored crucial database backups and production backups on the cloud. Also, a sizable amount of confidential client information was taken, albeit it doesn’t seem the hackers were able to decode it. What was stolen is described in full on a LastPass support website.

Questionable transparency

Fortunately for LastPass users, it appears that the most private information of users, including (most) email addresses and passwords, was encrypted with a zero-knowledge approach. This indicates that they were encrypted secretly by LastPass using a key created from each user’s master password. These decryption keys were not kept anywhere by LastPass, so when the hackers acquired the data from LastPass, they were unable to obtain them.

Yet, a lot of crucial material was stolen by danger actors. These includes configuration information, API secrets, customer metadata, and backups of LastPass’s multi-factor authentication database. In addition, it appears that other products besides LastPass were also compromised.

According to LastPass, the second attempt was difficult to identify because it was conducted using real employee login information. When the company’s AWS Guard Duty Alerts system alerted it that someone was attempting to use its Cloud Identity and Access Management roles to undertake illicit behavior, the company finally noticed something was amiss.

The criticism that LastPass has received for how it handled the attacks in recent months is not going to abate in light of the most recent information. One security firm even went so far as to advise users to switch to another password manager because LastPass was unreliable.

According to reports, LastPass is currently attempting to prevent search engines from indexing their attack support sites by inserting “meta name=”robots” content=”noindex”>” code to the pages. That won’t help consumers (or the general public) learn what transpired and scarcely seems to be done in the spirit of openness and accountability. On the business blog, nothing has been written either.

Finding a different programme could be preferable if you use LastPass. Fortunately, there are several alternative excellent password managers available that can effectively safeguard your sensitive data.