LastPass password manager under fire from critics
The well-known LastPass password management service is in bad shape. Although the American company's business is to protect its customers from data leaks by securing their passwords, the firm is in turmoil after a computer intrusion that is turning into a disaster. Wired even listed the attack among the worst hacks of 2022.

A four-day intrusion

For LastPass, the trouble started in August, when the firm disclosed a first intrusion. While the company sought to reassure users, noting that its products and services were working normally, it admitted that parts of its source code had leaked.

Then, in a later message, LastPass specified that the attacker had been able to remain on its network for four days, with no evidence of access to customer data or encrypted password vaults.

After investigation, the company believes the attacker entered the network by impersonating a developer, thereby bypassing multi-factor authentication.

Massive data leak

But two further messages, in November and at the end of December, show that the incident is far from over for LastPass.

The latest message, published a few days before Christmas, is the most worrying. Via a third-party cloud storage service, the attacker obtained customer data such as email addresses, IP addresses and telephone numbers, as well as encrypted password vaults.

As LastPass admits, the attacker can therefore attempt to recover passwords by trying every possible combination against the stolen vaults. Thanks to the encryption used (256-bit AES), it "would be extremely difficult" to do so for users who followed its password-strength recommendations, the company specifies. It would then take, LastPass adds, "millions of years" for an attacker "to guess your master password".

Controversy

Reassuring claims, but ones disputed by several experts in the field. The figure of millions of years of computation to identify a target's password "appears to be based on the assumption that the user's 12-character password was generated by a completely random process", notes Jeffrey Goldberg, head of security at a competing service, 1Password. However, he adds, "passwords created by humans are far from meeting this requirement".
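The arithmetic behind both positions, as an added illustration that is not from the article or from either company: the expected time to recover a master password by exhaustive search, for a randomly generated 12-character password versus a common human pattern. The attacker guess rate and the human-pattern model are assumptions chosen for the illustration.

```python
import math

# Assumed attacker throughput against a slow key-derivation function (guesses
# per second). This figure is constructed for the illustration, not taken from
# the article.
ASSUMED_GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits_random(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def entropy_bits_human_pattern(dictionary_words: int, digit_suffix_len: int,
                               symbols: int = 10, case_variants: int = 2) -> float:
    """Entropy of the common human pattern 'Word + digits + symbol'.

    The pattern and its parameters are an assumed model of how people pick
    passwords, used here only to contrast with the random case.
    """
    search_space = dictionary_words * case_variants * 10 ** digit_suffix_len * symbols
    return math.log2(search_space)


def expected_crack_years(bits: float,
                         guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to recover the password.

    On average an exhaustive search succeeds after half the space, so the
    expected work is 2**(bits - 1) guesses.
    """
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def compare_master_passwords() -> dict:
    """Years to crack a random 12-character password vs. a human-chosen one."""
    random_bits = entropy_bits_random(12, 95)            # 95 printable ASCII characters
    human_bits = entropy_bits_human_pattern(100_000, 4)  # a word, four digits, a symbol
    return {
        "random_12_char_bits": random_bits,
        "random_12_char_years": expected_crack_years(random_bits),
        "human_pattern_bits": human_bits,
        "human_pattern_years": expected_crack_years(human_bits),
    }


if __name__ == "__main__":
    for name, value in compare_master_passwords().items():
        print(f"{name}: {value:,.2f}")
```

With these assumptions the random 12-character password comes out at roughly 79 bits and millions of years, while the dictionary-word pattern sits near 34 bits and falls in seconds, which is the gap Goldberg is pointing at.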

As The Verge notes, other specialists, such as security researcher Wladimir Palant, have also criticized omissions in LastPass' communication. In his view, the company's argument serves first of all to shift the blame for any consequences onto customers who did not use a strong master password.

Those customers are also urged by LastPass to change their passwords for third-party services without delay.

Recurring problems

LastPass draws so much criticism because it has accumulated a long list of security problems. According to Jeremi Gosney, who accuses the firm of ignoring the security research community, it has suffered seven major security breaches in 10 years.

In 2021, for example, some users' master passwords were exposed following a credential stuffing attack, according to LastPass. The year before, the company had suffered a major outage. And in 2019 a serious security issue was discovered, as in 2017 and 2016.

Suffice it to say that confidence in LastPass is shaken, to say the least. This explains the calls and guides for switching password managers, an essential security tool whose use is recommended by Anssi, France's national cybersecurity agency.
