Wednesday, May 22, 2024

LastPass Hack: Attackers Hacked DevOps Developer’s Private PC


In a new statement, LastPass details how the attackers were able to breach systems and access customer data. Among other things, they successfully targeted the private computer of a DevOps developer.

In the post, those responsible continue to unravel the incident. In August 2022 came the first information that attackers had been able to copy source code from LastPass servers. At that time, the password manager provider assured that there had been no access to customer data. This statement was still being made in September 2022, when it became clear that the attackers had had access to the systems for four days. In December 2022, it became known that the attackers had been able to see customer data, including LastPass’ crown jewels: customer password vaults.

There is also bad news for corporate customers using federated login. In that case, the “Hidden Master Password” consists of the components K1 and K2. As LastPass has confirmed, the attackers were able to capture K2. K1 is accessible to all employees of a company. As a result, an attacker would only need to compromise one employee’s account to gain access to all of a company’s LastPass data.

It is known that the attackers were able to steal the login details of a LastPass employee in the first attack. However, the data is said to have been encrypted, so the company’s cloud storage was not easily accessible.

To get the key to the login data, the attackers are said to have hacked into the private PC of a DevOps developer. According to those responsible, they exploited a security hole in a media software package and then installed a keylogger on the computer. After the employee had completed multi-factor authentication, the keylogger recorded the master password as it was entered, and the attackers were able to access the cloud storage. They now had access to backups and other keys, among other things.

LastPass assures that it has hardened its systems against new attacks. According to its own statements, it has tightened authentication procedures, among other things.

So that attackers do not have an easy time, passwords are not stored in plain text in the vault; the data is protected. To make reconstruction as difficult as possible, a cryptographic hash function is used together with a salt value and is applied many times over.

LastPass states that it uses Password-Based Key Derivation Function 2 (PBKDF2) for this. By default, LastPass uses 100,100 iterations of PBKDF2, with SHA-256 as the hash function. To make this combination as safe as possible, the Open Web Application Security Project (OWASP) recommends 600,000 iterations. According to a LastPass support article, LastPass now follows this recommendation. However, for existing accounts, the number of iterations is not increased automatically.

As security researcher Wladimir Palant reported late last year, however, this is not the case for all users. He says he knows of cases with only 5,000, 500, or even a single PBKDF2 iteration. Anyone who uses the password manager can adjust the value in their account.
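To make the iteration figures above concrete, the following added example (not LastPass code; the salt and password are constructed) derives a vault key with PBKDF2-HMAC-SHA256, rates an account's iteration count against the 100,100 default and the 600,000 OWASP figure, and shows why raising the count requires re-deriving the key rather than a silent server-side change:

```python
import hashlib
import secrets

# Figures quoted in the article; everything else here is a constructed example.
LASTPASS_DEFAULT_ITERATIONS = 100_100
OWASP_MIN_ITERATIONS = 600_000
REPORTED_LOW_COUNTS = (5000, 500, 1)  # counts Palant reports seeing on some accounts


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt, as the article describes.
    hashlib.pbkdf2_hmac is OpenSSL-backed; its cost grows linearly with `iterations`."""
    if iterations < 1:
        raise ValueError("PBKDF2 needs at least one iteration")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def audit_iterations(iterations: int) -> dict:
    """Rate an account's iteration count and state how many times cheaper each
    offline guess is than at the OWASP figure (work per guess is linear in iterations)."""
    if iterations >= OWASP_MIN_ITERATIONS:
        verdict = "ok"
    elif iterations >= LASTPASS_DEFAULT_ITERATIONS:
        verdict = "needs-upgrade"   # the old default, below current guidance
    else:
        verdict = "critical"        # weaker than even the old default
    return {"iterations": iterations,
            "attacker_speedup_vs_owasp": OWASP_MIN_ITERATIONS / iterations,
            "verdict": verdict}


def upgrade_changes_key(master_password: str, salt: bytes,
                        old_iterations: int, new_iterations: int) -> bool:
    """A different iteration count yields a different key, so a vault cannot be
    re-keyed silently on the server: the client must re-run the KDF with the
    master password in hand. This is why existing accounts keep their old count."""
    return (derive_vault_key(master_password, salt, old_iterations)
            != derive_vault_key(master_password, salt, new_iterations))


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # real clients store a random per-user salt
    for count in (OWASP_MIN_ITERATIONS, LASTPASS_DEFAULT_ITERATIONS, *REPORTED_LOW_COUNTS):
        report = audit_iterations(count)
        print(f"{count:>7} iterations: {report['verdict']:13} "
              f"guess cost relative to OWASP: 1/{report['attacker_speedup_vs_owasp']:.0f}")
    print("re-keying needed on upgrade:",
          upgrade_changes_key("correct horse battery staple", salt,
                              LASTPASS_DEFAULT_ITERATIONS, OWASP_MIN_ITERATIONS))
```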

LastPass responded to a specific request from heise Security about the use of PBKDF2 with a reference to a general statement and therefore did not take a direct position on the security issue.

Update: OWASP recommendation updated. LastPass’ response to this is mentioned in the body of the text. The importance of the hack for corporate clients is described.

Ebenezer Robbins