Friday, December 13, 2024

LastPass Hack: Attackers Hacked DevOps Developer’s Private PC

In a new statement, LastPass details how the attackers were able to breach systems and access customer data. Among other things, they successfully targeted the private computer of a DevOps developer.

In the post, LastPass continues to unravel the incident. In August 2022, the first information emerged that attackers had been able to copy source code from LastPass servers. At that time, the password manager provider assured that there had been no access to customer data. This statement was still being made in September 2022, when it became clear that the attackers had had access to the systems for four days. In December 2022, it became known that the attackers had been able to see customer data. This includes LastPass’ crown jewels: customer password vaults.

There is also bad news for corporate customers using federated login. In that case, the “Hidden Master Password” consists of the components K1 and K2. As LastPass has confirmed, the attackers were able to capture K2. K1 is accessible to all employees of a company. As a result, an attacker would only need to compromise one employee’s account to gain access to all of a company’s LastPass data.

It is known that the attackers were able to steal the login details of a LastPass employee in the first attack. However, the data is said to have been encrypted, so the company’s cloud storage was not easily accessible.

To obtain the key to the login data, the attackers are said to have hacked into the private PC of a DevOps developer. According to LastPass, they exploited a security hole in a media software package and then installed a keylogger on the computer. After the employee had completed multi-factor authentication, they recorded the master password as it was typed and were able to access the cloud storage. The attackers then had access to backups and other keys, among other things.

LastPass assures that it has hardened its systems against further attacks. According to its own statements, it has tightened authentication procedures, among other things.

So that attackers do not have an easy time, passwords are not stored in plain text in the vault; the data is protected. To make reconstruction as difficult as possible, a cryptographic hash function is applied together with a salt value, and this step is repeated many times.

LastPass states that it uses Password-Based Key Derivation Function 2 (PBKDF2) for this. By default, LastPass uses 100,100 iterations of PBKDF2, with SHA256 as the hash function. To make this combination as safe as possible, the Open Web Application Security Project (OWASP) recommends 600,000 iterations. According to a LastPass support article, LastPass now follows this recommendation. However, for existing accounts the number of iterations is not increased automatically.

As security researcher Vladimir Palant reported late last year, however, this is not the case for all users. He says he knows of cases with only 5000, 500, or even a single iteration of PBKDF2. Users of the password manager can adjust the value in their account settings.
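The key stretching described in the two paragraphs above, as an added illustration that is not code from LastPass or from the article: PBKDF2-HMAC-SHA256 from Python's hashlib, run with the iteration counts the article quotes, plus a small audit of per-account counts against the OWASP figure. The password, salt and account list are constructed sample values; the "weak"/"critical" thresholds are my own choice for the demonstration.

```python
import hashlib
import hmac
import time

# Figures quoted in the article; the labels and thresholds below are assumptions.
OWASP_MIN_ITERATIONS = 600_000   # OWASP recommendation for PBKDF2-HMAC-SHA256
LASTPASS_OLD_DEFAULT = 100_100   # former LastPass default
KEY_LEN = 32                     # one SHA256 block of output


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256.

    The iteration count is an input to the derivation: a different count gives
    a different key, which is why an existing vault cannot simply be switched
    to a higher count without re-encrypting it under the new key.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def one_hmac(master_password: str, salt: bytes) -> bytes:
    """What PBKDF2 collapses to at a single iteration: one HMAC over salt||INT(1)."""
    return hmac.new(master_password.encode("utf-8"), salt + b"\x00\x00\x00\x01",
                    hashlib.sha256).digest()


def audit_iterations(accounts: dict) -> dict:
    """Classify stored per-account iteration counts (constructed sample input)."""
    report = {}
    for label, count in accounts.items():
        if count >= OWASP_MIN_ITERATIONS:
            report[label] = "ok"
        elif count >= LASTPASS_OLD_DEFAULT:
            report[label] = "weak"       # old default, below current recommendation
        else:
            report[label] = "critical"   # the 5000 / 500 / 1 cases Palant describes
    return report


def stretch_cost_seconds(iterations: int) -> float:
    """Wall-clock cost of one derivation; the attacker pays this per guess."""
    start = time.perf_counter()
    derive_vault_key("correct horse battery staple", b"\x00" * 16, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    print(audit_iterations({"legacy": 1, "old-default": 100_100, "current": 600_000}))
    for n in (1, 5000, LASTPASS_OLD_DEFAULT, OWASP_MIN_ITERATIONS):
        print(f"{n:>7} iterations: {stretch_cost_seconds(n):.4f} s per guess")
```

Running the script shows the per-guess cost scaling linearly with the count, so a vault left at one iteration costs an attacker a single HMAC per master-password guess.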

LastPass responded to a specific inquiry from heise Security about the use of PBKDF2 with a reference to a general statement and therefore did not take a direct position on the security issue.

Updates

02/28/2023, 15:26

Updated OWASP Recommendation. LastPass’ response to this is mentioned in the body of the text. The importance of the hack for corporate clients is described.

