Password manager LastPass is facing criticism over a recent data breach that exposed user information, including unencrypted website URLs.
LastPass, a subsidiary of GoTo (formerly LogMeIn), disclosed last month that a threat actor stole significant personal customer information, including names, telephone numbers, billing addresses and more.
The password manager published an update on Dec. 22 to its blog post disclosing August's security breach. On Aug. 25, LastPass CEO Karim Toubba wrote that an "unauthorized party" gained access to the LastPass development environment by compromising a developer account. As a result, "portions of source code and some proprietary LastPass technical information" were stolen.
A Sept. 15 update provided additional technical details, while a Nov. 30 update to the post referenced a recent "security incident" that was currently under investigation. At the time, Toubba said only that an unauthorized party had leveraged information obtained in the August 2022 breach to gain access to "certain elements of our customers' information." It was this incident that was detailed in the Dec. 22 blog post update.
According to the CEO, an unnamed threat actor used stolen source code and technical data from the August breach to target another employee and steal credentials and keys. These keys, which included dual storage container decryption keys and a cloud storage access key, were used to access and copy customer information from backup.
This customer data, Toubba wrote, included "company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service." The threat actor also obtained a backup of customer vault data that included encrypted website usernames and passwords as well as unencrypted data like website URLs.
Though password theft would generally be considered a worst-case scenario for a password manager, Toubba said it would take "millions of years" to crack a customer's LastPass master password -- which is necessary to crack the encrypted website logins.
"These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture," he wrote. "As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass."
Even still, the unencrypted data obtained from LastPass' business and personal use customers can be utilized in social engineering and phishing attacks, which Toubba acknowledged in the post.
"It is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information," He wrote. "Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password."
Despite LastPass' attempt to reassure users, some in the infosec industry publicly criticized the company's response as well as its security posture.
Asked whether the LastPass breach was a worst-case scenario for a password manager, 1Password CEO Jeff Shiner concurred.
"The challenge with taking a copy of the database means that [the threat actor has] that copy of that information offline," he said. "So not only can they attempt to brute force it at their own leisure, but unfortunately, things like changing the master password of the account -- while still obviously recommended -- is not going to have an impact on the threat actor's ability to decrypt their copy of the account."
Some infosec experts also questioned why LastPass chose to leave users' website URLs unencrypted. In a blog post earlier this month, Pieter Arntz, malware intelligence researcher at Malwarebytes, wrote that security researchers were concerned about the unencrypted URLs.
"It is indeed hard to understand why LastPass would not consider website URLs sensitive fields and it makes you wonder what the other unencrypted data is," Arntz wrote, adding that targeted phishing attacks could make LastPass users "juicy prey."
John Scott-Railton, a senior researcher with Citizen Lab at The University of Toronto, went a step further, noting that website URLs can sometimes contain user account tokens, API keys and credential data. "[The] latest LastPass breach may be worse than you think," he said on Twitter.
Customers have also vented their frustrations. Earlier this month, an anonymous LastPass customer based in Massachusetts filed a class action lawsuit against the company. The individual said they stored Bitcoin private keys in their LastPass account and claimed that a threat actor accessed the account and stole $53,000 in cryptocurrency around Thanksgiving.
Latest #LastPass breach may be worse than you think.— John Scott-Railton (@jsrailton) December 23, 2022
Attacker didn't just get encrypted passwords.
They got unencrypted URLs.
Think: URLs with account tokens, API keys & credentials, etc...
Competitors weigh in
Other identity and access management companies weighed in on the LastPass breach.
1Password published a blog post on Dec. 28 titled "Not in a million years: It can take far less to crack a LastPass password." The post argues that LastPass' "millions of years" argument is flawed because it "appears to rely on the assumption that the LastPass user's 12-character password was generated through a completely random process," but LastPass master passwords are generated by the users themselves.
"Passwords created by humans come nowhere near meeting that requirement," wrote post author and 1Password principal security architect Jeffrey Goldberg. "Humans just can't create high-entropy passwords. Seemingly clever schemes to create passwords with a mix of letters, numbers, and symbols do more harm than good."
Goldberg said password cracking systems are built to prioritize likely passwords first, and that ten billion guesses against a LastPass master password "would cost less than $100." LastPass is not the only password manager with a master password-focused system; many other password managers do as well.
Goldberg compared LastPass' master password system to 1Password's "Secret Key" system, which is a machine-generated 34-character key separated by dashes that works with the user's account password. Goldberg said that because the Secret Key is not guessable and is never passed to or through 1Password systems, 1Password customer data would be fully protected in the event of a breach.
Shiner said 1Password decided to publish the blog post in part to alleviate customer concerns.
"Breaches that hit close to home like this cause customers to have concerns with password managers in general or have questions about it," he said. "And we also get questions about how we're different from [competitors] and our security approach. We can say with confidence that if our data were breached that the data would remain secure. That's something that I think is important for us to reassure our customers on."
TechTarget Editorial asked LastPass about the post's assertions, but the company declined to comment.
JD Sherman, CEO of password management company Dashlane, told TechTarget Editorial his organization is confident about its security posture. However, he said they would try and learn from the breach as well as "battle test the precautions and security measures that we take."
Asked whether he was concerned about what the breach meant for the password management industry and consumer confidence, Sherman said he was initially concerned, but those worries have proven unfounded.
"The awareness around threats like this has gone up," he said. "And if you look at subscription growth and the number of inquiries we're getting from businesses, we've seen a really dramatic increase. Now some of that could just be shifting around in the normal buyer marketplace. But I think this, overall, is going to be a tailwind where people are [going to feel that they have] to start paying attention to this aspect of security, which has largely been ignored."
Shifting to passwordless tech?
It's unclear what effect the LastPass breach may have long-term on the password manager market. One piece of authentication technology that could help limit the damage of breaches like this is passwordless authentication, often seen in the form of FIDO-compliant physical security keys.
David Strauss, CTO of web hosting and content management company Pantheon, told TechTarget Editorial that he hopes passwords will one day be replaced by better alternatives.
"I'm hoping we eventually retire passwords in favor of superior methods like FIDO's Passkeys. Until then, the safest option is using a password manager that generates and syncs unique passwords for every website," he said.
Dashlane launched support for passkeys last year and announced Tuesday that it had appointed a new chief product officer, Donald Hasson, to lead the company's passwordless push. 1Password, meanwhile, announced in November it had acquired authentication technology company Passage to accelerate the former's push into passkey adoption.
LastPass last summer, similarly, launched the LastPass Authenticator, an option that allows users to gain one-tap access to their password vault after verifying each trusted device once with their master password. Biometric and passkey integration is planned for the future.
1Password's Shiner said that while it will take a long time, it is worth driving people and businesses toward passwordless authentication for both security and ease of use reasons.
"We are trying to drive people and businesses toward this passwordless path. And I think that while it's a multi-year path, it's something that over the long term can continue to help from both a security and convenience perspective -- which is ultimately what we're trying to accomplish."
"I think it's our job as password managers to help usher in this passwordless era," Sherman said.
Alexander Culafi is a writer, journalist and podcaster based in Boston.