LastPass hacked 🔐🎭
LastPass is an American password manager created in 2010. Today it is one of the most widely used password managers worldwide. It has recently been the victim of two major attacks in which sensitive data was at stake.
How does LastPass work? 🔒
The principle of LastPass is simple. It takes care of creating, storing and automatically entering passwords. Besides passwords, other information such as addresses and banking details can be saved. You don’t have to remember anything except your master password. The password manager is a kind of safe in which all the logins and passwords you have stored are kept, and the master password is what opens it: it is the only one you have to memorize. You also have the option of sharing your passwords with other LastPass users.
LastPass is available as a browser extension or a desktop application. On a first installation, LastPass naturally does not know your passwords yet, so you have to teach it. There are two ways to do this: enter them manually through the LastPass interface, or let LastPass save them automatically as you go, which is the recommended option and is enabled by default. Every time you enter a username and password on a website, LastPass prompts you to save them; the next time you visit the same site, it fills them in for you.
How is your information protected? 🗝️
In terms of security, the passwords in the safe are protected by strong security measures and protocols. LastPass uses:
- AES (Advanced Encryption Standard), a standard encryption algorithm,
- MFA (Multi-Factor Authentication). This is a security process used to confirm a user’s identity: the user has to authenticate in several different ways before verification succeeds.
Encryption is performed locally, that is, on your own machine. The encrypted data is then stored in the cloud.
It should be noted that LastPass has been the victim of two hacks: the first in August 2022 and the second in late November of the same year. Hackers were able to take possession of the passwords of several users. This raises questions about the robustness of the security measures and protocols used by LastPass.
What do we know about the attacks on LastPass? 🎭
Following these two attacks, an investigation was conducted to identify the security flaws that allowed the hackers to seize this wealth of data. The password manager shared the results of this investigation recently.
During the first attack, the hackers were able to access LastPass’ source code as well as several pieces of sensitive information from one of its employees’ computers.
In the second attack, the flaw was located on the computer of a DevOps engineer. This engineer was able to access a shared cloud storage environment from his personal computer. From there, the hackers were able to take possession of sensitive data held on Amazon Web Services (AWS) cloud servers: usernames, passwords, email addresses, etc.
After analysis, LastPass realized that the second attack was unfortunately made possible by the first: the data stolen in the first attack facilitated most of the second. So what was the vulnerability on the DevOps engineer’s personal computer that allowed the hackers to infiltrate the system?
Does Plex have something to do with it? 💻
As we will see, yes. Plex is a streaming platform offering movies, TV shows, sports and music, and it can be installed on a variety of devices.
The link between Plex and this attack is as follows: the employee had this application installed on his computer. After taking control of his computer, the hackers detected a vulnerability in the Plex code. Note that this platform was itself the victim of an attack last August, in which 15 million passwords were stolen.
The hackers installed keystroke loggers on the engineer’s machine, malicious software that records everything the user types. With them they were able to capture the credentials giving access to the shared Amazon cloud storage (AWS), and thus to the company’s safe. From there the game was all but won for them.
Several alerts from Amazon Web Services about suspicious or unauthorized actions were reported to the company. From that point on, LastPass was able to detect the attack and thwart it; otherwise, the hackers would have gone unnoticed.
The password manager claims to have made its system even more robust to avoid such incidents in the future.
While password managers are a convenient way to safeguard our passwords, these attacks are a reminder that they are not foolproof either.
Do you use a password manager? Do you think your passwords are safe? Tell us all about it in comments 😉