LastPass learned lessons from two 2022 hacks


At the end of 2022, LastPass was hit by two cyberattacks. The investigation showed that the two intrusions were linked. Through this combination of attacks, the criminals stole a wealth of data on LastPass users. Above all, they made off with backups of users' encrypted password vaults.

Criticized for its negligence, LastPass has taken steps to improve the security of its password manager. It now requires users to set a master password of at least twelve characters. LastPass also wanted to ensure that two-factor authentication was properly configured for all its customers.


URLs finally encrypted

Most recently, the password manager announced that it is encrypting all URLs stored in its customers' vaults. In a press release published on May 22, 2024, LastPass explains that it can now “securely encrypt all URL-related fields in your vault without any adverse user experience.” When a user visits a website, LastPass compares that site's URL with the URLs stored in the user's vault. If it finds a match, it offers to fill in the matching credentials (username and password) automatically.

Since its launch in 2008, LastPass had not encrypted stored URLs. The company blames the technological limits of the time: sixteen years ago, it says, encrypting every address would have degraded the service's performance, because the process demanded too much computing power and memory. Faced with these “IT constraints”, LastPass dropped the idea of encrypting URLs. As those constraints eased over time, the publisher was able to add the encryption.

Potentially sensitive information

The publisher also says it has “invested a lot of time and effort to strengthen our security” over the “last 18 months”. URL encryption is therefore another response to the cyberattacks of late 2022. During those intrusions, the attackers stole the unencrypted URLs stored in customers' vaults, and that list of addresses is valuable to anyone wanting to use the stolen data to mount further attacks.

As LastPass notes, URLs “contain details about the nature of the accounts associated with your stored credentials (e.g. banking, email, social media)”. In other words, the attackers could see directly which services to target, and which vaults were worth the effort, if they managed to decrypt the passwords. The LastPass breach was indeed followed by the compromise of several cryptocurrency wallets: according to security journalist Brian Krebs, some $35 million in cryptocurrency was stolen using data taken from LastPass.

That is why the publisher has now added URL encryption, a measure the press release says should “improve confidentiality” for LastPass customers. The rollout will happen in stages. First, around July 2024, LastPass will automatically encrypt “the primary URL fields for existing accounts stored in their vaults, as well as any new accounts.” The remaining URL fields will be encrypted in the second half of the year. LastPass specifies that users do not need to do anything to benefit from the change.
