Crime | Tags: LastPass, password manager, hack, Follow the Money
Friday, 10 February 2023 - 20:05

Millions of passwords stolen from LastPass earlier than company disclosed: Report

A hacker stole a file from password manager LastPass that contained the passwords of 30 million users and 85,000 companies. LastPass reported on December 22 that the hacker gained access to sensitive information, but the theft happened months earlier, Follow the Money (FTM) reported.

The hacker copied a database from LastPass. “This is potentially one of the most valuable stolen databases of all time: users - and there are millions of them - have often stored dozens of passwords,” FTM said.

The password manager hasn’t been very forthcoming with information about the hack, despite reporting on it four times. In August, CEO Karim Toubba said a hacker had gained access to the company’s development environment through an employee’s account. According to Toubba, the hacker’s activities were “limited,” and LastPass customers didn’t have to worry or take any action.

In mid-September, LastPass said that an internal investigation had revealed the hacker had access to its systems for four days but didn’t do anything serious. At the end of November, the company reported that the cyberattack was somewhat serious after all: the hacker had accessed “certain elements of client information.” But LastPass insisted that there was no reason to worry.

And then, on December 22, three days before Christmas, LastPass announced that the hacker stole password vaults and copied company names, usernames, billing addresses, email addresses, phone numbers, and IP addresses.

Still, LastPass insisted that there was no major cause for concern. As long as customers had a good master password, their passwords were safe, the company said. Cracking a 12-character password would take millions of years using “generally available technology,” LastPass said.

Ethical hacker Ricky Gevers was flabbergasted by the LastPass communications about this hack. “It seems to say: everything is safe, don’t worry,” Gevers told FTM. “That’s what I believed, as did many other people. But if you look closer, it says something else.” If the hacker cracked your master password, they had access to all the passwords you saved with the password manager.

The hacker didn’t need a private key, which customers are supposed to keep on their own devices. And contrary to what many users assumed, their personal password vault was not a fully encrypted folder but a text document with a few encrypted fields, according to FTM.
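To put the “good master password” claim into numbers, the following is an added Python example, not code from the article, from FTM or from LastPass. It estimates how long exhaustive offline guessing of a master password would take when the attacker already holds a copy of the stolen vault, so that online rate limits no longer apply. The guess rates, the verdict thresholds and the small breached-password list are constructed assumptions; the real rate depends on the attacker’s hardware and on the key-derivation settings of the vault, which the article does not give.

```python
import math

# Constructed guess rates (guesses per second) for an attacker who holds a
# copy of the stolen vault and can guess offline. These are assumptions for
# this example, not figures from the article or from LastPass.
GUESS_RATES = {
    "single_gpu": 1e5,
    "gpu_cluster": 1e8,
}

# Tiny constructed stand-in for a breached-password list. A real check would
# use a full list; length alone does not save a password that appears on one.
COMMON_PASSWORDS = {"password1234", "correcthorse", "letmein12345"}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest standard character set containing the password.

    Symbols are approximated as the 33 printable ASCII non-alphanumerics.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on search-space entropy: length * log2(charset size)."""
    size = charset_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)


def years_to_exhaust(bits: float, rate: float) -> float:
    """Years needed to try the whole space at `rate` guesses per second."""
    return (2.0 ** bits) / rate / SECONDS_PER_YEAR


def assess_master_password(password: str,
                           rate: float = GUESS_RATES["gpu_cluster"]) -> dict:
    """Classify a candidate master password for offline guessing resistance.

    Thresholds (12 characters, 50 and 75 bits) are assumptions chosen for
    this example, not a published standard.
    """
    if password.lower() in COMMON_PASSWORDS:
        return {"bits": 0.0, "years": 0.0, "verdict": "weak",
                "reason": "on breached-password list"}
    bits = entropy_bits(password)
    years = years_to_exhaust(bits, rate)
    if len(password) < 12 or bits < 50:
        verdict, reason = "weak", "too short or too small a character set"
    elif bits < 75:
        verdict, reason = "moderate", "add length or character classes"
    else:
        verdict, reason = "strong", "exhaustive search is impractical at this rate"
    return {"bits": round(bits, 1), "years": years,
            "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    # Constructed sample candidates: one on the denylist, one long but
    # lowercase-only, one twelve-character mixed-class password.
    for candidate in ("Password1234", "abcdefghijkl", "Tr0ub4dor&3x"):
        print(candidate, assess_master_password(candidate))
```

The lowercase-only twelve-character password falls to a few decades at the assumed cluster rate, while the mixed-class one of the same length reaches the “millions of years” order of magnitude LastPass cited, which is why the character set matters as much as the length. The denylist check comes first on purpose: an attacker with a stolen vault tries known passwords before any brute force, so a twelve-character password that appears in a breach list offers no protection at all.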

FTM also pointed out that by still claiming that the passwords are safe if people used a good master password, LastPass is shifting the responsibility to its users. All is well as long as YOU made sure your master password was secure. If the hacker got hold of your passwords, you should have had a better master password, is the message.

According to the investigative journalists at FTM, services designed to make devices safer are remarkably often unsafe themselves, usually because they prioritize convenience over security. Consumers forget that their data is extremely valuable. There’s a reason that “if it’s free, you are the product” has become a cliché.

And password managers are wonderful tools for profiling users, Bart Jacobs, professor of privacy and identity at Radboud University, said to FTM. “The information about who logs in to which website and when is worth money,” Jacobs said. And that is precisely the information that is unencrypted in the LastPass vault.

LastPass now seems willing to provide further information about the hack to users, but only in a physical meeting, and if the invitees sign a nondisclosure agreement beforehand, FTM reports based on an email sent to a Dutch IT manager.

© 2012-2026, NL Times, All rights reserved.

Footer menu

  • Change Privacy Settings
  • Privacy Policy
  • Contact
  • Partner Content