User:AmyMarchiando/draft

{{user sandbox}}

Security incidents

= 2015 security breach =

On Monday, June 15, 2015, LastPass posted a blog post indicating that the LastPass team had discovered and halted suspicious activity on their network the previous Friday. Their investigation revealed that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised; however, encrypted user vault data had not been affected. The company blog said, "We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."{{cite web |url=https://blog.lastpass.com/2015/06/lastpass-security-notice/ |title=LastPass Security Notice |last=Siegrist |first=Joe |date=10 July 2015 |website=blog.lastpass.com |publisher=LogMeIn}}{{cite web |url=https://arstechnica.com/security/2015/06/hack-of-cloud-based-lastpass-exposes-encrypted-master-passwords/ |title=Hack of cloud-based LastPass exposes hashed master passwords |last=Goodin |first=Dan |date=June 15, 2015 |website=Ars Technica |publisher=Condé Nast}}

= 2021 third-party trackers and security incident =

In 2021, it was discovered that the Android app contained third-party trackers.{{Cite web |last=Anderson |first=Tim |date=25 February 2021 |title=1Password has none, KeePass has none... So why are there seven embedded trackers in the LastPass Android app? |url=https://www.theregister.com/2021/02/25/lastpass_android_trackers_found/ |access-date=31 August 2023 |website=The Register |language=en}} Also, at the end of 2021, an article at the site BleepingComputer reported that LastPass users were warned that their master passwords were compromised.{{cite web |last1=Gatlan |first1=Sergiu |title=LastPass users warned their master passwords are compromised |url=https://www.bleepingcomputer.com/news/security/lastpass-users-warned-their-master-passwords-are-compromised/ |website=BleepingComputer |access-date=28 December 2021}} {{highlight| The discussion [https://en.wikipedia.org/wiki/Wikipedia:Reliable_sources/Noticeboard/Archive_4#The_Register here] suggests Wikipedia considers The Register to be generally not reliable. The second sentence cited to BleepingComputer is misleading. It makes it sound like LastPass users received real notifications from LastPass that their master passwords were actually compromised. What the article says is that hackers sent fake notifications to users inferring their password was compromised as part of a phishing strategy. I don't think this is very historically significant, as hackers are always doing this.}}

= 2022 customer data and partially-encrypted vault theft =

In August 2022, a hacker stole a copy of a customer database, and some copies of the customers' password vaults. The stolen information includes names, email addresses, billing addresses, partial credit cards and website URLs. Some of the data in the vaults was unencrypted, while other data was encrypted with users' master passwords.

The security of each user's encrypted data depends on the strength of the user's master password, whether that password had previously been leaked, and the number of PBKDF2 iterations used. Details of the number of iterations for each customer were stolen. Some customer vaults were more vulnerable to decryption than others. {{highlight|The cited source does say the encryption is derived from the user's master password, but the rest of this seems to be the author's own analysis cited to LastPass' website. This seems like UNDUE detail cited to a primary source as well.}}

LastPass revealed this through a series of blog posts and reports from August 25, 2022,{{cite web |last1=Toubba |first1=Karim |title=Notice of Recent Security Incident |url=https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/ |website=LastPass Blog |access-date=26 August 2022}} and by notifying customers. In November 2022, LastPass assured users that passwords stored with the service were still secure.{{Cite web |title=Lastpass says hackers accessed customer data in new breach |url=https://www.bleepingcomputer.com/news/security/lastpass-says-hackers-accessed-customer-data-in-new-breach/ |first=Sergiu |last=Gatlan |date=2022-11-30 |website=BleepingComputer |language=en-us}} LastPass offered more comprehensive advice to individual customers{{cite web |title=Security Bulletin: Recommended Actions for Free, Premium, and Families Customers - LastPass Support |url=https://support.lastpass.com/help/security-bulletin-recommended-actions-for-free-premium-and-families-customers |website=support.lastpass.com |access-date=2023-03-05 |language=en}} and business users{{cite web |title=Security Bulletin: Recommended Actions for LastPass Business Administrators - LastPass Support |url=https://support.lastpass.com/help/security-bulletin-recommended-actions-for-business-administrators |website=support.lastpass.com |access-date=2023-03-05 |language=en}} in March 2023. {{highlight|This is all true, but it's all cited to LastPass.com, making it UNDUE. Just saying LastPass blogged about the breach doesn't really seem historically significant.}}

The customer data included customers' names, billing addresses, phone numbers, email addresses, IP addresses and partial credit card numbers, and the number of rounds of encryption used, MFA seeds and device identifiers. The vault data included, for each breached user, unencrypted website URLs and site names, and encrypted usernames, passwords and form data for those sites. According to the reports, the stolen information did not include a plain text copy of the user's master password.

The threat actor first gained unauthorized access to portions of their development environment, source code, and technical information through a single compromised developer's laptop. LastPass responded by re-building their development environment and rotating certificates.{{cite web |last1=Toubba |first1=Karim |title=Security Incident Update and Recommended Actions |url=https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/ |website=The LastPass Blog |access-date=2023-03-05 |date=1 March 2023}} The actor, however, used the information to target and hack the computer of a senior DevOps engineer, and used a key logger to obtain that engineer's master password. The actor then gained access to an encrypted corporate vault, which was shared between just four engineers. That vault contained keys to S3 buckets of the backups to customer files.{{cite web |last1=Goodin |first1=Dan |title=LastPass says employee's home computer was hacked and corporate vault taken |url=https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/ |website=Ars Technica |access-date=2023-02-28 |language=en-us |date=28 February 2023}} The actor obtained the user database of August 14, 2022, and several password vault backups taken between August 20 and September 16, 2022.{{Cite web |title=What data was accessed? - LastPass Support |url=https://support.lastpass.com/help/what-data-was-accessed |access-date=2023-03-05 |website=support.lastpass.com |language=en}}

LastPass's December report suggested that, if customers had selected a strong master password and elected, under the account's advanced settings, to use many thousands of rounds of PBKDF2-HMAC-SHA-256 (OWASP recommended 600,000 iterations as of 2023),{{Cite web |title=Password Storage - OWASP Cheat Sheet Series |url=https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html |access-date=2023-02-03 |website=cheatsheetseries.owasp.org}} it would take millions of years to decrypt the passwords. Prior to June 2012, a single PBKDF2-HMAC-SHA-256 iteration was applied to the master password by default, and site usernames and passwords were encrypted with the weak AES-ECB cipher mode. The default iteration count for new customers was later raised to 500, then to 5,000. By February 2018 the defaults for new customers were 100,100 iterations, a minimum master password length of 12 characters, and the stronger AES-CBC cipher mode.{{cite web |last1=Toubba |first1=Karim |title=Notice of Recent Security Incident |url=https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/ |website=The LastPass Blog |access-date=2022-12-22 |date=22 December 2022}}{{Cite web |last=Palfy |first=Sandor |date=2018-07-09 |title=LastPass BugCrowd Update |url=https://blog.lastpass.com/2018/07/lastpass-bugcrowd-update/ |access-date=2023-02-03 |website=The LastPass Blog |language=en-US}}{{Cite web |title=Increase your Lastpass Password Iterations {{!}} Dominion Digital Services |url=https://domdigital.com.au/increase-your-lastpass-password-iterations |access-date=2023-02-03 |language=en-AU}} Existing customers on the old defaults may not have had their iteration count increased, nor been required to use a longer password. {{highlight|This is a lot of detailed technical information cited almost exclusively to LastPass.com. 
The only other citation is to [https://domdigital.com.au/increase-your-lastpass-password-iterations a vendor website]. Also, a lot of this content (and tone) isn't in the cited sources. For example, none of the sources call the AES encryption standard weak or say the option for higher encryption standards is buried in the advanced settings. This is the author of this paragraph adding their own analysis.}}
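The two-layer PBKDF2 scheme quoted in the 2015 notice above (client-side iterations, then 100,000 server-side rounds with a random per-user salt) and the iteration-count history in this section can be made concrete with the following added example. It is illustrative code written for this draft, not LastPass's implementation: the use of the lowercased account e-mail as the client salt, the single extra PBKDF2 round that turns the vault key into a login hash, and the attacker hash rate fed into the cost estimate are all assumptions, not facts from the cited sources.

```python
import hashlib
import hmac
import os

# Constructed illustration of layered PBKDF2-HMAC-SHA256 strengthening.
# Not LastPass's code: salt choices, the one-round auth-hash step and
# the attacker hash rate below are assumptions for the example.

DKLEN = 32                      # 256-bit outputs throughout
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Client-side PBKDF2 over the master password (assumed salt: lowercased e-mail).

    This key encrypts the vault and is never sent to the server, so the
    server-side rounds added later cannot protect a stolen vault."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"),
        email.lower().encode("utf-8"), iterations, dklen=DKLEN,
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra PBKDF2 round (assumption) turns the key into a login credential,
    so the server, or whoever steals its database, never sees the vault key."""
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode("utf-8"), 1, dklen=DKLEN
    )


def server_strengthen(auth_hash: bytes, server_salt: bytes,
                      server_iterations: int = 100_000) -> bytes:
    """Server-side strengthening: 100,000 more rounds with a per-user random salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", auth_hash, server_salt, server_iterations, dklen=DKLEN
    )


def enroll(master_password: str, email: str, client_iterations: int,
           server_iterations: int = 100_000) -> tuple:
    """Returns the record a server would store: (per-user salt, strengthened hash)."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, email, client_iterations)
    stored = server_strengthen(derive_auth_hash(key, master_password), salt, server_iterations)
    return salt, stored


def verify_login(master_password: str, email: str, client_iterations: int,
                 record: tuple, server_iterations: int = 100_000) -> bool:
    """Recomputes the whole chain for a login attempt; constant-time comparison."""
    salt, stored = record
    key = derive_vault_key(master_password, email, client_iterations)
    candidate = server_strengthen(derive_auth_hash(key, master_password), salt, server_iterations)
    return hmac.compare_digest(candidate, stored)


def guesses_per_second(client_iterations: int, hmac_per_second: float) -> float:
    """Offline throughput against a stolen vault: each guess costs about
    client_iterations HMAC-SHA256 evaluations.  hmac_per_second is the
    attacker's assumed hardware rate, not a measured figure."""
    return hmac_per_second / client_iterations


def years_to_exhaust(keyspace: int, client_iterations: int, hmac_per_second: float) -> float:
    """Years to try every password in a keyspace at the given client iteration count."""
    return keyspace * client_iterations / hmac_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed demo: the historical defaults from the text, with a 12-character
    # alphanumeric keyspace and an assumed 1e10 HMAC-SHA256/s attacker.
    record = enroll("correct horse battery staple", "User@Example.com", 100_100)
    print("login ok:", verify_login("correct horse battery staple", "user@example.com", 100_100, record))
    for rounds in (1, 500, 5_000, 100_100, 600_000):
        print(f"{rounds:>7} iterations: {guesses_per_second(rounds, 1e10):.3e} guesses/s,"
              f" {years_to_exhaust(62 ** 12, rounds, 1e10):.2e} years for 62^12")
```

The server-side rounds protect the authentication hashes stolen in 2015, but they do nothing for a vault copied in 2022: the vault key is fixed once the client-side derivation finishes, which is why the commentary in this section turns on the client iteration count and on master-password strength.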

Commentators expressed concerns that if a user's master password was weak or leaked,{{cite web |last1=Goodin |first1=Dan |title=LastPass users: Your info and vault data is now in hackers' hands |url=https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/ |website=Ars Technica |access-date=2022-12-22 |language=en-us |date=22 December 2022}} the encrypted parts of the customer's data could be decrypted.{{cite web |last1=Sharwood |first1=Simon |title=LastPass admits attackers copied password vaults |url=https://www.theregister.com/2022/12/23/lastpass_attack_update/ |website=www.theregister.com |access-date=2022-12-27 |language=en}} Initially, LastPass stated no action was necessary for the majority of its customers, but other sources recommended changing all passwords and vigilance against possible phishing attacks.{{cite web |last1=Goodin |first1=Dan |title=LastPass users: Your info and password vault data are now in hackers' hands |url=https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/ |website=Ars Technica |access-date=2022-12-27 |language=en-us |date=22 December 2022}}{{cite web |title=LastPass finally admits: Those crooks who got in? They did steal your password vaults, after all… |url=https://nakedsecurity.sophos.com/2022/12/23/lastpass-finally-admits-they-did-steal-your-password-vaults-after-all/ |website=Naked Security |access-date=2022-12-28 |date=23 December 2022}} Some sources criticized LastPass's response,{{Cite web |last=Palant |first=Wladimir |date=2022-12-26 |title=What's in a PR statement: LastPass breach explained |url=https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/ |access-date=2022-12-28 |website=Almost Secure |language=en-us}} and raised additional concerns over the number of rounds of encryption that were required. 
{{highlight|This sentence is uncited and appears to be the same as the prior paragraph in terms of someone adding their own analysis.}}

A class-action lawsuit was initiated in early 2023, with the anonymous plaintiff stating that LastPass failed to keep users' information safe.{{cite web |last1=Kan |first1=Michael |title=LastPass Faces Class-Action Lawsuit Over Password Vault Breach |url=https://www.pcmag.com/news/lastpass-faces-class-action-lawsuit-over-password-vault-breach |website=PCMAG |access-date=2023-01-06 |language=en}} Of particular concern in the lawsuit was the increased risk of the details being used in phishing attacks.

In September 2023, a potential link was made between the 2022 data theft and a total of more than $35 million in cryptocurrency that had been stolen from over 150 victims since December 2022. The link was made due to the fact that almost all victims were LastPass users.{{Cite web |last=Weatherbed |first=Jess |date=2023-09-07 |title=LastPass security breach linked to $35 million stolen in crypto heists |url=https://www.theverge.com/2023/9/7/23862658/lastpass-security-breach-crypto-heists-hackers |access-date=2023-09-08 |website=The Verge |language=en-US}}

References

{{reflist}}