LastPass Time Bomb Breach: they definitely win the Grinch that stole Christmas in 2022. December 22nd LastPass finally admitted the full extent of their security breaches that started in August. This hackjob will affect a lot of businesses and consumers. LastPass deliberately announced this just before Christmas to minimize media coverage and access to lawyers.
If you have a LastPass account there are steps you need to take.
LastPass Time Bomb Breach
LastPass (started in 2008) is a popular cloud-based password manager for consumers, businesses and enterprises. In August they cryptically announced that their development environment was hacked but no client data was exposed. In November LastPass changed their story slightly, admitting that customer account information might have been accessed. On December 22nd LastPass admitted that not only all their customer account information but also whole customer password vaults had been accessed. LastPass also admitted they hadn’t encrypted everything in the customer vaults. And LastPass won’t tell you if your vault was stolen.
LastPass’s really slimy blog about the breach crowed about what they had encrypted, left out some very important details and downplayed a lot of security concerns.
First, LastPass claimed that as long as your master password is 12 characters or longer you don’t need to do anything. However, they don’t enforce a 12-character minimum on users.
Second, they claim they utilize “a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password”. Lots of holes in that statement. First, 100,100 iterations of PBKDF2 is not a stronger-than-typical implementation; 300,100 is standard. Further, most older LastPass accounts don’t have even 100,100 iterations. 5,000 is common and even lower counts have been reported. This setting is buried deep in the advanced settings. Their own Account Security Centre, which is supposed to warn you about problems, does not check the iteration level on the account. The average person simply does not know about these things. This is something LastPass should have enforced on every account, and at a higher level.
Why does the iteration count matter? The more iterations, the harder and longer it will be for the hackers to crack your master password and open your vault.
Changing your LastPass master password now will make no difference. Changing the iterations now will make no difference. Hackers can decrypt your vault on the settings it had when it was stolen. Adding MFA to LastPass now will keep the hackers from logging in as you to see if you have made changes.
Ticking Time Bomb
It’s a time bomb. The fewer iterations you have on your account, the faster hackers can crack your vault from the date it was stolen.
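To make the iteration arithmetic concrete, here is an added Python example (not LastPass code, and not from the original post) that derives a PBKDF2 key at the three iteration counts the post mentions, times one guess at each, and performs the minimum-iteration check the post says the Account Security Centre never does. The HMAC-SHA256 hash, 32-byte key length, password and salt are assumptions; the page does not state LastPass’s exact parameters.

```python
import hashlib
import time

# Iteration counts from the post: the legacy value seen on old accounts, the
# value LastPass advertised, and the figure the post calls standard.
LEGACY_ITERATIONS = 5_000
LASTPASS_ITERATIONS = 100_100
STANDARD_ITERATIONS = 300_100


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2 as the post describes it. Assumption: HMAC-SHA256 and a 32-byte
    output; the page does not state LastPass's hash or key length."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def relative_cost(iterations: int, baseline: int = LEGACY_ITERATIONS) -> float:
    """PBKDF2 work is linear in the iteration count, so this ratio is how many
    times more expensive every master-password guess is than at the baseline."""
    return iterations / baseline


def iteration_check(iterations: int, minimum: int = STANDARD_ITERATIONS) -> dict:
    """The check the post says the Account Security Centre never performed:
    flag an account whose stored iteration count is below the policy minimum."""
    return {
        "iterations": iterations,
        "minimum": minimum,
        "compliant": iterations >= minimum,
        # How many times cheaper a guess is against this account than policy allows.
        "shortfall_factor": max(1.0, minimum / iterations),
    }


def seconds_per_guess(iterations: int) -> float:
    """Time one derivation on this machine with a constructed password and salt."""
    start = time.perf_counter()
    derive_vault_key("constructed-example-password", b"constructed-salt", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for n in (LEGACY_ITERATIONS, LASTPASS_ITERATIONS, STANDARD_ITERATIONS):
        report = iteration_check(n)
        print(f"{n:>7} iterations: {seconds_per_guess(n):.4f}s per guess, "
              f"{relative_cost(n):.0f}x the 5,000-iteration cost, "
              f"{'OK' if report['compliant'] else 'BELOW MINIMUM'}")
```

Because the cost is linear, a vault stolen at 5,000 iterations is about 60 times cheaper to attack than one at 300,100; raising the setting after the theft does nothing for the copy already taken.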
Further, the hackers have all your customer account details, including your email address, postal address and billing information, plus all the website URLs in your account and the user name attached to each. Unbelievably, LastPass did not encrypt that information. See sample below.
Why does that matter? Now hackers have two very useful bits of information: where you have an account (Amazon, for example) plus your user name. They can start trying to brute-force that account, but they can also spoof the account to get your login information. Example: send an email that looks like it came from Amazon to make you enter your account details.
I will get back to the LastPass December blog, but first some steps to defuse the bomb.
First Steps To Defuse
Some steps you should take now:
- Change your passwords without using LastPass. I’m loath to recommend anything right now, but 1Password is the most average-person-friendly cloud-based password manager. The best ones are too technical for 99% of the population and too cumbersome, particularly if you’re running a business on top of all your personal accounts. Be careful when searching for alternatives, as there is a lot of misinformation about password managers and bad actors (like LastPass).
- Enable Multi-Factor Authentication on key business accounts like email, banking, website access and social media accounts.
- Watch for updates on this story. I will be updating this story next month with more information.
The LastPass Announcement
Several things really frosted me reading that blog from LastPass. LastPass attempted to blame the customers if they didn’t use a really long password or didn’t have the iterations set high enough. LastPass should have enforced those on the accounts. Their blog was full of omissions and half-truths, as brilliantly skewered by Vladimir Palant’s What’s In A PR Statement. I really expected the LastPass CEO to end with the words “and may the odds be ever in your favor”.
LastPass says that only 3% of business accounts had low iterations or a short master password and that they’ve contacted them about next steps. I know of business accounts with low iterations that have not been contacted. And what about all the consumer accounts? I can foresee a flood of social media account hacks because of this.
Definitely there will be more information in January. Tick, tick, tick.