LastPass is at it again
LastPass, the cloud password manager, announced they were breached. Again.
LastPass, the password manager service, announced that they were breached again.
From The Verge's story:
If you have an account you use to store passwords and login information on LastPass, or you used to have one and hadn't deleted it before this fall, your password vault may be in hackers' hands. Still, the company claims you might be safe if you have a strong master password and its most recent default settings. However, if you have a weak master password or less security, the company says that "as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored."
LastPass has been terrible at security over the past few years! This is almost the worst thing that can happen to a password manager service. I'd be panicking if I were their CEO or CISO at the moment.
Breaches happen, but the way LastPass has handled this (and earlier breaches) is a case study in how not to handle breach disclosures. They had a breach in August 2022, and are now saying attackers used data from that breach to target an employee and attack again in November 2022, this time stealing encrypted password vaults!
Not only are the timing and manner of their disclosure horrible (at Christmas, when most IT departments and staff are on vacation), their recommendation is to change each and every password in your vault (and since the URLs in the vault are unencrypted, attackers have an easier time targeting specific high-reward website accounts).
And it doesn't end here. In theory a breach like this should not matter, because your vault is encrypted with a strong encryption algorithm that can't be brute-forced in a practical amount of time. That's what you'd expect. Sorry, not the case here! LastPass uses a custom implementation of PBKDF2 (the key-derivation function that turns your master password into the vault key) with 100,100 iterations (the more the better), but it still allows accounts with fewer iterations (pre-2018 accounts have 5,000 iterations, as reported by The Verge). So attackers have a good chance of breaking the crypto on many of the stolen vaults.
It's also worth noting that if you have an older account (prior to a newer default setting introduced after 2018), a weaker password-strengthening process may have been used to protect your master password. According to LastPass, it currently uses "a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function," but when a Verge staff member checked their older account using a link the company includes in its blog, it told them their account was set to 5,000 iterations.
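To make the iteration-count point concrete, here is an added example (not LastPass's code; it uses plain PBKDF2-HMAC-SHA256 from Python's hashlib, and the salt and sample master password are constructed). It derives a vault key at the two iteration counts quoted above, shows that a guess costs linearly more work at the higher count, and flags an account whose stored count is below the current default as one that should be re-keyed.

```python
import hashlib
import os
import time

# Iteration counts quoted in the post: the pre-2018 default and the current default.
LEGACY_ITERATIONS = 5_000
CURRENT_ITERATIONS = 100_100


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    Generic PBKDF2 as implemented by hashlib; LastPass's exact parameters and
    salt handling are not reproduced here (assumption for illustration).
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def relative_guess_cost(iterations: int, baseline: int = LEGACY_ITERATIONS) -> float:
    """How many times more work one password guess costs at `iterations` than at
    `baseline`. PBKDF2 cost is linear in the iteration count, so 100,100 vs 5,000
    means each guess against a legacy vault is roughly 20x cheaper for an attacker."""
    return iterations / baseline


def needs_rekey(stored_iterations: int, minimum: int = CURRENT_ITERATIONS) -> bool:
    """True when an account's stored iteration count is below the current default,
    i.e. the vault key was derived with a weaker stretching setting."""
    return stored_iterations < minimum


def seconds_per_derivation(iterations: int, rounds: int = 3) -> float:
    """Measure the wall-clock cost of one derivation on this machine (constructed
    sample password and random salt)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        derive_vault_key("correct horse battery staple", salt, iterations)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    for count in (LEGACY_ITERATIONS, CURRENT_ITERATIONS):
        print(f"{count:>7} iterations: {seconds_per_derivation(count):.4f} s per guess, "
              f"{relative_guess_cost(count):.1f}x legacy cost, needs re-key: {needs_rekey(count)}")
```

The timing printed by the script is for a single CPU core in Python; the ratio between the two rows, not the absolute number, is what matters.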
This is just great. LastPass users, time to change all your passwords and switch to 1Password or Bitwarden.
Security Wale is a blog about cloud, cybersecurity, and everything in between, written by Aditya Patel. This is a passion project, where Aditya shares his learnings, opinions and rants from over a decade of working in the IT industry in the United States. For a living, he currently protects cloudy things at Amazon/AWS. Earlier, Aditya did software security consulting, a master's in Information Security from Johns Hopkins, and computer science engineering. To support this effort, consider subscribing (it's free) and spreading the word.