🚨 LastPass is at it again
LastPass, the cloud password manager, announced they were breached. Again.
From The Verge's story:
If you have an account you use to store passwords and login information on LastPass, or you used to have one and hadn’t deleted it before this fall, your password vault may be in hackers’ hands. Still, the company claims you might be safe if you have a strong master password and its most recent default settings. However, if you have a weak master password or less security, the company says that “as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.”
LastPass has been terrible at security over the past few years! This is almost the worst that can happen to a password manager service, I’d be panicking if I were their CEO or CISO at the moment.
Breaches happen, but the way LastPass has handled this one (and earlier ones) is a case study in how not to handle breach disclosure. They had a breach in August 2022, and now say the attackers used data taken in that breach to target an employee and break in again in November 2022, this time stealing customers' encrypted password vaults.
Not only are the timing and manner of the disclosure terrible (at Christmas, when most IT departments and security folks are on vacation), their recommendation amounts to changing every single password in your vault. And since the site URLs in the vault are stored unencrypted, attackers can read which high-value accounts each vault holds and go after those first.
And it doesn't end here. In theory a breach like this should not matter: the vault is encrypted with AES-256, which cannot be brute-forced in any practical amount of time. The weak link is not the cipher but the key, which is derived from your master password with PBKDF2. LastPass's current default is 100,100 iterations (more is better, because every iteration is work the attacker has to repeat for each password guess), but older accounts were never migrated and are still on the pre-2018 default of 5,000 iterations. An attacker holding a stolen vault simply guesses master passwords offline, and at 5,000 iterations each guess costs about a twentieth of what it does at 100,100. Vaults protected by weak or reused master passwords will fall that way, as The Verge found when it checked an older account:
It’s also worth noting that if you have an older account (prior to a newer default setting introduced after 2018), a weaker password-strengthening process may have been used to protect your master password. According to LastPass, it currently uses “a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function,” but when a Verge staff member checked their older account using a link the company includes in its blog, it told them their account was set to 5,000 iterations.
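To make the iteration-count point concrete, here is a worked example of the offline guessing attack the two paragraphs above describe. It is added for this post and is not LastPass's code or vault format: it assumes PBKDF2-HMAC-SHA256 salted with the account email, and it replaces "decrypt an AES item and check it parses" with an HMAC tag under the derived key, which gives the attacker the same yes/no answer without a cipher library. The wordlist, email and master password are constructed.

```python
"""Offline master-password guessing against a PBKDF2-protected vault.

Constructed example for this post, not LastPass code. It isolates the one
thing the iteration count controls: how much work the attacker must repeat
for every master-password guess once the encrypted vault is in their hands.
"""
from __future__ import annotations

import hashlib
import hmac
import time
from typing import Optional, Tuple

# Iteration counts from the post: LastPass's current default, and the
# value an older (pre-2018) account was found to still be using.
NEW_DEFAULT_ITERATIONS = 100_100
LEGACY_ITERATIONS = 5_000

KEY_CHECK_LABEL = b"vault-key-check-v1"  # hypothetical label used only by this example


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    Assumption for this example: the salt is the account email, so it is
    known to anyone holding the stolen vault; only the password is secret.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt.encode(), iterations, dklen=32
    )


def key_check(key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt the vault?'.

    A real attacker decrypts an AES-encrypted vault item and checks for valid
    padding/structure. An HMAC tag over a fixed label under the derived key
    yields the same yes/no answer without needing a cipher library.
    """
    return hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()


def make_stolen_vault(master_password: str, email: str, iterations: int) -> dict:
    """Constructed stand-in for a stolen vault: what the attacker gets to see.

    The iteration count and salt are stored in the clear (the legitimate
    client needs them too); the tag is what guesses get tested against.
    """
    key = derive_vault_key(master_password, email, iterations)
    return {"email": email, "iterations": iterations, "key_check": key_check(key)}


def guess_is_correct(vault: dict, candidate: str) -> bool:
    """Derive the key for one candidate password and test it against the vault."""
    key = derive_vault_key(candidate, vault["email"], vault["iterations"])
    return hmac.compare_digest(key_check(key), vault["key_check"])


def crack(vault: dict, wordlist: list) -> Tuple[Optional[str], int, float]:
    """Try each candidate in order; return (password or None, guesses, seconds)."""
    start = time.perf_counter()
    for n, candidate in enumerate(wordlist, 1):
        if guess_is_correct(vault, candidate):
            return candidate, n, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def cost_ratio(legacy_iterations: int, current_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so this is the factor by
    which a legacy vault is cheaper to attack per guess."""
    return current_iterations / legacy_iterations


# Constructed wordlist: the short, themed list a targeted attacker tries first.
# The weak master password sits near the end so the timing is visible.
WORDLIST = [
    "password", "123456", "letmein", "qwerty", "lastpass",
    "Winter2022", "Spring2022!", "Summer2022!", "Autumn2022", "Welcome1",
]

if __name__ == "__main__":
    email = "alice@example.com"   # constructed
    weak_master = "Summer2022!"   # constructed weak master password
    for label, iters in (("legacy", LEGACY_ITERATIONS), ("current", NEW_DEFAULT_ITERATIONS)):
        vault = make_stolen_vault(weak_master, email, iters)
        found, guesses, secs = crack(vault, WORDLIST)
        print(f"{label:7} {iters:>7} iters: {found!r} after {guesses} guesses, "
              f"{secs:.2f}s total, {secs / guesses * 1000:.1f} ms/guess")
    print(f"per-guess cost ratio: {cost_ratio(LEGACY_ITERATIONS, NEW_DEFAULT_ITERATIONS):.2f}x")
```

Both vaults fall to the same eight guesses; the only difference is that the 5,000-iteration vault gives up the password roughly twenty times faster per guess. The per-guess millisecond figures printed here are single-threaded CPU numbers; a real attacker runs this on GPUs with a tool like hashcat, so the iteration count, not the cipher, decides how much master-password entropy you actually needed.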
This is just great. LastPass users, time to change all your passwords and switch to 1Password or Bitwarden.
📕 Security Wale is a blog about cloud, cybersecurity, and in between - written by Aditya Patel. This is a passion project, where Aditya shares his learnings, opinions and rants from over a decade of working in the IT industry in United States. For a living, currently, he protects ☁️ cloudy things at Amazon/AWS. Earlier, Aditya has done software security consulting, masters in Information Security from Johns Hopkins, and computer science engineering. To support this effort, consider subscribing (it’s free) and spreading the word.