Friday, December 23, 2022

LastPass Breach

Dan Goodin:

LastPass, one of the leading password managers, said that hackers obtained a wealth of personal information belonging to its customers as well as encrypted and cryptographically hashed passwords and other data stored in customer vaults.

The revelation, posted on Thursday, represents a dramatic update to a breach LastPass disclosed in August. At the time, the company said that a threat actor gained unauthorized access through a single compromised developer account to portions of the password manager’s development environment and “took portions of source code and some proprietary LastPass technical information.” The company said at the time that customers’ master passwords, encrypted passwords, personal information, and other data stored in customer accounts weren’t affected.

[…]

The hackers also copied a backup of customer vault data that included unencrypted data such as website URLs and encrypted data fields such as website usernames and passwords, secure notes, and form-filled data.

Update (2022-12-26): evan j:

I worked at LastPass as an engineer a long time ago. 7+ years ago. My 2 cents on the situation.

This is the worst breach LastPass has had. By a lot.

The key difference is that customer vaults were accessed this time, which are kept in a completely separate database.

[…]

URLs aren’t encrypted. This has been a well reported criticism of the product.

But it allows an attacker to see what vault entries are associated with which sites.

Overall. I think OG users of LP are at greater risk for targeted attacks than newer. I don’t think we’ll see widespread vaults being cracked, but targeted attacks are very possible with a user’s entire vault.

Cryptopathic (via Hacker News):

I think the situation at @LastPass may be worse than they are letting on.

On Sunday the 18th, four of my wallets were compromised. The losses are not significant.

Their seeds were kept, encrypted, in my lastpass vault, behind a 16 character password using all character types.

Naz Markuta (via Hacker News):

The recent (2022) compromise of Lastpass included email addresses, home addresses, names, and encrypted customer vaults. In this post I will demonstrate how attackers may leverage tools like Hashcat to crack an encrypted vault with a weak password.

Tavis Ormandy (via Dare Obasanjo):

Things start to go wrong when you want integration with other applications, or when you want data synchronized by an untrusted intermediary. There are safe ways to achieve this, but the allure of recurring subscription fees has attracted businesses to this space with varying degrees of competence. I’m generally skeptical of these online subscription password managers, and that’s going to be the focus of the rest of this article.

[…]

I often say that “use a password manager” is bad advice. That’s because it’s difficult to tell the difference between a competent implementation and a naive one. The tech press can review usability and onboarding experience, but can’t realistically evaluate any security claims, so how do you propose users tell the difference? For that reason, I think “use a password manager” is so vague that it’s dangerous.

[…]

My primary area of interest is how remote attackers can interact with your password manager.

[…]

An attacker (or malicious insider) in control of the vendor’s network can change the code that is served to your browser, and that code can obviously access your passwords. This isn’t farfetched, altering the content of websites (i.e. defacement) is so common that it’s practically a sport.

Bruce Schneier:

But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for “someone else’s computer,” and you need to understand how much or how little you trust that computer.

Update (2022-12-29): Jeremi M Gosney:

But things change, and in recent years I found myself unable to defend LastPass. I can’t recall if there was a particular straw that broke the camel’s back, but I do know that I stopped recommending it in 2017 and fully migrated away from it in 2019. Below is an unordered list of the reasons why I lost all faith in LastPass[…]

[…]

So, why do I recommend Bitwarden and 1Password? It’s quite simple[…]?

Jeffrey Goldberg:

LastPass, a competitor, recently announced that password hashes were included in an August 2022 breach of their cloud storage. Their notice claimed that if users had followed default settings, “it would take millions of years to guess your master password using generally-available password-cracking technology.” That claim is highly misleading. In this article, I’ll explore the LastPass claim and unique 1Password features that protect you — now and in the event of a similar breach.

[…]

One of the things that sets 1Password apart is the Secret Key. A year ago I explained how your Secret Key protects you in the event the data we hold is captured by an attacker.
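Markuta’s Hashcat post and Goldberg’s discussion of the “millions of years” claim both turn on the same two numbers: how many candidate master passwords an attacker has to try, and how much key-derivation work each try costs. The following Python is an added example, not code from any of the quoted authors or from LastPass or 1Password. It uses the generic salted, iterated PBKDF2-HMAC-SHA256 construction from the standard library (not either vendor’s exact scheme), and the iteration counts, character-set sizes and the assumed attacker throughput of 10⁹ iterations per second are illustrative assumptions, not figures taken from the page.

```python
"""Estimate the brute-force cost of a vault master password as a function
of its character space and the KDF iteration count (added example)."""
import hashlib
import math
import time

# Illustrative assumption, not a figure from the quoted posts: aggregate
# attacker throughput in PBKDF2-HMAC-SHA256 iterations per second.
ASSUMED_ITERATIONS_PER_SECOND = 1.0e9

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Salted, iterated derivation of a 256-bit vault key with PBKDF2-HMAC-SHA256.
    Every guess against a stolen vault has to repeat this work, so the
    iteration count is a direct multiplier on cracking cost."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        salt.encode("utf-8"),
        iterations,
        dklen=32,
    )


def password_space(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of a given length over an alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Strength of a uniformly chosen password from `space` candidates, in bits."""
    return math.log2(space)


def expected_crack_seconds(space: int, iterations: int,
                           iterations_per_second: float) -> float:
    """Expected time to find the password: on average half the space is
    searched, and each candidate costs `iterations` PBKDF2 rounds."""
    return (space / 2) * iterations / iterations_per_second


def crack_time_years(length: int, alphabet_size: int, iterations: int,
                     iterations_per_second: float = ASSUMED_ITERATIONS_PER_SECOND) -> float:
    """Expected cracking time in years for a given password shape and KDF setting."""
    seconds = expected_crack_seconds(password_space(length, alphabet_size),
                                     iterations, iterations_per_second)
    return seconds / SECONDS_PER_YEAR


def measure_local_iterations_per_second(iterations: int = 20_000) -> float:
    """Measure single-core PBKDF2 throughput on this machine. Dedicated
    cracking hardware is orders of magnitude faster, so this is a lower bound."""
    start = time.perf_counter()
    derive_vault_key("timing-probe", "probe@example.invalid", iterations)
    return iterations / (time.perf_counter() - start)


# Constructed scenarios: (label, length, alphabet size, KDF iterations).
# Iteration counts are illustrative settings, not values from the page.
SCENARIOS = [
    ("8 lowercase letters, 5,000 iterations",     8, 26, 5_000),
    ("8 lowercase letters, 100,000 iterations",   8, 26, 100_000),
    ("12 mixed characters, 100,000 iterations",  12, 95, 100_000),
    ("16 mixed characters, 100,000 iterations",  16, 95, 100_000),
]


def scenario_table(iterations_per_second: float = ASSUMED_ITERATIONS_PER_SECOND):
    """Return (label, entropy bits, expected years) for each constructed scenario."""
    return [
        (label, entropy_bits(password_space(n, a)),
         crack_time_years(n, a, it, iterations_per_second))
        for label, n, a, it in SCENARIOS
    ]


if __name__ == "__main__":
    # Constructed credentials: the same password under two iteration settings
    # yields unrelated keys, so work done against one setting is not reusable.
    key_low = derive_vault_key("correct horse", "user@example.invalid", 5_000)
    key_high = derive_vault_key("correct horse", "user@example.invalid", 100_000)
    print("different iteration counts give different keys:", key_low != key_high)
    print(f"local single-core rate: {measure_local_iterations_per_second():,.0f} iter/s")
    for label, bits, years in scenario_table():
        print(f"{label:42s} {bits:6.1f} bits  ~{years:,.2g} years")
```

The table makes the point behind both quotes: a short, lowercase-only master password stays within reach at the assumed rate regardless of the iteration count (raising iterations from 5,000 to 100,000 only multiplies the cost by 20), while a 16-character mixed password such as the one Cryptopathic describes sits far beyond any “millions of years” figure. For a user whose vault was in a stolen backup, password length and character set matter more than the KDF setting, and the practical response is to assume a weak or reused master password can be recovered and rotate the credentials inside the vault.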

I like the idea of the Secret Key, however it only protects against a breach where the stored encrypted data is stolen. If the server is compromised, all bets are off because the Web client could be secretly modified to steal the Secret Key stored in your browser:

One thing I find annoying is that you can’t manage your account purely in the application, but have to touch the web interface with its “code directly downloaded from 1Password’s server” model.

Update (2023-01-25): Anyjohndoe1 (via Hacker News):

For those that may not have seen it, since instead of a new post they “updated” the one from November… Looks like it’s even worse than they first let on—now not just LastPass, but a bunch of their other products. Oh, and encrypted backups from some of those services—and an encryption key for some of said backups.
