Friday, December 23, 2022

LastPass Breach

Dan Goodin:

LastPass, one of the leading password managers, said that hackers obtained a wealth of personal information belonging to its customers as well as encrypted and cryptographically hashed passwords and other data stored in customer vaults.

The revelation, posted on Thursday, represents a dramatic update to a breach LastPass disclosed in August. At the time, the company said that a threat actor gained unauthorized access through a single compromised developer account to portions of the password manager’s development environment and “took portions of source code and some proprietary LastPass technical information.” The company said at the time that customers’ master passwords, encrypted passwords, personal information, and other data stored in customer accounts weren’t affected.


The hackers also copied a backup of customer vault data that included unencrypted data such as website URLs and encrypted data fields such as website usernames and passwords, secure notes, and form-filled data.

Update (2022-12-26): evan j:

I worked at LastPass as an engineer a long time ago. 7+ years ago. My 2 cents on the situation.

This is the worst breach LastPass has had. By a lot.

The key difference is that customer vaults were accessed this time, which are kept in a completely separate database.


URLs aren’t encrypted. This has been a well reported criticism of the product.

But it allows an attacker to see what vault entries are associated with which sites.

Overall. I think OG users of LP are at greater risk for targeted attacks than newer. I don’t think we’ll see widespread vaults being cracked, but targeted attacks are very possible with a user’s entire vault

Cryptopathic (via Hacker News):

I think the situation at @LastPass may be worse than they are letting on.

On Sunday the 18th, four of my wallets were compromised. The losses are not significant.

Their seeds were kept, encrypted, in my lastpass vault, behind a 16 character password using all character types.

Naz Markuta (via Hacker News):

The recent (2022) compromise of Lastpass included email addresses, home addresses, names, and encrypted customer vaults. In this post I will demonstrate how attackers may leverage tools like Hashcat to crack an encrypted vault with a weak password.

Tavis Ormandy (via Dare Obasanjo):

Things start to go wrong when you want integration with other applications, or when you want data synchronized by an untrusted intermediary. There are safe ways to achieve this, but the allure of recurring subscription fees has attracted businesses to this space with varying degrees of competence. I’m generally skeptical of these online subscription password managers, and that’s going to be the focus of the rest of this article.


I often say that “use a password manager” is bad advice. That’s because it’s difficult to tell the difference between a competent implementation and a naive one. The tech press can review usability and onboarding experience, but can’t realistically evaluate any security claims, so how do you propose users tell the difference? For that reason, I think “use a password manager” is so vague that it’s dangerous.


My primary area of interest is how remote attackers can interact with your password manager.


An attacker (or malicious insider) in control of the vendor’s network can change the code that is served to your browser, and that code can obviously access your passwords. This isn’t farfetched, altering the content of websites (i.e. defacement) is so common that it’s practically a sport.

Bruce Schneier:

But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for “someone else’s computer,” and you need to understand how much or how little you trust that computer.

Update (2022-12-29): Jeremi M Gosney:

But things change, and in recent years I found myself unable to defend LastPass. I can’t recall if there was a particular straw that broke the camel’s back, but I do know that I stopped recommending it in 2017 and fully migrated away from it in 2019. Below is an unordered list of the reasons why I lost all faith in LastPass[…]


So, why do I recommend Bitwarden and 1Password? It’s quite simple[…]?

Jeffrey Goldberg:

LastPass, a competitor, recently announced that password hashes were included in an August 2022 breach of their cloud storage. Their notice claimed that if users had followed default settings, “it would take millions of years to guess your master password using generally-available password-cracking technology.” That claim is highly misleading. In this article, I’ll explore the LastPass claim and unique 1Password features that protect you — now and in the event of a similar breach.


One of the things that sets 1Password apart is the Secret Key. A year ago I explained how your Secret Key protects you in the event the data we hold is captured by an attacker.

I like the idea of the Secret Key, however it only protects against a breach where the stored encrypted data is stolen. If the server is compromised, all bets are off because the Web client could be secretly modified to steal the Secret Key stored in your browser:

One thing I find annoying is that you can’t manage your account purely in the application, but have to touch the web interface with its “code directly downloaded from 1Password’s server” model.

Update (2023-01-25): Anyjohndoe1 (via Hacker News):

For those that may not have seen it, since instead of a new post they “updated” the one from November…Looks like it’s even worse than they first let on—now not just LastPass, but a bunch of their other products. Oh, and encrypted backups from some of those services—and an encryption key for some of said backups.

Update (2023-03-01): Filipe Espósito (Hacker News):

Now LastPass has revealed that the incident was caused by credentials stolen from a DevOps engineer.

As shared in a blog post (via ArsTechnica), there was a coordinated attack in August 2022 in which hackers were able to access and steal data from Amazon AWS cloud servers. More specifically, the credentials for the servers were stolen from a DevOps engineer who had access to cloud storage at the company. This made it more difficult for LastPass to detect the suspicious activity.

Interestingly, ArsTechnica heard from sources that the engineer’s computer was hacked through a vulnerability found in the Plex media platform. Twelve days after the LastPass attack, Plex confirmed that it had also suffered an attack that resulted in 15 million users’ passwords being stolen.

Update (2023-09-08): Brian Krebs (via Nick Heer):

Monahan said virtually all of the victims she has assisted were longtime cryptocurrency investors, and security-minded individuals. Importantly, none appeared to have suffered the sorts of attacks that typically preface a high-dollar crypto heist, such as the compromise of one’s email and/or mobile phone accounts.


Then on Aug. 28, Monahan said she’d concluded that the common thread among nearly every victim was that they’d previously used LastPass to store their “seed phrase,” the private key needed to unlock access to their cryptocurrency investments.


LastPass says that since 2018 it has required a twelve-character minimum for master passwords, which the company said “greatly minimizes the ability for successful brute force password guessing.”

But Palant said while LastPass indeed improved its master password defaults in 2018, it did not force all existing customers who had master passwords of lesser lengths to pick new credentials that would satisfy the 12-character minimum.


A chart on Palant’s blog post offers an idea of how increasing password iterations dramatically increases the costs and time needed by the attackers to crack someone’s master password. Palant said it would take a single GPU about a year to crack a password of average complexity with 500 iterations, and about 10 years to crack the same password run through 5,000 iterations.

But some customers were not upgraded to more iterations and may have had it set to only 1.

Comments RSS · Twitter · Mastodon

Leave a Comment