Popular password management company LastPass has been under the pump this year, after the network was hacked back in August 2022.
Details on how the attackers first got in are still scarce, with LastPass’ first official commentary cautiously stating the following:
[A]n unauthorized party gained access to parts of the LastPass development environment through a single compromised developer account.
A follow-up announcement about a month later was similarly inconclusive:
[T]he threat actor gained access to the development environment using the compromised developer endpoint. Although the method used for the initial compromise of the endpoint is inconclusive, the threat actor used its persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication.
There’s not much left in this paragraph once you drain off the jargon, but the key phrases seem to be “compromised endpoint” (in plain English, this probably means: a malware-infected computer) and “persistent access” (meaning: the crooks can come back later at their leisure).
2FA doesn’t always help
Unfortunately, as you can read above, two-factor authentication (2FA) did not help with this particular attack.
We’re guessing this is because LastPass, in common with most businesses and online services, doesn’t require 2FA for literally every connection where authentication is required, but only for what you might call raw authentication.
To be fair, many or most of the services you use, including your employer, generally do something similar.
Typical 2FA exemptions, intended to reap most of its benefits without paying too high a price in inconvenience, include:
- Performing a full 2FA authentication only occasionally, such as requesting new codes only once every few days or weeks. Some 2FA systems offer you the option to “remember me for X days”, for example.
- Requiring 2FA only for the initial login, then allowing a kind of “single sign-on” system to authenticate you automatically to a wide range of internal services. In many companies, logging into your email also gives you access to other services such as Zoom, GitHub, or whatever other systems you use regularly.
- Issuing “bearer access tokens” to automated software tools, based on occasional 2FA authentication by developers, testers, and engineering staff. If you have an automated build-and-test script that needs to access different servers and databases at different points in the process, you don’t want the script interrupted every few minutes to wait for another 2FA code to be typed in.
We haven’t seen any evidence…
In a fit of confidence that we suspect LastPass now regrets, the company initially said, in August 2022:
We have seen no evidence that this incident involved any access to customer data or encrypted password vaults.
Of course, “we have seen no evidence” isn’t a very strong statement (not least because a recalcitrant company could make it true simply by not looking for evidence in the first place, or by letting someone else gather the evidence and then deliberately refusing to look at it), although it’s often all any company can honestly say in the immediate aftermath of a breach.
However, LastPass investigated further, and felt it could make a more definitive claim by September 2022:
Although the threat actor was able to access the development environment, our system design and controls prevented the threat actor from accessing any client data or encrypted password stores.
Unfortunately, this claim turned out to be rather too bold.
The attack that led to the attack
LastPass admitted early on that the scammers “took parts of the source code and some technical information of LastPass”…
… and it now appears that some of the stolen “technical information” was sufficient to facilitate a follow-up attack disclosed in November 2022:
We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to access certain items of our customers’ information.
To be fair to LastPass, the company hasn’t repeated its original claim that no password vaults were stolen, referring only to the theft of “customer information”.
But in its previous breach notifications, the company had carefully referred to customer data (which makes most of us think of information such as addresses, phone numbers, payment card details, and so on) and encrypted password vaults as two distinct categories.
This time, however, it turns out that “customer information” includes both customer data, in the above sense, and password databases.
Not literally on the night before Christmas, but dangerously close to it, LastPass admitted that:
The threat actor copied information from the backup containing basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, phone numbers, and IP addresses from which customers were accessing LastPass.
Loosely speaking, scammers now know who you are, where you live, what computers you have on the Internet, and how to contact you electronically.
The threat actor was also able to back up customers’ vault data.
So, scammers did steal these password vaults after all.
Interestingly, LastPass has now also admitted that what it describes as a “password vault” is not, in fact, a monolithic BLOB (a jocular word for binary large object) consisting only and entirely of encrypted, and therefore unintelligible, data.
These “vaults” include unencrypted data, apparently including the website URLs that come with every encrypted username and password.
Thus, now scammers not only know where you and your computer live, thanks to the leaked billing and IP address data mentioned above, but they also have a detailed map of where you go when you’re online:
[C]ustomer vault data […] is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
LastPass hasn’t provided any further details about the unencrypted data stored in these “vault” files, but the words “such as website URLs” certainly indicate that URLs aren’t the only unencrypted information the scammers obtained.
The good news
The good news, LastPass continues to insist, is that the security of the passwords backed up in your vault file should be no different from the security of any other cloud backup that you encrypted on your own computer before uploading it.
According to LastPass, the confidential data it backs up for you never exists in unencrypted form on LastPass’ private servers, and LastPass does not store or see your master password.
So, LastPass says, your backed-up password data is always uploaded, stored, accessed, and downloaded in encrypted form, meaning that the scammers still need to crack your master password, even though they now have the scrambled password data.
As far as we can tell, passwords added to LastPass in recent years use a salt-hash-and-stretch storage system that comes close to our own recommendations: the PBKDF2 algorithm with random salts, SHA-256 as the internal hashing function, and 100,100 iterations.
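To make the salt-hash-and-stretch idea concrete, here is an added example (not LastPass’ code, nor from this article) of a PBKDF2-HMAC-SHA256 master-password check using the 100,100 iterations quoted above; the 16-byte salt length, the 32-byte key length and all passwords are constructed assumptions, and the timing function shows what “stretching” buys a defender: every guess against a stolen vault costs a full derivation rather than a single hash.

```python
import hashlib
import hmac
import os
import time

# Parameters the article attributes to recent LastPass vaults: PBKDF2 with
# SHA-256 as the inner hash, a random per-user salt, and 100,100 iterations.
ITERATIONS = 100_100
SALT_BYTES = 16   # assumed salt length; the article does not state one
KEY_BYTES = 32    # assumed 256-bit derived key


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a master password into a fixed-length key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)


def new_vault_record(master_password: str) -> dict:
    """Build what a server would keep to verify a master password it never stores.

    A fresh random salt means two users with the same password get unrelated keys,
    so a table precomputed for one salt is useless against any other."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "iterations": ITERATIONS, "key": derive_vault_key(master_password, salt)}


def check_master_password(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    candidate_key = derive_vault_key(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate_key, record["key"])


def seconds_per_guess(record: dict, samples: int = 3) -> float:
    """Measure how long one candidate check costs on this machine.

    This is the point of stretching: each guess against a stolen vault costs about
    this much, not the microseconds of a single SHA-256. It does not rescue a
    password that sits near the top of a guessing list."""
    start = time.perf_counter()
    for _ in range(samples):
        check_master_password(record, "constructed-wrong-guess")
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    record = new_vault_record("constructed-master-password")
    print("correct password accepted:", check_master_password(record, "constructed-master-password"))
    print("wrong password rejected:", not check_master_password(record, "12345678"))
    print(f"cost per guess: {seconds_per_guess(record):.4f} s at {record['iterations']:,} iterations")
```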
LastPass did not, or could not, say in its November 2022 update how long after the first attack on its development system in August 2022 the second wave of crooks got into its cloud servers.
But even assuming the second attack happened immediately and simply wasn’t noticed until later, the criminals would have had at most four months to try to crack the master passwords of anyone’s stolen vault.
It is therefore reasonable to conclude that users who deliberately chose easy-to-guess or quick-to-crack passwords are at risk, and that anyone who has put off changing their passwords since the breach was announced has given the scammers a head start.
Don’t forget that length alone is not enough to guarantee a decent password. Indeed, anecdotal evidence suggests that 12345678 and 123456789 are more common these days than 1234, possibly due to the length restrictions imposed by today’s login screens. And remember that password cracking tools do not start at AAAA and grind forward like an alphanumeric odometer to ZZZZ...ZZZZ. They try passwords in order of their likelihood of being chosen, so you have to assume they’ll “guess” long but human-friendly passwords like BlueJays28RedSox5! (18 characters) long before they get to MAdv3aUQlHxL (12 characters), or even ISM/RMXR3 (9 characters).
What should be done?
Back in August 2022, we said this: If you want to change some or all of your passwords, we aren’t going to talk you out of it. [… But] we don’t think you need to change your passwords. (For what it’s worth, this also doesn’t apply to LastPass.)
That was based on LastPass’ assertions, not only that backup password vaults were encrypted with passwords known only to you, but also that those password vaults were never accessed anyway.
Given the change in LastPass’ story based on what it has discovered since then, we now suggest that you do so: change your passwords if you reasonably can.
Note that you need to change the passwords stored within your vault, as well as the master password for the vault itself.
This is so that if scammers crack your old master password in the future, the stash of password data they’ll uncover will be outdated and therefore useless – like a hidden pirate chest full of banknotes that are no longer legal tender.
While you’re at it, why not take the chance to improve any weak or reused passwords in your list at the same time, since you’re changing them anyway?
Oh, and one more thing: an appeal to X-Ops teams, IT staff, system administrators, and technical writers everywhere.
When you want to say you’ve changed your passwords, or to recommend that others change theirs, can you stop using the misleading word rotate, and simply use the more obvious word change instead?
Don’t talk about “credential rotation” or “password rotation”, because the word rotate, especially in computer science, implies a structured process that ultimately involves repetition.
For example, on a committee with a rotating chair, everyone gets a chance to lead the meetings, on a predetermined cycle, say Alice, Bob, Cracker, Dongle, Mallory, Susan…and then Alice again.
And in machine code, the ROTATE instruction explicitly circulates the bits in a register.
If you ROL or ROR (ROtate Left or ROtate Right, in Intel notation) enough times, the bits revert to their original value.
This is not at all what you want when you start changing your passwords!
What happens if my password manager is hacked?
Whether you’re a LastPass user or not, here’s a video we made with some tips on how to reduce your risk of disaster if you or your password manager gets hacked. (Click the cog while playing to turn on subtitles or to speed up playback.)
Why ‘rotate’ isn’t a good synonym for ‘change’
Here’s ROTATE (more precisely, ROL) at work in real life on 64-bit Windows.
If you compile and run the code below (we used the easy, simple, free tools from GoTools)…
…then you should get the output below:
Rotated by 0 bits = C001D00DC0DEF11E
Rotated by 4 bits = 001D00DC0DEF11EC
Rotated by 8 bits = 01D00DC0DEF11EC0
Rotated by 12 bits = 1D00DC0DEF11EC00
Rotated by 16 bits = D00DC0DEF11EC001
Rotated by 20 bits = 00DC0DEF11EC001D
Rotated by 24 bits = 0DC0DEF11EC001D0
Rotated by 28 bits = DC0DEF11EC001D00
Rotated by 32 bits = C0DEF11EC001D00D
Rotated by 36 bits = 0DEF11EC001D00DC
Rotated by 40 bits = DEF11EC001D00DC0
Rotated by 44 bits = EF11EC001D00DC0D
Rotated by 48 bits = F11EC001D00DC0DE
Rotated by 52 bits = 11EC001D00DC0DEF
Rotated by 56 bits = 1EC001D00DC0DEF1
Rotated by 60 bits = EC001D00DC0DEF11
Rotated by 64 bits = C001D00DC0DEF11E
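For readers without a Windows assembler to hand, here is an added example (not the article’s own assembly code) that reproduces the table above in Python with 64-bit ROL and ROR, and checks the point the article is making: rotate far enough and every bit is back where it started. The starting value 0xC001D00DC0DEF11E is the one from the output above; nothing else is assumed.

```python
# 64-bit rotate-left / rotate-right in plain Python, mimicking the x86-64
# ROL / ROR instructions on a register holding the article's test value.
MASK64 = (1 << 64) - 1


def rol64(value: int, count: int) -> int:
    """Rotate a 64-bit value left; bits pushed off the top re-enter at the bottom."""
    count %= 64
    return ((value << count) | (value >> (64 - count))) & MASK64


def ror64(value: int, count: int) -> int:
    """Rotate right is a left rotation by the complementary amount."""
    return rol64(value, (64 - count) % 64)


def rotation_table(value: int, step: int = 4, left: bool = True) -> list:
    """Produce 'Rotated by N bits = ...' lines for N = 0, step, ..., 64, like the article's program."""
    rotate = rol64 if left else ror64
    return [f"Rotated by {n} bits = {rotate(value, n):016X}" for n in range(0, 65, step)]


def returns_to_start(value: int) -> bool:
    """Rotation loses nothing: a full turn, or a left turn undone by a right turn, restores the value."""
    return rol64(value, 64) == value and ror64(rol64(value, 13), 13) == value


if __name__ == "__main__":
    for line in rotation_table(0xC001D00DC0DEF11E):
        print(line)
    print("back to the original after 64 bits:", returns_to_start(0xC001D00DC0DEF11E))
```

Pass left=False to rotation_table to see the ROR version of the same table.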
You can change the direction and the amount of the rotation by changing ROL to ROR, and by setting the number 4 on that line and the one after it.