https://palant.info/2021/12/29/how-did-lastpass-master-passwords-get-compromised/

Almost Secure

How did LastPass master passwords get compromised?

2021-12-29 lastpass/security/password-managers 7 mins 10 comments

A number of LastPass users recently received an email like the following, indicating that someone else attempted to log into their account:

Email with the LastPass header: Login attempt blocked. Hello, Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look. Was this you?

The mail is legitimate and has been sent out by the LastPass service. The location however was typically very far away from the user's actual location, e.g. in a country like Brazil or India. Yet this isn't merely an attempt to guess the password, as LastPass will only send a mail like this one if the correct master password is provided in the login attempt.

One affected user created a thread on Hacker News and at least a dozen others chimed in with similar experiences. This indicates that a large-scale attack is underway, with the total number of affected users being quite significant.

As online password managers go, a user's master password is the most critical piece of information. So the important question is: how do the attackers know the master passwords? There are several explanations being discussed: credential stuffing, phishing, malware, LastPass compromise. As I know a thing or two about LastPass, I'll write down how likely these are and why.

TL;DR: It appears that LastPass infrastructure has been compromised, all other explanations being rather unlikely. And, surprisingly, it isn't a given that the attackers actually know these master passwords.
Contents
* Credential stuffing
* Phishing
* Malware
* LastPass compromise
* Pass the hash

Credential stuffing

The Hacker News thread prompted AppleInsider to write about this issue. The article quotes a LastPass spokesperson with the following statement:

LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted 'credential stuffing' activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services

Credential stuffing attacks are quite common and rely on password reuse: a password leaked by one service happens to be used for another service as well. But is password reuse likely when talking about a password manager whose entire goal is eliminating password reuse? With LastPass having a history of downplaying security issues, we should take their statement with a grain of salt.

Several affected Hacker News users claim (and I believe them) that their master password has not been reused anywhere. Worse yet, several users reported changing their master password in response to the notification, yet getting notified about another login attempt with the new master password shortly afterwards.

A tweet by Valcrist @Valcristerra: Someone tried my @LastPass master password earlier yesterday and then someone just tried it again a few hours ago after I changed it. What the hell is going on?

If true (and I have little reason to doubt this statement), this completely rules out credential stuffing as the attack vector here.

Update (2021-12-30): LastPass published an expanded statement that I was unaware of at the time of writing. It also claims that credential stuffing is the source of the issue but has an important addition:

Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error.
This seems to indicate that the email messages were mistakenly triggered by login attempts with an incorrect password. This would be good news and make the rest of this article obsolete. But note how they say "likely" here. If they found and fixed a bug in the email notification mechanism, why don't they just state so? Unfortunately, this kind of statement sounds like they still don't have a clue about what's going on but want to calm the crowd nevertheless.

Phishing

Phishing, mentioned as another possible explanation, is quite unlikely for the same reason. The suspicion here is that the users have been lured to a fake LastPass login page and entered their master password there. While this is also a common attack, it cannot explain repeated login attempts after a master password change.

Also, several affected LastPass accounts haven't been in use for at least a year. This means that the phishing attack must have happened at least a year ago in this case. Yet anybody collecting passwords via phishing would have attempted to use them as soon as possible. The longer they wait, the more likely the user will recognize their mistake and change the password.

Malware

As it seems that the attackers react to changes, some people concluded that they are indeed being watched. The options are a malicious (or severely vulnerable) browser extension or a standalone application compromising the entire system. This explains at least how the attackers would get the new master password after a change.

This theory is also unlikely however, for multiple reasons. First of all, malware provides a level of access that makes hacking LastPass accounts unnecessary. If it can intercept or extract the LastPass master password, it can do the same for all other passwords as well. Logging into LastPass accounts is simply an additional step, one that unnecessarily exposes the entire campaign.

It's also notable that the attacks here are thwarted by rudimentary protection based on geographical location.
Why would attackers who control a user's browser or their entire system run into this trap? They could log into LastPass from the user's own browser instead. Better yet: they could hijack the existing LastPass session. Last time I checked these took two whole weeks to expire.

Finally, there is the question of timing. Malware can only steal a password when that password is used. Yet some affected accounts were abandoned, last used more than a year ago. Did the attackers collect credentials and thoroughly prepare over a lengthy period of time? It doesn't look like that. These attacks aren't sophisticated, or they wouldn't attempt to log into accounts of US users from Brazil. With real preparation they wouldn't repeatedly run against this geographical protection.

LastPass compromise

As far as I can tell, this only leaves the option that LastPass itself has been compromised. But this option also raises questions: not even LastPass servers are supposed to know users' master passwords. The master password is only ever transmitted as a hash, one that is difficult to reverse.

My initial suspicion was that someone abused the vulnerability I described in this post from 2018. The issue allowing websiteBackgroundScript.php to be loaded by any website was obvious enough that someone could have discovered it independently of me. And cracking the master password when hashed with merely 5,000 PBKDF2 iterations (LastPass default before 2018) is totally possible.

However, this option is ruled out by the fact that users also reported brand new accounts being affected, as well as recently changed master passwords. The new default (100,000 iterations) makes recovering master passwords from hashes require considerably more resources, too much for unsophisticated attackers to pull off such a large-scale attack even in case of another similar data leak. But that's assuming that LastPass servers are in fact unaware of your master password.
LastPass users will often enter their master password into web pages hosted on lastpass.com, even when using the browser extension. This is a design flaw, as there is no real way of verifying that the password is never sent out unhashed. It is for example possible that some logging functionality inadvertently sent the plaintext password to a server. And with log4j vulnerabilities being actively exploited right now, someone might have compromised the very server receiving this data.

I tried logging into LastPass via the web interface and couldn't see any unexpected data being transmitted. This doesn't prove anything of course, as some other form might be the culprit here. Or this functionality might only be enabled for US users for example. But there is also another explanation, one that doesn't require LastPass to know the unhashed master password.

Pass the hash

It is in fact not a given that the attackers know the master password. That's because LastPass authentication (unlike proper PAKE protocols) is vulnerable to pass the hash attacks. The same master password hash is used each time to log in, so the attackers might have used that hash rather than the master password itself. And lifting that hash from some LastPass server should be much easier than getting your hands on the unhashed master password.

So one can log in using only the master password hash, and what then? Once logged in, attackers can download https://lastpass.com/getaccts.php which holds all of the account's data. This gives them the addresses of websites but the corresponding user names and passwords cannot be decrypted without knowing the master password.

It doesn't mean that this attack is worthless however. Once the attackers have the data, they can spend all eternity bruteforcing the master password locally. They can even prioritize the accounts holding passwords to more valuable websites. So this might very well be what happened here.
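To make the two properties discussed above concrete, here is an added toy model (my own code, not LastPass's) of a LastPass-style login: the vault key is PBKDF2-SHA256 over the master password with the email as salt, and the login hash sent to the server is one further PBKDF2 round over that key. The model shows that the login credential is a static value, so anyone holding it can replay it against the server, and that the same value serves as an offline oracle whose per-guess cost is set by the iteration count. The derivation details, the ToyServer and the candidate list are assumptions for the demo.

```python
import hashlib
import hmac

# Assumed model of LastPass-style authentication (not LastPass's own code).
# Iterations are kept low so the demo runs quickly; production defaults are
# far higher, which is exactly what makes offline guessing expensive.
DEMO_ITERATIONS = 5000


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Client-side key that decrypts the vault; it should never leave the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, 32)


def derive_login_hash(master_password: str, email: str, iterations: int) -> bytes:
    """Static credential sent on every login: same inputs give the same bytes every time."""
    key = derive_vault_key(master_password, email, iterations)
    # One extra round salted with the password, so the server never sees the vault key
    # and the login hash cannot be turned back into it.
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1, 32)


class ToyServer:
    """Minimal server that keeps the login hash it was given and compares on login."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, login_hash: bytes) -> None:
        self.accounts[email.lower()] = login_hash

    def login(self, email: str, presented_hash: bytes) -> bool:
        stored = self.accounts.get(email.lower())
        return stored is not None and hmac.compare_digest(stored, presented_hash)


def replay_succeeds(email: str, master_password: str, iterations: int = DEMO_ITERATIONS) -> bool:
    """Pass the hash: a login hash captured once (e.g. from a log) authenticates on its own.

    Re-hashing the value server-side before storage would not change this outcome,
    because the client still presents the same static bytes on every login."""
    server = ToyServer()
    server.register(email, derive_login_hash(master_password, email, iterations))
    captured = derive_login_hash(master_password, email, iterations)  # constructed "leaked" value
    return server.login(email, captured)


def offline_guess(captured_hash: bytes, email: str, candidates, iterations: int = DEMO_ITERATIONS):
    """A leaked login hash must be treated as a leaked password: each candidate can be
    checked offline, at a cost of `iterations` PBKDF2 rounds per guess."""
    for guess in candidates:
        if hmac.compare_digest(derive_login_hash(guess, email, iterations), captured_hash):
            return guess
    return None
```

A proper PAKE would have the client prove knowledge of the password without ever sending a reusable value, which is the difference the article's "unlike proper PAKE protocols" remark points at.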
See Also:
* Should you be concerned about LastPass uploading your passwords to its server?
* Is your LastPass data really safe in the encrypted online vault?
* LastPass: Security done wrong
* More Last Pass security vulnerabilities
* PfP: Pain-free Passwords security review

Comments

* zakius 2021-12-29 23:32
so in systems where pass the hash is possible the database basically contains a plaintext password being a jumbled mess of bytes seeded by the user-intended password, did I get that right?

Wladimir Palant 2021-12-30 07:58
Yes, that sounds about right.

* mike epson 2021-12-30 15:49
If LastPass is set up with Google authenticator would this prevent any unauthorized login attempts?

Wladimir Palant 2021-12-30 17:09
I've never had a proper look at their MFA implementation. If implemented correctly - sure, it would prevent such attacks and is very much recommendable for this very reason.

* Michael 2021-12-30 16:05
Since the password should never reach the server, is it possible that the captured hash could be used to decrypt the database? Or is a separate hash and/or a different browser-side salt used for that purpose? Even if the latter is true, the page receiving the hash for unlocking the password file could theoretically have been compromised as well. I guess we'll know for sure if we ever get reports of affected users having LastPass-generated account passwords compromised.

Wladimir Palant 2021-12-30 17:11
Yes, the captured hash can be used to bruteforce the master password. This takes considerable time (that's the purpose of PBKDF2 used here) but as I said: the attackers could decide which accounts are worth the effort.

* I told you so 2021-12-30 15:56
Use LastPass instead of local KeePass (or XYZ). It's safe. Trust me. Give me your money. We know what we do.

Wladimir Palant 2021-12-30 17:14
Well, local password managers have their own share of issues, particularly when browser integration is involved.
And the attack surface of online password managers can be minimized. It isn't black and white. It's rather that LastPass has numerous design issues and little interest in addressing them.

* Michael E 2021-12-30 18:35
I've read that LastPass doesn't hold the unhashed master password. But I've also read that they offer ways to recover your account if you forget the password, unlike bitwarden. To me that indicates that they do in fact have unhashed master passwords. Or what am I missing?

Wladimir Palant 2021-12-30 19:37
They have a recovery mechanism called One Time Passwords (OTP). These OTPs hold the encryption key necessary to decrypt your data without a master password. Cryptographically this approach is sane, there are some problematic implementation details however. You can read about it under https://palant.info/2018/07/09/is-your-lastpass-data-really-safe-in-the-encrypted-online-vault/, the section titled "A few words on backdoors."

* Michael 2021-12-30 18:18
Might be nice to update your article after LastPass confirmed the emails were sent erroneously by their system and there was no hack. Especially your tl;dr piece and title are now more clickbait than actually true.

Wladimir Palant 2021-12-30 19:39
Yes, I want to update the article. They didn't actually state that the mails were sent out erroneously however, they said "likely." In this context that's synonymous with "we don't really know but we'll claim it anyway."

* John 2021-12-30 19:00
Thanks for this insightful post. Just to confirm... assuming someone has MFA in place and has recently updated their master password, they should not be vulnerable to previously captured hashes, and due to MFA, it is unlikely someone could have previously captured getaccts.php. Is that all correct?

Wladimir Palant 2021-12-30 19:40
Yes, that's correct.

* Mahesh 2021-12-30 19:41
Thank you for a well written article that is intelligible even to a non-technical person like me.
I have used LastPass for a long time, and therefore, am very interested in keeping up with any security issues related to LastPass. I use Google authenticator for MFA. I sure hope that is enough to keep my account safe from hacking. I don't know what else to do, or whether any other password manager is any less vulnerable than LastPass.

* Niki 2021-12-30 20:52
There is, of course, a very simple reason too. I actually did this to myself, and had a panicky few minutes before I figured out it was me. I went shopping on a global Amazon EU site to see what was available to Europeans and not to Northern Ireland even though still in the EU customs union (the answer - a LOT!). I then tried to use LastPass for my Amazon password, no go. It was several hours later that I got the email, by which time I'd initially forgotten I'd even tried to log on whilst VPNed into an EU country.

Wladimir Palant 2021-12-30 21:03
Someone already brought up VPN as a possibility on Hacker News. However: no, the IP addresses mentioned don't belong to a VPN. And several accounts affected haven't been in use at all: no legitimate logins whatsoever, over VPN or otherwise.

* Mosh 2021-12-30 21:10
Were there actually any breached credentials?

Wladimir Palant 2021-12-30 21:25
Who knows? I don't know any more than what's said in the article.

Content under CC BY-SA 4.0 license