https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/

Almost Secure

# What's in a PR statement: LastPass breach explained

2022-12-26 | lastpass / security / password-managers | 10 mins | 14 comments

Right before the holiday season, LastPass published an update on their breach. As people have speculated, this timing was likely not coincidental but rather intentional, to keep the news coverage low. Security professionals weren't amused; this holiday season became a very busy time for them.

LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving face. Their statement is also full of omissions, half-truths and outright lies. As I know that not everyone can see through all of it, I thought that I would pick out a bunch of sentences from this statement and give some context that LastPass didn't want to mention.

[Screenshot of the LastPass blog post: Update as of Thursday, December 22, 2022. To Our LastPass Community, We recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data. In keeping with our commitment to transparency, we want to provide you with an update regarding our ongoing investigation.]

Let's start with the very first paragraph:

> In keeping with our commitment to transparency, we want to provide you with an update regarding our ongoing investigation.

In fact, this has little to do with any commitment. LastPass is actually required by US law to immediately disclose a data breach. We'll soon see how transparent they really are in their statement.
> While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

LastPass is trying to present the August 2022 incident and the current data leak as two separate events. But using information gained in the initial access in order to reach more assets is a typical technique used by threat actors; it is called lateral movement. So the more correct interpretation of events is: there is no new breach now, LastPass rather failed to contain the August 2022 breach. And because of that failure, people's data is now gone. Yes, this interpretation is far less favorable to LastPass, which is why they likely try to avoid it.

Note also how LastPass avoids mentioning when this "target another employee" happened. It likely already took place before they declared victory in September 2022, which also sheds a bad light on them.

> The cloud storage service accessed by the threat actor is physically separate from our production environment.

Is that supposed to be reassuring, considering that the cloud storage in question apparently had a copy of all the LastPass data? Or is this maybe an attempt to shift the blame: "It wasn't our servers that the data was lifted from"?

> To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

We learn here that LastPass was storing your IP addresses. And since they don't state how many they were storing, we have to assume: all of them.
And if you are an active LastPass user, that data should be good enough to create a complete movement profile, which is now in the hands of an unknown threat actor. Of course, LastPass doesn't mention this implication, hoping that the less tech-savvy users won't realize.

There is another interesting aspect here: how long did it take to copy the data for millions of users? Why didn't LastPass detect this before the attackers were done with it? We won't learn that from their statement.

> The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Note how LastPass admits not encrypting website URLs but doesn't group them under "sensitive fields." But website URLs are very much sensitive data. Threat actors would love to know what you have access to. Then they could produce well-targeted phishing emails just for the people who are worth their effort.

Never mind the fact that some of these URLs have parameters attached to them. For example, LastPass will sometimes save password reset URLs. And occasionally they will still be valid. Oops...

None of this is new, of course. LastPass has been warned again and again that not encrypting URLs and metadata is a very bad idea: in November 2015 (page 67), in January 2017, in July 2018. And that's only the instances I am aware of. They chose to ignore the issue, and they continue to downplay it.

> These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture.

Lots of buzzwords here. 256-bit AES encryption, unique encryption key, Zero Knowledge architecture: all that sounds very reassuring.
It masks over a simple fact: the only thing preventing the threat actors from decrypting your data is your master password. If they are able to guess it, the game is over.

> As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.

Unless they (or someone compromising their servers) decide to store it. Because they absolutely could, and you wouldn't even notice, e.g. when you enter your master password into the login form on their web page.

But it's not just that. Even if you use their browser extension consistently, it will fall back to their website for a number of actions. And when it does so, it will give the website your encryption key. For you, it's impossible to tell whether this encryption key is subsequently stored somewhere.

None of this is news to LastPass. It's a risk they repeatedly chose to ignore, and one that they keep denying in their official communication.

> Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices.

This prepares the ground for blaming the customers. LastPass should be aware that passwords will be decrypted for at least some of their customers. And they have a convenient explanation already: these customers clearly didn't follow their best practices. We'll see below what these best practices are and how LastPass is actually enforcing them.

> We routinely test the latest password cracking technologies against our algorithms to keep pace with and improve upon our cryptographic controls.

Sounds reassuring. Yet I'm aware of only one occasion where they adjusted their defaults: in 2018, when I pointed out that their defaults were utterly insufficient. Nothing changed after that, and they are again falling behind.

Now to their password best practices:

> Since 2018, we have required a twelve-character minimum for master passwords. This greatly minimizes the ability for successful brute force password guessing.

If you are a LastPass customer, chances are that you are completely unaware of this requirement. That's because LastPass didn't ask existing customers to change their master password. I have had my test account since 2018, and even today I can log in with my eight-character password without any warnings or prompts to change it. So LastPass has required twelve characters for the past four years, but a large portion of their customer base likely still uses passwords not complying with this requirement. And LastPass will blame them should their data be decrypted as a result.

> To further increase the security of your master password, LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password.

Note "stronger-than-typical" here. I seriously wonder what LastPass considers typical, given that 100,000 PBKDF2 iterations is the lowest number I've seen in any current password manager. And it's also the lowest protection level that is still somewhat (barely) acceptable today. In fact, OWASP currently recommends 310,000 iterations. LastPass hasn't increased their default since 2018, despite modern graphics cards becoming much better at guessing PBKDF2-protected passwords in that time, by a factor of at least 7.

And that isn't even the full story. In 2018 LastPass increased the default from 5,000 iterations to 100,100. But what happened to the existing accounts? Some have apparently been upgraded, while other people report still having 5,000 iterations configured. It's unclear why these haven't been upgraded. In fact, my test account is also configured with 5,000 iterations. There is no warning when I log in. LastPass won't prevent me from changing this setting to a similarly low value. Affected LastPass users don't learn that they are at risk.
But they get blamed now for not keeping up with LastPass recommendations.

Update (2022-12-27): I've now seen comments from people who have their accounts configured to 500 iterations. I'm not even sure when this was the LastPass default, but they failed to upgrade people's accounts back then as well. And now people's data has leaked with protection that is a factor of 620 (!!!) below what OWASP currently recommends. I am at a loss for words at this utter negligence. In fact, there is so far one confirmed case of an account configured with 1 (in words: one) iteration, which was apparently the LastPass default before they changed to 500. I'll just leave this standing here.

> If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology.

I'll translate: "If you've done everything right, nothing can happen to you." This again prepares the ground for blaming the customers. One would assume that people who "test the latest password cracking technologies" would know better than that.

As I've calculated, even guessing a truly random password meeting their complexity criteria would take less than a million years on average using a single graphics card. But human-chosen passwords are far from random. Most people have trouble even remembering a truly random twelve-character password. An older survey found the average password to have 40 bits of entropy. Such passwords could be guessed in slightly more than two months on the same graphics card. Even an unusually strong password with 50 bits of entropy would take 200 years on average, not unrealistic for a high-value target that somebody would throw more hardware at.

Another data point to estimate typical password strength: a well-known XKCD comic puts a typical "strong" password at 28 bits of entropy and a truly strong diceware password at 44 bits. Guessing time on a single graphics card: on average 25 minutes and 3 years respectively.
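The guessing-time estimates above follow from one relation: an attacker trying candidates in a sensible order finds a password of entropy e after about 2^(e-1) guesses, at a rate that drops linearly with the PBKDF2 iteration count. The Python below is an added worked example, not code from this article or from LastPass. It derives a vault key with PBKDF2-HMAC-SHA256 the way a password manager does, then applies that relation across the iteration counts named in the article and the update (1, 500, 5,000 and 100,100) against the OWASP figure of 310,000. The guess rate of 88,000 candidates per second for one graphics card at 100,100 iterations is an assumption, chosen because it reproduces the article's own figures (40 bits: a bit over two months; 50 bits: about 200 years; 28 bits: 25 minutes; 44 bits: about 3 years); the salt (the account email) is likewise a constructed choice, not a statement about LastPass's actual scheme.

```python
"""Guessing-time arithmetic for PBKDF2-protected master passwords.

Added example; not code from the article or from LastPass. The guess rate
below is an ASSUMPTION picked to reproduce the article's estimates, and the
salt choice is constructed for illustration.
"""
import hashlib

OWASP_RECOMMENDED_ITERATIONS = 310_000                   # figure cited in the article
LASTPASS_DEFAULTS_OVER_TIME = (1, 500, 5_000, 100_100)   # defaults named in article/comments

REFERENCE_ITERATIONS = 100_100
REFERENCE_GUESSES_PER_SECOND = 88_000                    # ASSUMPTION: one GPU at 100,100 iterations

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def derive_vault_key(master_password: str, account_email: str, iterations: int) -> bytes:
    """Derive a 256-bit key from the master password with PBKDF2-HMAC-SHA256.

    The salt is the lower-cased account email (constructed choice for this
    example). The iteration count is the only parameter that makes each guess
    more expensive, and it is stored with the account, so an attacker holding
    the backup knows exactly how much work each guess costs.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        account_email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def guesses_per_second(iterations: int) -> float:
    """Guess rate for one GPU at a given iteration count.

    PBKDF2 is a loop of HMAC invocations, so the work per guess (and hence
    the achievable guess rate) scales linearly with the iteration count.
    """
    return REFERENCE_GUESSES_PER_SECOND * REFERENCE_ITERATIONS / iterations


def average_guess_time_seconds(entropy_bits: float, iterations: int) -> float:
    """Expected time to hit a password of the given entropy.

    Searching the 2**entropy candidates in a sensible order succeeds after
    half of them on average, hence 2**(entropy - 1) guesses.
    """
    return 2 ** (entropy_bits - 1) / guesses_per_second(iterations)


def shortfall_versus_owasp(iterations: int) -> float:
    """How many times below the OWASP recommendation an account's setting is."""
    return OWASP_RECOMMENDED_ITERATIONS / iterations


def format_duration(seconds: float) -> str:
    """Human-readable duration for the summary table."""
    if seconds < 3_600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


def guess_time_table(entropy_bits_list=(28, 40, 44, 50),
                     iteration_counts=LASTPASS_DEFAULTS_OVER_TIME) -> dict:
    """Average guessing time for every (entropy, iterations) pair, as text."""
    return {(bits, it): format_duration(average_guess_time_seconds(bits, it))
            for bits in entropy_bits_list for it in iteration_counts}


if __name__ == "__main__":
    # Keys derived at different iteration counts are unrelated, so the attacker
    # has to redo the full PBKDF2 work for every single candidate password.
    k_low = derive_vault_key("correct horse battery staple", "user@example.com", 500)
    k_high = derive_vault_key("correct horse battery staple", "user@example.com", 100_100)
    print("keys differ:", k_low != k_high)

    for it in LASTPASS_DEFAULTS_OVER_TIME:
        print(f"{it:>7} iterations: {shortfall_versus_owasp(it):>9.0f}x below OWASP, "
              f"{guesses_per_second(it):>14,.0f} guesses/s on one GPU")

    for (bits, it), text in sorted(guess_time_table().items()):
        print(f"{bits} bits @ {it:>7} iterations: {text}")
```

Running it shows why the iteration count, not the AES key size, is what matters for a stolen vault: a 40-bit password costs the attacker about 72 days at 100,100 iterations, 3.6 days at 5,000, and roughly a minute at 1 iteration.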
The competitor 1Password solves this issue by adding a truly random factor to the encryption, a secret key. Some other password managers switched to key derivation methods that are way harder to brute-force than PBKDF2. LastPass did neither, failed to adjust parameters to modern hardware, and is now preparing to blame customers for this failure.

> There are no recommended actions that you need to take at this time.

This is just gross negligence. There certainly are recommended actions to take, and not merely for people with overly simple master passwords or too low an iteration count. Sufficiently determined attackers will be able to decrypt the data for almost anyone. The question is merely whether it's worth it for them. So anybody who could be a high-value target (activists, dissidents, company admins etc.) should strongly consider changing all their passwords right now. You could of course also consider switching to a competitor who, in the case of a breach, will be more concerned about keeping you safe than about saving face.

> We have already notified a small subset (less than 3%) of our Business customers to recommend that they take certain actions based on their specific account configurations.

Presumably, these are the accounts configured with 5,000 iterations; they are at risk and LastPass can easily determine that. But why notify only business customers? My test account for example is also configured with 5,000 iterations and I didn't receive any notification. Again, it seems that LastPass attempts to minimize the risk of litigation (hence alerting businesses) while also trying to prevent a public outcry (so not notifying the general public). Priorities...

See Also:

* What data does LastPass encrypt?
* LastPass has been breached: What now?
* How did LastPass master passwords get compromised?
* Should you be concerned about LastPass uploading your passwords to its server?
* Is your LastPass data really safe in the encrypted online vault?
## Comments

**Shree** (2022-12-27 07:21)

Hi bro, I really appreciate your article, thank you for all the points you worked so hard to write.

**Mark** (2022-12-27 02:44)

> "But website URLs are very much sensitive data. Threat actors would love to know what you have access to. Then they could produce well-targeted phishing emails just for the people who are worth their effort."

Just to harp on that a bit more, merely knowing where users have registered accounts can be used for blackmail (such as the fallout from the Ashley Madison breach years ago), discrimination (are you a member of the 'wrong' special interest group's forum?), or governmental persecution (China and North Korea, among others, come to mind). The fact that LastPass considers that non-sensitive information really does set the stage for understanding their philosophy here.

**Sean** (2022-12-27 01:13)

Thank you for this great summary. I got very similar "vibes" from it but this breaks it down in a very succinct and clear way. I've had a LastPass account for a long time and was very surprised to see that my account was still at 5,000 iterations; I am someone who absolutely would have changed this if warned and was able to find it and change it once I was aware of it. I also thought based on their defaults that 100,100 was sufficient; thank you for alerting me to that being wrong as well. It's unfortunate because it's such a hassle, but I've got to move myself and my family off of LastPass ASAP.

**Keith** (2022-12-27 09:54)

Thank you for this timely information. I have been a LastPass user for a very long time and I was concerned by the breach. When I got the second notification I reviewed my settings. My account was set to 100,100 iterations and I have 2-factor turned on. I first heard about LastPass from the podcast Security Now and decided to use it per the hosts' vetting of it in the early days. I also knew to reset iterations from 5,000 to 100,100 and enable 2FA on the recommendation of Steve Gibson, one of the podcast hosts. It is a daunting task to move because of the number of passwords stored and that most of them are long generated passwords I can't possibly remember. I always set my master password to 12+ characters of all types but in a way I can remember it. My main concern about moving to a new password manager is I don't want to migrate to a worse one.

**Simon** (2022-12-27 15:16)

Moving away from LastPass shouldn't be too hard: most competitors will have a migration tool of some sort. But if you consider your credentials compromised, then that's where the real hassle starts: for some services, changing the password is easy (I think LastPass even had (has?) a tool for that), but for some it's manual and tedious...

Thanks for a great breakdown of the weasel words! I almost got got by the "it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices" but thanks to you I now know it's not that simple! FFS, they had one job....

**Kumaravel** (2022-12-27 12:45)

Thank you for breaking down the press release.

**Akos** (2022-12-27 15:43)

If they only store password hashes, they have no way to know either the number of iterations used for generation or the length of your password. So they can't really warn you about these. They could force you to rotate though. The rest of the article is valid and solid, thanks.

**Wladimir Palant** (2022-12-27 16:15)

They store the number of iterations in their database, there is even a public API call anyone could use to check the iterations count for any account if they know the email address. So LastPass could easily send an email to anyone who has 5,000 iterations configured.

As to password complexity: presumably (hopefully) they don't store that. This is something that is normally checked when users log in. That's the point where the password is known, and their app could warn the user. Which they really should have implemented at least four years ago.

**Jojomonkey** (2022-12-27 16:12)

Thanks. What's your best recommendation on where LP customers should consider migrating to? Thanks again!

**Wladimir Palant** (2022-12-27 16:17)

I am really the wrong person to ask for recommendations. I wrote my own password manager because I was unhappy with the available options. So far the only solution that I looked into and could actually recommend was 1Password. However, a security researcher I very much respect is highly dissatisfied with their vulnerability handling.

**Eetu** (2022-12-27 17:13)

I was wondering if you have any opinions about the super-admin user capabilities and password recovery... Because the LastPass website says a super-admin can reset user master passwords without losing data... https://support.lastpass.com/help/what-is-the-encryption-process-when-a-super-admin-resets-a-master-password

Not to mention the master passwords can apparently be recovered using SMS... (so is it possible to decrypt the vault data anyway?) https://blog.lastpass.com/2022/03/forgot-your-password-your-guide-to-lastpass-account-recovery/

It also says an admin can view master passwords. But I think it is a mistake in their article... https://support.lastpass.com/help/enterprise-admin-management-of-master-passwords-lp010025

**Wladimir Palant** (2022-12-27 17:54)

I've never looked into LastPass' business offerings, so I don't know any technical details. From the documentation however, the implementation of super-admin capabilities makes sense. The consequence of course is: a company administrator can always access the passwords for all users. This isn't really unusual in a corporate environment.

For this breach, this makes super-admins high-value targets however. If someone can decrypt a super-admin's vault, they will be able to get the admin's private key. With that they can retrieve the encryption key for each user and no longer need to brute-force. And the attackers should see from the data both who is a super-admin and how many users they will get by decrypting their data - neither information can be encrypted. Great for prioritizing attacks.

This SMS recovery isn't quite as bad as you think. It works via the Recovery OTP that is stored in your LastPass browser extension. I wrote about it here: https://palant.info/2018/07/09/is-your-lastpass-data-really-safe-in-the-encrypted-online-vault/#a-few-words-on-backdoors. I mentioned email as an additional verification step they require, but apparently SMS will work as well.

No, admins cannot view master passwords, that's not what the article you link to says. They can see when the master password was last changed, and they can force a user to change their password. They still won't know what that password is.

**Mogreen** (2022-12-27 18:10)

Thanks for working through the PR fluff and breaking it all down. As an LP customer, hoping you can help with some questions:

1. My master password is 17 characters - should I be worried at this time? Assume I am not a high-value target, just a regular person.
2. Now that the horse has left the barn, besides changing all of my passwords (big pain) and leaving LP, is there anything else to be done?

**Wladimir Palant** (2022-12-27 18:41)

In https://palant.info/2022/12/23/lastpass-has-been-breached-what-now/ I wrote: "If you are a regular 'nobody': access to your accounts is probably not worth the effort." I already have to correct this slightly however: check your iterations count. If it's set to 5000, the effort of decrypting your data is much lower and you might get targeted after all. Note that a long password isn't always a safe password, particularly if it is made up of dictionary words or something similarly predictable.

Also, the more time passes, the more likely it is even for those "unattractive" vaults to be decrypted. You should keep that in mind and at some point change the password at least for the valuable accounts (online banking, shopping websites). For most people there is no urgency, it's just better to be safe than sorry.

The only other precaution I can think of is: expect phishing emails. They now know where you have your accounts. They might attempt to trick you into giving away your LastPass password, and they might do the same with the other services you use.

**Chris** (2022-12-27 20:16)

I logged in and my account was set to 500 iterations, which likely means I have been using LastPass for a very very long time.

**Wladimir Palant** (2022-12-27 20:21)

Oh... My... God... I am speechless...

**Scott** (2022-12-27 20:42)

Thanks very much. The delta between what LP said and your explanation is, as a customer, very scary. LP should have said that we will obfuscate the situation to the highest degree possible. Thanks again. On the semi-plus side, my iterations were set to 100,100.

**particles** (2022-12-27 20:50)

I shared this on Mastodon but I checked my mom's account and her account reported having the iteration count set to 1. Bug or not, I think this is pretty unacceptable. We spent most of Christmas changing her passwords.

**Wladimir Palant** (2022-12-27 21:47)

Yes, 1 iteration was reportedly LastPass' default before they increased it to 500, which was the default before they increased it to 5,000, which was the default before they increased it to 100,100. I was wondering whether there are any accounts around that still use that value. Thank you for confirming...

**Chris** (2022-12-27 21:40)

Thank you for this! Given that LP is now a no-go and you mentioned that a security researcher you trust doesn't recommend 1Password either, do you have any article recommendations for a comparison infosec-wise for the remaining password manager options?

**Wladimir Palant** (2022-12-27 21:58)

I don't.