[HN Gopher] Notice of Recent Security Incident [updated]
___________________________________________________________________
Notice of Recent Security Incident [updated]
Author : mikece
Score : 191 points
Date : 2022-12-22 19:07 UTC (3 hours ago)
(HTM) web link (blog.lastpass.com)
(TXT) w3m dump (blog.lastpass.com)
| SoftTalker wrote:
| I use PGP-encrypted files on my local computer.
|
| https://www.passwordstore.org/ actually.
|
| I don't trust any cloud-hosted password manager.
| drexlspivey wrote:
| What if you want to log in from your phone?
| SoftTalker wrote:
| I don't do that.
|
| I have a gmail account tied to my phone (Android) and I've
| logged into that once and it just stays logged in. I don't
| use that account for anything else.
|
| I don't really do anything else on my phone that requires a
| login.
| jozvolskyef wrote:
| That's the exact setup I use on my main phone. There's also
| https://github.com/android-password-store/Android-Password-S...,
| which I use on throwaway phones.
| dimgl wrote:
| > I don't do that.
|
| So your solution is unreasonable for 95% of consumers.
| Nice.
| _Algernon_ wrote:
| Considering they answered a question, and weren't trying
| to provide a solution to 100% of consumers, I don't see
| how it's a problem warranting your response.
| dspillett wrote:
| But likely 100% of the 1 user they were trying to
| support.
|
| And given the varied needs of people, a suggestion that
| is reasonable to 5% of them is not bad going. And even
| 0.001% of them is infinitely more than all the alternatives
| you've suggested in this thread thus far :-)
| larrybud wrote:
| I'm not sure if you're trolling or not, but let's play this
| out. You really don't use your phone for any of the
| following? (Web or app)
|
| Online banking
|
| Online shopping
|
| Social media
|
| Airlines, hotels, or other travel bookings
|
| Online news sources requiring accounts, e.g. Hacker News, NYT,
| etc.
|
| Medical / pharmacy
| SoftTalker wrote:
| Correct. I do all of those things, but on my computer.
| Aside from not really trusting my phone, I find having a
| full sized screen and a real keyboard makes things
| immensely easier.
|
| I use my phone mainly for text/SMS, and navigation/maps
| while driving, maybe watching YouTube if I need to kill
| some time. I don't really do social media at all.
| officeplant wrote:
| As someone who finally moved to a bank that actually has
| web access/phone app in 2020, it's perfectly possible to
| live without using your phone for anything on that list.
| Hell I didn't start using my phone for
| medical/banking/travel stuff until 2020 and onward.
|
| It's inconvenient, but possible. I'm in my 30s and I
| just largely avoided needing any of that because I live
| in a rural area and don't travel much. Of course I don't
| miss my old local bank at all.
| Strum355 wrote:
| There are android apps specifically for this that can fetch
| from a git repo and you can input your GPG password, with
| autofill and all
| leonsmith wrote:
| https://github.com/mssun/passforios which also uses the
| Safari password manager flow so it's pretty seamless
| CommitSyn wrote:
| Welp, looks like they were able to copy vaults to crack and,
| worse yet, they have the unencrypted URLs to choose what to
| target.
|
| > The threat actor was also able to copy a backup of customer
| vault data from the encrypted storage container which is stored
| in a proprietary binary format that contains both unencrypted
| data, such as website URLs, as well as fully-encrypted sensitive
| fields such as website usernames and passwords, secure notes, and
| form-filled data. These encrypted fields remain secured with
| 256-bit AES encryption and can only be decrypted with a unique
| encryption key derived from each user's master password using our
| Zero Knowledge architecture. As a reminder, the master password
| is never known to LastPass and is not stored or maintained by
| LastPass. The encryption and decryption of data is performed only
| on the local LastPass client. For more information about our Zero
| Knowledge architecture and encryption algorithms, please see
| here.
| tokenfg wrote:
| 'form-filled data' includes 'Payment cards' section I believe,
| which should then make securing your cards an even larger
| priority than having to change your passwords
| idatum wrote:
| LastPass is an enormous target, obviously. And, I guess, the
| inevitable has happened: Encrypted trove of passwords is "out
| there".
|
| Let's assume one's master password is strong. And that LastPass
| knows how to encrypt data. We're really down to whether 256-bit
| AES can be brute forced, right? And I guess understanding
| phishing attacks.
|
| I mean, yes, wouldn't it be great if LastPass took the measures
| with its development environment years ago? So put another way:
| Lack of operational excellence hopefully is made up for by strong
| encryption. I hope.
| WhatsName wrote:
| > contains both unencrypted data, such as website URLs,
|
| No I think this is the worst that could have happened short
| of losing the clear-text passwords. No one is going to stop
| the attackers from looking for high-value login URLs and then
| spear-phish the password for the offline vault.
|
| Forcing a password reset onto customers is not going to help
| LastPass here.
| rob74 wrote:
| Hm, with all that talk about "zero knowledge architecture", I
| thought your vault file would be encrypted "in one piece", not
| just the passwords. If they have the URLs in clear text, that's
| not really zero knowledge, now is it? And why do they need the
| URLs anyway, when I can share the passwords just fine from my
| local PC? Statistics?!
| hbn wrote:
| Why do people use password managers that store all the data on
| their own servers? Having a centralized database filled with full
| login information for hundreds of thousands of accounts across
| all your users (and accounts users clearly care about, mind you,
| otherwise they wouldn't go out of their way to use a password
| manager) makes for such an obvious jackpot attack vector that
| causes situations like this.
|
| I've used Enpass for years now which lets you sync your password
| database to DropBox, Google Drive, iCloud, etc. So I still have
| to protect whichever cloud storage account I'm syncing with, but
| at least it's not an obvious place to find passwords for
| thousands of users. And if someone did have access to my Google
| or Apple account, they could reset a lot of my logins anyway.
|
| And I know this isn't technically as safe as the self-hosted
| options, but it offers the same convenience as LastPass without
| the obvious painting-a-target-on-your-own-back by handing all
| your passwords over to The Passwords Store.
| camel_Snake wrote:
| Just chiming in to say I've been satisfied as an Enpass user as
| well. Felt like a good middle-ground to me and I bought the app
| before they restructured their pricing model so I was
| grandfathered in.
| rangersanger wrote:
| * * *
| d2049 wrote:
| Similar to "not your keys, not your crypto" is there not an
| analogy to be made for passwords? Genuinely interested in the
| reasoning of people who store their passwords in a cloud service
| they don't control.
| alanfranz wrote:
| It's your keys. The master password is yours only. Plaintext
| passwords don't exist in remote services; basically they're a
| specialized version of a storage system (Dropbox? Google Drive?
| S3?) optimized for password entry sharing between devices,
| versioning, etc.
| wmf wrote:
| This will keep going until there exists a cloud backend that
| you do control. People won't go back to non-cloud.
| jackson1442 wrote:
| @dang, could the title be updated to indicate that this is
| another update to the existing blog post? Currently reads like
| it's a new incident, not the Aug 2022 incident.
| iLoveOncall wrote:
| It absolutely is a new incident. LastPass is in PR damage
| control mode and trying to make it seem like accessing those
| backups was inevitable after their source code theft, but it's
| not the fucking case.
|
| This is yet another failure on LastPass' end. The only thing in
| common is the attacker, that's it.
| dang wrote:
| Sure, I've added "[updated]" above.
| ghostpepper wrote:
| They updated the fifth paragraph down to mention that encrypted
| passwords and unencrypted metadata have been stolen - in my mind
| that practically qualifies as a new incident
| heluser wrote:
| Not surprising to see another LastPass incident but I wonder why
| nowadays anyone would choose LastPass over 1password
| CookieCrisp wrote:
| I switched to 1password after this breach was first announced,
| but I find it a lot more annoying to use (and I found Bitwarden
| even worse). Granted, nowhere near as annoying as the breach.
| Lastpass got in my way a lot less frequently though.
| bryfb wrote:
| I certainly wouldn't choose LastPass over 1Password, but given
| 1Password is deprecating local storage I wouldn't recommend
| 1Password anymore either.
| heluser wrote:
| I used to have a local only manager but then, obviously,
| syncing becomes a problem. And then it becomes a choice
| between syncing an encrypted blob using your own solution
| (potentially not very secure) vs using a provider who still
| treats your data as an encrypted blob with no access to the
| data and tries to do it securely. I think the provider is
| still more secure (again assuming the 1password access model
| not talking about LastPass-like providers) plus much more
| convenient. So if not 1password what would be a
| recommendation assuming syncing is required?
| AdmiralAsshat wrote:
| Why in God's name would they store the URLs unencrypted? Even if
| they don't crack the account password, you've just given the
| attackers a lovely dossier of every place I've ever visited
| frequently enough to make an account. And this is _far worse_
| than simply doing reverse-lookups of my email address across site
| breaches, since I use multiple email addresses and alias-only
| logins.
|
| Nice. Fucking. Job.
| edsimpson wrote:
| Does anyone know if bitwarden encrypts the URL? A quick search
| of their docs didn't turn anything up.
| sliken wrote:
| Each unique Bitwarden account has an encryption key derived
| from your Master Password, according to the methods defined
| in Encryption. This encryption key is used to encrypt all
| Vault data.
|
| From: https://bitwarden.com/help/account-encryption-key/
|
| Seems crazy for anyone to keep using LastPass
| joenathanone wrote:
| Not to mention some of the saved URLs may include sensitive
| information in the URL query string, including things like
| email address, physical address, etc...
| meroje wrote:
| Presumably this would be to ease looking up individual items
| but 1password has been able to encrypt those since 2012. Nice
| indeed
| jasonhansel wrote:
| Also: thanks to "forgot my password" features, if someone gets
| your email password, they can now find and access all your
| (non-2FA-enabled) accounts.
| mjsweet wrote:
| I just went into my old lastpass account to try and wind down the
| account, delete everything, and then close the account.
|
| No option to "select all" in the list so I resorted to clicking
| the check box one by one down the page. I accidentally slightly
| clicked outside a check box... guess what? Everything gets
| deselected.
|
| Start over.
|
| Ok start again, maybe I want to list in alphabetical order rather
| than group by category to minimise mistakes. Whoops, selecting
| that option deselects everything in the list.
|
| 300 odd deleted in batches of 30-40.
|
| When a company's whole application is covered in anti-patterns
| and dark UX to make it as hard as possible to leave then
| companies like this deserve to die.
|
| Deleting the account is a bit tricky too.
|
| 1. Go into account settings in the top right drop down
| 2. In the Links area click on "My Account" which spawns a new browser
| window
| 3. Click the red "Delete or Reset Account", you can't miss all the
| red buttons
| 4. You can either reset your account or delete, choose delete
| 5. A modal will appear telling you stuff, enter your master pw, a
| reason why you're leaving and then click delete
| 6. You will be asked twice if you really really want to do this
| 7. Press ok
| drewnick wrote:
| I also did not have a "Select all" box but was able to check
| the first entry, scroll down, hold shift, and check the last
| box which then selected all items in between. So I removed all
| of 600 of my accounts in about 20 seconds. Hope this helps
| someone.
| phillipseamore wrote:
| Something like this might work, open DevTools and do:
|
| document.querySelectorAll('[type="checkbox"]').forEach(function(el) { el.checked = true; })
| robszumski wrote:
| It's become so clear that users of a SaaS deserve more control
| how their data is used and stored.
|
| You should absolutely be able to crypto-shred your data from
| such an important service. This experience sounds awful.
| flandish wrote:
| I had migrated away a year or so ago. Tried to log in to
| confirm, it did not work. Tried password reset. No reset
| email. So that's good... I guess.
|
| I remember deleting my acct. not sure if I manually deleted
| entries _before_ though.
|
| That said - if a data breach includes backup access... is
| your account ever really deleted?
| invalidator wrote:
| I did it in the web UI in a couple minutes with
| down-space-down-space-down-space....
|
| Also make sure to go to Advanced Options, View Deleted Items,
| and purge them from there.
| rob74 wrote:
| I don't think that's dark UX, it's just shitty UI design. What
| bugs me the most about LastPass is how it tries to be so damned
| _helpful_ and offers to fill in credentials on sites that they
| clearly don't belong to, or offers to save credentials on a
| site where I already clicked "don't save" 1000 times, no really,
| I _don't want to_ save my private passwords in my company
| vault thank you very much, why the f$%& don't you have a "don't
| bug me again" checkbox in this sh*$$y popup?!
| snailmailman wrote:
| Wow. This is basically the worst case scenario. Attackers got
| access to the vaults themselves? While they are encrypted, it all
| depends on how secure your master password is now. Because the
| brute-forcing has almost certainly already begun.
|
| I switched away from lastpass to Bitwarden a while ago, and have
| changed many of my passwords since then. But I'll probably rotate
| most of my passwords anyway, out of an abundance of caution.
| FatActor wrote:
| This is not the worst case scenario.
|
| This is literally the _best_ case hack scenario.
|
| Why? Because we already know that encrypting something using
| their strategy is essentially uncrackable.
|
| AES256 is quantum resistant.
|
| The worst case would be silent exfiltration from the LastPass
| application via malware to steal user master passwords.
|
| In the security game, the crypto is the strongest part, the
| crypto-system is the weakest part.
| lowapm wrote:
| I agree this isn't the worst-case as you mentioned above.
| However, it is far from the best case scenario which is
| closer to "only fake testing vault data was exposed".
|
| The vault leak is acceptable in terms of Lastpass's formal
| threat model but could still result in real user pain e.g.
| targeted spear phishing using plaintext fields like URLs, or
| compromise for users with weak passwords.
| CookieCrisp wrote:
| While I agree with your main point, I think confirmation that
| the URLs weren't encrypted and that they can all be tied to
| your Lastpass signup information is far from "best case"
| panarky wrote:
| Lastpass called storing URLs in plaintext their "Zero
| Knowledge Architecture".
|
| "Zero Knowledge" should join "Full Self Driving" in the
| malicious marketing hall of fame.
| Dykam wrote:
| Which is a shame, because zero-knowledge actually can
| mean something. But it's yet another term with actual
| value hijacked for marketing.
| FatActor wrote:
| I missed that part. What is the problem about URL exposure?
|
| EDIT: all three replies to this comment are about sex-shaming
| people via their email address, ip, home address. Hardly pearl
| clutching. Go to DefCon some day, you'll see how that information
| is basically for sale legally, let alone on the darkweb.
|
| I don't have a horse in this race because I use my own
| password storage software but the amount of FUD in this
| thread is cray cray.
| [deleted]
| sockaddr wrote:
| Probably that now it is known that people with a lastpass
| account of email address X also have an account at
| login.furriesindiapers.com or something really insane
| like dailywire.com
| phillipseamore wrote:
| Or worse... find everyone that has a
| "WePostDamningInformationAboutOurDictator.com/wp-admin"
| URL
| sockaddr wrote:
| Yeah, yikes.
| phillipseamore wrote:
| With a list of names, billing addresses, email addresses,
| telephone numbers, IP addresses (sounds like it's a list
| since the user first started to use LP) along with URLs
| having a 99.9% probability of the individual having an
| account at the URL... that can be pretty much
| catastrophic. Create a list of OnlyFans subscribers, or
| if there is a subdomain used for OF creators you can
| compile a list of them. Any service that uses unique
| subdomains (like the users username) means you can
| connect usernames with individuals and so on.
| g_p wrote:
| Since they're tied to people's account details, address
| and similar, I'd imagine quite aggressive blackmail
| opportunities going forward if the data gets to the hands
| of criminals.
|
| Think postal letter named and addressed, giving your
| email, and the adult (or other embarrassing) sites you
| were a member of listed on the letter, along with details
| of a bank account to make immediate payment to...
|
| Also, you may be able to identify people working for
| certain high profile orgs (defence contractors, etc) and
| target them further if you can glean from URLs they have
| access to internal systems by specific URL.
| poglet wrote:
| > that contains both unencrypted data, such as website
| URLs, as well as fully-encrypted sensitive fields such as
| website usernames and passwords, secure notes, and form-
| filled data.
| hunter2_ wrote:
| I wonder why URLs would be unencrypted given that all the
| other things are encrypted. I guess browser integration
| relies on it?
| micahcc wrote:
| right, they need to know whether to offer you a password
| or not regardless of whether you have re-locked
| phillipseamore wrote:
| That doesn't require it to be stored in the clear on the
| server. Extensions/apps could keep a domain list (don't
| see why they need full URLs) in memory after lock.
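The design question raised in the sub-thread above (why the URLs are stored in the clear, and whether a client could keep "do I have a login for this site?" working without that) has a standard answer: a keyed hash, or "blind index", of the site's host. The following is an added example, not LastPass's, Bitwarden's or any commenter's code. Every field, the URL included, is encrypted; the record a sync server holds carries only an HMAC of the host under a key derived from the master password, so the client can still find matching entries for the current page while the stored blob names no site. The PBKDF2 key split, the SHA-256 counter-mode "cipher", the `Vault` class and the sample logins are assumptions constructed for the example; a real implementation would use an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import json
import os
from typing import Optional
from urllib.parse import urlsplit


def derive_keys(master_password: str, salt: bytes, iterations: int = 100_100):
    """One PBKDF2 run, split in two: the first half encrypts fields, the second
    keys the blind index.  Both exist only on the client; the sync server never
    sees either.  (Slicing one output is a simplification of a labelled KDF.)"""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             iterations, 64)
    return km[:32], km[32:]


def site_host(url: str) -> str:
    """Autofill only needs the host, so the path and query string (which may
    carry e-mail addresses or tokens) never become part of the lookup key."""
    return (urlsplit(url).hostname or "").lower()


def blind_index(index_key: bytes, host: str) -> str:
    """Keyed hash of the host: equal hosts give equal values, so the client can
    test for a match, but without index_key the value reveals nothing."""
    return hmac.new(index_key, host.encode(), hashlib.sha256).hexdigest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode) so the example needs
    only the standard library; a real vault would use AES-GCM or similar."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: str) -> dict:
    nonce, data = os.urandom(16), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()  # encrypt-then-MAC
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}


def decrypt_field(key: bytes, field: dict) -> str:
    nonce, ct = bytes.fromhex(field["nonce"]), bytes.fromhex(field["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, field["tag"]):
        raise ValueError("wrong key or tampered field")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


class Vault:
    def __init__(self, master_password: str, salt: Optional[bytes] = None):
        self.salt = salt or os.urandom(16)
        self.field_key, self.index_key = derive_keys(master_password, self.salt)
        self.entries = []  # exactly the records a sync server would hold

    def add(self, url: str, username: str, password: str) -> None:
        self.entries.append({
            "host_index": blind_index(self.index_key, site_host(url)),
            "url": encrypt_field(self.field_key, url),
            "username": encrypt_field(self.field_key, username),
            "password": encrypt_field(self.field_key, password),
        })

    def lookup(self, current_url: str) -> list:
        """What a browser extension does on page load: compare keyed hashes and
        decrypt only the entries that match."""
        idx = blind_index(self.index_key, site_host(current_url))
        return [{k: decrypt_field(self.field_key, e[k])
                 for k in ("url", "username", "password")}
                for e in self.entries if e["host_index"] == idx]

    def stored_blob(self) -> bytes:
        """The serialized form as it would sit in a backup or on the server."""
        return json.dumps({"salt": self.salt.hex(),
                           "entries": self.entries}).encode()


def demo():
    """Constructed sample data: two logins belonging to one user."""
    v = Vault("correct horse battery staple")
    v.add("https://example.com/login?user=alice", "alice", "pw-1")
    v.add("https://bank.example.net/", "alice@example.com", "pw-2")
    return v.lookup("https://example.com/account"), v.stored_blob()
```

`demo()` returns the single matching entry for example.com together with a blob in which no host name, user name or query string appears. Two caveats worth knowing: within one user's vault, entries for the same host share an index value, so whoever holds the blob can count entries per (unknown) host; across users the per-account index key prevents correlation. And after lock, the client needs only the index key or the precomputed index values to keep offering autofill, which is the in-memory domain list the comment above describes, without the server ever storing a URL in the clear.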
| alexhjones wrote:
| I might be misunderstanding, but if the url was
| adobe.com, then it would be possible to find the
| corresponding password from that adobe breach for the
| same email address (not trivial, but if someone moves in
| the right circles I assume they could get a whole host of
| the big breaches in a searchable format).
|
| A subset of users might have reused the breached
| password(s) for their lastpass master password.
|
| Not sure if you could also feed the breached passwords
| into the brute force tool to give it a headstart, in case
| they did a slight variation on a breached password for
| the lastpass master password.
| randerson wrote:
| Any information that helps an attacker craft a more
| targeted attack is useful to the attacker. With URL
| exposure the attackers now have a comprehensive list of
| services that a person depends on and where further data
| about them is stored.
| bushbaba wrote:
| These services should automate the reset of your passwords each
| month. Would make such an attack less impactful
| haunter wrote:
| Theoretically this can happen to Bitwarden Web Vault too, right?
| Unless I self host it of course
| jupp0r wrote:
| What makes you think that it couldn't happen to your self
| hosted vault?
| sliken wrote:
| Sure, but it's 100% encrypted, not some silly case where things
| like URLs are in plaintext.
| blakesterz wrote:
| It's not clear to me, does this mean EVERYONE that uses LastPass
| got hit or some subset of users?
| dangero wrote:
| _To further increase the security of your master password,
| LastPass utilizes a stronger-than-typical implementation of
| 100,100 iterations of the Password-Based Key Derivation Function
| (PBKDF2), a password-strengthening algorithm that makes it
| difficult to guess your master password. You can check the
| current number of PBKDF2 iterations for your LastPass account
| here._
|
| I just checked my account and it says 5000 not 100,100 -- there's
| no way I would go in and change that setting, so this is pretty
| disingenuous. They must have changed defaults at some point
| tokenfg wrote:
| Mine was set to 5000 too, which is the old default. Does this
| make the vault data significantly more vulnerable?
| snailmailman wrote:
| From what I understand, yes. PBKDF2 is the algorithm that
| goes from password->key. This key is then used to encrypt the
| vault. Guessing the key itself is impossibly difficult.
| Attackers will instead try to guess the password, run their
| guess through several thousand rounds of PBKDF2, and attempt
| to use those keys to decrypt the vault.
|
| The algorithm is designed to be run in iterations to be
| tunable. More rounds take a lot longer. This makes for both
| a slower login, but also slower brute-force attempts for the
| attacker. The attacker can likely still generate guesses in
| parallel, but each individual password guess will take
| considerably longer against more iterations.
|
| Lastpass changed the old default for a good reason. I'm
| surprised they didn't update all accounts to at least the new
| default.
| snailmailman wrote:
| I do think the default a long time ago used to be very low. I
| know I went in at account creation and set it to something way
| higher than its default at the time.
|
| Looking now though, it says 100100 for me. But I also know I
| changed my master password at some point, so maybe I got reset
| to the current default.
| g_p wrote:
| According to [1], there were 5,000 client-side rounds of
| SHA256 in key derivation in June 2015.
|
| It does sound like a missed opportunity to have an at-login
| upgrade mechanism to upgrade KDF rounds that can be carried
| out seamlessly or near-seamlessly during the login process.
| Or at least actively nudging users to change password and
| thus raise their KDF rounds that way through the default.
|
| [1] https://blog.lastpass.com/2015/06/lastpass-security-notice/
| hunter2_ wrote:
| One would think that the UI where one routinely enters their
| master password could silently double as a _start using the
| new default_ UI, as the change-password UI seemingly does.
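snailmailman's description of PBKDF2 and the at-login upgrade that g_p and hunter2_ suggest, worked through in code. This is an added example, not LastPass's implementation: `pbkdf2_hmac_sha256` writes out the RFC 8018 iteration loop so the cost knob is visible (and is checked against `hashlib`), and `unlock` takes a vault header that records its own iteration count and, when that count is below the current target, re-wraps the unchanged random vault key under a freshly derived key. Unlock is the one moment this is possible, because it is the only time the client holds the master password. The header layout, the XOR-plus-HMAC key wrap and the function names are assumptions made for the example; the 5,000 and 100,100 counts are the two figures quoted in this thread.

```python
import hashlib
import hmac
import os
import struct
import time

OLD_DEFAULT = 5_000    # iteration count several commenters found on old accounts
NEW_DEFAULT = 100_100  # count quoted from the LastPass notice


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int,
                       dklen: int = 32) -> bytes:
    """PBKDF2 as in RFC 8018 section 5.2, written out so the loop is visible:
    T_i = U_1 xor ... xor U_c, U_1 = HMAC(P, S || INT(i)), U_j = HMAC(P, U_{j-1}).
    Every candidate password costs `iterations` HMACs per output block, which
    is the whole point of the parameter."""
    out, block = b"", 1
    while len(out) < dklen:
        u = hmac.new(password, salt + struct.pack(">I", block), hashlib.sha256).digest()
        acc = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            acc ^= int.from_bytes(u, "big")
        out += acc.to_bytes(32, "big")
        block += 1
    return out[:dklen]


def matches_stdlib(password: bytes, salt: bytes, iterations: int,
                   dklen: int = 32) -> bool:
    """Cross-check of the hand-written derivation against hashlib."""
    return pbkdf2_hmac_sha256(password, salt, iterations, dklen) == \
        hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def kek_for(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Key-encryption key derived from the master password (stdlib PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)


def wrap_key(kek: bytes, vault_key: bytes) -> dict:
    """Stand-in for a key wrap (AES-KW in practice): XOR of two 32-byte keys,
    authenticated with HMAC so a wrong master password is detected."""
    wrapped = bytes(a ^ b for a, b in zip(kek, vault_key))
    tag = hmac.new(kek, wrapped, hashlib.sha256).hexdigest()
    return {"wrapped": wrapped.hex(), "tag": tag}


def unwrap_key(kek: bytes, header: dict) -> bytes:
    wrapped = bytes.fromhex(header["wrapped"])
    expected = hmac.new(kek, wrapped, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, header["tag"]):
        raise ValueError("wrong master password or corrupted header")
    return bytes(a ^ b for a, b in zip(kek, wrapped))


def new_vault_header(master_password: str, iterations: int = NEW_DEFAULT) -> dict:
    """The vault's data key is random; the master password only wraps it.
    That indirection is what makes a later KDF upgrade cheap."""
    salt, vault_key = os.urandom(16), os.urandom(32)
    kek = kek_for(master_password, salt, iterations)
    return {"kdf": "pbkdf2-hmac-sha256", "iterations": iterations,
            "salt": salt.hex(), **wrap_key(kek, vault_key)}


def unlock(master_password: str, header: dict,
           target_iterations: int = NEW_DEFAULT) -> tuple:
    """Unlock at login and, if the stored count is below the current default,
    re-wrap the same data key under a fresh salt and the higher count.  No
    vault entry is touched, so the upgrade is invisible to the user."""
    kek = kek_for(master_password, bytes.fromhex(header["salt"]), header["iterations"])
    vault_key = unwrap_key(kek, header)  # raises on a wrong password
    if header["iterations"] < target_iterations:
        salt = os.urandom(16)
        kek = kek_for(master_password, salt, target_iterations)
        header = {"kdf": header["kdf"], "iterations": target_iterations,
                  "salt": salt.hex(), **wrap_key(kek, vault_key)}
    return vault_key, header


def demo() -> None:
    assert matches_stdlib(b"pw", b"salt", 1000, 64)
    # Per-derivation cost at each count, measured on this machine; the ratio is
    # what each offline guess costs relative to the old default.
    for n in (OLD_DEFAULT, NEW_DEFAULT):
        t0 = time.perf_counter()
        kek_for("candidate", b"\x00" * 16, n)
        print(f"{n:>7} iterations: {time.perf_counter() - t0:.4f} s per derivation")
    header = new_vault_header("correct horse battery staple", OLD_DEFAULT)
    key, header = unlock("correct horse battery staple", header)
    print("header now records", header["iterations"], "iterations; key unchanged:",
          unlock("correct horse battery staple", header)[0] == key)


if __name__ == "__main__":
    demo()
```

Running `demo()` prints the time per derivation at 5,000 and at 100,100 iterations on the local machine; that ratio is the factor by which every offline guess against a vault became more expensive when the default changed, and it applies only to accounts whose stored count was actually raised. Wrapping a random data key, rather than encrypting the vault contents directly under the password-derived key, is the design choice that lets the count be raised at login without re-encrypting a single entry.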
| shadowgovt wrote:
| I've done a lot of things wrong with OPSEC in my life...
|
| ... But I never trusted a third party to store all my passwords.
| sli wrote:
| My local, managed-by-me KeePass database has never had a security
| incident or even come close.
|
| That's all I'm gonna say about that.
| bagels wrote:
| Would you actually know?
| sodality2 wrote:
| By that logic you also wouldn't know if your keys/password
| database stored by Lastpass/others (in the browser extension
| or app) is stolen, it's all just local data.
| bagels wrote:
| Isn't that what this whole thread is about, it being
| discovered that LastPass had an actual breach?
| alanfranz wrote:
| Not yet.
|
| But there's actually a lot of surface attack area for those
| open source tools as well. If you're able to sneak into the
| supply chain and replace the _client_ with a modified,
| malicious version, you can make it send the master password AND
| the database to a remote server. No need to compromise the
| server. This is true for most commercial password managers as
| well: but I'd expect the security to be tighter there. No
| random maintainer should get access to the release page.
|
| My idea was like this:
| * Use KeepassX built from source
| * Use Dropbox to sync the kdb files (always encrypted)
| * Use a firewall to prevent any network connection to keepassx; this
| way even a compromised client cannot connect and send the data
| somewhere else.
| * When updating KeepassX, always build from an older git commit; I
| assumed that in ~15-20 days if there's a fuckup on git source, it
| will be announced.
|
| BUT: it was hard. Bitwarden just works better. I still build it
| from source on desktop computers, though, and take a look at
| the website before updating, just to stay sure. (And I think
| iOS app process will make it harder to submit malware there
| anyway).
| Scoundreller wrote:
| Lots of good suggestions here.
|
| > you can make it send the master password AND the database
| to a remote server.
|
| I wish it was easier to completely restrict an executable
| from ever touching the network. Like, point and click.
|
| Now, there's ways around that (open the browser and a long
| hyperlink of secrets), but yeesh, it should be easier to
| block the direct links.
| sn0w_crash wrote:
| Again?
| JackMorgan wrote:
| I switched to KeePassXC and syncthing and other than a little
| bump once when I accidentally caused a merge I've been really
| pleased with the setup.
| lbj wrote:
| Well.... Unencrypted access to all the sites each username/email
| has an account with could be very damaging for some individuals.
| snug wrote:
| I've tried a lot the password safes/vaults, and none of them work
| nearly as well as Chrome/Google's password manager
|
| You can even use it on iOS, and even use it by default. Even
| Apple's Keychain password manager works pretty well if you're all
| in on the Apple ecosystem. Only reason I see why you would not use
| it is if you're not using Chrome or Safari, which is most people.
|
| Yeah, yeah, google evil
| mook wrote:
| The risk there is more you accidentally make a bad comment on
| YouTube and Google bans your account, I think. I have no idea
| if I'd still be able to access my passwords if that happens. At
| least, personally I feel Google deciding to disallow me from
| logging in is more likely than Google losing my passwords.
| snug wrote:
| That is only a risk for syncing, you would still have
| your passwords locally saved
| jackson1442 wrote:
| Is there a local UI to view/export your passwords? The only
| one I'm aware of is https://passwords.google.com but it's
| been a long time since I've used a builtin browser password
| manager.
|
| Also, does Google (or other browser devs) release
| information on how they keep your passwords secure? Is it
| even E2EE?
| joshmn wrote:
| > Is there a local UI to view/export your passwords?
|
| chrome://settings/passwords
| post-it wrote:
| Are you sure? Chrome could very well lock you out.
| boxed wrote:
| Chrome's password manager used to be as safe as a text file on
| your desktop. Have they fixed it?
| officeplant wrote:
| If someone has access to my desktop I've already been
| compromised enough to not care.
| jamal-kumar wrote:
| I'm sorry but if you were using this why are your passwords in
| the cloud? Doesn't that whole concept set off like thousands of
| alarm bells in your mind about how it could go wrong?
|
| I know it's convenient or whatever, device synchronization or
| whatnot but compromising security for convenience is a thing I
| thought we might have been aware of avoiding at this point.
| alexhjones wrote:
| No need to brute force - if users re-used their master password,
| it will potentially cross-reference with the correct email and
| password combo from any number of previous data breaches and
| pwnage across the net.
| yasp wrote:
| Good news for people who followed best practices. "I don't have
| to outrun the bear; I just have to outrun you."
| AlexCoventry wrote:
| This bear has the ability to spin up an AWS cluster of bears,
| unfortunately.
| dijit wrote:
| AWS is probably the most expensive way to do this.
|
| Either rent some machines from an ex-crypto miner, since
| AES can be deciphered on GPUs or get some old extremely
| cheap boxes from the Hetzner auction.
| jacquesm wrote:
| There isn't just one bear.
| phillipseamore wrote:
| I'd like to point out to users who have 2FA on their LP access
| and think they are safer: that does not protect the vault in a
| compromise like this, it only enhances the security of delivering
| the vault. The attackers here already have the vaults. Vaults are
| only protected by password.
___________________________________________________________________
(page generated 2022-12-22 23:00 UTC)