The LastPass Breach and What It Means for You.

I've been waiting for a while to see if LastPass released any additional information around this breach, but they've been disappointingly quiet. I've had many questions around this topic and thought I'd write this article now, as there are a lot of panic and "sky is falling" posts out there, and I wanted to give people some advice based on their actual risk exposure.

Password managers have been a highly recommended part of a cyber-security plan for many years. Sites and services get breached every day, and password managers are the best way to ensure that all your passwords are unique across sites, so that when a site or service does get breached, the password you used on that site will not unlock access to any other site. There are other ways to do it, but the fact is that a good password manager that syncs across the devices you use is really the best and most convenient way to ensure password uniqueness.

This does put a lot of trust in the password manager you use. LastPass is the most well-known of all the password managers out there and has been around for many years. Unfortunately, LastPass suffered multiple security breaches in 2022: the first was relatively minor, but the second was much worse. I'm going to explain what happened to LastPass and what you need to do or be concerned about if you are, or have ever been, a LastPass user. I will go into some fairly deep technical detail for those interested; skip anything you don't want or need to understand, but please do take note of the important bits around what you need to do to ensure you are as safe and protected as possible.

So what happened at LastPass?

LastPass alerted customers in August 2022 that an unauthorised party had gained access to "portions" of the LastPass development environment via a compromised developer account. We were assured that it was contained and that no customer data had been accessed, nor anyone's password vaults.

In November 2022, LastPass again notified customers that an unauthorised party had gained access to a "third party cloud storage device", compromising "certain elements" of its customer information. This new breach was enabled by the information gathered in the first breach. We don't yet have exact details of how they got in (the way LastPass have handled this incident has been less than transparent and very disappointing), but on 22nd December 2022, LastPass admitted that the unauthorised party had managed to gain access to the backup storage where they kept the encrypted backups of their users' password vaults.

So they’re encrypted? Aren’t we safe?

As mentioned earlier, the honesty and transparency shown by LastPass relating to this incident has been poor and disappointing. This has led to a lot of guesswork and conjecture around the exact risk to customers and what they need to do to ensure they are safe. Much of the detail in the following paragraphs is based on what researchers and other interested parties have managed to unearth or discover. We need to assume the worst-case scenario here and take adequate precautions, but temper that with an understanding of the real risk to you and your credentials stored in LastPass, and not make knee-jerk, reactionary changes that don't actually add any value.

The backup data the bad guys obtained was not encrypted at the storage level (or if it was, it was decrypted), and they likely have access to all users' password vault files. These individual vault files are likely in the clear, but certain fields in them are encrypted. This is the way LastPass stores your password vault and always has. Some fields are clear, unencrypted text, and other fields are encrypted using a standard symmetric encryption algorithm with a key generated by a method known as Password-Based Key Derivation Function 2 (PBKDF2). This is a piece of code that generates an encryption key from your Master Password (along with some other data), and that key is used to encrypt the data in the encrypted fields. The process is reversed to decrypt the data once the correct password has been supplied.

Now that the bad guys have this file, they can run programs or scripts that perform "Brute Force Attacks", which basically try every possible combination of characters, starting from 0 all the way to ZZZZZZZZZZZZZZZZ (a 16-character example) and including capital and small letters, special characters, etc., against these files for years to come until they eventually guess the password correctly. (It's a little more intelligent than this, but this is the basic principle.) This is why long passwords are so important and add more security value than complexity: every additional character multiplies the number of combinations, so the effort required to brute force the password grows exponentially with its length.

Some solace can be gained from the fact that PBKDF2 is specifically designed to be brute force resistant. The function uses multiple iterations to derive the key, not just one. When you enter your password, the function runs its process on your password and a value comes out. This value is then fed back in as the input for the next round, and the process runs again, and again, and again. This is done to ensure that any brute forcing effort has to run through this computationally expensive process (it uses a lot of CPU power) for each guess. The number of iterations is generally increased by services using PBKDF2 over time as computing power increases. When PBKDF2 first came out in the year 2000, the recommended number of iterations was 1 000. In 2021, the recommended standard iteration count is 310 000 according to the Open Web Application Security Project (OWASP).

LastPass currently use a standard iteration count of 100 100. This is well below the recommended standard, but is still very strong, even in 2023. Unfortunately, this is where LastPass dropped the ball. If you created a new account recently, you would be using 100 100 PBKDF2 iterations. If you have been using LastPass for many years, your iteration count is very likely still 5 000, which was their older standard (prior to 2018). They did not upgrade everyone to 100 100, likely due to support or user-journey / impact considerations. This means that those with older vaults who did not manually raise their iteration count to 100 100 (or more) are far more vulnerable to a brute force attack. You can log into LastPass and check the Account Settings, General, Password Iterations setting to see if this is the case for you.
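To make the iteration-count and password-length arguments above concrete, here is an added example (not code from the article, and not LastPass's own implementation). It models the vault key as PBKDF2-HMAC-SHA256 over the master password, salted with the account e-mail and producing a 32-byte key; that shape, the attacker guess rate, the example passwords and the e-mail addresses are all assumptions for illustration. The point it shows is the one the article makes: PBKDF2 cost is linear in the iteration count (5 000 to 100 100 is roughly 20x), while each extra password character multiplies the search space by the alphabet size.

```python
# Added example: cost model for an offline attack on a stolen vault.
# Assumptions (not from the article): PBKDF2-HMAC-SHA256, e-mail as salt,
# 32-byte key, and an illustrative attacker rate at one iteration.
import hashlib
import time

KEY_LEN = 32                           # assumed 256-bit symmetric key
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into a symmetric key.

    Same password + same salt + same iteration count always yields the same
    key, which is exactly why a stolen vault can be attacked offline: every
    guess is just another run of this function, checked against the vault.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),  # e-mail used as the salt (assumption)
        iterations,
        dklen=KEY_LEN,
    )


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover for passwords of this length."""
    return alphabet_size ** length


def cost_ratio(new_iterations: int, old_iterations: int) -> float:
    """PBKDF2 work is linear in the iteration count: 5 000 -> 100 100 makes
    each attacker guess ~20x more expensive; 5 000 -> 310 000 is ~62x."""
    return new_iterations / old_iterations


def expected_years(candidates: int, iterations: int,
                   guesses_per_second_at_one_iteration: float) -> float:
    """Average time to find the password by exhaustive search.

    On average the right password turns up after half the candidates. The
    attacker's rate is given at one PBKDF2 iteration and divided by the real
    count, so raising iterations and lengthening the password both scale it.
    """
    rate = guesses_per_second_at_one_iteration / iterations
    return (candidates / 2) / rate / SECONDS_PER_YEAR


def measure_seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Illustrative CPU timing on this machine (GPU rigs are far faster)."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", "probe@example.com", iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    ALPHABET = 95            # printable ASCII
    ATTACKER_RATE = 1e10     # assumed guesses/s at 1 iteration; adjust to taste
    for iters in (5_000, 100_100, 310_000):
        ms = measure_seconds_per_guess(iters) * 1000
        print(f"{iters:>8} iterations: one CPU guess takes {ms:.1f} ms")
        for length in (8, 12, 16):
            years = expected_years(keyspace(ALPHABET, length), iters, ATTACKER_RATE)
            print(f"    {length}-char master password: ~{years:.3g} years on average")
    # Two vaults differing only in iteration count: both keys are valid, but
    # the second costs ~20x more per guess to recover.
    k_old = derive_vault_key("correct horse battery staple", "user@example.com", 5_000)
    k_new = derive_vault_key("correct horse battery staple", "user@example.com", 100_100)
    print("keys differ:", k_old != k_new, "| cost ratio:", cost_ratio(100_100, 5_000))
```

The absolute years printed depend entirely on the assumed attacker rate, so treat them as relative numbers: what holds regardless of hardware is that a vault at 5 000 iterations falls about 20 times sooner than the same vault at 100 100, and that each extra character in the master password buys more than any iteration bump the user can set.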


I’m not worried, I had Multi-Factor Authentication enabled for LastPass so I’m safe.

Excellent! Multi-Factor authentication is critical for security and you absolutely should have it enabled everywhere. Sadly, MFA does not save us in this case. The MFA function is only used when logging into LastPass and accessing your vault through the LastPass frontend. MFA is not used as part of the PBKDF2 and does not help us in this case as they can still brute force the encrypted data fields.

Thankfully I stopped using LastPass long ago and moved to another password manager.

Unless you actually deleted your LastPass account completely, you are likely still vulnerable, as your old LastPass vault has still been sitting there even though you haven't been using it. LastPass have also not been very forthcoming with information around which backups were accessed and how old they were. This means that if they have a 10-year backup retention policy, your vault could still be there and have been stolen even though you deleted your account 9 years ago. We don't have enough information, so if you've ever had a LastPass account, assume they have it and can start trying to crack it, even if you deleted the account completely.

What about Dictionary Attacks?

A Dictionary Attack is usually done before or as part of a brute force attack, as it is MUCH faster. In a Dictionary Attack, the attacker uses a list of passwords (a dictionary) and tries all of those rather than brute forcing from 0 to ZZZZZ….. These dictionaries are huge lists of passwords that have been obtained through other breaches. If you used the same password as your LastPass password at CyrilsUsediPads.co.za and they got breached and their password database was stolen, those passwords would be added to a list (often also tied to your email address), which means the bad guys have a much smaller list of things to try. This is why password uniqueness is so important and why password managers (despite this annoying failure) are part of a good security plan.

Which fields were encrypted and which were in the clear?

Again, LastPass have been irritatingly silent on many of these questions, but we do know that the following fields in your LastPass vault are encrypted:

  • Username
  • Password
  • Notes

What additional risk do any unencrypted fields expose me to?

The most concerning unencrypted field is the URL field. This allows the attacker to look into your vault and see the URLs for all the passwords you have. This lets them know that you have an account at Pick n Pay or ABSA or whatever, and they can use this information to launch very targeted phishing campaigns to try to trick you into giving them your password, even if they never crack it. This is scary when combined with new-generation phishing attacks and services like EvilProxy. Be very, VERY suspicious of any emails, SMSs, phone calls, etc. from anyone claiming to be from any service you use, especially if it is a financial service.

My LastPass Master Password wasn't great, but I've changed it now and I've updated my Password Iteration count to a million.

Unfortunately, it's too late. The backup files that were stolen were encrypted with your old password. It's good that you've strengthened it now, but it's not going to save you from this breach.

So what should I do?

You need to assess your personal risk and take precautions in line with that risk. Here are some recommendations based upon the points I’ve mentioned above:

  1. If your LastPass Master Password was weak (less than 10 characters) or not unique (used anywhere else), you need to change your critical passwords immediately. This includes your work passwords, banking passwords, email passwords, social media, etc. You should also change your passwords on any ecommerce sites where your credit card details have been saved. Other passwords used for less risky stuff, like logins to news sites or anything that doesn't pose a serious risk if someone else were to access it, can be left alone or changed later.
  2. If you've moved off LastPass, but your Master Password was a 2011-era 8-character dog's name, you should assume the passwords stored in that vault are compromised. Any critical sites whose passwords you haven't changed since you moved off LastPass should be changed immediately.
  3. If you are / were a LastPass user with a strong and unique Master Password, you're probably ok. I would still change banking and email account passwords out of an abundance of caution, but cracking an encryption key protected by a long, strong and unique password with 100 100 PBKDF2 iterations is pretty unlikely and will likely take many years of constant effort. Obviously, this is based on the computing power we have today. As processing gets faster and faster, this gets easier to crack, but realistically, we're a good few years away from having to worry. If your Password Iterations setting was 5 000, I would be more urgent about changing my critical passwords, as brute forcing is much easier.
  4. Be very vigilant and aware of targeted phishing attacks. This is by far the easiest attack vector bad guys could use with this information, so please be extremely alert.
  5. Enable MFA everywhere! Ensure that all critical sites and services (all the ones mentioned in point 1) have MFA enabled. This will protect you even if the password is compromised.

So are Password Managers still the way to go?

Absolutely. Despite this unfortunate incident, Password Managers are still the best way to ensure uniqueness, length and complexity across all the sets of credentials you have. Also, remember that MFA is absolutely critical to ensuring you have an additional layer of protection on all your important accounts. Using a password manager and MFA is still the recommended best practice for normal people trying to be safer in this crazy online world full of bad guys trying to steal your stuff.

Footnote:

This is a high-level summation, and there are many other technical details I did not go through, like the ECB vs CBC encryption, etc., which are also concerning, but this is above what most people care about, hence me leaving it out. I've tried to make this understandable for those not familiar with encryption, hashing, PBKDF2, etc. Please let me know if there is anything that isn't clear or needs simplification.

I really hope LastPass open up and give us the facts about exactly what was taken, the age of the backups, how they were protected etc. Until they do this, we need to assume the worst. They lost me as a customer a few years ago because Bitwarden was open source and had all the features I needed in the free offering, but the way this has been handled has made me recommend everyone get off their platform ASAP.

Comments

This is a great summary and excellent advice Duncan Rae. I actually forgot that I used to use LastPass years ago so this was really useful to help me re-secure everything.

Carey Knighton-Fitt, Regional (Coastal) Manager and Technology Specialist at Argantic, 2 years

Very nice write up. Thanks Duncan

Nothemba Mfolozi, Senior Programme Manager / PMO Manager / Pr.PM, Scrum Master, PRINCE2 & MSP, 2 years

Thanks for sharing

Peter Soulsby, Cyber Guy | People Leader | Business Builder, 2 years

Thanks Duncan. Great article. Appreciate you taking the time to put it together.
