It seems since March 2023, the LastPass hack of 2022 has become real for some people. Brian Krebs reports that some LastPass vaults appear to have been cracked open and Cryptoassets lifted from victims. The common thread between victims being that they are long-time users of LastPass and they appear to have stored their seed phrases for their Cryptowallets in LastPass.
Of course LastPass was hacked left and right in 2022 and it seems ALL existing vaults (at least) were lifted by the attackers.
Given LastPass’s reticence to force the encryption iterations from 1, 500 or something equally weak for early adopters, these users were storing their secrets with little protection unless they did something about it. In 2018, LastPass was forcing 100’100 iterations on new users but, again, “old” users were still stuck on tiny iterations.
That left those people exposed and if they did nothing, their vault when stolen was badly protected.
Think Like The Attacker
The person or team who stole the vaults have access to certain information that will certainly help them to prioritise compute time against reward:
- Email address. The email for LastPass would give a clue about the owner and help prioritise the compute allocation to crack a vault
- Iterations. You have to assume that iterations are metadata because the application layer to open the vault has to know how many iterations are required to open the vault
An Nvidia 3090 can do roughly 4 million [password guesses] per second with 1000 iterations
This is simply a time bomb at such low iterations. It is purely a question of compute time ($$$) per vault to get to a point where the contents are decrypted.
Note: MFA is of no help nor protection here since an MFA code would only be used at the application layer when a user is unlocking the vault in an application or in a web context…..otherwise, it’s zero protection. Ouch!
Money Money Money
The assumption is that the attacker(s) looked at the vaults and metadata, possibly cross-referenced email addresses and iterations to reduce the vaults that they saw value in – and then attacked in that priority.
It makes sense; there is an expense in cracking vaults and aiming the compute power at the vaults that might result in monetary gain is the obvious approach. For example, finding a LastPass vault with an email of a Cryptocurrency trading firm with a handful of iterations is always likely to lead to a financial gain.
That initial investment with a million buck return makes the next wallets “cheap” by comparison. Given the fact that the transactions out of wallets into the [trackable] attacker wallet(s) amounts to around $35 million, it seems the criminals managed to roll the snowball.
LastPass Users – worried?
The typical LastPass user does not need to worry so much as long as they do the following:
- Move from LastPass (obvious)
- Change passwords where monetary loss may occur
- Change passwords on email platforms (and enable MFA)
The cracking of these vaults seems very focused which is clear given the compute costs that are necessary to decrypt vaults, especially those with more iterations.
If you are a LastPass user with seed phrases, passwords to Cryptovaults or something similar, change your passwords and move your assets to a new wallet.
Was this the goal of the LastPass hack?
Yes. The targeting of a LastPass dev, at a personal level, via a Plex flaw suggests some reconnaissance (LinkedIn?) and an idea that the fruits of an attack would be rewarding. It seems the attack, long-term, is rewarding and those with large funds in Cryptowallets should be cautious.