LastPass revealed in December 2022 and in August 2022 that they had been hacked. The two incidents are absolutely related as the criminals who lifted the LastPass customer vaults in December got the secrets they needed in August.
LastPass does claim that they have “zero knowledge” as to what is in the vault but this is not 100% true as not everything is actually encrypted – and perhaps most importantly, the encrypted content in the vault may well vary in how it has been encrypted.
LastPass Encryption: History
LastPass has shown a good understanding that passwords need to be protected properly and appear to have used Password Based Key Derivation Functions (PBKDF) when performing password hashing for a long time.
That amount of time is not exactly known, however, and there are strong indications that they did use Electronic Code Book ciphers (ECB) for quite some time in their product history – evidenced by reports by people examining their LastPass vaults that some password hashes were identical.
In June 2012, LastPass introduced “iterations” for their encryption in order to make the compute effort greater to try to reverse the hash, mainly as a reflection that GPUs were becoming available that could be leveraged to try to decode encrypted content.
In August 2012, the iteration count increased to 5000 and in February 2018, the iteration count jumped to 100’100. As compute power increased, the iteration count was raised to reflect this.
At the same time as the increase to 100’100 iterations, the master password for LastPass was increased in complexity to strongly suggest (I don’t think require) the 8 character minimum to suggest UPPER and lower cases as well as numbers.
It’s worth noting too that Multi-Factor Authentication (MFA) was available with LastPass accounts which secured the login using their code (and especially using just a browser, for example) but (BUT!) this does not increase the protection for the vault if accessed natively.
Possibly the biggest issue is that these changes are likely only to have been applied and iterations increased when a new password was saved into the vault, assuming the iteration count was increased for each and every user. Someone using LastPass since before 2012 who stored their passwords long ago and never changed them may have an iteration of 1 protecting those passwords….!
Those Vaults, They’re Gone
This is the bad news. It seems from what has been disclosed that all vaults of all current LastPass accounts have been acquired by the attackers.
All vaults. They gained access to the storage that was being used for backups. Hundreds, thousands, maybe even millions of accounts.
Someone, somewhere has access to every single LastPass customer vault that exists (and maybe even vaults of those who deleted their accounts, depending on the backup strategy LastPass employs).
What should LastPass users do?
LastPass users should do at least the following:
- Check their iteration count (Account Settings/General/Advanced Settings/Security/Password Iterations) and ensure they are set to at least 100’000. 500’000 might be a recommendation that is future-proof, even 1’000’000 or more – the only time you will notice any change is when unlocking the vault
- Change the LastPass vault password to something longer and more complicated
- Use MFA to prevent “simple” hacks from random people on the Internet
- Start changing passwords, prioritising high-value accounts first (email, social media, banking, etc)
This all will result in the passwords in LastPass being different to those in the stolen vaults (important!) and also make them more difficult to crack should LastPass be hacked again. Never say never…!
The option to move from LastPass to a competitor is there but steps must be followed anyway as this is the only way to remove the risk of compromise for the stored passwords. I moved some time ago from LastPass to Bitwarden and it’s easy to do.
What does this hack mean in the Real World?
Given some iteration counts are being reported to be still 1, the above steps become critical for anyone with this weak setting. The iteration count is not a secret and the people who have accessed the LastPass data will likely be prioritising accounts to hack in order of lowest iterations first.
Using stacked GPUs, the low iteration counts could take minutes or hours to brute-force – so the password entropy is going to be key. Weak passwords and low iterations mean that data cannot be considered to be protected.
Since there is some indication of indirectly identifying data (email, at least), a LastPass user who is a A- or B-list celebrity, a journalist, politician, sports person, well-known business person or similar – they need to follow the steps above and do it quickly.
This also applies for any corporate users of LastPass as it must be assumed that those accounts can be quickly and easily identified. Prioritise any assets that can be logged into from the Internet first!
Ladies and Gentlemen, this is the risk we run when putting all of our eggs in one basket. And from that basket being available everywhere. Perhaps we need to go back to this solution – as it’s only locally-exploitable?