Image source: Pixabay, https://pixabay.com/images/id-2170630/
What a shitshow…
We’re used to information being released only dropwise when it comes to infosec glitches.
But I must admit I had other expectations of a firm specializing in one of the core security areas: password, authentication and identity management.
One would assume that these guys would live up to higher standards, first of all with regard to protecting sensitive customer data, and then in handling „anomalies“ like getting hacked and putting out important information in a timely fashion.
Well, LastPass had other ideas.
They had been hacked in August, as we learned from an advisory published on August 25, 2022 by Karim Toubba (LastPass CEO). In that advisory we could read that an unauthorized party had stolen "portions of source code and some proprietary LastPass technical information."
Source: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
So far, judging by what LastPass had published about the incident, it did not seem as dramatic as one might have feared.
But they also wrote that they would publish updates if further findings came to light.
In this first blog post we could read all the things one would like to hear to calm the loud alarms ringing in the heads of many LastPass users.
Here is the closing "FAQ" section of the August 25 blog post:
[...]
FAQs
- Has my Master password or the Master Password of my users been compromised?
No. This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password. You can read about the technical implementation of Zero Knowledge here.
- Has any data within my vault or my users’ vaults been compromised?
No. This incident occurred in our development environment. Our investigation has shown no evidence of any unauthorized access to encrypted vault data. Our zero knowledge model ensures that only the customer has access to decrypt vault data.
- Has any of my personal information or the personal information of my users been compromised?
No. Our investigation has shown no evidence of any unauthorized access to customer data in our production environment.
- What should I do to protect myself and my vault data?
At this time, we don’t recommend any action on behalf of our users or administrators. As always, we recommend that you follow our best practices around setup and configuration of LastPass which can be found here.
- How can I get more information?
We will continue to update our customers with the transparency they deserve.
[...]
While the following blog post, dated September 15, 2022, still kept this calming tone, on November 30, 2022 things didn't read so reassuring anymore.
[...]
We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.
We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.
[...]
This was very serious! Threat actors had access to customer information, and, what most LastPass customers didn't know, the data records in the LastPass "vault" weren't completely encrypted! The sites, notes and so on were not encrypted! So the threat actor could read and analyse just about all the sites and services for which customers had stored their authentication data in their LastPass vaults.
Identifying the potentially most interesting and most valuable targets for spear phishing attacks or brute-force password cracking is a piece of cake with this information. That said, password cracking within realistic timeframes (hours, weeks, months, or even a few or many years) requires specialized equipment (mostly GPU-based hardware arranged in clusters) and time.
Passwords aren't all equal: the longer and more complex, the harder to crack, up to a point where it is mathematical and statistical nonsense to even try to brute-force your way into a password-encrypted vault because it would take hundreds or thousands of years. But with specialized password cracking environments, from single rigs equipped with multiple GPUs, to clusters of such rigs, to whole farms of many such machines, one can dramatically lower the estimated time needed to bust an encrypted password.
The shorter and less complex the password, the easier it is to blow the encryption protecting your passwords to smithereens. Password brute-force tools also use password dictionaries with "battle hardened" contents. The good old "passw0rd" and all the other heavily and negligently used, easy-to-guess passwords are human readable in minutes, sometimes just seconds, even if only a plain CPU is used to test a few hundred or a couple of thousand "well knowns" against such a weak password.
Give it a try and test some of your passwords with one of the "crack time estimators" you can find on the web. Remember that the complexity of a password is defined by its length and its use of upper- and lower-case characters as well as special characters and symbols.
Here are a few to play with:
https://www.security.org/how-secure-is-my-password/
https://bitwarden.com/password-strength/
https://random-ize.com/how-long-to-hack-pass/
But remember, these are just educated guesses based on security research, and they rely on average assumptions about the cracking tools. The bigger and more professional the threat actors, the more likely they can slash the time needed for a given password.
But it has become almost a „best practice“ to say only the absolute minimum. In many cases before this breach, either information leaked by the bad actors responsible for a hack, or security research, forced attacked companies or institutions to widen their initially narrow stated scope of impact. The narrow scope is, of course, always chosen with the intention of lessening the negative impact on the company: loss of reputation and what follows from it, like loss of customers and monetary losses, be it liabilities, „bank runs“/„exchange runs“, or bad sales and so on.
LastPass either acted the same way, or they really didn’t know at first that the attacker had access to the customer vaults.
I’m with Udi Wertheimer regarding the consequences and mitigation strategies for those affected by one of the possibly most impactful hacks of 2022! 👇
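As an added example (not code from this post or from LastPass), here is a small Python estimator for the crack-time arithmetic described above: search space from length and character classes, a wordlist check for "well knowns" like "passw0rd", and a guess rate per assumed attacker capability. The guess rates and the wordlist are constructed assumptions, not measurements, which is exactly why such estimates are only educated guesses.

```python
# Character classes whose use widens the search space (length x variety,
# as the post describes). Sizes are derived from the alphabets below.
CHAR_CLASSES = [
    "abcdefghijklmnopqrstuvwxyz",
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "0123456789",
    "!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~ ",
]

# Constructed stand-in for a real cracking wordlist (assumption).
COMMON_PASSWORDS = {"password", "passw0rd", "123456", "qwerty", "letmein", "lastpass"}

# Assumed guess rates in guesses/second: constructed round numbers, not
# measurements, standing in for the "averages" a crack-time estimator uses.
GUESS_RATES = {"single CPU": 1e5, "multi-GPU rig": 1e9, "GPU cluster": 1e11}


def charset_size(password: str) -> int:
    """Sum the sizes of every character class the password draws from."""
    size = sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))
    known = "".join(CHAR_CLASSES)
    # Characters outside the classes above each count once (conservative).
    return size + len({c for c in password if c not in known})


def crack_time_seconds(password: str, guesses_per_second: float) -> float:
    """Expected seconds to hit the password: half the search space on average,
    or just the dictionary if it is one of the "well knowns"."""
    if password.lower() in COMMON_PASSWORDS:
        return len(COMMON_PASSWORDS) / guesses_per_second
    space = charset_size(password) ** len(password)
    return space / 2 / guesses_per_second


def human_time(seconds: float) -> str:
    """Render seconds in the largest sensible unit."""
    for name, span in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {name}"
    return "under a second"


def estimate(password: str) -> dict:
    """Crack-time estimate per assumed attacker capability."""
    return {rig: human_time(crack_time_seconds(password, rate))
            for rig, rate in GUESS_RATES.items()}

if __name__ == "__main__":
    for pw in ("passw0rd", "Tr0ub4dor", "Correct-Horse-9X"):
        print(pw, estimate(pw))
```

Changing a single number in GUESS_RATES moves a nine-character mixed password from months to hours, which is the point the post makes about better-equipped threat actors.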
https://twitter.com/udiWertheimer/status/1606501962526097408?s=20
Let me know what you think about the whole affair in the comments!
Cheers and stay frosty!