Security Experts Call Out LastPass for Misleading Disclosure of Data Breach

Things started to go south for LastPass in August 2022 when it announced attackers accessed its servers and made off with technical data but no user files. It then reported a second breach in early December that leveraged the previously stolen information to exfiltrate user data. It framed these as separate incidents, but security researcher Wladimir Palant of AdBlock Pro fame isn’t pulling any punches in his analysis. He says talking about these breaches as separate attacks makes LastPass seem less culpable when in reality, this is one months-long attack that LastPass did not contain.

LastPass confirmed on Dec. 22 that the attackers had managed to copy the password vaults that contain all the sensitive information like passwords and secure notes. The takeaway if you only read LastPass’ blog post is that your data is still secure because of the company’s “Zero Knowledge” architecture: vault contents are encrypted with the master password, and since LastPass never holds your master password, hackers can’t recover it from the company’s servers. Sadly, the situation isn’t as simple as that.

Security professionals like SwiftOnSecurity, John Scott-Railton, and Jeremi Gosney are reminding everyone how a determined hacker could still gain access to your accounts. For one, LastPass doesn’t encrypt the entire file. It only encrypts passwords, leaving URLs and IP addresses exposed. The attackers could use this information to launch phishing campaigns to trick people into giving away their passwords. For all its flaws, LastPass is easy to use. So, a lot of people may have used it not only for personal accounts but corporate ones as well. That could mean a lot of headaches for IT pros in the coming months.

LastPass attackers now know all websites you have passwords stored for and the blobs, encrypted only by your master password https://t.co/Wdbt6mWe8C https://t.co/HldcJ8DYkK

— SwiftOnSecurity (@SwiftOnSecurity) December 22, 2022

The files could also simply be cracked with enough time. We know the latest GPU hardware has set new records for password cracking, and you might not even need an RTX 4090 to get the job done; LastPass has lax requirements for master passwords, which were only boosted to a 12-character minimum in 2018. Anyone with an older account may still be using a shorter and less secure password. LastPass competitor 1Password took the unusual step of calling out its rival in a blog post, characterizing LastPass’ claim that it would take millions of years to crack the stolen vaults as “highly misleading.” Palant says in his analysis that some master passwords people consider secure would take less than half an hour to crack with a modern GPU.

With what we know now, it seems inevitable that at least some of the less-secure vaults will be cracked, and there’s nothing anyone can do about that now. If you have passwords stored in LastPass, you should consider them compromised. Updating your most important logins would be smart. You should also enable two-factor authentication wherever possible. Whether or not you put the new passwords in LastPass is up to you (but I wouldn’t).
