LastPass Breach Fiasco - IMPORTANT if you ever were a LastPass user.
Posted: Fri Jan 13, 2023 3:38 pm
If you use, or ever used LastPass, or have any friends, family or clients using it, you should a) Get you or them off that service, and b) change any passwords for really important accounts like banking.
Mainstream news really hasn't been covering this very well, probably because everyone just hears the phrase 'data breach' now and tunes out, but this is pretty bad as this is a widely used service, and it's not only the breach, but apparent mistakes in securing the data, that will cause serious problems for a lot of people and companies.
Steve Gibson goes into the latest ramifications in his last Security Now podcast 905: https://twit.tv/shows/security-now/epis ... tart=false
Show notes if you prefer reading (page 5 gets to the meat of it): https://www.grc.com/sn/sn-905-notes.pdf
If you're totally in the dark on LastPass, he covered the two data breaches themselves in detail in the previous episode 904: https://twit.tv/shows/security-now/epis ... tart=false
But the bullet points are:
- Early adopters, with old accounts, may have very weak encryption on their data, because when LastPass increased their encryption strength over the years, they did not seem to apply it to at least some older existing accounts. Of real concern is the number of PBKDF2 iterations. In the early days this was set to 1, which was adequate at the time. It was later increased to 100, 500, 5000, and most recently 100100 (Bitwarden also uses around 100,000 iterations, but Steve thinks you should change it to 300,000 - 1,000,000). The concern is that data encrypted with 1 iteration is brute-force crackable in a minute with modern GPU computing. Even 100000 iterations could be cracked in around 70 days (depending on the password strength). People have looked at their iteration settings and many people have found they were still on lower numbers, many even set to 1.
- Most password services use PBKDF2 iterations, so even if you've never used LastPass, you should check your iteration settings and I would recommend cranking it up. This could have a performance hit on older, slower hardware, but modern phones and PCs are pretty powerful. A higher iteration count will take longer to decrypt your passwords.
- Even if your iteration count was high, we don't know what the date of the backup was that was stolen. If this is an old backup, it could have a lower iteration count.
- The strength of your master password matters. Even a high iteration count doesn't help if your password was monKey123. Again, it also matters what your password was at the time the stolen backup was made, and LastPass has said nothing about that. If you used to have a weak master password at one time, it's possible that's the one that got loose.
- If you EVER used LastPass (even if you don't use it now), assume your data is out there, so change any important passwords. Changing your iterations now only helps you in any future breach. If you were ever a LastPass customer, your data could be part of this breach that came from a LastPass backup server. If you had a weak master password and/or low iterations at the time of that backup, your accounts are most likely compromised. Even if you closed the account, LastPass has not told us if they delete your data from backups upon closing an account, so don't assume so.
- There were hundreds of millions of accounts compromised (LastPass has corporate customers also). One has to assume hackers will go through the huge amount of stolen data and decrypt the easy ones first (weak passwords, low iterations). Don't assume your passwords aren't at risk because nothing has happened yet. No one may get around to decrypting YOUR passwords for a while.
- Good LastPass alternatives are Bitwarden, 1Password, and Dashlane. Steve Gibson has confirmed that you can export your LastPass data to a .CSV file and directly import it into Bitwarden. While Bitwarden has a premium version, the free version is probably all you need. Bitwarden also supports self-hosting your own server instead of using their cloud service.
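As an added illustration of the point about PBKDF2 iterations (this is example code, not from the post, LastPass or Bitwarden): the iteration count is a linear work factor that an attacker holding a stolen vault copy must pay for every password guess, so a vault left at 1 or 500 iterations costs thousands of times less per guess to attack than one at 100100 or more. The password, salt and the classification thresholds below are constructed for the example; the thresholds reuse the iteration counts named in the post.

```python
import hashlib
import time

# Constructed sample inputs; these are not values from the LastPass breach.
SAMPLE_PASSWORD = "monKey123"        # the weak master password quoted in the post
SAMPLE_SALT = b"user@example.com"    # a per-user salt (constructed stand-in)

# Iteration counts named in the post: LastPass's historic defaults, its
# current default, and the floor of the range Steve Gibson recommends.
HISTORIC_DEFAULTS = (1, 100, 500, 5000)
CURRENT_DEFAULT = 100100
RECOMMENDED_MIN = 300_000


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256. The iteration count is the cost an attacker must
    pay for every guess against an offline copy of the encrypted vault."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def seconds_per_guess(iterations: int, salt: bytes = SAMPLE_SALT) -> float:
    """Time one derivation locally; cost grows linearly with iterations."""
    start = time.perf_counter()
    derive_vault_key(SAMPLE_PASSWORD, salt, iterations)
    return time.perf_counter() - start


def attacker_cost_ratio(old_iterations: int, new_iterations: int) -> float:
    """How many times more work each guess costs after raising the count.
    Going from 1 to 100100 makes every guess 100,100 times more expensive."""
    return new_iterations / old_iterations


def classify_iterations(iterations: int) -> str:
    """Rate an account's PBKDF2 setting against the thresholds in the post."""
    if iterations < CURRENT_DEFAULT:
        return "below current default: stale setting, treat vault as weakly protected"
    if iterations < RECOMMENDED_MIN:
        return "at current default: adequate, raise it if your hardware allows"
    return "at or above recommended minimum"


if __name__ == "__main__":
    for n in HISTORIC_DEFAULTS + (CURRENT_DEFAULT, RECOMMENDED_MIN):
        print(f"{n:>8} iterations: {seconds_per_guess(n) * 1000:8.2f} ms/guess, "
              f"{classify_iterations(n)}")
```

Running it shows the per-guess time climbing from microseconds at 1 iteration to tens of milliseconds at 100100 on a typical laptop; a GPU cracking rig sees the same linear scaling, which is why the low historic defaults matter so much for an old backup.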