Yeah to crack all the passwords for all users is massive. However even if they crack only a small subset, if it happens to be you who is cracked then it will end badly for you. I'm not happy with that risk, personally.
Agree about the Comms. Lots of inconsequential bollocks in the announcements (e.g. shifting blame onto Plex, suggesting it was "only the backups not the live system" so that makes it ok????)
So I've got to manually reset passwords for the 200 odd I've got saved there? Feel like sending them an invoice for my time 😉
MSP
Full Member
The password vaults are individually encrypted, so it's not just a matter of cracking encryption for all users, they would have to crack each user's encryption separately. That is a massive undertaking.
However I am hugely disappointed by LastPass's communication around this issue, I don't think they have been honest with their user base, and left us trying to work out exactly what this hack has meant for our security, for that alone I am looking for an alternative.
How do others find the alternatives handle passwords on iPhones, plugging into the system API?
It would ordinarily be almost impossible. But LastPass have leaked the sites saved in plain text, therefore the attackers know the juiciest accounts to target (those with crypto, banking etc).
Secondly they failed to set up a lot of accounts correctly, the iterations were so low that the encryption can be cracked (relatively) easily! Iterations ought to be 100,000 (ideally higher), but they have at various points been 1, 500, 1000 and accounts created with those stupid settings were not automatically updated!
I'm thinking about using google chrome to manage my passwords now, is there a disadvantage in doing this?
almost as if handing over all your passwords to some random internet company with no proven record on cyber-security was never really a good idea in the first place 🤔 A quick flick thru their Wiki page lists a fair few incidents over the years... plus their Android app harvests your data, apparently https://www.reviewgeek.com/72272/the-lastpass-android-app-contains-7-trackers-from-third-party-companies-😬/
Secondly they failed to set up a lot of accounts correctly, the iterations were so low that the encryption can be cracked (relatively) easily! Iterations ought to be 100,000 (ideally higher), but they have at various points been 1, 500, 1000 and accounts created with those stupid settings were not automatically updated!
(EDIT: minor point-of-interest, that's the first URL I've noticed with an emoji in it 😃)
I write mine on a piece of paper which lives in a safe....
For anything with money involved, anything else I really don't care about...
The password vaults are individually encrypted, so it's not just a matter of cracking encryption for all users, they would have to crack each user's encryption separately. That is a massive undertaking.
Assuming you had a decent master password at the time of the breach there are two issues:
1) They weren't using enough PBKDF2 hashing iterations. I think mine was at 300k which is what it defaulted to post 2018(?). They're now saying you are at risk if it's less than 600k.
2) They don't (for data collection sales reasons I imagine!) encrypt URLs which is beyond stupid.
As a result of 2) the attacker essentially has a plain text list of all the URLs a given user has a password for - they also have the Windows install location (on my computer that would be my name - you could guess my email from that very easily). For an undisclosed subset they also had the email addresses stored in plain text! 99% of websites use your email as your username, so the attacker has a list of URLs and usernames for a good subset of the userbase. The opportunities for phishing are enormous - e.g. find all the users with a Natwest account and then send personalised phishing emails to them. Also vastly limits the attack space for a brute force attack on anything.
1) presumably means the vaults are vulnerable to hashing attacks (rainbow tables). Since hardly anyone has the 600k setting, what everyone really needs to do is a) leave LastPass b) choose a new provider c) change every single password (starting with financials) that was in the vault when the attack occurred.
I'm currently eying up bitwarden - they encrypt the URLs!
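To make the iteration-count point above concrete, here is an added example (not code from the thread or from LastPass) that derives a vault key with PBKDF2-HMAC-SHA256 at the iteration counts mentioned in the thread and checks an account against the 600k threshold the poster quotes. The salt, the sample password and the exact derivation parameters are assumptions for illustration, not LastPass's documented scheme.

```python
import hashlib
import time

# Threshold quoted in the thread as LastPass's current advice.
RECOMMENDED_ITERATIONS = 600_000

# Iteration counts the thread says accounts have been left on at various points.
LEGACY_ITERATION_COUNTS = (1, 500, 1000, 100_000, 600_000)


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Derive a 32-byte vault key with PBKDF2-HMAC-SHA256 (assumed parameters)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt.encode("utf-8"),
        iterations, dklen=32,
    )


def iterations_ok(iterations: int, minimum: int = RECOMMENDED_ITERATIONS) -> bool:
    """True if an account's PBKDF2 setting meets the recommended minimum."""
    return iterations >= minimum


def relative_guess_cost(iterations: int, baseline: int = RECOMMENDED_ITERATIONS) -> float:
    """Cost of one password guess relative to the baseline; PBKDF2 is linear
    in the iteration count, so 1 iteration is 600,000x cheaper than 600k."""
    return iterations / baseline


def seconds_per_derivation(iterations: int) -> float:
    """Wall-clock time for one derivation on this machine (constructed inputs)."""
    start = time.perf_counter()
    derive_vault_key("correct horse battery staple", "user@example.invalid", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for n in LEGACY_ITERATION_COUNTS:
        status = "ok" if iterations_ok(n) else "TOO LOW"
        print(f"{n:>8} iterations: {seconds_per_derivation(n):.4f}s per guess, "
              f"{relative_guess_cost(n):.6f}x baseline cost, {status}")
```

Running it shows why an account left on 1 or 500 iterations costs an attacker essentially nothing per guess compared with one on 600k, and why only changing the vault's passwords, not just the iteration setting, helps once a copy of the old vault is already out.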
Just installed Bitwarden here. Just need to check everything is sorted and will delete LastPass. Annoying as I still have 9 months paid for but still
alloyisreal
Full Member
I'm thinking about using google chrome to manage my passwords now, is there a disadvantage in doing this?
You'd be tied into Google forever, it doesn't support secure notes, Google aren't transparent.
I switched to Bitwarden instead.
I moved to chrome after Lastpass started charging. Works well for me.
My main concern with bitwarden is that they seem to be too cheap and won't make money / have to make compromises. Still given that lastpass weren't that cheap, and made a huge cock up, I'm not sure if I should worry about it!
Any further ideas on who to move to? I need something that plays nicely with iOS mobile, Windows and desktop Macs
See xora’s post, apparently you can use Lastpass to backup your MFA seed keys, therefore those were compromised also.
That still doesn't answer the question.
The question is: How do you compromise a vault, even knowing the master password, which has MFA enabled?
why would you not just use iCloud Keychain 🤔
Any further ideas on who to move to? I need something that plays nicely with iOS mobile, Windows and desktop Macs
Ran away from LastPass over the Xmas period following the previous breach -- moved to 1Password and rolled shed loads of passwords.
painful
For the record, I don’t use password vaults myself, neither professional nor privately.
What are you doing instead? All the alternatives I'm aware of are bad options.
The question is: How do you compromise a vault, even knowing the master password, which has MFA enabled
I suppose it depends on how the MFA is applied. I.e. whether it is just applied as an authentication mechanism that then allows you to decrypt using the master password, or whether the MFA is linked to the encryption somehow.
I suspect the former but really I've no idea.
I assume the master password is used as the decryption key only, and that the MFA auth is used to verify access to the encrypted data.
If you've nicked the whole vault (which is what appears to have happened) then it doesn't matter what's in the application that provides access to the vault.
The question is: How do you compromise a vault, even knowing the master password, which has MFA enabled?
Possibly if you were actively monitoring the device you could catch them entering the MFA (assuming it's a code) and then get in inside the window. Guess it would depend if it actively monitors logins and doesn't go "hmmm multiple IPs".
Or if it was a global MFA and was a bit trigger happy then they might have just got used to clicking yes.
At work our auth got messed up for a while so it kept asking to reauthenticate. One way we got pressure put on them to fix it was pointing out mfa is only useful if it only gets triggered when someone is specifically trying to get access (or say after a day continuous activity) to something. If it fires for fun then people will just hit yes.
If you’ve nicked the whole vault (which is what appears to have happened) then it doesn’t matter what’s in the application that provides access to the vault.
Yes, if they've managed to pull a local cache of the vault, then the master password is enough. That's not what the article says though, and that's why it seems fishy.
Possibly if you were actively monitoring the device you could catch them entering the MFA (assuming its a code) and then get in inside the window.
If it lets you do that from another IP/device, then that's very poorly implemented MFA.
Or if it was a global MFA and was a bit trigger happy then they might have just got used to clicking yes.
That's not what the article says.
That’s not what the article says.
Looking at LastPass's own document it's a tad unclear exactly what happened. The use of "employee's master password" is odd. Is that after unlocking a personal vault for example to get their master password?
I guess it could have been like our server access where you use password/MFA to authenticate which then allows you to launch a temporary RDP file. Since it does have the alternative of being able to grab the password and then log on directly using RDP. Again time limited though.
I am amazed those key files weren't only available on the internal network (with maybe a copy on a secure drive or two just in case) unless he was able to VPN in using his home machine.
Is that after unlocking a personal vault for example to get their master password?
As I understand it the employee in question was targeted and had a keylogger installed on their machine via a previously unknown vulnerability in 3rd party software on their home machine. It was a sophisticated deliberate attack
Aidy
Free Member
That still doesn't answer the question.
The question is: How do you compromise a vault, even knowing the master password, which has MFA enabled?
Once you have the MFA seed you can set up your own authenticator app to do the MFA.
It was a sophisticated deliberate attack
Yes but its the finer details which are interesting.
It is ultimately the problem for someone like LastPass. Unlike most companies, where if you hack them you only get to rip them off, with LastPass (or SolarWinds as a previous example) if you compromise them you stand a good chance of compromising a whole load more businesses (plus, in LastPass's case, individuals).
Since the return on investment is so high it's worth top end attacks. Wouldn't be completely surprised if it was a state looking for ways into other more interesting targets.
Once you have the MFA seed you can set up your own authenticator app to do the MFA.
Yes, I understand that.
That's not what the lastpass statement is saying, though.
It states that: "The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault."
This implies that they had the master password, and used the master password to gain access to the vault.
There's no suggestion that the MFA seed was compromised.
Aidy
There’s no suggestion that the MFA seed was compromised.
Summary of data accessed in Incident 2:
DevOps Secrets – restricted secrets that were used to gain access to our cloud-based backup storage.
Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using our Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password. As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass – therefore, they were not included in the exfiltrated data.
Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.
In addition LastPass have requested that all users reset their MFA secrets:
Task 4.2: Already using MFA? Regenerate your MFA shared secret
If you already have enabled one of these MFA services, please regenerate your shared secrets in your LastPass account settings: LastPass Authenticator, Google Authenticator, Microsoft Authenticator, or Grid. Find instructions here:
Is that just if the MFA was backed up? I'm sure that it didn't say that when I read their security bulletin. I guess they may have changed it.
Yes, but that's the data breached in Incident 2. They obviously can't use that to *cause* Incident 2.
As someone who keeps wondering if he should upgrade from his list of 4 or 5 passwords, all subtly similar and kept on a spreadsheet which is stored on the cloud (I know)...
...is there a safer way, or will they all have these failings which make it more likely that I'll be hacked?
And simple to use?
Maybe a stupid question, but if the logins (username + password) leaked from LastPass use 2FA e.g. My banking apps, is the risk reduced?
What are MFA secrets?
I have various accounts that use various types of MFA. Lastpass itself uses an app on my phone. Microsoft another app and lots of others send a text with a code. But I don't remember any of them talking about secrets. Maybe they did it when I wasn't listening 🙂
Aidy
Free Member
Yes, but that's the data breached in Incident 2. They obviously can't use that to *cause* Incident 2.
I don't get your point then? You know they had a keylogger which could be used to capture both the master password and MFA which could both be reused as long as it was within the same 30s window.
Once the vault was decrypted, they had the MFA seeds and could subsequently generate MFAs at any time
If it's any consolation I didn't actually change anything after the first breach (although I have now) and nothing bad happened. In fact I've yet to hear an example of anybody actually suffering as a result of these incidents. Other than lastpass themselves of course. I'm sure they must be losing customers at an alarming rate.
roverpig
Full Member
What are MFA secrets?
I have various accounts that use various types of MFA. Lastpass itself uses an app on my phone. Microsoft another app and lots of others send a text with a code. But I don’t remember any of them talking about secrets. Maybe they did it when I wasn’t listening 🙂
It's a secret code known by your authenticator app and the server.
Normally as part of registering for MFA login, you are given the secret in the form of a QR code to scan.
And then both the server and the app do the same maths on it.
e.g.
Secret is 1234
Multiply it by current time = 13:44
1344 * 1234 = 1658496
Take the last 4 digits of that, and there's your code 8496
There's a bit of maths in there but that's basically how it works.
You can see some real code for it here (getCode function):
https://github.com/PHPGangsta/GoogleAuthenticator/blob/505c2af8337b559b33557f37cda38e5f843f3768/PHPGangsta/GoogleAuthenticator.php#L63
OK, thanks.
If I've understood this correctly (unlikely 🙂 ) it's only the MFA for LastPass itself I need to worry about with this incident. So I've been through the process to reactivate the app (generating a new QR code) but I don't think I have to do that for all the other services I use that use MFA. Well I hope not anyway.
Maybe a stupid question, but if the logins (username + password) leaked from LastPass use 2FA e.g. My banking apps, is the risk reduced?
Yes, as long as you didn't have anything relating to the MFAs also stored in LastPass along with the user names and passwords
Immediately switching on MFA for all the apps and websites you use (have stored in LastPass) is probably one of the quickest and easiest ways to reduce any risk. That's the first thing I did after the first breach.
So One Time Passcodes, biometrics (so long as they are applied for all access mechanisms not just for a single device) authenticator apps. All that stuff.
roverpig
Full Member
OK, thanks.
If I've understood this correctly (unlikely 🙂 ) it's only the MFA for LastPass itself I need to worry about with this incident. So I've been through the process to reactivate the app (generating a new QR code) but I don't think I have to do that for all the other services I use that use MFA. Well I hope not anyway.
I think if you were using the LastPass Authenticator app to store them, it'll be all of them (sorry)
edit - and if you had "Save accounts to the cloud" enabled
see here
Thanks. No I didn't have "save to cloud" enabled and the only site that used the lastpass app for authentication was lastpass itself, so I think that means I only need to reauthenticate that app. Still seems to be unnecessarily confusing though.
This keeps rumbling along nicely. Serious money in the form of crypto has been going missing. Security researchers believe it is due to the lastpass breach.
https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/
What an utter disaster!
More fool them, would you leave your bank account login on a password manager?
Especially one that had a widely publicised hack however long ago
Awkward, I'm on bitwarden but I have exactly that: bank details written down in the notes section.
There's just so much information to remember, how else do I do it
personally I think it's safer on a scrap of paper squirrelled away somewhere at home, preferably without the words 'bank details' written on it in big letters
chances of being burgled, and then finding the paperwork and then working out it's bank details and then working out which bank is smaller than stuff getting hacked online