Things started to go south for LastPass in August 2022 when it announced attackers had accessed its servers and made off with technical data but no user files. It then reported a second breach in early December that leveraged the previously stolen information to exfiltrate user data. It framed these as separate incidents, but security researcher Wladimir Palant of Adblock Plus fame isn’t pulling any punches in his analysis. He says talking about these breaches as separate attacks makes LastPass seem less culpable when in reality this is one months-long attack that LastPass did not contain.
LastPass confirmed on Dec. 22 that the attackers had managed to copy the password vaults that contain all the sensitive information like passwords and secure notes. The takeaway if you only read LastPass’ blog post is that your data is still secure because of the company’s “Zero Knowledge” architecture. Passwords are encrypted with the master password, and since LastPass never holds your master password, whoever breached LastPass didn’t get it either. Sadly, the situation isn’t as simple as that.
Security professionals like SwiftOnSecurity, John Scott-Railton, and Jeremi Gosney are reminding everyone how a determined hacker could still gain access to your accounts. For one, LastPass doesn’t encrypt the entire file. It only encrypts passwords, leaving URLs and IP addresses exposed. The attackers could use this information to launch phishing campaigns to trick people into giving away their passwords. For all its flaws, LastPass is easy to use. So, a lot of people may have used it not only for personal accounts but corporate ones as well. That could mean a lot of headaches for IT pros in the coming months.
LastPass attackers now know all websites you have passwords stored for and the blobs, encrypted only by your master password https://t.co/Wdbt6mWe8C https://t.co/HldcJ8DYkK
— SwiftOnSecurity (@SwiftOnSecurity) December 22, 2022
The files could also simply be cracked with enough time. We know the latest GPU hardware has set new records for password cracking, and you might not even need an RTX 4090 to get the job done; LastPass has lax requirements for master passwords, which were only boosted to a 12-character minimum in 2018. Anyone with an older account may still be using a shorter and less secure password. LastPass competitor 1Password took the unusual step of calling out its rival in a blog post, characterizing LastPass’s claim that it would take millions of years to crack the stolen vaults as “highly misleading.” Palant says in his analysis that some master passwords people consider secure would take less than half an hour to crack with a modern GPU.
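To see why “millions of years” and “under half an hour” can both be said about the same stolen vault, it helps to separate the two things the estimate depends on: how many candidate passwords the attacker must try, and how expensive each guess is. A vault encrypted under a master password is protected by a password-based key derivation function (LastPass uses PBKDF2), and the function’s iteration count is the work factor that divides the attacker’s raw hash rate. The model below is an added illustration written for this article; it is not code from LastPass, Palant or 1Password, and the GPU throughput, iteration counts and candidate counts it uses are constructed assumptions chosen to show the shape of the problem, not measured figures for any account.

```python
"""Illustrative model of how long a stolen, PBKDF2-protected vault survives
offline guessing. Added example, not LastPass's code; the throughput, iteration
counts and scenario sizes are constructed assumptions, not measured figures."""

# Constructed assumption: raw SHA-256 throughput of one modern GPU.
# Each PBKDF2-SHA256 guess costs `iterations` hash computations, so the
# attacker's guess rate is this figure divided by the vault's iteration count.
RAW_SHA256_PER_SECOND = 1e10

# Alphabet sizes for a master password chosen uniformly from these classes.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 32}


def keyspace(length, classes=("lower",)):
    """Number of candidates of `length` drawn uniformly from the named classes."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length


def guesses_per_second(iterations, raw_rate=RAW_SHA256_PER_SECOND):
    """Every guess costs `iterations` hashes, so the work factor divides the rate."""
    return raw_rate / iterations


def expected_seconds(candidates, iterations, raw_rate=RAW_SHA256_PER_SECOND):
    """Expected time to hit the password: on average half the candidates are tried."""
    return (candidates / 2) / guesses_per_second(iterations, raw_rate)


def human_duration(seconds):
    """Render seconds in the largest convenient unit, to one decimal place."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


# Constructed scenarios. The last one models a password its owner considers
# strong (a dictionary word with capitalisation, digits and a symbol bolted on)
# the way a cracker actually enumerates it: a word list times mangling rules,
# which is a far smaller space than a uniformly random 12-character string.
SCENARIOS = {
    "8 lowercase letters, uniform": keyspace(8, ("lower",)),
    "12 lowercase letters, uniform": keyspace(12, ("lower",)),
    "12 chars, all classes, uniform": keyspace(12, ("lower", "upper", "digits", "symbols")),
    "word + mangling rules (1e7 x 1e4)": 10**7 * 10**4,
}


def crack_time_table(iterations_list, scenarios=SCENARIOS):
    """Rows of (scenario, iterations, expected seconds) for every combination."""
    return [
        (name, it, expected_seconds(n, it))
        for name, n in scenarios.items()
        for it in iterations_list
    ]


if __name__ == "__main__":
    # Constructed iteration counts: a low legacy work factor beside a high modern one.
    for name, it, secs in crack_time_table([5_000, 600_000]):
        print(f"{name:36} iterations={it:>8,} -> {human_duration(secs)}")
```

Two things fall out of running it. The uniform 12-character estimate is where the “millions of years” figure comes from, and it is honest for a password that really is random; the word-plus-rules row, which is how most human-chosen master passwords behave, lands in hours under a low iteration count, and raising the work factor stretches it only linearly. Neither knob touches the URL fields, which the article notes were never encrypted in the first place, so the exposure of which sites you use is independent of how strong your master password was.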
With what we know now, it seems inevitable that at least some of the less-secure vaults will be cracked, and there’s nothing anyone can do about that now. If you have passwords stored in LastPass, you should consider them compromised. Updating your most important logins would be smart. You should also enable two-factor authentication wherever possible. Whether or not you put the new passwords in LastPass is up to you (but I wouldn’t).