LastPass Breach Update – August 22 – December 22

27th December 2022 | Advisory, Blog

LastPass 2022 Breach Update

Jan 26th Update 3:

CyberHoot drafted a new LastPass article: Last Straw for LastPass separately with criteria for choosing a replacement password manager.

Dec. 23rd, 2022 Update 2:

Naked Security has this article detailing their take on the LastPass breach and admission that encrypted vaults were stolen. They have some helpful comments and insights. This got CyberHoot thinking some more…

We stored our Credit Card information in LastPass for Form Filling ease of use. Will we cancel and re-issue our credit cards? Speaking personally now, I will not. My Master Password was so long and complex that the cracking effort required according to this website’s Password Strength Meter was: 7 quadrillion years whew! That’s a relief.

Dec. 23rd 2022: CyberHoot LastPass Breach Update:

LastPass released new information on their latest breach announcement from Nov. 30th in which their monitoring identified a new breach (tied to their Aug. breach). In this update from 12/22/2022 they admit that they believe 256 bit AES encrypted client password vaults were stolen from the 3rd party. This is the first time they’ve acknowledged that client data was at risk. Here’s their take on the situation:

Dec. 22nd, LastPass Blog Update:

“If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.

However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.”

So, what does this mean for all you LastPass users out there, or for Companies that have deployed LastPass to their Users? A lot of work actually.

CyberHoot’s Impact Assessment:

Out staff knows the following to be true: in many of the LastPass environments we have supervised over the last decade, despite our training videos and our password policies requiring a minimum of 14 character passwords (2 longer than LastPass defaults) we have seen many Master Passwords that were WEAK. Therefore, given the general lack of strong password hygiene in general, this new breach information from LastPass requires CyberHoot to make the following recommendations to anyone using LastPass personally or in your business:

Inform your users of this breach and state the following: “Count your password length today. If you used a Master Password shorter than 12 characters in length, you must change your Master Password today.“
If you had a master password that was 12 characters or more, you could still follow the advice below, but we don’t think it would be 100% necessary. You can SKIP TO STEP 3.3 BELOW. However, if your password was shorter, especially those 8 or 9 characters or shorter in length, move on to step 3.
If you are changing your Master Password because of recommendation #1 above, then also do EVERY ONE OF the following:
1. 1. Make the new Master Password a 14 to 20 characters long pass phrase! Watch this CyberHoot Passwords and Passphrase video for helpful tips.
  2. Change the Passwords on ALL YOUR CRITICAL ACCOUNTS stored in your Password Vault. [Note: yes we hear the collective groan on this suggestion. Do it anyways.] The reason is if you had a short password that could be brute forced, then all your passwords could be at risk. You have a short window of time before the LastPass hackers could theoretically target your Vault and brute force your account. Therefore, in an abundance of caution, change all your critical account passwords to protect them from compromise. [CyberHoot Tip: Change you Email Password first if you don’t have it tied to multi-factor authentication aka: MFA).
  3. Enable Multi-Factor Access to your LastPass Password Vault. Use an Authenticator APP (it doesn’t have to be LastPass Authenticator). Authenticator apps are more secure than Text Messaging MFA. [CyberHoot Note: having MFA enabled does NOTHING to protect the stolen vaults in this LastPass breach. The thieves will be trying to brute for the password vaults solely on the strength (length) of the master password you set.]
This step goes for EVERYONE. Enable Multi-factor Authentication (MFA), using an Authenticator App, or if you’re really security hardcore, a Yubikey hardware token, on all your online accounts that support MFA. This would prevent even a breached LastPass vault from leading to the compromise of your MFA protected accounts. MFA is your friend. It may seem like a pain sometimes, but the truth is, the pain of a compromise is far worse. Do this today.

CyberHoot LastPass Viability: Q: Does CyberHoot think LastPass is a viable solution given this breach and previous breaches they have faced?

Answer: We cannot answer that question for you. For Cyberhoot, we will continue to use LastPass as we’re fully vested in them at this point. Our Master Passwords are FAR LONGER than 12 characters making our vault theft unlikely to yield anything to the hackers in question here. In addition, as painful as this episode has been for LastPass, it shows their commitment to transparency and security. It would have been potentially far easier for them to hide this incident by sweeping it under the rug. They did not. We want a company that is transparent. Admits mistakes when they happen. Has advanced monitoring in place to catch security events (as they did in this case). And reports on it honestly and openly. We’ll end with a statement the FBI has long been quoted for because it applies to ALL companies and ALL password manager software vendors.

“There are two types of companies in this world. Those that know they’ve been hacked, and those that don’t know they’ve been hacked.”

We know when and how LastPass was hacked here. Do we know anything about any other password manager vendors being hacked?

Full transparency: CyberHoot has not made a single dime from LastPass in any capacity, referral program or otherwise. We have probably left $1000’s of referral dollars on the table because of our desire to remain at arms length for our reporting.