Update your passwords now!

In August 2022, LastPass, a popular password manager, experienced a data breach that resulted in the loss of all customer account data, including sensitive information such as email addresses, billing addresses, and encrypted vaults.[1] This means that the vaults, which are used to store and protect login information, credit cards, autofill data and more for various online accounts, are now out in the wild and can be easily accessed by cybercriminals.

The encrypted vaults, which are meant to provide an added layer of security, can still be compromised if customers use weak passwords or passwords that they believed to be strong. Recent studies have shown that passwords that are less than 8 characters can be cracked in less than an hour, and passwords that are under 11 characters can be cracked in just a few days if they do not use the full mix of available character types, using a single off-the-shelf consumer gaming graphics card.[2] On top of this, due to the cyphers used in some vaults, it's trivially easy to see how many passwords are reused across a vault. 

Another serious blunder is that some of the iteration counts on encryption (which was also backed up and accessed) were set to 1 for many vaults (in particular vaults created from 2008 to 2012), the OWASP standard is 300k which is still considered by many experts to be inadequate.[3]

Data de-obfuscation tools, which can be used to unlock encrypted data, have flooded the dark web and open security forums. These tools can be used to unlock a significant amount of vault data in seconds, depending on the cypher mode used by the vault. Some of the information that can be viewed this way includes login information and even the last time the vault was accessed.[4]

Because the vaults themselves have been stolen, changing the master password is not enough to protect against this attack. Customers will need to change every single password for every system to protect against this attack, which could be a daunting task.

Additionally, the fact that customer metadata was leaked, means that cybercriminals can connect vaults to users and target them specifically. This makes this breach particularly dangerous.

In the wake of the breach, LastPass has urged its customers to take immediate action to protect themselves, such as changing their master password, enabling two-factor authentication, and updating all other passwords. The company has also stated that it is working to improve its security measures to prevent future breaches.

It is important to note that this is not the first time that LastPass has experienced a data breach, not even the first time in 2022. It is therefore our recommendation that you change to a more reputable password management system.

In conclusion, the latest LastPass data breach serves as a stark reminder of the importance of password security and the need for companies to regularly review and update their security measures. The incident also highlights the need for individuals to be vigilant about their online security practices, including the use of strong passwords and the enabling of two-factor authentication. With the ever-increasing threat of cyber attacks, it is more important than ever to take proactive measures to protect ourselves and our personal information.

 

References

1. https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/ 

2. https://www.hivesystems.io/password-table

3. https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

4. https://www.reddit.com/r/Bitwarden/comments/108xv7m/lastpass_vault_deobfuscator/

 

Looking for a software development partner with a security first approach, get in touch with our team today.