Writing more about #LastPassBreach feels like beating a dead horse. But I had a look at the official statement again and it is highly misleading. I felt the need to provide some context that #LastPass is willingly omitting.

“Again, it seems that LastPass attempts to minimize the risk of litigation (hence alerting businesses) while also trying to prevent a public outcry (so not notifying the general public). Priorities…”

https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/

What’s in a PR statement: LastPass breach explained

The LastPass statement on their latest breach is full of omissions, half-truths and outright lies. I’m providing the necessary context for some of their claims.

Almost Secure
@WPalant thank you for all your work, it’s been very illuminating!
@WPalant Your RSS feed (https://palant.info/rss.xml) contains a <meta http-equiv="refresh"> tag that is causing my feed reader browser extension (Feedbro) to auto-redirect to your article. I kid you not. What is that code doing in your feed?
@WPalant I had to remove your feed from Feedbro because I couldn’t use it anymore. It would just auto-redirect to your article as soon as I looked at the feeds.

@simevidas LOL. Sounds like your feed reader isn’t doing any content sanitizing which likely renders it vulnerable to way more than merely that redirect. I found quite a few vulnerabilities like that back in the day, and I was quite happy when Firefox added sane built-in RSS functionality. Too bad that browsers are leaving this to extensions again.

This was actually an experiment meant for a notorious thief. See https://infosec.exchange/users/WPalant/statuses/109483011827939479. I guess that there is a human component in their lifting pipeline after all because my latest blog posts haven’t been added.

I’ve removed that tag now.

Yellow Flag (@WPalant@infosec.exchange)

There is this website, laptrinhx[.]com. It is copying content from other websites, not even bothering to change image links to point away from the original server. And it has the audacity to demand that people disable ad blockers to view their “awesome” content. Well, I don’t like that. So I added the following nginx rule:

    if ($http_referer ~ '^https?://laptrinhx\.com/') {
        rewrite \.(jpg|png)$ /temp/stealing.jpg;
    }

My articles on their website are now looking absolutely awesome.

Infosec Exchange
@WPalant Hehe, I’ll let Feedbro know.

@simevidas They already have their “tag filter” that they will likely add <meta> to without resolving the vulnerability.

Sorry to say that but this extension is beyond horrible security-wise.

@WPalant great article. What would you recommend please for someone who wants a password manager on multiple devices, which supports YubiKey and is better than LP?
@yeleek Sorry, I’m a bad person to ask for recommendation. I wrote my own password manager because I was unhappy with my choices. From the products I looked at, 1Password is the only one I could recommend security-wise. But another security researcher I very much respect isn’t very fond of their vulnerability handling.

@WPalant this is an excellent analysis!

I'd like to add that their wording around "Secure Notes" created a huge amount of confusion, where many of us assumed what Lastpass was doing was less secure than what they were actually doing.

It's really a terrible, terrible example of breach communication.

@WPalant I am happy that I ditched lastpass two breaches ago. They clearly can be trusted and they seem to have serious systemic security issues within their product.

@WPalant They did the *exact* same thing the last time they did this.
While they sent out a bunch of emails to say someone logged into your account, in their 'apology' statement they said we shouldn't be reusing passwords and such.

I already had left LP before that, but that kind of condescending attitude told me everything I need to know about the company.

@WPalant asking for a friend and possibly a dumb question..... does anyone know if text or comment fields etc inside the stolen vault backups were encrypted? If they were unencrypted would you still need master password to view them?
@greyghost They are encrypted, in the same way the passwords are. I covered it here: https://palant.info/2022/12/24/what-data-does-lastpass-encrypt/
What data does LastPass encrypt?

LastPass doesn’t explain what data in its “vault” is encrypted. Everyone can download their data and see for themselves easily however.

Almost Secure
@WPalant awesome!
Appreciate that.
@WPalant I found a family member who was a long time LP user with only 500 PBKDF2 iterations, how easy might that be to crack? They did have a > 20 character master password.

@brm The length of the password in itself unfortunately isn’t meaningful. You can get a rough idea of password complexity on https://lowe.github.io/tryzxcvbn/. Mind you, it isn’t perfect: it won’t recognize many patterns and thus overestimates the complexity.

At 500 iterations, we are talking about 17,500,000 guesses per second on a single graphics card. So for a rough estimate take the “10B / second” result and multiply it by a thousand.

zxcvbn tests

hey @WPalant I was a LastPass user, but I closed the account in October. Do you think my data is in danger?
@olek Yes, most likely. LastPass still won’t tell when the data was copied, but I strongly suspect that it was before October. And even for people who closed their accounts before August, the big question is whether the data was also removed from this “backup storage.”
@WPalant understood 👍
shouldn't LastPass send me an email with the information that my data has been breached?

@olek They did, to all the active accounts. Your fault for having deleted your account at the wrong time. 🤷‍♂️

I wonder what the US law would say about it. Somebody should try it out.

@WPalant that's wrong 😞 they should have informed me anyway...
@olek Yes, that was sarcasm. I’m fairly certain that the disclosure laws require them to notify affected former customers as well. Question is whether there will be any notable consequences for them because of failing to do so.

@WPalant

I got your sarcasm 😄

let's say, I don't want to have anything to do with LastPass and I'm a happy customer of @bitwarden

what should I do, to be sure I'm not in danger? Change all the passwords that I imported from LastPass to Bitwarden?

@olek Yes, that would definitely put you on the safe side. At the very least it’s a good idea to change the password for important accounts (email, banking, shopping).
@WPalant understood, will do! thanks for the advice 👍
@WPalant excellent read. as a LP user, my password iteration was set at 5000, and I changed it to 100,100 as per the LP blog last week. I guess I should increase it further?? Would you suggest I ditch LP and go elsewhere - if so, where? Have tried 1Password and didn’t like it.

@fatwelshbuddha Yes, increasing it at least to 310,000 (per OWASP recommendation) would be advisable.

Also, you should strongly consider changing all your passwords. Accounts with 5000 iterations and less will likely be targeted first.

Personally: yes, you should definitely consider changing to a competitor who does a better job at keeping your passwords secure. People usually recommend 1Password or Bitwarden.
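The replies above about 500 iterations (17.5 million guesses per second on one graphics card) and the 310,000-iteration OWASP figure both rest on one property: PBKDF2’s cost grows linearly with the iteration count, so an attacker’s guessing rate shrinks in proportion. The script below is an added example, not code from the thread or from LastPass, that turns the thread’s 17.5M/s figure into rates and scale factors for the iteration counts mentioned here (500, 5,000, 100,100, 310,000) and measures the defender-side cost on the local CPU. It assumes PBKDF2-HMAC-SHA256 as the key derivation (the thread names PBKDF2 but not the hash) and a constructed test password; the `zxcvbn_scale_factor` name and the 10B/s reference column are taken from the zxcvbn output the thread points at.

```python
"""PBKDF2 iteration count vs. offline guessing speed (added example, not the thread's code)."""
import hashlib
import os
import time

# Figures quoted in the thread: ~17.5 M guesses/s on one GPU at 500 iterations.
BASE_ITERATIONS = 500
BASE_GUESSES_PER_SECOND = 17_500_000
ZXCVBN_REFERENCE_RATE = 10_000_000_000   # zxcvbn's "10B / second" column

# Iteration counts mentioned in the thread.
ITERATION_COUNTS = [500, 5_000, 100_100, 310_000]


def guesses_per_second(iterations: int,
                       base_iters: int = BASE_ITERATIONS,
                       base_rate: float = BASE_GUESSES_PER_SECOND) -> float:
    """PBKDF2 work is linear in the iteration count, so the rate scales inversely."""
    return base_rate * base_iters / iterations


def zxcvbn_scale_factor(iterations: int) -> float:
    """Multiply zxcvbn's 10B/s crack-time estimate by this to get the GPU estimate."""
    return ZXCVBN_REFERENCE_RATE / guesses_per_second(iterations)


def seconds_to_crack(guesses: float, iterations: int) -> float:
    """Time to exhaust a given number of guesses at the rate for this iteration count."""
    return guesses / guesses_per_second(iterations)


def measure_pbkdf2(iterations: int, rounds: int = 5) -> float:
    """Average wall-clock seconds for one PBKDF2-HMAC-SHA256 derivation on this CPU.

    This is the cost the legitimate user pays once per unlock; the attacker pays it
    per guess, which is why raising the count hurts them far more than the user.
    """
    salt = os.urandom(16)                               # constructed, throw-away salt
    password = b"correct horse battery staple"          # constructed test password
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    print(f"{'iterations':>10} {'guesses/s (1 GPU)':>18} {'x zxcvbn 10B/s':>15} {'unlock cost':>12}")
    for n in ITERATION_COUNTS:
        print(f"{n:>10} {guesses_per_second(n):>18,.0f} "
              f"{zxcvbn_scale_factor(n):>15,.0f} {measure_pbkdf2(n) * 1000:>9.1f} ms")
```

Reading the table: the thread’s “multiply by a thousand” is a rounded version of the roughly 571× factor the 500-iteration rate gives against zxcvbn’s 10B/s column, and moving from 500 to 310,000 iterations makes every guess 620 times more expensive for the attacker while costing the user a fraction of a second per unlock.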

@WPalant thanks for the feedback. will update the iterations. as for changing passwords, I have sooooo many, but I’ll focus on the master one and financial sites. I’ll think about a change but I’m so embedded with the way LP works I’m somewhat reluctant to swap and trust ongoing security will be beefed up.
@WPalant very interesting info and I have a practical question: if you have a LastPass account, what is the best way to delete all info safely on their server?
@tomoz1 This is not something you can tell from the outside. Especially not when it comes to backup storage, which is where the data leaked.
@WPalant
well, then let's hope a delete via the site does a full delete of everything and not just stops me from accessing anything

@WPalant latest: LastPass parent company was hacked too. who would have thought? /sarcasm

more shit hitting a higher ceiling.

https://www.bleepingcomputer.com/news/security/goto-says-hackers-stole-customers-backups-and-encryption-key/

GoTo says hackers stole customers' backups and encryption key

GoTo (formerly LogMeIn) is warning that threat actors stole encrypted backups containing customer information and an encryption key for a portion of that data.

BleepingComputer