Posted a new blog post on the #LastPass update and what we learn about their breach: https://palant.info/2023/02/28/lastpass-breach-update-the-few-additional-bits-of-information/

Spoiler: it isn’t a whole lot. The LastPass statement once again raises more questions than it answers.

· We now know that a LastPass employee accessed critical company data from their home computer. I wonder whether LastPass mentions it in an attempt to shift blame to the employee (and the vulnerable third-party software they used). If that’s the case, they failed – this demonstrates a clear issue with their security practices.
· The timeline of the breach remains unclear. I *guess* that the attackers spent 10 weeks from August to October exfiltrating data from LastPass’ AWS storage. But that’s only one way of reading their statement.
· Contrary to what LastPass previously said, companies using Federated Login Services are at an increased risk from this breach. As Chaim Sanders noticed (https://medium.com/@chaim_sanders/its-all-bad-news-an-update-on-how-the-lastpass-breach-affects-lastpass-sso-9b4fa64466f6), LastPass admitted leaking the K2 component of the hidden master password in the breach. With K1 being accessible to any company employee, it isn’t that hard to come by. And then no brute-forcing will be necessary to decrypt all of the company’s LastPass data.
· On the product side, no security improvements are visible. The default iteration count has been increased to 600,000, but users are still expected to update this setting manually. LastPass once again promises business customers automated updating at some point in the future, yet so far they haven’t even managed to implement a simple warning.

Update: Found another LastPass document providing specifics on the timeline. So the attackers stole backups ranging from August 20 to September 16, 2022. Finally something specific. This also means, however, that by the time LastPass finally warned the users in December 2022, the attackers already had a three-month head start at cracking passwords.

Interesting. After news publications already found more or less complete pieces of the #LastPass announcement two days ago, they now posted it on their blog and notified users: https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/. Maybe they want to be transparent, but this isn’t quite working.

I’ve seen a PDF version of the same text already; judging by the Last-Modified header, it was uploaded to LastPass servers last Friday already. Shared with a select few first, I guess?

Let me try to get the timeline of the #LastPass breach straight:

· Early in August 2022 the initial compromise happens. LastPass detects it after four days and cuts off access to the development environment.
· End of August LastPass first informs the public about the breach. According to them, the breach is contained. Spoiler: it’s not.
· The attackers spend much of September extracting data from LastPass’ AWS storage.
· At the very same time LastPass publishes another announcement, essentially repeating the previous one but more confidently – attacker activity is contained. Retroactively it’s obvious that it isn’t.
· We don’t know what else the attackers are doing but LastPass only detects their activities end of October (!).
· For some reason, LastPass waits until end of November to inform the public. No details, essentially a “nothing to worry about.” Spoiler: there is a lot to worry about.
· After yet another month, at the end of December LastPass finally informs the public that the attackers got away with pretty much all of their data. Still “nothing to worry about” because encryption. And business customers are not affected.
· After another two months, end of February 2023 they finally publish more details on the attack. Oh, and business customers are affected after all. Still “nothing to worry about,” but follow these steps to make sure your account is secure (spoiler: this won’t help retroactively).

Don’t get me wrong, I’m all for a thorough investigation. But this is highly sensitive data we are talking about. In a situation where information is still incomplete, the default should have been “assume the worst” and not “hope for the best.”

By the time LastPass saw fit to notify users about a leak of their password data, the attackers already had a three-month head start on that data. And this announcement came two months (!) after LastPass presumably learned about “unusual activity within a third-party cloud storage service.”

It’s even worse for business customers. In the December announcement LastPass was still confidently claiming that federated login data didn’t leak, hence business users weren’t affected. So business customers are only learning about the true scope of the breach now, almost half a year after the data leaked.

And even now I haven’t seen a single “if X then update all your passwords ASAP” from LastPass. No, not even for the people who had 1 PBKDF2 iteration configured. LastPass could easily send all of them an email, yet chooses not to warn them. These warnings have to come from bloggers and media outlets.

Same with business customers. A blogger has to tell companies that they are at immediate risk and need to reset K1 ASAP. And LastPass? Nope, again hides behind formulations that sound like “nothing to worry about.”

It’s great to see the LastPass CEO admit that they failed at communicating, big time. But it seems that they still have many lessons to learn from that failure.

@WPalant oh yeah, it's hilarious reading between the lines in their statements. It's just a timeline of lies and ineptitude.