LastPass released a new official response on March 1, 2023 about last year's break-in. This article is therefore a follow-up to an earlier article that already laid out the events surrounding the LastPass break-in up to that point.
The good news
A new post has appeared in LastPass' blog. LastPass users were made aware of this blog post yesterday via email. It seems to once again summarize what is known to date. It also lays out what LastPass has changed since then. Finally, it also gives a few tips to users of the software.
This new substantive communication about the incident was eagerly anticipated. For example, LastPass indicates that a connection between the first and second break-ins was found after all. Something that security experts already thought very plausible but had not been proven until now. LastPass also seems to have worded the list of what was captured, and how it was captured, a bit more extensively.
With the same open attitude, LastPass indicates what steps have since been taken internally to further tighten security. As well as what users can expect from them in the future. Finally, LastPass offers advice to its users on the best way forward from here.
The not so good news
Being up front and more information in general is always welcome. Still, there are a few noteworthy things to read between the lines, it seems.
For example, no 'threat-actor' (perpetrator) is known and one is also still in the dark about the motive. This is despite the involvement and efforts of LastPass itself and its suppliers, as well as various parties from the fields of information security, forensic investigation and law enforcement. Finding the perpetrator(s) is usually extremely difficult when it comes to modern cybercrime. Perhaps one day this will be followed up.
What is still striking is what LastPass has broadly laid out regarding the changes made internally. From this emerges a picture about the past that does not quite seem to match how the organization presented itself previously, despite the zero-knowledge model.
But it also seems to paint a picture that may not be very compatible with a player in this market at all. As an example, steps are now being taken that might be expected to have already been taken. Especially since LastPass' core business involves information security for more than 25 million users.
The least good news, however, is what is not discussed at all. And this becomes painfully obvious from a list of questions they present to their users. For example, LastPass asks the following questions in a deeper post to arrive at advice for users:
- Is your master password strong and unique?
- Does your master password have 600,000 hash iterations or more?
- Are the passwords in your vault all strong and unique?
- Are you using multi-factor-authentication?
The first question about the master password is self-explanatory and logical. The second question, however, is remarkable. Average users will not be able to answer this question. LastPass never mentioned this before either. It is a deeply hidden exotic setting that only security experts will understand by just its name.
When encrypting digital data, it is encrypted multiple times. Each 'round' is called an iteration in technical terms. The more 'rounds' the harder it is to decrypt. As computers become more powerful every day, the number of iterations must be increased every so often.
OWASP is a globally recognized community of security experts. LastPass states that as of January 2023, OWASP recommends using an iteration count of 600,000. LastPass also explains how a user can set this number of iterations for the vault. What becomes unpleasantly obvious during those steps is that LastPass has so far defaulted to using 5,000 iterations for a vault. That's 99.17% fewer iterations than the current recommendation. So a huge difference in the resilience of the encrypted data.
LastPass says it will increase the iterations for each user to 600,000 in the coming months, in cases where this is not yet done by then.
The question of using multifactor authentication is justified. It is always advisable to use it. For example, a second channel, such as a smartphone app, should be used to confirm each login attempt.
What LastPass does not tell you, however, is that this does not help at all against theft like the one that took place in this case. The vault files have already been copied (stolen). Partly encrypted, partly not even. The perpetrator(s) can now take all the time they need to endlessly guess master passwords in order to try to decrypt them. And these vaults have only 5,000 iterations by default. Because the upcoming change to this obviously does not count for the vaults that have already been stolen, and that are now in the hands of the perpetrator(s) in that form.
Multi-factor-authentication does not help here either. This only helps against gaining access to the vault through the regular daily routine, the proverbial front door. And thus not if the vault files are stolen through the back door, as has been the case this time.
While it would have been a brave press release, opting for full disclosure and security might have been a better option. In favor of protecting the user. What LastPass could have done, and could have communicated, is something along the lines of:
- Unfortunately, a brake-in has taken place. and during this, mostly-encrypted vault files were obtained via unforseen routes
- In cooperation with others, we continue to search for the perpetrators and hope to be able to clarify the motive as well
- Security is and remains a cat-and-mouse game, in which we always strive for a realistically impossible 100% security
- Internally, we have added and improved a lot to prevent an incident like this as much as possible in the future
- Externally, each time you use your master password, we will increment the iteration number to the then current recommendation
- We recommend that you change all your (critical) passwords immediately for your best possible defense at this time
- It is also strongly recommended that you enable multi-factor-authentication on all your accounts elsewhere as well
After all, the proverbial genie is already out of the bottle.