Lastpass...
CyberInsights #75 - Probably the biggest leak of the year, but password managers are still the wisest choice.
What happened?
LastPass is a popular password manager. Millions of people use it to store their passwords. Getting access to the LastPass database is like getting access to the one ring to rule them all.
Hackers managed to do just that.
On 30th November, LastPass published on their blog that they were investigating a security incident at their third-party cloud service provider. Then, on 22nd December, they released another blog post that said that they had suffered a data breach through their cloud service provider.
LastPass revealed that the following data was breached:
Basic customer account information
Related metadata including:
company names
end-user names
billing addresses
email addresses
telephone numbers
IP addresses from which customers were accessing the LastPass service
So far, it seems like it was only metadata that was compromised. But things get dark very soon. In the next paragraph of the blog, LastPass revealed the following:
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data
While the way it is written seems innocuous, it essentially means that the hacker now has a copy of your encrypted password database. Security professionals who have seen through the professionally crafted wording have been quite vocal about it.
Breaches happen. This is one of the bigger ones. LastPass's careful wording of its press release does not make it a minor inconvenience.
Actions?
If you are a LastPass customer, definitely do the following:
Change your master password. The minimum length is 12 characters, but I suggest a 20-character passphrase. I talk about passphrases and how to create secure ones in my book (Monkey Shakespeare Typewriter: Cybersecurity for everyone).
Change every password stored in LastPass (I can hear the groans, but yes, this is important).
Never reuse any of the passwords that were in the breached database.
Enable two-factor authentication wherever it is made available and use an app like Google Authenticator or Authy.
If you are a business customer of LastPass, then you have to declare an incident and follow your incident management processes. Treat this as a high priority incident.
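The steps above amount to a rotation job over the whole vault. The following script is an added example written for this post, not LastPass's own tooling: it reads a vault export in the column layout LastPass uses for CSV exports (url, username, password, totp, extra, name, grouping, fav) and produces a worklist that puts reused and short passwords first, since those fall to a cracker soonest. The sample entries, the example.com sites and the choice of the post's 12-character minimum as a floor for site passwords are constructed assumptions for the demo.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export in the LastPass CSV column layout. Every value is made up.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com,alice@example.com,LeoMessi$2023!,,,Mail,Personal,0
https://bank.example.com,alice,LeoMessi$2023!,,,Bank,Finance,1
https://shop.example.com,alice@example.com,correct-horse-battery-staple-42,,,Shop,Personal,0
https://forum.example.com,alice,hunter2,JBSWY3DPEHPK3PXP,,Forum,Personal,0
"""

# Assumption for this demo: apply the post's 12-character master-password minimum
# to site passwords as well, so short ones are flagged for rotation first.
MIN_LENGTH = 12


def audit_vault(export_text):
    """Return a rotation worklist: one entry per vault item with the reasons it must change.

    After a vault backup has been copied, every stored password gets rotated (as the
    post says); this report only orders that work so the riskiest items go first.
    """
    rows = list(csv.DictReader(io.StringIO(export_text)))

    # Index entries by password so reuse across sites can be reported.
    names_by_password = defaultdict(list)
    for row in rows:
        names_by_password[row["password"]].append(row["name"])

    worklist = []
    for row in rows:
        reasons = ["stored in the breached vault"]

        shared_with = [n for n in names_by_password[row["password"]] if n != row["name"]]
        if shared_with:
            # One cracked password unlocks every site in this list: rotate all of them.
            reasons.append("reused at: " + ", ".join(shared_with))

        if len(row["password"]) < MIN_LENGTH:
            reasons.append(f"shorter than {MIN_LENGTH} characters")

        if row["totp"]:
            # A TOTP seed kept inside the vault was in the stolen copy too, so the
            # second factor must be re-enrolled, preferably in a separate authenticator app.
            reasons.append("TOTP seed stored in vault: re-enroll 2FA in an authenticator app")

        worklist.append({
            "name": row["name"],
            "url": row["url"],
            "priority": len(reasons),
            "reasons": reasons,
        })

    # Highest priority first; alphabetical within the same priority for a stable report.
    worklist.sort(key=lambda entry: (-entry["priority"], entry["name"]))
    return worklist


if __name__ == "__main__":
    for entry in audit_vault(SAMPLE_EXPORT):
        print(f"[{entry['priority']}] {entry['name']} ({entry['url']})")
        for reason in entry["reasons"]:
            print("    -", reason)
```

Run it against a real export only on a trusted machine and delete the export file afterwards; the plaintext CSV is exactly what the attacker is trying to recover from the encrypted copy.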
Are things really this bad?
Short answer – No.
Long answer – It will take some time for any attacker to brute-force the compromised database. Each user’s database will be encrypted with the master password. The longer and more complex your master password, the longer it will take to brute-force. That is why LastPass says it will take millions of years to crack. However, common passphrases and the use of rainbow tables might make this job faster.
Rainbow tables are nothing but a list of common passwords and their precomputed hashes, which reduce the time taken to crack a password. If your password is in the common list of rainbow tables, then your chance of compromise is higher. After all, you are not the only one who thought of the simple and memorable, but complex password — LeoMessi$2023! — after the World Cup.
It is safer to change every password on the off chance that your password might get breached.
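To make the two points above concrete (a per-user encrypted vault resists precomputation, but a common master password still falls quickly), here is an added example that is not from the post or from LastPass. It models the vault key the way LastPass describes deriving it, PBKDF2-SHA256 over the master password with a per-user salt; the iteration count, the sample account names and the guessing rate are constructed values for the demo, and the real count LastPass uses is far higher than the one here.

```python
import hashlib

# Constructed: kept small so the demo runs instantly. Real deployments use
# orders of magnitude more iterations, which is what makes each guess expensive.
DEMO_ITERATIONS = 1000

SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password, salt):
    """Derive a 32-byte vault key from the master password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt.encode(), DEMO_ITERATIONS)


def salted_keys_differ(master_password, salt_a, salt_b):
    """Same password, two different users: the derived keys differ.

    This is why a table precomputed for one salt says nothing about another
    user's key; the attacker has to run the KDF per guess, per victim.
    """
    return derive_vault_key(master_password, salt_a) != derive_vault_key(master_password, salt_b)


def guesses_to_find(candidates, target_key, salt):
    """Model a dictionary attack from the defender's side.

    Returns how many candidates had to be derived before the target key matched,
    or None if the list never hits. A password sitting near the front of every
    wordlist (the post's LeoMessi$2023! is the kind of thing that does) is found
    after a handful of derivations regardless of the iteration count.
    """
    for position, guess in enumerate(candidates, start=1):
        if derive_vault_key(guess, salt) == target_key:
            return position
    return None


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case years to try every password of a given length at a given rate.

    guesses_per_second is an assumed attacker rate; it shrinks as the KDF
    iteration count grows, which only lengthens the result.
    """
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample accounts; the password is the post's own example.
    alice_key = derive_vault_key("LeoMessi$2023!", "alice@example.com")
    print("same password, different users, different keys:",
          salted_keys_differ("LeoMessi$2023!", "alice@example.com", "bob@example.com"))

    wordlist = ["password", "123456", "LeoMessi$2023!", "correct-horse-battery-staple-42"]
    print("guesses needed for a common choice:",
          guesses_to_find(wordlist, alice_key, "alice@example.com"))

    # Assumed rate of one billion derivations per second, far above what a
    # properly iterated KDF allows; even so, 20 printable characters is out of reach.
    for length in (12, 20):
        print(f"{length} chars, 95-symbol alphabet: {years_to_exhaust(95, length, 1e9):.2e} years")
```

The takeaway matches the post: the salt and iteration count buy time against exhaustive search, but only an uncommon master password keeps you out of the first few million guesses, which is why changing it now is the right call.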
Should I just go back to storing passwords in Excel sheets again?
NO! Password managers are still your most secure option.
This was the last post of the year.
Season’s Greetings & a Happy New Year to all readers of CyberInsights! There are some interesting updates in store for readers in the year 2023. Look out for them.