
One of the most frustrating things about the LastPass leak is that they still haven't provided all the information needed to determine whether a customer is at risk.

For example, it's clear backups were stolen, but they won't say how old the backups were, or what their retention policy is. So even if you changed your password to a stronger one, with more rotations, it may be that the attacker got hold of very old backups with weaker security. I've asked their support team for information about time windows of backups stolen, if they have a retention policy and whether it was adhered to, but they won't share that information. Instead we are left with a blog post that is more than a month old, no recent updates, and questions remaining unanswered. I'm a paying 'enterprise' customer, and they are meant to be ISO 27001 compliant, so a retention policy should be a pretty simple thing to share.



At this point you should assume you're breached. If they aren't going to give you the details, you should assume the worst.

I have asked all of my team to change their passwords. We use LastPass via our parent company and will be switching off LastPass soon for our team. LastPass never would've been my choice, it was made before I joined.

But assume you're breached, change it all now, and ideally you're not going to stay with LastPass. Their communication sucks, which is just icing on the cake in this entire situation.


Export from LP and start migrating, starting with changing common social IdPs like Google, Facebook, Twitter, GitHub, Apple, Microsoft/Live/Xbox/Outlook. Update the password of remote access programs like Parsec, and your cell phone provider's password. Then go through your TOTP generator and start changing everything in your TOTP generator (especially since you might be using LP Authenticator - if you are, then move to a different authenticator at the same time). Next: banking, your work payroll, investment accounts, Tax/IRS, shopping. From here on out start going through the list by the amount of money involved. If you doubt that then go through them ordered by the amount of data involved.

If you get lost and stuff seems too hard, if your replacement product lets you sort by age then just sort by oldest and hit 5 today. Hit 5 more tomorrow. Keep chipping at it. At this point you might as well change one every single day.


I’ve always felt like there’s a startup in there that can reliably change all your passwords for you. Probably something like one time $299, which sounds expensive, until you realize the pain of doing this.


Ironically... isn't that something LastPass does for you?

https://www.pcworld.com/article/430756/nifty-new-lastpass-da...

This is an old article, no idea if the feature still exists or not.


More like does to you and forces you to do it yourself.


Depending on how it was implemented, that could just increase the attack surface. Assuming it's a cloud service, now we have another company that has all your passwords, that can be breached. A better way would be desktop software that runs on your local machine and logs in to each web site by itself and changes all your passwords, without using any remote compute or storage, outputting a local file with all your new passwords (don't make the same mistake again using a cloud password manager).


I imagined this was local. I think it would be very difficult to trust it otherwise.


Attack surface will increase regardless of implementation. It is another point that can be attacked, one that did not exist before.


I love web scraping, maybe I can update this prior idea. With the high proliferation of botting, a lot of sites are now resistant to this type of scripting, but at this low volume of interaction, it may be doable with some effort like Undetected Chromedriver.

https://drewdevault.com/2017/05/11/Rotating-passwords.html

https://github.com/tsudoko/pass-rotate


Vault rotation++. I was bitten by this switching authenticators when one didn't have an export at the time. It was such a massive pain to log in and remove, add, set up and annotate, store secrets and repeat.


This was also the final straw for our organization, we have initiated a company-wide reset of any credentials stored in their service (thanks, LastPass) and are definitely not going to be renewing. The frequency of recent breaches, and especially the opaque manner in which they have been handled, have destroyed any credibility they may have once had with regard to being trustworthy enough to store important secrets.


> definitely not going to be renewing

That reads like you're resetting credentials and then putting the new credentials back in LastPass, and then possibly maybe moving away from LastPass at some point in the future.

Given how little LastPass has disclosed, and the negligence we already know about, we should not only assume we're breached, but we should also assume LastPass is still storing critical data in cleartext, they don't have a "zero knowledge architecture", and their systems are still vulnerable to intrusion and exfiltration.


That's good advice. I already made that assumption when the leak was first publicised and changed all of my important passwords the same day. I'm just trying to decide whether it's worth changing the hundreds of other low value passwords that were once stored in LastPass. I migrated to another service a few years ago, but I'm concerned the attackers have got hold of older backups, containing sensitive data that I had deleted, but with LastPass's poor communication, there is no way of knowing.


What would your choice be?


"One of the most frustrating things about the LastPass leak is that they still haven't provided all the information needed to determine whether a customer is at risk."

Yes they have. They had a breach, and lied about it. You can't trust anything about them now. Assume a total breach and move on.


The biggest problem here is for former customers.

What if you closed your account 5 years ago, did they still have backups?


"Assume total breach" implies to update everything you had with them regardless of the timeframe.


I assume for many people that is easier said than done.


It is, hence the gravity of the situation.


Honestly, even before this latest update, it's safest to assume that your data will be decrypted at some point, and get started changing everything now.

Luckily I had already switched over to Bitwarden, but I still had around 250 accounts to go through, although about 40 entries ended up being duplicates, defunct sites/products, or so old that the accounts were already deleted due to inactivity.

If you haven't started rotating all of your credentials already, this news should definitely get you started on it!


I never expected I'd experience such joy at a website failing to load, or to see it had been turned into a completely different business that doesn't even have a login form.

Thanks, LastPass!


I did the LastPass->Bitwarden migration around Christmas, and it was probably 6 hours all told just changing passwords for the accounts I administer. The good thing is, you get pretty fast at changing them after a while.


There's ISO compliance and there's ISO "compliance". I'm pretty sure if most shops were honest they wouldn't be compliant, but more like compliance-inspired.


ISO compliance, a la “banana” or “strawberry” flavor.


Even if you change all your passwords NOW you’ve still had the metadata of where you have accounts leaked.


In principle, your passwords might be stored as a JSON blob encrypted using a key derived from your master password. In which case that metadata could still be secure. I doubt it though.


LastPass already admitted that the metadata was all leaked. Usernames and passwords were encrypted, but all else seems to have been in the clear.


Based on what happened to my wife, if the password was encrypted, breaking it was trivial.


She probably had an account that had a very low number of iterations. LastPass never updated those unless someone knew to do it manually, so if it was an old account she likely had 5,000 iterations out of the recommended minimum of 100,000.


It wasn't an old account. It was made within a year of the breach.


Just checked, mine is 5,000.


Yep. And the sucky thing is that the only recourse at this point is to reset all your passwords, because what was leaked was the low-iteration vault. Changing it now only saves you for future leaks.


I believe that my vault was similarly low-iteration, however my master password was an approximately 30 character string that contained no dictionary words.

Based on your understanding, does my master password length sufficiently mitigate the low-iterations, or is decryption a realistic possibility?


If your master password has enough entropy, you're safe with 1 iteration. It's not a great idea, and what "enough" is can be ambiguous. But if your master password is provably 70 bits of entropy or so, you should be fine.

But it's probably easier to just change your passwords anyway. At this point I wouldn't be surprised if the story gets even worse somehow.
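As an added worked example (not from any commenter in this thread), the cost arithmetic behind the remarks above about 5,000 vs 100,000 iterations and master-password entropy: PBKDF2 iterations multiply an attacker's per-guess cost linearly, while each extra bit of entropy doubles it. The attacker guess rate, salt and sample password are constructed assumptions, and PBKDF2-HMAC-SHA256 is used as the generic construction the iteration counts refer to.

```python
import hashlib
import math
import time

# Iteration counts discussed in the thread: old LastPass default vs recommended minimum.
LOW_ITERATIONS = 5_000
RECOMMENDED_ITERATIONS = 100_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation; iteration count is the tunable work factor."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def time_one_derivation(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock seconds for one derivation on this machine (constructed inputs)."""
    salt = b"constructed-salt-0123456789abcdef"
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("constructed sample master password", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def expected_crack_seconds(entropy_bits: float, iterations: int, guesses_per_sec_1iter: float) -> float:
    """Expected time to hit a password of the given entropy: half the keyspace,
    each guess costing `iterations` PBKDF2 rounds against an assumed attacker rate."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * iterations / guesses_per_sec_1iter


def entropy_bits_needed(target_seconds: float, iterations: int, guesses_per_sec_1iter: float) -> float:
    """Inverse of expected_crack_seconds: entropy needed to hold out for target_seconds."""
    expected_guesses = target_seconds * guesses_per_sec_1iter / iterations
    return math.log2(expected_guesses) + 1


def iteration_bits_equivalent(low_iterations: int, high_iterations: int) -> float:
    """Raising the work factor from low to high is worth log2(high/low) bits of entropy."""
    return math.log2(high_iterations / low_iterations)


def random_password_entropy(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password (e.g. 30 chars over 94 printable ASCII)."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    assumed_rate = 1e9  # constructed: single-iteration guesses per second for an assumed attacker
    for iters in (LOW_ITERATIONS, RECOMMENDED_ITERATIONS):
        yrs = expected_crack_seconds(70, iters, assumed_rate) / (365 * 24 * 3600)
        print(f"{iters:>7} iterations, 70-bit password: ~{yrs:.0f} years; one local derivation {time_one_derivation(iters):.4f}s")
    print(f"5,000 -> 100,000 iterations is worth {iteration_bits_equivalent(LOW_ITERATIONS, RECOMMENDED_ITERATIONS):.2f} bits")
    print(f"30 random printable chars: {random_password_entropy(30, 94):.0f} bits")
```

The point of the numbers: going from 5,000 to 100,000 iterations buys about 4.3 bits, whereas a long random master password adds entropy far faster than any plausible iteration bump.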


I don't know enough to know. I'd change your passwords just to be safe.


>> they are meant to be ISO 27001 compliant

means that some auditor met with someone who does not know anything and checked boxes in a form.


The title should be updated to reflect that this wasn't data from LastPass but from other products under the GoTo umbrella.

> Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.


If you are in EU, according to GDPR, they should share information so that you can evaluate the risk. Otherwise they are breaking the law.


> One of the most frustrating things about the LastPass leak is that they still haven't provided all the information needed to determine whether a customer is at risk.

Worst case: it’s entirely possible they don’t know.


Do they even know?





