Archive for LastPass

LastPass Responds To The UK Smacking Them Down Because They Were Pwned

Posted in Commentary with tags on December 19, 2025 by itnerd

You might recall that the UK government served up a £1.2 million fine to LastPass because they got pwned. That fine hasn’t gone over well with LastPass. And I say that because I actually got a statement sent to my inbox about that:

“We have been cooperating with the UK ICO since we first reported this incident to them back in 2022. While we are disappointed with the outcome, we are pleased to see that the ICO’s decision has recognized many of the efforts we have already taken to further strengthen our platform and enhance our data security measures. Our focus remains on delivering the best possible service to the 100,000 businesses and millions of individual consumers who continue to rely on LastPass.”

Clearly they feel that this fine is unfair. But I am not sure what they were expecting. Given how bad this incident was, someone was going to punish them. It happened to be the UK in this case. In short, they had to have seen this coming. If I could offer them some advice, they should forget about the fine and focus on “delivering the best possible service to the 100,000 businesses and millions of individual consumers who continue to rely on LastPass” as that will go a long way towards fixing the reputational damage that this incident created.

LastPass Smacked Down In The UK For Being Pwned

Posted in Commentary with tags on December 12, 2025 by itnerd

The UK ICO has fined LastPass £1.2 million following a 2022 breach that exposed personal data and encrypted password vaults belonging to up to 1.6 million UK users. Regulators found the incident stemmed from a chain of failures, beginning with the compromise of an employee’s personal device and escalating through reused credentials, third-party software vulnerabilities, and stolen cloud access keys. While LastPass’ zero-knowledge encryption remained intact, attackers were able to exfiltrate encrypted vaults and sensitive metadata, highlighting how human and personal-device risks can undermine even well-designed security architectures. The ruling reinforces regulators’ growing focus on executive access, remote work exposure, and the need to secure the human attack surface.

If you want to know more, this will help: UK fines LastPass over 2022 data breach impacting 1.6 million users

Chris Pierson, CEO, BlackCloak had this to say:

“This case is a clear reminder that today’s most damaging breaches often begin far outside traditional enterprise controls. Attackers did not defeat encryption or zero-knowledge architecture head-on; they targeted a trusted individual, exploited a personal device, and patiently chained together small gaps until they reached high-value access. For executives and privileged users, personal and professional digital lives are inseparable, and adversaries know it. Controls within the enterprise remain critical, but they must be paired with the continuous protection of personal devices, privacy enhancements, and home network protection. Organizations that fail to secure the digital attack surface for key persons and executives in their personal lives are effectively leaving the back door open to attacks.”

The LastPass incidents (as they’ve been pwned multiple times) illustrate how important it is for organizations to close the holes that lead to this sort of thing happening. And if organizations won’t do this by default, then they need to be punished until they get the message.

LastPass Is Forcing You To Change Your Master Password… Wait… Why Are You Still Using LastPass??

Posted in Commentary with tags on January 4, 2024 by itnerd

In a blog post on Wednesday, LastPass says that users will now be asked to set a new master password. Here’s why they’re asking users to do that:

When it comes to password security and resilience, there’s strength in numbers. But that’s just for starters. Password strength is a complex notion that’s informed by a number of factors including length, complexity, and unpredictability. The current National Institute of Standards and Technology (NIST) guidelines require that human generated passwords be at least 8 characters in length (NIST 800-3B) but given recent advances in password cracking/brute forcing technology and techniques, coupled with the natural human tendency to create passwords that are predictable and easy to remember, an even longer password is recommended.

LastPass’ new master password length requirement is just one part of a progressive set of initiatives designed to help our customers better protect themselves from current and emerging cyber threats. Historically, while a 12-character master password has been LastPass’ default setting since 2018, customers still had the ability to forego the recommended default settings and choose to create a master password with fewer characters, if they wished to do so. By now enforcing a minimum 12-character master password requirement, along with the PBKDF2 iteration increases we delivered earlier this year, we are proactively helping our customers create stronger and more resilient encryption keys for accessing and encrypting their LastPass vault data.

Clearly this relates to the fact that LastPass was pwned in 2022. But this is 2024 and my advice is that you should not be using LastPass because the company taking this sort of action is like closing the barn door after the horses have escaped. In other words, it’s too little too late. Which means if you’re still using LastPass for whatever reason, it’s beyond time for you to move your passwords someplace else.

Threat Actors Appear To Be Able To Crack LastPass Password Vaults To Steal Crypto

Posted in Commentary with tags on September 7, 2023 by itnerd

You might remember that LastPass was pwned in a variety of ways last year, including having the password vaults of their customers swiped. At the time the company said that there was nothing to worry about because threat actors wouldn’t be able to get in. But that no longer appears to be the case according to Brian Krebs:

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.

Taylor Monahan is lead product manager of MetaMask, a popular software cryptocurrency wallet used to interact with the Ethereum blockchain. Since late December 2022, Monahan and other researchers have identified a highly reliable set of clues that they say connect recent thefts targeting more than 150 people. Collectively, these individuals have been robbed of more than $35 million worth of crypto.

Monahan said virtually all of the victims she has assisted were longtime cryptocurrency investors, and security-minded individuals. Importantly, none appeared to have suffered the sorts of attacks that typically preface a high-dollar crypto heist, such as the compromise of one’s email and/or mobile phone accounts.

“The victim profile remains the most striking thing,” Monahan wrote. “They truly all are reasonably secure. They are also deeply integrated into this ecosystem, [including] employees of reputable crypto orgs, VCs [venture capitalists], people who built DeFi protocols, deploy contracts, run full nodes.”

Monahan has been documenting the crypto thefts via Twitter/X since March 2023, frequently expressing frustration in the search for a common cause among the victims. Then on Aug. 28, Monahan said she’d concluded that the common thread among nearly every victim was that they’d previously used LastPass to store their “seed phrase,” the private key needed to unlock access to their cryptocurrency investments.

Well, that’s not good. Clearly LastPass isn’t nearly as secure as it’s made out to be. And what does the company have to say about this?

LastPass declined to answer questions about the research highlighted in this story, citing an ongoing law enforcement investigation and pending litigation against the company in response to its 2022 data breach.

“Last year’s incident remains the subject of an ongoing investigation by law enforcement and is also the subject of pending litigation,” LastPass said in a written statement provided to KrebsOnSecurity. “Since last year’s attack on LastPass, we have remained in contact with law enforcement and continue to do so.”

Their statement continues:

“We have shared various technical information, Indicators of Compromise (IOCs), and threat actor tactics, techniques, and procedures (TTPs) with our law enforcement contacts as well as our internal and external threat intelligence and forensic partners in an effort to try and help identify the parties responsible. In the meantime, we encourage any security researchers to share any useful information they believe they may have with our Threat Intelligence team by contacting securitydisclosure@lastpass.com.”

I think if it wasn’t clear before, it’s clear now that LastPass should be the last choice in password managers. If for whatever reason you’re still using LastPass, dump it and change your passwords ASAP. Yes it’s a pain. But some pain over a weekend is better than getting pwned.

LastPass Was Hacked Again Because An Employee Didn’t Do A Software Update

Posted in Commentary with tags on March 5, 2023 by itnerd

Frequent readers of this blog know that I always advocate installing the latest software updates for your operating system and applications as soon as possible. That’s because threat actors will often look at software updates and reverse engineer the flaws that they fix so that they can go after those who didn’t install those updates. Or an update may fix an issue that threat actors are exploiting right now. Either way, I strongly believe that you can’t go wrong installing software updates. So in short, what I’m saying is that you increase your chances of getting pwned by not installing software updates. And since a lot of us work from home, your employer could get pwned as well.

And apparently, that is what happened to LastPass according to PC Magazine when they got pwned in August:

This week, LastPass revealed the hacker pulled off the breach by installing malware on an employee’s home computer, enabling them to capture keystrokes on the machine. But one lingering question was how the malware was delivered.

At the time, LastPass said only that the hacker exploited “a vulnerable third-party media software package,” without naming the vendor or the exact flaw. That led many to wonder if the hacker had abused a currently unknown vulnerability, which could put many other users in harm’s way.

PCMag has since learned the hacker targeted the Plex Media Server software to load the malware on the LastPass employee’s home computer. But interestingly, the exploited flaw was nothing new. According to Plex, the vulnerability is nearly three years old and was patched long ago.

Plex told PCMag the vulnerability is CVE-2020-5741, which the company publicly disclosed to users in May 2020. “An attacker who already had admin access to a Plex Media Server could abuse the Camera Upload feature to make the server execute malicious code,” the company said back then.

“At the time, as noted in that post, an updated version of the Plex Media Server was made available to all (7-MAY-2020),” a spokesperson for Plex said. “Unfortunately, the LastPass employee never upgraded their software to activate the patch. For reference, the version that addressed this exploit was roughly 75 versions ago.”

So the employee didn’t stay up to date in terms of their Plex install, and now the employee and the employer have been pwned. If I were the employer, in this case LastPass, I’d be not only mad but I would fire the person. Because while LastPass was not at fault here, trust in the company is non-existent because of the previous instances of being pwned by threat actors combined with this. And this employee is at least partially at fault for that, because what is clear here is that this did not need to happen.

And it also makes the perfect argument for employer-supplied laptops if people work from home. Those laptops of course need to be locked down so employees cannot install anything that they want, and they have to be encrypted to protect sensitive data, preferably using self-encrypting drives, which are commonplace today. And multi-factor authentication needs to be present as well so that it is extremely hard for a threat actor to break into the laptop and steal data. Because if you control the platforms that your employees use, and you make them as tough to hack as possible, it’s less likely that bad things will happen to you.

LastPass Admit That They Have Been Pwned Yet AGAIN

Posted in Commentary with tags on February 28, 2023 by itnerd

LastPass has notified customers of a second attack which resulted in the breach of encrypted password vaults. This second incident, resulting in the threat actor making use of information exfiltrated during the first incident to exfiltrate corporate data from cloud storage resources, was caused by one of their DevOps engineers’ personal home computers being hacked.

Sharon Nachshony, Security Researcher at Silverfort had this to say:

“Given the number of people who rely on LastPass it’s easy to pass quick judgment on back-to-back incidents, however, what this really shows is the difficulty of detecting attacks that use seemingly legitimate, yet stolen, credentials. By obtaining these credentials, the threat actor was able to masquerade as a highly trusted user, giving them the freedom to pivot into the cloud storage environment.

The corporate vaults holding privileged credentials often become a single point of failure. Given enough reconnaissance time a motivated attacker will try to understand how to compromise such vaults because, once they have such credentials, it’s like having a VIP pass to corporate resources. In the case of this attack, an additional layer of MFA to authenticate into the cloud storage environment may have provided additional protection.”

If you’re a LastPass user, the company strongly advises you to change all your passwords stored on the platform. The master password for the LastPass vault should also be changed. But if you’re asking me what you should do, I would suggest dumping LastPass completely on top of changing all your credentials immediately. It’s pretty clear that LastPass isn’t secure based on their recent history of being pwned, and has no path to become secure anytime soon. Thus moving your passwords off their service with urgency is your best course of action.

Rival Password Manager 1Password And A Security Researcher Call Out LastPass…. As They Should

Posted in Commentary with tags on December 29, 2022 by itnerd

The issues with LastPass and their habit of getting pwned and having customer data in the wild are a big deal, as the data in question happen to be customers’ passwords for their online lives. But LastPass has played this down by saying this:

If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.

Well, this didn’t go over well with Wladimir Palant who picked apart what was said by LastPass and said this:

Their statement is also full of omissions, half-truths and outright lies. As I know that not everyone can see through all of it, I thought that I would pick out a bunch of sentences from this statement and give some context that LastPass didn’t want to mention.

I encourage you to read the full post as Palant really rips into LastPass in a systematic way that makes it crystal clear why he feels the way he does. But he’s not the only one. 1Password has piled on with their own statement. And it’s damning:

That “millions of years” claim appears to rely on the assumption that the LastPass user’s 12-character password was generated through a completely random process. Passwords created by humans come nowhere near meeting that requirement. As I have been saying for more than a decade, humans just can’t create high-entropy passwords. Seemingly clever schemes to create passwords with a mix of letters, digits, and symbols do more harm than good.

Unless your password was created by a good password generator, it is crackable.

Translation: LastPass users may be in deep trouble according to 1Password.
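The two statements above turn on the same arithmetic: the LastPass post from January 2024 (12-character minimum plus higher PBKDF2 iteration counts) and 1Password’s point that “millions of years” only holds for a password that was generated randomly. The following Python is an added example written for this page; it is not code from LastPass, 1Password or Wladimir Palant. It derives a vault key with PBKDF2-HMAC-SHA256 and then estimates how long exhausting the candidate space would take for a random 12-character password versus a dictionary-shaped human one. The iteration counts, the attacker throughput of 1e10 HMACs per second, the 94-symbol alphabet and the dictionary and mangling-rule sizes are all constructed assumptions, not LastPass’s actual settings or measured cracking rates.

```python
"""Why minimum master-password length and PBKDF2 iteration counts matter.

Added example, not LastPass's or 1Password's code. Every rate and count
below is a constructed assumption chosen to illustrate the reasoning.
"""
import hashlib
import math
import secrets
import string

# Assumed alphabet a password generator draws from: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed iteration counts to compare; NOT LastPass's actual settings.
ITERATION_COUNTS = (5_000, 100_100, 600_000)

# Assumed attacker throughput in HMAC-SHA256 computations per second.
# A made-up round number; real figures depend on the hardware used.
ASSUMED_HMAC_PER_SECOND = 1e10

# The minimum the LastPass post says is now enforced.
MIN_MASTER_PASSWORD_LENGTH = 12

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    Each iteration is one more HMAC an attacker must compute per guess, so a
    higher count raises the cost of attacking a stolen vault offline.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def meets_length_policy(master_password: str,
                        minimum: int = MIN_MASTER_PASSWORD_LENGTH) -> bool:
    """Enforce the 12-character minimum described in the LastPass post."""
    return len(master_password) >= minimum


def random_password(length: int = MIN_MASTER_PASSWORD_LENGTH) -> str:
    """Generate a password from the OS CSPRNG so every position carries full entropy."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_password_candidates(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Search space for a uniformly random password of the given length."""
    return alphabet_size ** length


def human_password_candidates(dictionary_words: int = 1_000_000,
                              mangling_rules: int = 10_000) -> int:
    """Rough search space for a human-chosen password: a dictionary word plus
    a predictable tweak (capitalise, append digits, substitute symbols).
    Both sizes are constructed assumptions."""
    return dictionary_words * mangling_rules


def entropy_bits(candidates: int) -> float:
    """Bits of entropy equivalent to a search space of `candidates` guesses."""
    return math.log2(candidates)


def seconds_to_exhaust(candidates: int, iterations: int,
                       hmac_per_second: float = ASSUMED_HMAC_PER_SECOND) -> float:
    """Time to try every candidate when each guess costs `iterations` HMACs."""
    return candidates * iterations / hmac_per_second


def years_to_exhaust(candidates: int, iterations: int) -> float:
    return seconds_to_exhaust(candidates, iterations) / SECONDS_PER_YEAR


def compare_policies() -> dict:
    """Map (scenario, iterations) -> years to exhaust the search space."""
    results = {}
    for iterations in ITERATION_COUNTS:
        results[("random_12", iterations)] = years_to_exhaust(
            random_password_candidates(MIN_MASTER_PASSWORD_LENGTH), iterations)
        results[("human", iterations)] = years_to_exhaust(
            human_password_candidates(), iterations)
    return results


if __name__ == "__main__":
    salt = secrets.token_bytes(16)          # constructed per-user salt
    pw = random_password()
    print(f"generated {pw!r}, meets length policy: {meets_length_policy(pw)}")
    print(f"random 12-char entropy: {entropy_bits(random_password_candidates(12)):.1f} bits")
    print(f"dictionary-shaped entropy: {entropy_bits(human_password_candidates()):.1f} bits")
    for iterations in ITERATION_COUNTS:
        key = derive_vault_key(pw, salt, iterations)
        print(f"{iterations:>7} iterations -> key {key.hex()[:16]}...")
    for (scenario, iterations), years in sorted(compare_policies().items()):
        print(f"{scenario:>10} @ {iterations:>7} iterations: {years:.3g} years")
```

Under these assumptions the random 12-character password stays in the “hundreds of billions of years” range at every iteration count, while the dictionary-shaped password falls to days even at the highest count. That is the gap 1Password is pointing at: the iteration increase helps, but it cannot rescue a low-entropy master password, which is why the advice on this page is to rotate every stored credential rather than rely on the KDF.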

The fact is LastPass really dropped themselves in it. As a result, I am now of the belief that LastPass users should do the following in this order:

  • Turn on two-factor authentication for as many of your accounts as possible, particularly high-value accounts like your email, financial services, and highly used social media accounts.
  • Change all the passwords that are stored in LastPass for every online service that you have to something totally different. Starting with high-value accounts like your email, financial services, and highly used social media accounts.
  • Stop using LastPass and delete all LastPass data.
  • Switch to a password manager that is either local and encrypted, or in the cloud under your control and encrypted. I use eWallet which supports both use cases. But 1Password and BitWarden are other options.

The fact is that LastPass users are in immediate danger as highlighted by 1Password and by Wladimir Palant, and they need to take immediate action to protect themselves. Because clearly LastPass can’t keep them safe.

LastPass Pwned Again…. Threat Actors Stole Source Code

Posted in Commentary with tags on August 29, 2022 by itnerd

A year ago, LastPass appeared to have been pwned by hackers. But the company denied it and that really clouded the issue. Personally I think they were pwned. But there’s no smoking gun to speak of. However as of this morning, I can say that LastPass absolutely was pwned by hackers last week:

Earlier this week, LastPass started notifying its users of a “recent security incident” where an “unauthorized party” used a compromised developer account to access parts of its password manager’s source code and “some proprietary LastPass technical information.” In a letter to its users, the company’s CEO Karim Toubba explains that its investigation hasn’t turned up evidence that any user data or encrypted passwords were accessed.

Toubba continues on to explain that the company has “implemented additional enhanced security measures” after containing the breach, which it detected two weeks ago. The company wouldn’t comment on how long the breach had been going on before it was detected.

Well, this is not a good look for a company that is responsible for securing your passwords. And while grabbing source code doesn’t mean that everyone is in deep trouble immediately, it may mean potential problems for LastPass down the road.

This is a story that is worth keeping an eye on.

Is LastPass Down? That Depends On Who You Ask…. [UPDATED]

Posted in Commentary with tags on January 21, 2020 by itnerd

LastPass has been suffering from a major outage as users are reporting being unable to log into their accounts and autofill passwords. What’s odd is the company insists that everything is working properly, even though there’s an unusually high number of users reporting issues:

User reports about login issues have been flooding Twitter, but also the company’s forum, Reddit, and DownDetector. Users are reporting receiving the following error when trying to log in: “An error has occurred while contacting the LastPass server. Please try again later.” Both home and enterprise users are impacted. According to reports, LastPass’ support staff has been either non-responsive, or denying reports of any technical issue happening at all. Despite issues being reported as far back as three days, the company has not updated its status page to reflect the incident, nor have they provided any type of explanation or useful help to their userbase.

According to multiple users on Twitter, the problems appear to impact only users with LastPass accounts dating to 2014, or prior. On DownDetector, a company spokesperson said the company was still investigating the incident, stating that there are no glaring issues with its servers, which suggests the roots of this outage might be in a software component. “We are aware of and actively investigating reports from some LastPass customers who are experiencing issues and receiving errors when attempting to log in. At this time no service issues have been identified.” Contacted by ZDNet, the company described the outage as “an isolated issue with limited impact” and said that “engineers are working to resolve the issue.”

I had a look at Twitter and there’s lots of evidence implying that whatever issue LastPass is having is not one that has a “limited impact”, as exhibited by this Tweet:

However, there’s this that seems to imply that this is a bit overblown as per this Tweet:

So it isn’t clear if this is still an issue, or if this is overblown. I’m going to watch this, but if you have any feedback on this, please leave a comment as I am sure that lots of users of LastPass would like some clarity.

UPDATE: This article suggests that the issue is resolved. But I am also seeing Tweets like this:

That to me implies that the issue isn’t 100% solved. But I would love to hear from LastPass users to confirm if this issue is actually resolved.

LastPass Seems To Have A Security Problem

Posted in Commentary with tags on March 22, 2017 by itnerd

The news is out that password manager LastPass has some critical security flaws that allow malicious websites to steal passwords. The first flaw was spotted by Tavis Ormandy of Google’s Project Zero security team. He found that the LastPass Chrome extension has a content script that malicious webpages can exploit to extract usernames and passwords. The good news is the LastPass folks quickly fixed this flaw. The bad news is that Firefox users are not immune, as a similar flaw was found in an extension for that browser:

There is apparently a fix for this on the way. On top of that, LastPass is recommending that you move to version 4.x of their Firefox extension. However, before you do, you might want to read this from Mr. Ormandy:

https://twitter.com/taviso/status/844312124541186048

It really seems that LastPass has some serious holes in it at present. Hopefully this all gets patched quickly. But you may want to consider moving to another password manager if you feel the least bit insecure.