LastPass had a security breach today. Let’s decipher their blog post and see exactly what happened, and if you should be worried:
What was stolen and when?
We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
The bad guys got away with enough information (email addresses, per-user salts and authentication hashes) to try to crack master passwords offline. They’ve had this information for 3 days. That’s plenty of time to crack the bad passwords.
Who might be at risk because of this LastPass security breach?
If you have a poor master password, you should be worried. You should change your password to one that follows the 4 rules. What is poor?
- Anything 8 characters or less, no matter how gibberishy it looks, can be cracked in a few hours or less
- Anything made of only a few regular dictionary words
- Anything that is already a popular password (e.g. 123456, password, qwerty…) can be cracked instantly. I don’t think LastPass allows these stupid passwords, though.
Someone with a poor password might consider changing all of their vault passwords.
Because the attackers got email addresses, phishing emails are highly likely! Do not click on any links in an email that looks like it came from LastPass.
If your password hint was obvious (“rhymes with assword”) they’ve got your master password. Change everything.
See also my blog post, how safe is my password?
We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
What protections did they have in place on your vault?
“Vast majority of users” refers to everyone who has a good password. PBKDF2-SHA256 is a deliberately slow, iterated hash algorithm (a key derivation function) that scrambles the master password. Think of a hash algorithm as a very precise way to beat an egg. There’s no way to unscramble the egg, and every time you run the algorithm it’s like beating the egg one more time. They ran that hash scrambling algorithm 100,000 times on your password, which is like asking the computer to beat the egg 100,000 times. Why so many times? To deter brute force attacks. Every time a computer tries to guess a password, it has to run that dang hash algorithm 100,000 times. It greatly slows the process down. The random per-user salt means the same password produces a different hash for every user, so the attacker cannot crack everyone at once with one precomputed table.
It’s important to realize that your master password was NOT stored on the site. Only its hash was. This is how every website should operate (most do, some still do not). When you enter your password to log in, they run the hash function 100,000 times and compare the scrambled output with the hash they have stored. If they match, they let you in. Neat trick.
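Here is a small model of the scheme described above, as an added example that is not LastPass’s own code: the master password is stretched client-side, the server adds a random per-user salt and 100,000 rounds of PBKDF2-SHA256, and login recomputes the same rounds and compares hashes. The client-side round count (5,000) and the use of the email address as the client-side salt are assumptions for illustration; the page only says rounds are also performed client-side. The last function turns the measured cost of one guess into the time an attacker holding the stolen (email, salt, hash) record would need to exhaust a given keyspace, which is the whole point of the 100,000 rounds.

```python
import hashlib
import hmac
import os
import time

# Assumed for illustration: the page does not give the client-side round count.
CLIENT_ROUNDS = 5_000
# Stated on the page: 100,000 rounds of server-side PBKDF2-SHA256.
SERVER_ROUNDS = 100_000


def client_auth_hash(email: str, master_password: str) -> bytes:
    """Client-side step (modelled): stretch the master password in the browser
    so the server never receives the master password itself. Salting with the
    email address here is an assumption, not something the page states."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), email.encode("utf-8"), CLIENT_ROUNDS
    )


def server_store(auth_hash: bytes, per_user_salt: bytes = None):
    """Server side: draw a random per-user salt and run another 100,000 rounds.
    Only (salt, stored_hash) is written to the database; together with the
    email address, this pair is what the breach exposed."""
    if per_user_salt is None:
        per_user_salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, SERVER_ROUNDS)
    return per_user_salt, stored


def server_verify(auth_hash: bytes, per_user_salt: bytes, stored_hash: bytes) -> bool:
    """Login check: recompute the 100,000 rounds over the client hash and
    compare in constant time, so timing does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored_hash)


def seconds_per_guess(email: str, per_user_salt: bytes, stored_hash: bytes) -> float:
    """Measure what one full guess costs on this machine: an attacker with the
    stolen record must run both the client and the server rounds per candidate."""
    start = time.perf_counter()
    server_verify(client_auth_hash(email, "not-the-password"), per_user_salt, stored_hash)
    return time.perf_counter() - start


def seconds_to_exhaust(keyspace_size: int, cost_per_guess: float) -> float:
    """Worst-case time to try every candidate in a keyspace on a single core."""
    return keyspace_size * cost_per_guess


if __name__ == "__main__":
    # Constructed sample account; not real data.
    email = "alice@example.com"
    salt, stored = server_store(client_auth_hash(email, "correct horse battery staple"))

    print("good password accepted:", server_verify(client_auth_hash(email, "correct horse battery staple"), salt, stored))
    print("wrong password rejected:", not server_verify(client_auth_hash(email, "password"), salt, stored))

    cost = seconds_per_guess(email, salt, stored)
    print(f"one guess costs about {cost * 1000:.1f} ms here")
    # 8 lowercase letters: 26**8 candidates, worst case, single core.
    print(f"8 lowercase letters, worst case: {seconds_to_exhaust(26 ** 8, cost) / 86400:.0f} days")
```

Run it once to see that the same password stored twice yields different hashes (different salts), and that the per-guess cost is tens of milliseconds rather than microseconds; a plain unsalted SHA-256 would make the same 8-letter search a matter of minutes on commodity hardware.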
Anything else they are doing to mitigate this LastPass security breach?
Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
The bad guys will not be able to use your computer, and therefore your IP address, to log in. Any nefarious logins will be coming from somewhere else. If the LastPass server sees a login coming from a new computer, it might be you, or it might be the bad guys. To be sure it’s you, they will email you.
Any other dangers?
An email is also being sent to all users regarding this security incident. We will also be prompting all users to change their master passwords. You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites.
I sure hope none of my readers reused their LastPass master password on other sites. NEVER reuse any password. Ever.
I’m not sure why they think you don’t need to update your master password until they suggest it. Maybe they are adjusting the hashing algorithms or the number of iterations your master password gets ground through the hash? Again, beware the phishing attacks. I can just see the emails coming – click this link to update your master password. That will be the end. Someone will fall for that, make sure it’s not you.
I suggest that you change your master password now to something similar to your original password. Then when they give the green light, change it again to something completely different.
Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.
If the encrypted data were also stolen in this LastPass security breach, the bad guys could do all their work entirely offline. They could hammer away at your master password until it cracked (could take decades for the best master passwords that follow the 4 rules), and then use that password to unlock all the rest of your passwords. But the encrypted user data was NOT taken, so no worries there.
Multifactor, aka 2-factor authentication, aka 2FA, is highly recommended for important accounts such as password managers, banks, and business accounts.
Security and privacy are our top concerns here at LastPass. Over the years, we have been and continue to be dedicated to transparency and proactive measures to protect our users. In addition to the above steps, we’re working with the authorities and security forensic experts.
We apologize for the extra steps of verifying your account and updating your master password, but ultimately believe this will provide you better protection. Thank you for your understanding and support.
& the LastPass Team
So thanks to LastPass for coming forward with this relatively quickly. It’s important to have all the information before such a press release instead of instilling panic and having to revise their story.
It’s also important to note that everyone is being attacked. Although some network flaw somewhere allowed the attackers entry, causing this LastPass security breach, this is not just a LastPass problem. I guarantee you many more attackers are trying to get into all the password manager companies.
Again, the people who should be the most worried are the ones with poor master passwords or obvious password hints. If this is the case, they should change all the passwords in their vault. Or if their master password was used anywhere else online, change every instance of that password.