sven858
Active Contributor

Clear communication about the impact of the incident

I think it would be greatly beneficial to have a central point of clear communication without any "biased wording" (like "sensitive fields" telling us, what fields are considered "sensitive"). Please comment with corrections when I am wrong with one of my assumptions.

Some "facts" as I understood them and how I would communicate them:

  • In the incident, backups of ALL vaults have been copied by the attacker. So: ALL vaults are at risk
  • The risk for a non-federated user is HIGH, because the encryption key is derived from the master password in this case. There is no enforcement of complex master passwords. A weak password might result in a successful dictionary attack in minutes. You might have a look at "https://support.1password.com/pbkdf2/". I don't like 1password, but they have this estimation about the cost of password cracking. According to that table, "2wd74wmq" can be broken for about 770 USD; to break "Best0jogh2gno" would take about 220,000 USD, and to break "slain9dynast5try6punch8licensee" would cost about 14,000,000,000,000,000 USD.
  • The risk for a long-term user is also HIGH, because it seems that not all vaults have been updated to 100100 iterations for key derivation.
    • You can look up the iterations in the account settings after clicking on "show advanced settings". 100100 is "good", 5000 means: "you definitely want to change all your passwords and your master password NOW".
    • IF there are backups of old vaults with 5000 iterations and the same master password, this means: "you definitely want to change all your passwords and your master password NOW"
  • The risk for users of "federated login" is LOW, because they are NOT using "user defined master passwords", but a machine-generated master password that is split into two pieces, of which one part is stored at LastPass while the other is stored in your identity provider (e.g., Azure AD). This means that with "federated login", you have a strong master password that is extremely expensive to attack.
  • Even for the best master password: all URLs have been exposed for all vaults, because LastPass considers this information as "non-sensitive".
    • This means: the attacker already knows that I have an account at "amazon.de".
    • Websites like Amazon are not a problem, but websites that have a specific medical context are. You don't want others to know what type of mental or physical health issues you are dealing with.

What I still don’t know:

  • What fields are protected and what fields are not? What is with user defined fields?
  • Attachments are stored on AWS S3 – have they been copied as well? How EXACTLY are they protected / encrypted?
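As an added illustration of the iteration-count point in the post above (example code, not from the thread, not LastPass's own code), the block below derives a key from a master password with PBKDF2-HMAC-SHA256 at the two iteration counts the post names and computes how the expected offline guessing work scales with password entropy and iterations. The salt, the assumed character set and the "legacy"/"current" labels are constructed for the example; the sample password is the weak one quoted from the 1Password table.

```python
import hashlib
import math

# Constructed sample values for illustration only; they are not from the thread
# and are not real account data.
SAMPLE_PASSWORD = "2wd74wmq"          # the weak example password quoted in the post
SAMPLE_SALT = b"user@example.com"     # placeholder salt; real deployments salt per account

# Iteration counts named in the post: the old default and the current one.
LEGACY_ITERATIONS = 5000
CURRENT_ITERATIONS = 100100


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte key from a master password with PBKDF2-HMAC-SHA256.

    This mirrors the mechanism the post describes (key derived from the master
    password, work set by the iteration count); it is a generic PBKDF2 call,
    not LastPass's own implementation.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def classify_iterations(iterations: int) -> str:
    """Map an account's advertised iteration count to the post's two buckets."""
    return "current" if iterations >= CURRENT_ITERATIONS else "legacy"


def password_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def expected_guesses(charset_size: int, length: int) -> int:
    """Average number of candidates tried before a random password is hit."""
    return charset_size ** length // 2


def expected_pbkdf2_work(charset_size: int, length: int, iterations: int) -> int:
    """Expected HMAC invocations: every guess costs `iterations` HMAC calls.

    Offline guessing cost is linear in the iteration count, so a vault copy
    taken at 5000 iterations is about 20x cheaper to attack than one at 100100.
    """
    return expected_guesses(charset_size, length) * iterations


def work_multiplier(old_iterations: int, new_iterations: int) -> float:
    """How many times more work per guess the higher iteration count imposes."""
    return new_iterations / old_iterations


if __name__ == "__main__":
    for iters in (LEGACY_ITERATIONS, CURRENT_ITERATIONS):
        key = derive_vault_key(SAMPLE_PASSWORD, SAMPLE_SALT, iters)
        print(f"{iters:>6} iterations ({classify_iterations(iters)}): key {key.hex()[:16]}...")
    # Assume the sample password was drawn from lowercase letters and digits (36 symbols).
    bits = password_bits(36, len(SAMPLE_PASSWORD))
    print(f"'{SAMPLE_PASSWORD}' from [a-z0-9]: {bits:.1f} bits, "
          f"{expected_guesses(36, len(SAMPLE_PASSWORD)):,} expected guesses")
    print(f"raising iterations {LEGACY_ITERATIONS}->{CURRENT_ITERATIONS} multiplies "
          f"per-guess work by {work_multiplier(LEGACY_ITERATIONS, CURRENT_ITERATIONS):.2f}")
```

The takeaway for triage is in the last two numbers: the iteration count changes the cost per guess by a fixed factor (about 20x here), while every extra random character multiplies the number of guesses by the size of the character set, which is why the post's advice is to rotate both the master password and the stored credentials for any vault that was ever backed up at 5000 iterations.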
lolphirae
Contributor

Re: Clear communication about the impact of the incident

According to this, the vast majority of the fields are plaintext.

https://github.com/cfbao/lastpass-vault-parser/wiki/LastPass-Vault-Format

AKHBGT
Contributor

Re: Clear communication about the impact of the incident

Overall very unimpressed with the way communication has been presented to folks about what steps we should be taking first and in which order, making us have to figure these out on our own.

How do I report on who is using the unencrypted fields and could have put passphrases in there by accident?

Do I now have to run a report on every user to find out every URL they may have been using that may appear to be the most "attractive" to go after hacking the associated information?

Unimpressed overall.