We are trying to assess our risks in the breach reported yesterday. We make extensive use of Shared Folders in our organization.
Are the Shared Folders included in the breach readable with the Master Password for each and every account that has access to the Folder? Or is breaking the Master Password of the account that has created the Shared Folder required?
I do not know if Shared Data is stored in the vault files or if it was included in the leaked data, but I do know how it's encrypted because it's in the whitepaper
So many of the questions asked on this forum are answered in the whitepaper.
It uses public key cryptography. Without going into the encryption details on this, that basically means that if the shared folder data was leaked along with the vault and the hacker is able to break the encryption due to a weak password, then the shared data is also compromised.
For large organizations this is especially scary because the security of that shared data is only as secure as the weakest password in the org. So it would be a good time to review the enforced policies and make sure you're enforcing something like a 14 character or longer password or switch to federation.
Thanks for sharing what you got from support, very useful! Still would like to get confirmation from LP whether each and every account added to a shared folder is in fact a road into that shared folder. For now we'll assume the the account with the weakest password and iterations that has had access to a shared folder determines its exposure.
just the account used to create the folder is used. so if you know a shared folder was created by a user whose password iterations were at least 100,100 and 12+ character passwords, than that folder is fine. but if you don't know, and you have older accounts that are less than what's above, than you are better off changing all the passwords and moving them to a new folder. which is what we are doing. we have so far found 3 accounts till set for 5000 iterations and all 3 may have been used to created folders. there's no way to know who created a folder or when it was created. even Lastpass can't pull that info.