Product Communities
Sign In Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Getting started | Community guidelines
JanSteenbeek
Active Contributor

Security Incident and Shared Folders

We are trying to assess our risks in the breach reported yesterday. We make extensive use of Shared Folders in our organization. 

 

Are the Shared Folders included in the breach readable with the Master Password for each and every account that has access to the Folder? Or is breaking the Master Password of the account that has created the Shared Folder required?

‎12-23-2022 07:30 AM
Labels:
Reply
17 REPLIES 17
bbechard
Active Contributor

Re: Security Incident and Shared Folders

hello??  anyone?  does LastPass monitor these questions?

‎12-27-2022 04:51 PM
Reply
IT_Trev
New Member

Re: Security Incident and Shared Folders

yes, did the shared folders get downloaded, or just individual user data?  Without you answering, we must assume ALL data was taken

‎12-28-2022 07:43 PM
0 Kudos
Reply
PhilFIT
Active Contributor

Re: Security Incident and Shared Folders

I do not know if Shared Data is stored in the vault files or if it was included in the leaked data, but I do know how it's encrypted because it's in the whitepaper

https://support.lastpass.com/download/lastpass-technical-whitepaper

 

So many of the questions asked on this forum are answered in the whitepaper.

It uses public key cryptography. Without going into the encryption details on this, that basically means that if the shared folder data was leaked along with the vault and the hacker is able to break the encryption due to a weak password, then the shared data is also compromised.

For large organizations this is especially scary because the security of that shared data is only as secure as the weakest password in the org. So it would be a good time to review the enforced policies and make sure you're enforcing something like a 14 character or longer password or switch to federation.

‎12-30-2022 02:08 PM
0 Kudos
Reply
bbechard
Active Contributor

Re: Security Incident and Shared Folders

Shared folders were taken along with everything else. Shared folders are encrypted using the master password and password iterations of the person that created the folder. And no, not all accounts prior to 2019 were migrated from 5000 password iterations to 100100. About 50% of ours were not. Another lie from LastPass.
‎12-30-2022 02:35 PM
0 Kudos
Reply
PhilFIT
Active Contributor

Re: Security Incident and Shared Folders

Interesting, where did you find this out? How can you determine how many iterations the shared folders are encrypted with? I was just looking at attempting to decrypt my local vault file to see what kind of effort it would take when set to a random 300,000+ iterations.
‎12-30-2022 02:40 PM
0 Kudos
Reply
bbechard
Active Contributor

Re: Security Incident and Shared Folders

Took getting through several levels of support. And there’s no way you or they can tell you who created the folder, the password strength at the time the info was stolen or password iterations. Good logging and reporting there. But if you have older accounts I’d suggest doing some research to see if any account or shared folder might be vulnerable. 5000 iterations with a password of 40 bit entropy can be broken in 4 days with last years graphic card….
‎12-30-2022 02:46 PM
Reply
JanSteenbeek
Active Contributor

Re: Security Incident and Shared Folders

Thanks for sharing what you got from support, very useful! Still would like to get confirmation from LP whether each and every account added to a shared folder is in fact a road into that shared folder. For now we'll assume the the account with the weakest password and iterations that has had access to a shared folder determines its exposure.

‎01-04-2023 06:22 AM
0 Kudos
Reply
bbechard
Active Contributor

Re: Security Incident and Shared Folders

just the account used to create the folder is used.  so if you know a shared folder was created by a user whose password iterations were at least 100,100 and 12+ character passwords, than that folder is fine.  but if you don't know, and you have older accounts that are less than what's above, than you are better off changing all the passwords and moving them to a new folder.  which is what we are doing.  we have so far found 3 accounts till set for 5000 iterations and all 3 may have been used to created folders.  there's no way to know who created a folder or when it was created.  even Lastpass can't pull that info.  

‎01-04-2023 10:36 AM
0 Kudos
Reply
AKHBGT
Contributor

Re: Security Incident and Shared Folders

If the folder was migrated from an older user to a newer user (by doing a removal of user account and migrating them to an existing account) who had more password iterations, did it keep the old password iterations of the previous vault user or the current one? Guess it's anyone's guess.
‎01-04-2023 04:47 PM
0 Kudos
Reply
About Us
Terms of Service
NEW Privacy Policy
Trademark
© 2023 LogMeIn, Inc. All Rights Reserved