cancel
Showing results for 
Search instead for 
Did you mean: 
JanSteenbeek
Active Contributor

Security Incident and Shared Folders

We are trying to assess our risks in the breach reported yesterday. We make extensive use of Shared Folders in our organization. 

 

Are the Shared Folders included in the breach readable with the Master Password for each and every account that has access to the Folder? Or is breaking the Master Password of the account that has created the Shared Folder required?

17 REPLIES 17
bbechard
Active Contributor

Re: Security Incident and Shared Folders

hello??  anyone?  does LastPass monitor these questions?

IT_Trev
New Contributor

Re: Security Incident and Shared Folders

yes, did the shared folders get downloaded, or just individual user data?  Without you answering, we must assume ALL data was taken

PhilFIT
Active Contributor

Re: Security Incident and Shared Folders

I do not know if Shared Data is stored in the vault files or if it was included in the leaked data, but I do know how it's encrypted because it's in the whitepaper

https://support.lastpass.com/download/lastpass-technical-whitepaper

 

So many of the questions asked on this forum are answered in the whitepaper.

It uses public key cryptography. Without going into the encryption details on this, that basically means that if the shared folder data was leaked along with the vault and the hacker is able to break the encryption due to a weak password, then the shared data is also compromised.

For large organizations this is especially scary because the security of that shared data is only as secure as the weakest password in the org. So it would be a good time to review the enforced policies and make sure you're enforcing something like a 14 character or longer password or switch to federation.

bbechard
Active Contributor

Re: Security Incident and Shared Folders

Shared folders were taken along with everything else. Shared folders are encrypted using the master password and password iterations of the person that created the folder. And no, not all accounts prior to 2019 were migrated from 5000 password iterations to 100100. About 50% of ours were not. Another lie from LastPass.
PhilFIT
Active Contributor

Re: Security Incident and Shared Folders

Interesting, where did you find this out? How can you determine how many iterations the shared folders are encrypted with? I was just looking at attempting to decrypt my local vault file to see what kind of effort it would take when set to a random 300,000+ iterations.
bbechard
Active Contributor

Re: Security Incident and Shared Folders

Took getting through several levels of support. And there’s no way you or they can tell you who created the folder, the password strength at the time the info was stolen or password iterations. Good logging and reporting there. But if you have older accounts I’d suggest doing some research to see if any account or shared folder might be vulnerable. 5000 iterations with a password of 40 bit entropy can be broken in 4 days with last years graphic card….
JanSteenbeek
Active Contributor

Re: Security Incident and Shared Folders

Thanks for sharing what you got from support, very useful! Still would like to get confirmation from LP whether each and every account added to a shared folder is in fact a road into that shared folder. For now we'll assume the the account with the weakest password and iterations that has had access to a shared folder determines its exposure.

bbechard
Active Contributor

Re: Security Incident and Shared Folders

just the account used to create the folder is used.  so if you know a shared folder was created by a user whose password iterations were at least 100,100 and 12+ character passwords, than that folder is fine.  but if you don't know, and you have older accounts that are less than what's above, than you are better off changing all the passwords and moving them to a new folder.  which is what we are doing.  we have so far found 3 accounts till set for 5000 iterations and all 3 may have been used to created folders.  there's no way to know who created a folder or when it was created.  even Lastpass can't pull that info.  

AKHBGT
Contributor

Re: Security Incident and Shared Folders

If the folder was migrated from an older user to a newer user (by doing a removal of user account and migrating them to an existing account) who had more password iterations, did it keep the old password iterations of the previous vault user or the current one? Guess it's anyone's guess.