I don't fully get how this is supposed to work.
Why do Shared Folders have their own iteration count? Are these basically separate vaults? Where are the passwords for these vaults coming from? Is there some kind of automatic password generation going on behind the scenes?
We're just updating everything in Shared Folders now, so my open questions are more out of academic interest than business need.
I'll be filing a ticket to get an official response. Will share what I can here to help others.
Did they file an FR for any of your questions that they could not answer or provide guidance on?
I've placed a ticket as well, looking for some more concrete answers, and anything they can't answer will get filed into an FR as far as I am concerned. Want it on the record that it's been requested.
When a shared folder is created it uses the master password and iteration count of the person that created it. Presumably, if the master password or iteration count is changed, the person's vault and any owned shared folders would get updated. If that user is deleted, their shared folders end up being orphaned, in that they will continue to exist but there is no way to update them with a new master password and such.
When a shared folder is created it uses the master password and iteration count of the person that created it.
^Yep, we assumed that too, and asked them specifically to confirm that.
Presumably, if the master password or iteration count is changed, the person's vault and any owned shared folders would get updated.
^This is where I got a little less trusting of the automatic knee-jerk answer we received, and asked for something in writing from T3 or Engineering that confirms or disputes this.
If that user is deleted, their shared folders end up being orphaned, in that they will continue to exist but there is no way to update them with a new master password and such.
^We received an even more vague answer on this one, so we asked for something in writing from T3 or Engineering that confirms or disputes this.
When a shared folder is created it uses the master password and iteration count of the person that created it.
^Yep, we assumed that too, and asked them specifically to confirm that.
^^ If that's true, how do other users access the folder? They might have access to the iteration count, but surely not the master password of the user that created the shared folder?
I would have assumed an extra stand-alone decryption key was generated similar to e2e encrypted group chats in whatsapp and signal.
The response (edited) that we received from support re: Shared Folders:
The backup that was copied included an intact backup of all customer information and vaults of all LastPass users as of September 22, 2022. So, if a user had a low iteration count, it means that the shared folder was affected on this user's behalf. In this case, we do recommend that the passwords stored in those shared folders are now updated. I understand that you have no record or history of which users changed their iteration count, so our best suggestion is to progressively change all of the passwords for those items stored within shared folders.
So, we are now assuming anything in a Shared Folder is at risk, which is how we were first approaching that. Sounds like Shared Folder passwords were saved with local user's password iterations, not the user who created the Shared Folder.
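As an added example (this is not code from the thread, from LastPass, or from the support response above), the following script illustrates the two points the thread turns on: why a low KDF iteration count matters once an attacker holds a stolen copy of an encrypted vault, and how to triage shared folders by the iteration count of the user that created them, including the "orphaned" case where the creator no longer exists. Everything below is an assumption for illustration: the KDF (PBKDF2-HMAC-SHA256 with the account email as salt), the 100,000-iteration threshold, and the user and folder records, which are constructed sample data. It does not claim to reproduce any vendor's actual vault format or shared-folder key handling.

```python
"""Added example, not from the forum thread or any vendor's code.

Assumptions (not facts from the thread): the vault key is derived with
PBKDF2-HMAC-SHA256 using the account email as a public salt, a shared
folder is protected under its creator's derived key, and anything below
100,000 iterations counts as "low". Sample users/folders are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

KDF_HASH = "sha256"
KEY_LEN = 32


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 vault key. The email salt is public, so the only
    per-guess cost an attacker pays is `iterations` HMAC evaluations."""
    return hashlib.pbkdf2_hmac(
        KDF_HASH, master_password.encode(), email.lower().encode(), iterations, KEY_LEN
    )


def offline_guess_work(
    iterations: int, candidates: Iterable[str], email: str, target_key: bytes
) -> Tuple[Optional[str], int]:
    """Simulate an attacker who holds the stolen vault blob and guesses offline.

    Returns (recovered_password or None, approximate HMAC evaluations spent).
    Work grows linearly with the iteration count, which is why a low count
    on the creator's account weakens every folder derived from it."""
    hmac_calls = 0
    for guess in candidates:
        hmac_calls += iterations  # one PBKDF2 run costs ~iterations HMACs
        if derive_vault_key(guess, email, iterations) == target_key:
            return guess, hmac_calls
    return None, hmac_calls


def cost_ratio(low_iterations: int, high_iterations: int) -> float:
    """How many times cheaper a guess is at the low count than at the high one."""
    return high_iterations / low_iterations


@dataclass(frozen=True)
class User:
    email: str
    iterations: int


@dataclass(frozen=True)
class SharedFolder:
    name: str
    creator_email: str


def triage_shared_folders(
    users: Iterable[User], folders: Iterable[SharedFolder], min_iterations: int = 100_000
) -> dict:
    """Classify folders by their creator's iteration count.

    'low'      -> creator exists but is below the threshold (rotate first)
    'orphaned' -> creator account no longer exists, so the folder's key
                  parameters can never be raised (rotate, then recreate)
    'ok'       -> creator is at or above the threshold"""
    by_email = {u.email.lower(): u for u in users}
    result = {"low": [], "orphaned": [], "ok": []}
    for f in folders:
        creator = by_email.get(f.creator_email.lower())
        if creator is None:
            result["orphaned"].append(f.name)
        elif creator.iterations < min_iterations:
            result["low"].append(f.name)
        else:
            result["ok"].append(f.name)
    return result


if __name__ == "__main__":
    email = "alice@example.com"  # constructed sample account
    wordlist = ["password", "letmein", "hunter2"]  # constructed sample guesses
    for iters in (500, 100_100):
        target = derive_vault_key("hunter2", email, iters)
        found, work = offline_guess_work(iters, wordlist, email, target)
        print(f"{iters:>7} iterations: recovered={found!r}, HMAC work={work}")
    print("cost ratio 500 vs 100100:", cost_ratio(500, 100_100))

    users = [User("alice@example.com", 500), User("bob@example.com", 100_100)]
    folders = [
        SharedFolder("Finance", "alice@example.com"),
        SharedFolder("Infra", "bob@example.com"),
        SharedFolder("Legacy", "carol@example.com"),  # creator deleted
    ]
    print(triage_shared_folders(users, folders))
```

The triage function is the operational takeaway: because the folder inherits its creator's parameters, the list of creators with low counts (plus any folder whose creator has since been deleted) is the rotation order; without a history of who raised their count, as the support response notes, rotating everything in shared folders is the conservative fallback.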