More on LastPass Getting Cracked
-
The LastPass Hack Was Worse Than We Thought - Invidious
In this video I cover the latest information about the LastPass data breach.
-
My Philosophy and Recommendations Around the LastPass Breaches - Daniel Miessler
Why do we give our passwords to third parties when we have built-in password management?
-
What data does LastPass encrypt? | Almost Secure
A few days ago LastPass admitted that unknown attackers copied their “vault data.” It certainly doesn’t help that LastPass failed to clarify which parts of the vaults are encrypted and which are not. LastPass support adds to the confusion by stating that password notes aren’t encrypted, which I’m quite certain is wrong.
In fact, it’s pretty easy to view your own LastPass data. And it shows that barely anything changed since I wrote about their “encrypted vault” myth four years ago. Passwords, account and user names, as well as password notes are encrypted. Everything else: not so much. Page addresses are merely hex-encoded and various metadata fields are just plain text.
[...]
As I’ve already established in the previous article, decrypting LastPass data is possible but expensive. Nobody will do that for all the millions of LastPass accounts.
But the unencrypted metadata allows prioritizing. Someone with access to admin.bigcorp.com? And this account has also been updated recently? Clearly someone who is worth the effort.
And it’s not only that. Merely knowing who has the account where exposes users to phishing attacks, for example. The attackers now know exactly who has an account with a particular bank, so they can send them phishing emails for that exact bank.
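To make the excerpt's point concrete, here is an added Python example (mine, not Almost Secure's or LastPass's code) that walks a constructed vault-like record, with field names and layout as assumptions, and lists what anyone holding the blob can read without the master password: the hex-encoded page address decodes to a hostname and the timestamp is plain text, while the encrypted fields stay opaque. The resulting list is exactly the set of sites a user should expect targeted phishing for.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Field encodings as the excerpt describes them: secrets encrypted, the page
# address hex-encoded, remaining metadata plain. Field names are assumptions.
FIELD_ENCODING = {
    "name": "encrypted", "username": "encrypted", "password": "encrypted",
    "notes": "encrypted", "url": "hex", "last_modified": "plain",
}

# Constructed sample records (not a real LastPass export). Encrypted fields
# are stand-in placeholders; the url fields are hex of https URLs.
SAMPLE_VAULT = [
    {"name": "<ciphertext>", "username": "<ciphertext>", "password": "<ciphertext>",
     "notes": "<ciphertext>",
     "url": "68747470733a2f2f61646d696e2e6578616d706c652e636f6d2f6c6f67696e",
     "last_modified": "1671580800"},
    {"name": "<ciphertext>", "username": "<ciphertext>", "password": "<ciphertext>",
     "url": "68747470733a2f2f62616e6b2e6578616d706c652e6f72672f",
     "last_modified": "1609459200"},
]


def hex_to_text(value: str) -> str:
    """Hex encoding needs no key to reverse, so the URL is effectively plaintext."""
    return bytes.fromhex(value).decode("utf-8")


def readable_without_key(record: dict) -> dict:
    """Return only the fields that are legible without the master password."""
    visible = {}
    for field, value in record.items():
        encoding = FIELD_ENCODING.get(field, "plain")
        if encoding == "encrypted":
            continue  # opaque without the key; nothing to report
        visible[field] = hex_to_text(value) if encoding == "hex" else value
    if "url" in visible:
        visible["host"] = urlsplit(visible["url"]).hostname
    return visible


def exposure_report(vault: list) -> list:
    """Per entry: which site is exposed, when it was touched, what stays hidden."""
    report = []
    for record in vault:
        visible = readable_without_key(record)
        when = datetime.fromtimestamp(int(visible["last_modified"]), timezone.utc)
        report.append({
            "host": visible.get("host"),
            "last_modified": when.date().isoformat(),
            "secrets_hidden": [f for f in record if FIELD_ENCODING.get(f) == "encrypted"],
        })
    return report
```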