Following the colossal cock-up the other month, Lastpass have again been hacked.
This time through a media centre (allegedly Plex) running on a senior devops engineer's home workstation 😀👌
Plex was exploited and a keylogger installed on the workstation. This allowed the hacker to capture the login details for a 'master' Lastpass account, which had the login details for their Amazon S3 bucket. This contained critical data.
For those not versed in the boring world of IT security, allowing random 3rd party software to be installed on any PC with access to a company network would be considered amateur hour, even for a small company. But for a well known security software company of the scale and public awareness of LastPass to fail even this basic level of security, let alone one of their senior devops engineers is honestly mind blowing.
Another point is that their own intrusion detection and log monitoring failed to detect this; instead Amazon's alerts are how they came to be aware of the hack.
It sounds like the sort of thing that Multi Factor Auth would have prevented
I particularly like how their own press release tries to shift blame on to third-parties...
'Neither incident was caused by any LastPass product defect or unauthorized access to – or abuse of – production systems. Rather, the threat actor exploited a vulnerability in third-party software, bypassed existing controls, and eventually accessed non-production development and backup storage environments.'
But this happened in YOUR environment LastPass you should have controls in place.
StuF
It sounds like the sort of thing that Multi Factor Auth would have prevented
Actually they were using MFA, but that was captured by the keylogger as well. I can only guess the attacker used it immediately?
Rather, the threat actor exploited a vulnerability in
... your poor control of software installation on your machines.
I can't quite believe how this was ever allowed to happen. We run a small development agency and all required apps are installed remotely by an admin. Nobody (without access to admin rights) could even install something like Plex onto their laptop. How on earth were LastPass even in a position where an employee was able and/or allowed to install Plex on a work machine?
Not great for Plex either or anyone using it - apparently they have no idea what the vulnerability is so can’t patch it! And LastPass not being helpful 😂
I assume this will only affect users of Plex that have downloaded a media server to their machine, not people using a browser to access a Plex server?
Actually they were using MFA, but that was captured by the keylogger as well. I can only guess the attacker used it immediately?
I believe, like most of the password managers, you can store the MFA key in the LastPass wallet. So once that's been compromised that's game over for MFA!
So what to do as a Lastpass account holder?
Will deleting the account protect anything now?
I can’t quite believe how this was ever allowed to happen. We run a small development agency and all required apps are installed remotely by an admin. Nobody (without access to admin rights) could even install something like Plex onto their laptop. How on earth were LastPass even in a position where an employee was able and/or allowed to install Plex on a work machine?
Indeed. Incredible.
kayak23
So what to do as a Lastpass account holder?
Will deleting the account protect anything now?
Change all your passwords (ideally).
However it depends on a few things how vulnerable you are.
If your account was old, it may have been set up incorrectly (by lastpass). Basically they defaulted to a weak encryption setting (low iterations) and never upgraded people once they realised.
So if your account is more than a few years old, it is potentially more vulnerable.
It also depends how strong your password was.
Thirdly, I've read that the sites you had saved were leaked in plain text. Therefore it is easy for the hacker to know what your passwords were for. If you had banking/crypto/anything with immediate access to money stored, I would think you are likely to be more of a target.
Not great for Plex either or anyone using it – apparently they have no idea what the vulnerability is so can’t patch it! And LastPass not being helpful 😂
Their blame detection and prevention isn't good enough?
Happy enough to accept there might be a plex issue but the hurry to pass the buck coupled with LastPass not being overly helpful does pang very much of "Wtaf has happened? We don't know but incidentally plex has been installed on that machine and shouldn't have. Yep that'll do, all plex's fault"
all required apps are installed remotely by an admin
Maybe the hacked employee was an admin.
Maybe the hacked employee was an admin.
Then their own security measures were dreadful and they clearly weren't listening during the internet safety training / online security sessions that LastPass must have undertaken (and officially logged) in order to get the ISO27001 certification that they got on 27 July 2022.
Happy enough to accept there might be a plex issue but the hurry to pass the buck
well, according to the article, the Plex-blaming isn't the official line from LP but from an anonymous source... could also be an unofficial-official "leak" though of course...
It also mentions Plex themselves were breached soon after, whether it's linked or not no-one knows but a lot of customer data was taken. I had been using Plex since the Xbox Media Centre days but binned them off some time ago, didn't like the direction it was headed in (trying to become some kind of international media conglomerate!)
Maybe the hacked employee was an admin.
Any installations here are rolled out to the user via AD Groups/Group Policy. No-one actually logs into a machine and installs software, Admin or not.
They need YubiKeys (that’s what we are enforcing next).
It’s extremely trivial to steal the certificate and use it with Mimikatz btw.
Ouch! DevOps = 50% Dev + 50% Ops + 0% SecOps. Why is a senior developer using their home computer to access company files?
Why is a senior developer using their home computer to access company files?
Or installing unauthorised software onto a company device.
But for a well known security software company of the scale and public awareness of LastPass to fail even this basic level of security, let alone one of their senior devops engineers is honestly mind blowing.
Yikes. There are some people I would understand doing this but if your senior devops staff don't automatically know that this is wrong then you have an issue. Time to jump ship I think
The hacked DevOps engineer was one of only four LastPass employees with access to the corporate vault. Once in possession of the decrypted vault, the threat actor exported the entries, including the “decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”
1 of only four. Absolutely no excuse for not being aware of the possibilities
Sure, although the article relates that the hack involved the compromise of the employee’s home computer.
(Reply to JohnDoh)
Lol, some major reading fail by some of the posters here...
They need YubiKeys (that’s what we are enforcing next).
It’s extremely trivial to steal the certificate and use it with Mimikatz btw.
The private keys of the key pair are held only on the yubikey for FIDO authentication so would be tricky to get to those with Mimikatz unless Mimikatz just gets the authorization token once authentication has taken place
Sure, although the article relates that the hack involved the compromise of the employee’s home computer.
Ahh right - I missed that bit. Either way it was a pretty major screw-up though.
So where would the liability be if this led to a fraudulent transaction? Would you have been deemed to have shared a personal password with a 3rd party (LastPass) or is it a given that you stored the password safely (like writing it down and locking it in a drawer)?
Ok well as this seems that the breach was to be from last August, hopefully I don't need to change my passwords again.
Might look at changing provider though, any suggestions?
1Password would be my preferred app for a replacement. It's not going to be fun if you've lots of passwords though!
1Password does everything with no added extras required. You may need to check that your preferred cloud storage will allow the vault to be stored online.
I tend to go with the theory that they are probably safer than most now as they will be super vigilant. But despite reading this thread and the various statements from LastPass I still can’t tell if my passwords are actually at risk from any of this or not. I’ve changed the master one to something so random I had to write it down somewhere😀 changed the number of iterations to 600000 and changed the passwords for anything with financial information. Hopefully that is enough.
Oh joy, that's a good chunk of tomorrow taken care of 🙁
FWIW my job is supplier assurance with a Bank, we use LastPass but as the assurance is 'owned' at Group level it's not me that's missed anything 🙂
For the record, I don't use password vaults myself, neither professional nor privately.
As per @grahamt1980 looks like I don't need to change all my passwords again. At least.
Already done that for anything important after the first announcement and also switched on MFA for any service that offered it.
When I heard about the first breach I took a look at 1Password - looked a pain to use, particularly on mobile.
Was giving LastPass the benefit of the doubt but think I will probably be moving elsewhere. You might think they would be more vigilant but unfortunately problems like this are often culture related (rushing/cutting corners) and/or they've dug themselves a hole of technical debt and are struggling to keep up with it.
Failing to adequately secure your backups, when those backups contain all the Crown Jewels, and also your whole business is as an infosec company, is very very shoddy
I can’t quite believe how this was ever allowed to happen. We run a small development agency and all required apps are installed remotely by an admin.
I think that's pretty uncommon outside of Windows shops.
“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
Hmm... that doesn't make much sense though.
They know what the vault's password is, after the employee has auth'd with MFA - but so what? MFA should still prevent the attacker from accessing the vault, that's... the point of MFA. Just because the employee has auth'd with MFA doesn't mean someone else gets to login without MFA.
This doesn't feel like the whole story.
1Password would be my preferred app for a replacement. It’s not going to be fun if you’ve lots of passwords though!
you can export a password file from LastPass and import it directly into 1Password - that’s what we did. It only takes a couple of minutes.
Dashlane any good as a password manager?
Keeping the same passwords as the possible compromised ones?
Keeping the same passwords as the possible compromised ones?
That's up to the user, but it is very easy to then go through and change individual passwords with a couple of clicks in 1Password.
I'm fighting that I changed mine last month after the previous thread, and the issue in this one was last year so I shouldn't need to change them again.
Have done all the other recommended actions so will export at some point. Just need to decide which one to move to
That reminds me, I'm going to stop that annoying hacker who keeps editing my STW posts.
EDIT: No you won't
you can export a password file from LastPass and import it directly into 1Password – that’s what we did. It only takes a couple of minutes.
Just to make it entirely clear to everyone, moving password manager does not protect you from the breach if you are/were using LastPass. YOU STILL NEED TO GO AND CHANGE ALL YOUR PASSWORDS!!!
I don't agree with the official LastPass stance that you don't need to. Although they say your passwords will still be encrypted in what the hacker got access to, you are assuming the encryption won't be cracked /taking last pass at their word that it was in fact encrypted.
Just to make it entirely clear to everyone, moving password manager does not protect you from the breach if you are/were using LastPass. YOU STILL NEED TO GO AND CHANGE ALL YOUR PASSWORDS!!!
Yeah I did say in a later post that once the passwords are in 1Password, it is easy to update them to new secure passwords.
Aidy
“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
Hmm… that doesn’t make much sense though.
They know what the vault’s password is, after the employee has auth’d with MFA – but so what? MFA should still prevent the attacker from accessing the vault, that’s… the point of MFA. Just because the employee has auth’d with MFA doesn’t mean someone else gets to login without MFA.
This doesn’t feel like the whole story.
See xora's post, apparently you can use Lastpass to backup your MFA seed keys, therefore those were compromised also. From the LastPass PDF:
Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.
natrix
That reminds me, I’m going to stop that annoying hacker who keeps editing my STW posts.
EDIT: No you won’t
🙂
The password vaults are individually encrypted, so it's not just a matter of cracking encryption for all users, they would have to crack each user's encryption separately. That is a massive undertaking.
However I am hugely disappointed by LastPass's communication around this issue, I don't think they have been honest with their user base, and left us trying to work out exactly what this hack has meant for our security, for that alone I am looking for an alternative.
How do others find alternatives handle passwords on iPhones in plugging in with the system API?
Yeah to crack all the passwords for all users is massive. However even if they crack only a small subset, if it happens to be you who is cracked then it will end badly for you. I'm not happy with that risk, personally.
Agree about the Comms. Lots of inconsequential bollocks in the announcements (e.g. shifting blame onto Plex, suggesting it was "only the backups not the live system" so that makes it ok????)
So I've got to manually reset passwords for the 200 odd I've got saved there? Feel like sending them an invoice for my time 😉
MSP
The password vaults are individually encrypted, so it’s not just a matter of cracking encryption for all users, they would have to crack each user’s encryption separately. That is a massive undertaking.
However I am hugely disappointed by LastPass’s communication around this issue, I don’t think they have been honest with their user base, and left us trying to work out exactly what this hack has meant for our security, for that alone I am looking for an alternative.
How do others find alternatives handle passwords on iPhones in plugging in with the system API?
It would ordinarily be almost impossible. But LastPass have leaked the sites saved in plain text, therefore the attackers know the juiciest accounts to target (those with crypto, banking etc).
Secondly they failed to set up a lot of accounts correctly, the iterations were so low that the encryption can be cracked (relatively) easily! Iterations ought to be 100,000 (ideally higher), but they have at various points been 1, 500, 1000 and accounts created with those stupid settings were not automatically updated!
I'm thinking about using google chrome to manage my passwords now, is there a disadvantage in doing this?
Secondly they failed to set up a lot of accounts correctly, the iterations were so low that the encryption can be cracked (relatively) easily! Iterations ought to be 100,000 (ideally higher), but they have at various points been 1, 500, 1000 and accounts created with those stupid settings were not automatically updated!
almost as if handing over all your passwords to some random internet company with no proven record on cyber-security was never really a good idea in the first place 🤔 A quick flick thru their Wiki page lists a fair few incidents over the years... plus their Android app harvests your data, apparently https://www.reviewgeek.com/72272/the-lastpass-android-app-contains-7-trackers-from-third-party-companies-😬/
(EDIT: minor point-of-interest, that's the first URL I've noticed with an emoji in it 😃)
I write mine on a piece of paper which lives in a safe....
For anything with money involved, anything else I really don't care about...
The password vaults are individually encrypted, so it’s not just a matter of cracking encryption for all users, they would have to crack each user’s encryption separately. That is a massive undertaking.
Assuming you had a decent master password at the time of the breach there are two issues:
1) They weren't using enough PBKDF2 hashing iterations. I think mine was at 300k which is what it defaulted to post 2018(?). They're now saying you are at risk if it's less than 600k.
2) They don't (for data collection sales reasons I imagine!) encrypt URLs which is beyond stupid.
As a result of 2) the attacker essentially has a plain text list of all the URLs a given user has a password for - they also have the windows install location (on my computer that would be my name - you could guess my email from that very easily). For an undisclosed subset they also had the email addresses stored in plain text! 99% of websites use your email as your username, so the attacker has a list of URLs and usernames for a good subset of the userbase. The opportunities for phishing are enormous - e.g. find all the users with a Natwest account and then send personalised phishing emails to them. Also vastly limits the attack space for a brute force attack on anything.
1) presumably means the vaults are vulnerable to hashing attacks (rainbow tables). Since hardly anyone has the 600k setting, what everyone really needs to do is a) leave last pass b) choose a new provider c) change every single password (starting with financials) that was in the vault when the attack occurred.
I'm currently eying up bitwarden - they encrypt the URLs!
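The two posts above (the "iterations ought to be 100,000" one and this one) both hinge on how PBKDF2 iteration counts change the cost of guessing a master password against a stolen, encrypted vault. The block below is an added example, not LastPass's or any password manager's code: it derives a vault key with PBKDF2-HMAC-SHA256, shows the guess rate an attacker with a fixed hashing budget gets at each of the iteration counts named in the thread, and shows that raising the count changes the derived key (so an account is only protected once its vault is actually re-encrypted). The e-mail-address salt, 32-byte key length and the 1e9 HMAC/s budget are assumptions constructed for the example.

```python
import hashlib

# Iteration counts the thread says LastPass accounts have had over the
# years, plus the 600k figure it gives as the current "safe" threshold.
ITERATION_HISTORY = (1, 500, 1000, 100_000, 300_000, 600_000)


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    Assumption for this example: the salt is the account identifier (an
    e-mail address) and the output is 32 bytes. That is the general shape
    of a password-manager derivation, not LastPass's published scheme.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        salt.encode("utf-8"),
        iterations,
        dklen=32,
    )


def guesses_per_second(iterations: int, hmac_per_second: float) -> float:
    """Offline master-password guesses per second against a stolen vault.

    Each PBKDF2 guess costs `iterations` HMAC-SHA256 calls, so the guess
    rate is the attacker's HMAC budget divided by the iteration count:
    going from 1 to 600,000 iterations makes each guess 600,000x dearer.
    """
    return hmac_per_second / iterations


def work_factor_table(hmac_per_second: float, counts=ITERATION_HISTORY) -> dict:
    """Guess rate at each iteration count for the same attacker budget."""
    return {n: guesses_per_second(n, hmac_per_second) for n in counts}


def key_changes_on_upgrade(master_password: str, salt: str, old: int, new: int) -> bool:
    """The derived key depends on the iteration count, so raising the count
    requires re-encrypting the vault under the new key. An account whose
    count was never raised keeps the cheap-to-attack derivation."""
    return derive_vault_key(master_password, salt, old) != derive_vault_key(master_password, salt, new)


if __name__ == "__main__":
    BUDGET = 1e9  # constructed attacker budget for illustration: 1e9 HMAC-SHA256/s
    for n, rate in work_factor_table(BUDGET).items():
        print(f"{n:>8} iterations -> {rate:>16,.0f} guesses/s")
    # Constructed credentials; nothing here is a real account.
    print("key changes on upgrade:",
          key_changes_on_upgrade("correct horse battery", "user@example.com", 1000, 600_000))
```

The table makes the thread's point concrete: at 1 iteration the attacker gets the full hashing budget per guess, at 600,000 iterations six hundred thousandth of it. The last line is why "LastPass raised the default" did not help accounts created earlier: until the client re-derives the key and re-encrypts the vault, the old, cheap derivation is what protects the stolen copy.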
Just installed bitwarden here. Just need to check everything is sorted and will delete lastpass. Annoying as I still have 9 months paid for but still
alloyisreal
I’m thinking about using google chrome to manage my passwords now, is there a disadvantage in doing this?
You'd be tied into Google forever, it doesn't support secure notes, Google aren't transparent.
I switched to Bitwarden instead.
I moved to chrome after Lastpass started charging. Works well for me.
My main concern with bitwarden is that they seem to be too cheap and won't make money / have to make compromises. Still given that lastpass weren't that cheap, and made a huge cock up, I'm not sure if I should worry about it!
Any further ideas on who to move to? I need something that plays nicely with iOS mobile, Windows and desktop macs
See xora’s post, apparently you can use Lastpass to backup your MFA seed keys, therefore those were compromised also.
That still doesn't answer the question.
The question is: How do you compromise a vault, even knowing the master password, which has MFA enabled?
Any further ideas on who to move to? I need something that plays nicely with iOS mobile, Windows and desktop macs
why would you not just use iCloud Keychain 🤔
Ran away from Lastpass over the xmas period following previous breach -- moved to 1Password and rolled shed loads of passwords.
painful
For the record, I don’t use password vaults myself, neither professional nor privately.
What are you doing instead? All the alternatives I'm aware of are bad options.
The question is: How do you compromise a vault, even knowing the master password, which has MFA enabled
I suppose it depends on how the MFA is applied. I.e. whether it is just applied as an authentication mechanism that then allows you to decrypt using the master password, or whether the MFA is linked to the encryption somehow.
I suspect the former but really I've no idea.
I assume the master password is used as the decryption key only, and that the MFA auth is used to verify access to the encrypted data.
If you've nicked the whole vault (which is what appears to have happened) then it doesn't matter what's in the application that provides access to the vault.
The question is: How do you compromise a vault, even knowing the master password, which has MFA enabled?
Possibly if you were actively monitoring the device you could catch them entering the MFA (assuming it's a code) and then get in inside the window. Guess it would depend if it actively monitors logins and doesn't go "hmmm multiple ips".
Or if it was a global MFA and was a bit trigger happy then they might have just got used to clicking yes.
At work our auth got messed up for a while so it kept asking to reauthenticate. One way we got pressure put on them to fix it was pointing out mfa is only useful if it only gets triggered when someone is specifically trying to get access (or say after a day continuous activity) to something. If it fires for fun then people will just hit yes.
If you’ve nicked the whole vault (which is what appears to have happened) then it doesn’t matter what’s in the application that provides access to the vault.
Yes, if they've managed to pull a local cache of the vault, then the master password is enough. That's not what the article says though, and that's why it seems fishy.
Possibly if you were actively monitoring the device you could catch them entering the MFA (assuming its a code) and then get in inside the window.
If it lets you do that from another IP/device, then that's very poorly implemented MFA.
Or if it was a global MFA and was a bit trigger happy then they might have just got used to clicking yes.
That's not what the article says.
That’s not what the article says.
Looking at LastPass's own document it's a tad unclear exactly what happened. The use of "employee's master password" is odd. Is that after unlocking a personal vault for example to get their master password?
I guess it could have been like our server access where you use password/mfa to authenticate which then allows you to launch a temporary rdp file. Since it does have the alternative of being able to grab the password and then log on directly using rdp. Again time limited though.
I am amazed those key files weren't only available on the internal network (with maybe a copy on a secure drive or two just in case) unless he was able to VPN in using his home machine.
Is that after unlocking a personal vault for example to get their master password?
As I understand it the employee in question was targeted and had a keylogger installed on their machine via a previously unknown vulnerability in 3rd party software on their home machine. It was a sophisticated deliberate attack
Aidy
That still doesn’t answer the question.
The question is: How do you compromise a vault, even knowing the master password, which has MFA enabled?
Once you have the MFA seed you can set up your own authenticator app to do the MFA.
It was a sophisticated deliberate attack
Yes but it's the finer details which are interesting.
It is ultimately the problem for someone like LastPass. Unlike most companies, where you hack them and then you get to rip off just them, with LastPass (or SolarWinds as a previous example) if you compromise them you stand a good chance of compromising a whole load more businesses (plus in LastPass's case individuals).
Since the return on investment is so high it's worth top end attacks. Wouldn't be completely surprised if it was a state looking for ways into other more interesting targets.
Once you have the MFA seed you can set up your own authenticator app to do the MFA.
Yes, I understand that.
That's not what the lastpass statement is saying, though.
It states that: "The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault."
This implies that they had the master password, and used the master password to gain access to the vault.
There's no suggestion that the MFA seed was compromised.
Aidy
There’s no suggestion that the MFA seed was compromised.
Summary of data accessed in Incident 2:
DevOps Secrets – restricted secrets that were used to gain access to our cloud-based backup storage.
Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using our Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password. As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass – therefore, they were not included in the exfiltrated data.
Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.
In addition, LastPass have requested all users reset their MFA secrets
Task 4.2: Already using MFA? Regenerate your MFA shared secret
If you already have enabled one of these MFA services, please regenerate your shared secrets in your LastPass account settings: LastPass Authenticator, Google Authenticator, Microsoft Authenticator, or Grid. Find instructions here:
Is that just if the MFA was backed up? I'm sure that it didn't say that when I read their security bulletin. I guess they may have changed it.
Yes, but that's the data breached in Incident 2. They obviously can't use that to *cause* Incident 2.
As someone who keeps wondering if he should upgrade from his list of 4 or 5 passwords, all subtly similar and kept on a spreadsheet which is stored on the cloud (I know)...
...is there a safer way, or will they all have these failings which make it more likely that I'll be hacked?
And simple to use?
Maybe a stupid question, but if the logins (username + password) leaked from LastPass use 2FA e.g. My banking apps, is the risk reduced?
What are MFA secrets?
I have various accounts that use various types of MFA. Lastpass itself uses an app on my phone. Microsoft another app and lots of others send a text with a code. But I don't remember any of them talking about secrets. Maybe they did it when I wasn't listening 🙂
Aidy
Yes, but that’s the data breached in Incident 2. They obviously can’t use that to *cause* Incident 2.
I don't get your point then? You know they had a keylogger which could be used to capture both the master password and MFA which could both be reused as long as it was within the same 30s window.
Once the vault was decrypted, they had the MFA seeds and could subsequently generate MFAs at any time
If it's any consolation I didn't actually change anything after the first breach (although I have now) and nothing bad happened. In fact I've yet to hear an example of anybody actually suffering as a result of these incidents. Other than lastpass themselves of course. I'm sure they must be losing customers at an alarming rate.
roverpig
What are MFA secrets?
I have various accounts that use various types of MFA. Lastpass itself uses an app on my phone. Microsoft another app and lots of others send a text with a code. But I don’t remember any of them talking about secrets. Maybe they did it when I wasn’t listening 🙂
It's a secret code known by your authenticator app and the server.
Normally as part of registering for MFA login, you are given the secret in the form of a QR code to scan.
And then the both the server and the app do the same maths on it.
e.g.
Secret is 1234
Multiply it by current time = 13:44
1344 * 1234 = 1658496
Take the last 4 digits of that, and there's your code 8496
There's a bit of maths in there but that's basically how it works.
You can see some real code for it here (getCode function):
https://github.com/PHPGangsta/GoogleAuthenticator/blob/505c2af8337b559b33557f37cda38e5f843f3768/PHPGangsta/GoogleAuthenticator.php#L63
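The toy "multiply the secret by the time" explanation above captures the idea; the real algorithm the linked getCode function implements is HOTP/TOTP (RFC 4226 and RFC 6238): an HMAC-SHA1 over a counter derived from the current 30-second window, truncated to six digits. The block below is an added example written for this thread, not code from the forum post or from the PHPGangsta project. It generates and verifies codes and shows why the thread's advice to regenerate MFA seeds follows directly from the design: any copy of the seed, on a phone or in a stolen backup, produces exactly the same codes. The 20-byte seed used in the demo is the RFC 6238 test-vector seed, constructed for illustration and not a real secret.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the "30s window" the thread refers to
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' selects 4 bytes and reduces them modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP is HOTP with the counter set to floor(time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the seed Base32-encoded (usually inside a QR
    code). Accept the unpadded, space-separated form those payloads use."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_code(secret: bytes, candidate: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check allowing +/- drift_steps of clock skew. Uses a
    constant-time comparison so response timing does not leak partial matches."""
    for k in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(secret, unix_time + k * STEP_SECONDS), candidate):
            return True
    return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed demo seed (RFC 6238 test vector)
    now = int(time.time())
    # A second copy of the seed, e.g. restored from a backup, yields identical codes.
    copy = secret_from_base32(base64.b32encode(seed).decode())
    code = totp(seed, now)
    print("current code:", code, "| copy agrees:", totp(copy, now) == code)
    print("server accepts:", verify_code(seed, code, now))
```

The defensive consequence is the one the LastPass bulletin quoted earlier acts on: a code is only as secret as the seed, so once the seed database (and its decryption key) is in an attacker's hands, rotating the seeds is the only way to restore the second factor. The drift window in verify_code is also why a code captured by a keylogger is usable for a short time on another device unless the server additionally rejects reuse of an already-accepted code.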