Your LastPass Secrets Aren’t Secret – How to Protect Yourself

Ian Reay

January 5, 2023

LastPass users are now learning that the security incident they were previously notified of was actually a colossal data breach that exposed encrypted password vaults, the keys to the castle of any password manager, along with other private data. Hackers have had their hands on LastPass users' vaults for weeks, maybe even months, since LastPass has yet to confirm the original breach date, leaving us all wondering how many of LastPass's 25.6 million users are going to be among the next round of highly targeted attacks.

The newly expanded scope of the LastPass breach has stirred the cybersecurity industry, turned LastPass users into high-risk targets, and shaken the confidence of zero-knowledge password manager users. This very serious leak calls into question the amount of trust companies place in closed source password management solutions, and raises the question of what you should do if your LastPass vault has been stolen.

If you are a LastPass user, you need to immediately take action to protect yourself and your organization from potential damage. Here are our top 7 recommendations:

  1. If you're using an 8- to 10-character master password, you need to change it right now. Keep in mind that a new master password does nothing for the copy of your vault that was already stolen, so the credentials stored inside it need to be rotated as well.
  2. If you haven’t added MFA, you need to add it to as many accounts as possible.
  3. If you thought your LastPass vault was fully encrypted, it's not, so keep reading.
  4. If you use LastPass, you're likely going to get phishing attacks directed at you so be prepared. 
  5. If you have access to sensitive enterprise information or systems you should change all of your passwords since malicious actors may attempt to brute force your master password. 
  6. If your company doesn’t use LastPass you should actively block it as a company service so personal usage doesn’t pose a risk to your business.
  7. If you haven't already, switch to an open source password manager that doesn't store hints to your secrets, such as URLs, dark web monitoring details, and security scoring information, in plain text.

 

Personal or Business Use, LastPass’s Leaked Vaults Could Pose Risk to Your Business

On December 22, 2022, LastPass disclosed additional information about the scope of the breach, which appears to have begun in August 2022. In summary, a backup of customer vault data was stolen that contained a number of fields in plain text, including the URLs of the websites users have stored credentials for.

What would hackers who gained access to these backups do with the stolen customer data? The first step would likely be to scan the data for high-value URLs pointing at enterprise software providers like CrowdStrike, Carbon Black, AWS, Azure, Okta, Snowflake, and many others. Then they would look for the owners of these vaults and for any indication of poor password hygiene, especially bad security scores, reused passwords, weak passwords, and so on. Then they would launch phishing attacks against those users to see who they could hack quickly and easily. And for users who look really tantalizing, a hacker would turn to cloud-based password cracking to try to break their master passwords. They might not get all of them, but humans are predictable, and some accounts are likely to fall.

What makes this even more insidious is that employees often use their personal LastPass accounts to store enterprise passwords. So you might think you're not at risk because your company doesn't use LastPass. But unless you have actively blocked the LastPass service, you should plan for some of your employees to have been caught up in this breach.

 

The Problem with Plain Text Data In Your Vault

A key issue in this breach is that LastPass stores the URLs of vaulted entries in plain text, breaking a fundamental tenet of zero-knowledge encryption. Only you and those you share information with should be able to see details about the passwords you have stored, and the URL is a critical piece of that information. Plain text makes it easy to identify which services are being used. It also singles out the high-value users who would be more lucrative to target in phishing or brute-force attacks.

LastPass described the stolen vault data as follows:

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Nowhere does LastPass describe what else is stored in plain text, which led us to wonder whether it was just the URL or whether there was more plain text data. Unfortunately, the problem doesn't end with URLs.

While LastPass doesn't officially publish its schema, people have reverse-engineered it in order to build additional tooling such as a command line interface (CLI). Looking at that reverse-engineered schema, we see that plain text is used heavily in a variety of ways. Of LastPass's 43 fields, only 7 are actually encrypted. All other fields in the LastPass vault are stored in plain text (or Base64 obscured, depending on the data in play). Base64 is an encoding, not encryption: anyone holding the backup can decode it.

LastPass has documented its rationale for storing URLs in plain text, stating that "data is aggregated across all users to give us a better understanding of how LastPass is being used." Do you agree that LastPass should be able to profile you by inspecting what is in your vault? Fundamentally, this kind of knowledge flies in the face of a zero-knowledge solution.

It is best practice for all vault data to be encrypted so that it is hard to abuse. The problem with plain text is that it makes it easy to identify which services are being used, the user's credential hygiene, and the value of any given account.

Plain text can reveal information that makes it easier for hackers to succeed. For instance, if a user mixed personal and professional credentials in a single account, it could let a hacker profile the online services the user's employer uses. URLs can contain sensitive information such as customer names, user names, and email addresses, or can reveal details about legacy or unpatched environments for popular software. They can also point to embarrassing or confidential websites, such as data room URLs that reveal potential corporate mergers, divestitures, or other sensitive activity, leading to blackmail or extortion scenarios. Others could indicate that an employee violated their terms of employment by using a personal LastPass account, which could imperil both their company's security and their employment status.
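The attacker workflow described above, scanning plain text URLs for high-value services and then mining the URL itself for identifiers and sensitive hints, can be shown concretely. The following Python script is an added example written for this article; it is not code from LastPass or from any reverse-engineered LastPass tool. The vault records, the high-value domain weights, and the keyword list are constructed assumptions, and the username and password fields are opaque Base64 placeholders standing in for ciphertext that the script never touches. Everything in the ranking comes from the plain text URL field alone, which is the point: the encrypted fields are irrelevant to triage.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse


def _opaque(label):
    """Stand-in for an encrypted field: opaque bytes the attacker cannot read."""
    return base64.b64encode(f"ciphertext:{label}".encode()).decode()


# Constructed sample records (not real LastPass data) modelled on a partially
# encrypted vault: the URL is plain text, the credential fields are opaque.
SAMPLE_VAULT = [
    {"id": "1", "url": "https://falcon.crowdstrike.com/login",
     "username": _opaque("u1"), "password": _opaque("p1")},
    {"id": "2", "url": "https://console.aws.amazon.com/console/home?region=us-east-1",
     "username": _opaque("u2"), "password": _opaque("p2")},
    {"id": "3", "url": "https://acme.okta.com/login?login_hint=jdoe%40acme.example",
     "username": _opaque("u3"), "password": _opaque("p3")},
    {"id": "4", "url": "https://www.netflix.com/login",
     "username": _opaque("u4"), "password": _opaque("p4")},
    {"id": "5", "url": "https://dataroom.example/deals/project-falcon/",
     "username": _opaque("u5"), "password": _opaque("p5")},
    {"id": "6", "url": "https://jira-legacy.acme.example/secure/Dashboard.jspa?user=jdoe",
     "username": _opaque("u6"), "password": _opaque("p6")},
]

# Hypothetical weights for domains an attacker would treat as high value.
HIGH_VALUE_DOMAINS = {
    "crowdstrike.com": 10, "carbonblack.com": 10, "okta.com": 10,
    "amazon.com": 9, "azure.com": 9, "snowflakecomputing.com": 8,
}
# Hypothetical host/path keywords hinting at sensitive or legacy systems.
SENSITIVE_KEYWORDS = {"dataroom": 6, "deal": 3, "legacy": 4, "admin": 3}
# Query parameters that commonly carry a user identifier in the clear.
IDENTITY_PARAMS = {"login_hint", "user", "username", "email", "login"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def domain_score(host):
    """Weight a hostname by the registrable domain it belongs to."""
    host = host.lower()
    for domain, weight in HIGH_VALUE_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return weight
    return 0


def leaked_identifiers(url):
    """User identifiers recoverable from the URL alone, with no decryption."""
    parsed = urlparse(url)
    found = set()
    for key, values in parse_qs(parsed.query).items():
        if key.lower() in IDENTITY_PARAMS:
            found.update(unquote(v) for v in values)
    found.update(EMAIL_RE.findall(unquote(parsed.path + "?" + parsed.query)))
    return sorted(found)


def triage(records):
    """Rank vault entries by attacker interest using only the plain text URL."""
    results = []
    for rec in records:
        parsed = urlparse(rec["url"])
        host = parsed.hostname or ""
        haystack = (host + parsed.path).lower()
        keywords = [k for k in SENSITIVE_KEYWORDS if k in haystack]
        ids = leaked_identifiers(rec["url"])
        score = (domain_score(host)
                 + sum(SENSITIVE_KEYWORDS[k] for k in keywords)
                 + 2 * len(ids))
        # rec["username"] and rec["password"] are never read: the ranking
        # needs nothing that the vault's encryption protects.
        results.append({"id": rec["id"], "host": host, "score": score,
                        "keywords": keywords, "identifiers": ids})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in triage(SAMPLE_VAULT):
        print(f'{row["score"]:>3}  {row["host"]:<28} '
              f'ids={row["identifiers"]} hints={row["keywords"]}')
```

Run against the constructed vault, the Okta entry ranks first because the plain text URL both identifies an identity provider and carries the user's email address in a query parameter; the Netflix entry ranks last. Real vault exports would need a parser for the export format in place of the inline list, but the triage logic would be unchanged.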

 

Leaked Risk Scores Can Make You a Target

In addition to the plain text vault data, we asked LastPass whether security score information was also leaked. LastPass declined to provide this information to us at Bravura Security when we requested it. Security score information is the data generated when you log in and reported to the server independently of your vault data in order to render your security dashboard. It is also a map that tells hackers where to look.

However, when we inspect the traffic LastPass transmits over the network, we can see security scores being transmitted without master-key encryption. Given the scope of the data leak, we believe this information also had a decent chance of being leaked. It adds further, highly valuable information for profiling which vaults a malicious attacker might want to compromise, whether through phishing or brute-force attacks. If you are concerned, submit a support request to LastPass.

 

Stolen Vaults Combined with Personal Phishing Attacks Increase Risk

Normally people worry about phishing attacks impersonating LastPass itself, and those are not to be discounted. However, phishing for personal passwords, combined with the vaults stolen in this breach, allows malicious actors to narrow their targets even further.

For example, if a hacker successfully phished a personal Netflix, MailChimp, or personal Office 365 account, it could benefit them in two ways. First, the hacker would gain access to the data in that service. Second, they would now have new passwords to try against other services where the user may have re-used them. The data in this breach, paired with typical password re-use across personal and professional accounts, is almost a roadmap for a hacker to gain access to your business.

 

Make Your Master Password Impenetrable 

If you use a perfectly random 10-character master password, you are likely OK. But most people are human and do not use perfectly random passwords. They use words, anagrams, and various tricks to remember passwords, such as re-using a password with a slight change. It is these habits that weaken passwords in real-world use.

Data-Driven Defense Evangelist Roger Grimes highlights the real-world cost of brute-forcing password vaults in light of this LastPass compromise. Grimes notes that current technology allows a realistic password-cracking rig to try a billion candidate passwords a second. While these setups are not cheap, established hackers can target high-value accounts with them and cost-effectively extract value. To put this in perspective, it is safe to assume that an attacker can compromise the master password of a typical user's vault for between $1,000 and $10,000 using today's hardware and the fact that most people are very poor at choosing and remembering good passwords. For example, passwords like these can be compromised in this price range:

  • 8riu72lqp
  • 1riU7wlpR
  • Excess-Passenger-Unfitted1
  • Compromised-password-vault

Do these passwords look stronger than your master password? If so, change all of your passwords immediately, especially if you have access to sensitive business information or systems.
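To see why passwords like the four above are cheap to crack, the following Python estimate compares the keyspace a naive character-set model assigns to a password with the keyspace an attacker who guesses dictionary-word combinations actually has to search. This is an added example written for this article; it is not Grimes's calculation and not LastPass code. The guess rate of a billion per second is the figure quoted above; the 20,000-word dictionary, the four separator characters, and the two capitalisation variants per word are assumptions chosen to illustrate the method. One caveat a practitioner should keep in mind: the rate an attacker achieves against a real vault is divided by the cost of the vault's key derivation function at its configured iteration count, so treat the raw rate as an upper bound on attacker speed, not a measurement.

```python
import re

# Assumptions for the estimate (not figures from LastPass or from Grimes):
GUESSES_PER_SECOND = 1e9   # the rig speed quoted in the article
DICTIONARY_WORDS = 20_000  # size of the attacker's common-word list
CASE_VARIANTS = 2          # lowercase and Capitalised tried for each word
SEPARATORS = "-_ ."        # joiners an attacker would try between words
SECONDS_PER_DAY = 86_400

# Words joined by a separator, optionally followed by a run of digits,
# e.g. "Excess-Passenger-Unfitted1".
_WORD_PASSWORD = re.compile(
    rf"([A-Za-z]+(?:[{re.escape(SEPARATORS)}][A-Za-z]+)*)(\d*)")


def charset_size(pw):
    """Alphabet size a naive brute-force model infers from the characters present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def naive_keyspace(pw):
    """Keyspace if every character had been chosen uniformly from its alphabet."""
    return charset_size(pw) ** len(pw)


def pattern_keyspace(pw):
    """Keyspace under a word-combinator attack, or None if pw is not word-shaped.

    Each word position is a dictionary word in one of CASE_VARIANTS forms, each
    joint is one of the SEPARATORS, and the trailing digits are brute-forced.
    """
    m = _WORD_PASSWORD.fullmatch(pw)
    if not m:
        return None
    words = re.split(f"[{re.escape(SEPARATORS)}]", m.group(1))
    digits = len(m.group(2))
    n = len(words)
    return ((DICTIONARY_WORDS * CASE_VARIANTS) ** n
            * len(SEPARATORS) ** (n - 1)
            * 10 ** digits)


def effective_keyspace(pw):
    """The cheaper of the two models: an attacker runs whichever attack is smaller."""
    candidates = [naive_keyspace(pw)]
    p = pattern_keyspace(pw)
    if p is not None:
        candidates.append(p)
    return min(candidates)


def expected_days(pw, rate=GUESSES_PER_SECOND):
    """Average time to hit the password: half the effective keyspace at `rate`."""
    return effective_keyspace(pw) / 2 / rate / SECONDS_PER_DAY


if __name__ == "__main__":
    # The four passwords from the article plus a random-looking 10-character one.
    for pw in ["8riu72lqp", "1riU7wlpR", "Excess-Passenger-Unfitted1",
               "Compromised-password-vault", "x7Qp2Lm9Zk"]:
        print(f"{pw:<28} naive={naive_keyspace(pw):.2e} "
              f"effective={effective_keyspace(pw):.2e} "
              f"expected={expected_days(pw):,.1f} days")
```

The two hyphenated passwords look enormous under the naive model (26 characters drawn from 85 or 95 symbols) but collapse to a few days or weeks once the attacker treats them as three dictionary words, which is how wordlist-combinator attacks actually work. The random-looking 10-character password, by contrast, stays in the range of years at the quoted rate, matching the article's point that genuinely random master passwords are the ones that hold up.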

Take Immediate Action to Protect Yourself 

If you use LastPass, this breach is greatly concerning. Zero-knowledge password managers should ensure your privacy is protected. But the plain text information and password quality data in LastPass's leak create significant risks for you personally and for your work. They allow malicious attackers to identify weak points and then lay out a roadmap to exploit those weaknesses, whether through a phishing attack, a brute-force attack, or, in extreme cases, a ransomware attack.

Instead of using a closed source password manager that heavily relies on plain text, evaluate an open source solution. Bravura Safe zero knowledge password manager is based on open source and publicly hosted on GitHub for review and vetting. It respects zero knowledge fundamentals and ensures all your information is encrypted at all times. 

Protect your secrets and passwords to prevent cyberattacks with a turnkey enterprise password safe built with more than two decades of experience in privileged access management and security controls of the world's largest enterprises. Combined with true passwordless MFA, Bravura OneAuth, and additional features including self-service password reset and password auto-rotation provide even more protection against hacks, leaks, and phishing attacks. 

Zero knowledge password management needs to be designed based on zero knowledge principles removing all evidence of your use of an application and storing them as obscurely as possible. We invite you to try Bravura Safe yourself as a more robust and secure alternative to LastPass. It is built on Open Source foundations and hosted by a company with a 25-year track record in enterprise password management solutions. Bravura Security is an analyst-recognized industry leader, delivering best-in-class identity, privileged access, password and passwordless products. Our software has helped Fortune 500 companies around the world protect their companies over the last two decades against increasing cybersecurity threats.  

Go Passwordless with Bravura Safe & OneAuth