Hoskinson broadcasting live from warm, sunny Colorado. Today is Christmas Eve, and before I head off to enjoy the Christmas festivities, I wanted to make a video. I've recommended a product in the past that has recently been hacked, and I wanted to discuss the consequences of that hack, what you can do if you're a user, and what exactly happened.
As many of you know, I've been using LastPass for years, way back when I was still listening to Steve Gibson and This Week in Security on the TWiT network. LastPass was a convenient and easy-to-use password manager with a nice browser extension and a solid mobile app. I used it in various security workflows because it supported most of the things I cared about. Recently, the company released a blog post stating that there had been a hack, and I wanted to talk a little about what happened.
Let me go ahead and share my screen. If you go to their website, it's in their blog somewhere how it works. Ars Technica carried a good article on it. In short, LastPass works by using a master password and something called PBKDF2, which stands for Password-Based Key Derivation Function. It's a standard that RSA developed. The system splits into two buckets: one becomes an encryption key, and the other is used as an identifier for a vault. LastPass has vaults that contain usernames, passwords, and any notes you want to include. That vault is encrypted with a standard called AES-256.
What happened was that, despite having 33 million users, the company allowed their systems to be compromised. An attacker gained access to all of the encrypted vaults on LastPass. Now, the only thing an attacker has to do is guess the master password. If they can do that, they can decrypt any of those 33 million vaults.
There is some good security hygiene in certain parts of this design. For example, using PBKDF2 makes it really hard to brute-force attack larger passwords. Every time you try to enter a random derivation, you’re not just checking a hash against a list; you have to go through an expensive function that takes time, which increases with the size of the password. So, larger passwords should take quite a bit of time to brute-force, assuming they implemented what they claim on their website. However, I don’t have much trust left in this company. They previously claimed that vaults were totally encrypted and that nothing was leaked, only for us to find out that there’s metadata connected to the vault that is not encrypted with the encryption key. This means the attacker likely knows the identities of each vault and can differentiate one vault from another.
What this effectively means is that they can create a priority queue for high-value targets to go after their vaults and see if they can crack them. Assuming they properly implemented PBKDF2 and cryptography, and that they’re using proper AES, things might still be secure. However, it’s hard to know for sure since the code is not open source. At this point, they should probably make it open source to regain some trust.
This is a disastrous attack because it cannot be resolved by simply changing your master password. You have to assume that every piece of information stored in your encrypted vault will eventually become public. This means every password in the vault should be rotated. Additionally, if there’s any banking information, PGP keys, or crypto keywords stored in the private notes section of LastPass, you have to assume that they will be compromised at some point.
The problem is that even deleting your account or discontinuing use of LastPass doesn’t change the fact that that information has been cloned, and the encrypted copy is now in the hands of an attacker of unknown capabilities. We don’t know how they serialize the vault or how their implementation of AES-256 works. We don’t know if they’ve properly implemented PBKDF2. We assume there’s some degree of competence, but the fact that they lost all 33 million vaults indicates they were not following proper storage and access control procedures to protect customer information.
Given that they’ve previously lied about vaults being indistinguishable from each other, it’s concerning that now they are distinguishable. There’s metadata and user data, allowing a priority queue to form. Publicly known individuals, such as celebrities or wealthy people, are likely at the top of the stack for a brute-force attack. If you have a large master password with lots of characters and everything is correctly implemented with PBKDF2, the chance of decryption is exceedingly low unless the adversary has some new attack method.
To be honest, I’m pretty sick and disgusted by this company. I trusted them for a long time and recommended their products. It’s extraordinary that they initially claimed there was a hack but no customer data was lost, only to later admit that some customer data had been lost. Now, they’ve lost all the encrypted vaults, not just a few. Their email explaining this attack was one of the most asinine apologies I’ve ever seen.
If you’re looking for alternatives, Bitwarden is a great option. They are open source and a much better company. The only reason I hadn’t migrated to them is that I had a lot of data still sitting in LastPass. But better late than never. They have better infosec practices, follow better standards, and offer good pricing, including a free product line. I highly recommend Bitwarden; it comes recommended by many people.
The problem with information security is that it’s always a moving target. Ten years ago, LastPass was the go-to option, and many people looked up to them. Now, it seems they’ve lost their way. If you are a LastPass user, I recommend you immediately migrate to a different service, whether it’s Bitwarden or another option, and start the process of cycling your passwords. If you have any private notes, credit card information, or other sensitive data in your vault, it’s wise to rotate that information as well.
As a general rule, never store anything unencrypted in a cloud service. Always double encrypt: let the cloud service encrypt it and store the file encrypted. This way, even if it gets compromised, you have an extra layer of security. I might do some videos on that topic.
Sorry to be the bearer of bad news. This issue has been floating around for some time, and I recommend you read the Ars Technica article on the LastPass hack. It would be nice to get at least a decent apology from the company. It’s pretty dirty what has happened, and it’s extraordinary to me that they could screw up this badly. Information security is really hard, and it’s a shame that PGP is not more widely adopted as a standard. Ultimately, if the vaults were encrypted with a client-side PGP key, I wouldn’t care at all that they got leaked. In fact, when we for a Lace wallet start supporting PGP encryption of paper wallets, I plan to take some ADA—probably a million dollars' worth—put it into a paper wallet encrypted with PGP, and publicly post it on my Twitter so you can try to break it. I’m very confident in those standards.
Master passwords, even if they’re long, are becoming a dead standard and shouldn’t be relied upon anymore. There are alternatives like Bitwarden, KeePass, and 1Password, and many others out there. We need to be vigilant. If you are on LastPass, begin the process of migration. If you have any personally identifiable information there, expect it to be lost. If you have credit cards or similar information, change the numbers. As for all your usernames and passwords, you need to change them. Unfortunately, if adversaries break your vaults, they will be fully aware of the accounts you have.
Goodbye, LastPass. Thanks, everybody, and have a great Christmas.
1:07:35
26:05
26:19