Newsletter 01/09/2022

Another year, another day, another data breach:

Or, Did LastPass Get Gassed?

The old year rang out with upsetting news for users of the password manager LastPass: reports that master passwords had been compromised and, presumably, were for sale on the dark web.  On December 28, BleepingComputer reported:

Many LastPass users report that their master passwords have been compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations.

The email notifications also mention that the login attempts have been blocked because they were made from unfamiliar locations worldwide.


"Someone just used your master password to try to log in to your account from a device or location we didn't recognize," the login alerts warn.

To better understand the import of this news, it is useful to review what a password manager is, and the obvious reasons why I have never recommended using one.

Travelers Insurance has recommended password manager software to its customers.  Travelers' reasoning is, indeed, sound, if we lived in a perfect cyber world.

To help solve the problem of keeping your passwords strong and remembering them all, a handful of companies have developed password manager software applications designed to accomplish four key benefits:

1. They allow you to remember just one master password to access your other passwords for all sites and applications.

2. They can auto-generate strong, random passwords with a mix of symbols and letters so the passwords cannot easily be guessed. They can also be used to rate the strength of passwords you currently use.

3. They provide the added security of having any personal information and passwords stored in the manager to be encrypted, depending on the password service you select.

4. You no longer have to write passwords down on paper or store them in a digital text document, both of which can significantly increase your vulnerability to a potential hack or criminal activity.
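As an added illustration (not code from this newsletter, from Travelers, or from LastPass), here is a minimal model of the key-derivation step behind benefits 1 and 3 above: one master password is stretched with PBKDF2 into a vault-encryption key that stays on the device, while a separate authentication hash is all the server stores and checks. The iteration count, the use of the account email as salt, and the toy login server are assumptions chosen for illustration; the vault encryption itself is left out. The last function shows the scenario this post goes on to discuss: an attacker replaying email/password pairs from some other site's breach gets in exactly where the master password was reused.

```python
# Added example (not the newsletter's or LastPass's code): a model of how a
# password manager turns one master password into two different secrets.
# The iteration count, email-as-salt and the toy login server are assumptions.
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor; services tune this upward over time


def vault_key(email: str, master_password: str) -> bytes:
    """Key that encrypts the vault on the device and is never sent anywhere.
    Salting with the (lower-cased) account email means two customers who
    chose the same master password still get different keys."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS
    )


def auth_hash(email: str, master_password: str) -> bytes:
    """What the client presents at login: one more PBKDF2 round over the vault
    key. The server stores only this value, so a server-side leak hands an
    attacker a hash to crack, not the key that opens the vault."""
    key = vault_key(email, master_password)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


class LoginServer:
    """Toy service side: keeps authentication hashes only, never master passwords."""

    def __init__(self) -> None:
        self._auth = {}

    def register(self, email: str, master_password: str) -> None:
        self._auth[email] = auth_hash(email, master_password)

    def login(self, email: str, master_password: str) -> bool:
        stored = self._auth.get(email)
        if stored is None:
            return False
        # constant-time compare; the server recomputes the hash from the password
        return hmac.compare_digest(stored, auth_hash(email, master_password))


def credential_stuffing(server: LoginServer, leaked_pairs):
    """Replay email/password pairs from an unrelated breach against the service.
    Only accounts whose master password was reused elsewhere fall to this."""
    return [email for email, pw in leaked_pairs if server.login(email, pw)]


if __name__ == "__main__":
    srv = LoginServer()
    srv.register("alice@example.com", "Winter2021!")   # reused from a forum account
    srv.register("bob@example.com", "vK8#rq2!pLm0zT")  # unique to the vault
    leaked = [("alice@example.com", "Winter2021!"), ("bob@example.com", "Winter2021!")]
    print("accounts opened by stuffing:", credential_stuffing(srv, leaked))
```

The point a practitioner should take from this: a leak of the server's stored hashes still costs an attacker the full PBKDF2 work factor per guess, whereas a master password reused on some other site costs them nothing at all, which is why strength and uniqueness of that one password matter more than anything the vendor does server-side.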

This all sounds great, but as WIRED put it as far back as 2015:

Experts recommend password managers like LastPass as the easiest way to generate unique, strong security codes for every one of your online accounts — which sounds great, until that password manager itself is cracked, potentially offering attackers access to all the accounts it was designed to protect.

LastPass has been gassed in the past.  As WIRED detailed in the above-referenced article:

On Monday password manager service LastPass admitted it had been the target of a hack that accessed its users' email addresses, encrypted master passwords, and the reminder words and phrases that the service asks users to create for those master passwords.

Of the December 2021 activity, LastPass said that it believed it was the target of an attempted "credential stuffing attack."

Credential stuffing is a cyberattack method in which attackers use lists of compromised user credentials to breach into a system. The attack uses bots for automation and scale and is based on the assumption that many users reuse usernames and passwords across multiple services.

Credential stuffing attacks have become quite common recently as endless numbers of username and/or password combinations have been stolen and made available on the dark web.

These types of attacks have typically been aimed at online services like email providers, gaming accounts, social media profiles, and online shopping sites since these are the typical accounts that, when hacked, can be re-sold on cybercrime markets.
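Here is an added example (not from the newsletter or from BleepingComputer) of what this pattern looks like from the defender's side: a small detector, run over constructed login-audit lines, that flags a source hitting many different accounts with mostly failed logins in a short window, and reports which accounts that source nonetheless got into. The log line format, the thresholds and the sample IPs are assumptions chosen for illustration.

```python
# Added example, not from the newsletter: flag the credential-stuffing pattern
# (one source, many distinct accounts, high failure rate) in login audit lines.
# The audit format, thresholds and sample data below are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed one-line-per-attempt audit format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 tries one leaked password against many
# different accounts; 198.51.100.4 is a single user mistyping their own password.
SAMPLE_LOG = """\
2021-12-27T10:00:01 ip=203.0.113.7 user=alice@example.com result=fail
2021-12-27T10:00:02 ip=203.0.113.7 user=bob@example.com result=fail
2021-12-27T10:00:02 ip=198.51.100.4 user=carol@example.com result=fail
2021-12-27T10:00:03 ip=203.0.113.7 user=dave@example.com result=fail
2021-12-27T10:00:04 ip=203.0.113.7 user=erin@example.com result=ok
2021-12-27T10:00:05 ip=198.51.100.4 user=carol@example.com result=fail
2021-12-27T10:00:06 ip=203.0.113.7 user=frank@example.com result=fail
2021-12-27T10:00:07 ip=203.0.113.7 user=grace@example.com result=fail
2021-12-27T10:00:09 ip=198.51.100.4 user=carol@example.com result=ok
"""


def parse_log(text):
    """Yield (timestamp, ip, user, success) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "ok")


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_rate=0.7):
    """Flag source IPs that, within any `window`, hit at least `min_users`
    distinct accounts with a failure rate of at least `min_fail_rate`.
    A user who forgets their password fails repeatedly against ONE account,
    so the distinct-user threshold keeps them out of the findings.
    Returns {ip: {"attempts", "distinct_users", "failures", "compromised"}}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            failures = sum(1 for _, _, ok in in_window if not ok)
            if len(users) >= min_users and failures / len(in_window) >= min_fail_rate:
                findings[ip] = {
                    "attempts": len(in_window),
                    "distinct_users": len(users),
                    "failures": failures,
                    # accounts the attacker actually got into: force a reset on these
                    "compromised": sorted(u for _, u, ok in in_window if ok),
                }
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The successful login inside a flagged burst is the one that matters operationally: it is the account whose password was reused somewhere else, and a "blocked from an unfamiliar location" email, as in the alerts quoted above, is the least a service should do for it.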

In reply to the article referenced above, LastPass issued the statement below:

LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.

This statement is, however, in dispute.  One security blogger suggests that LastPass master passwords were included in a larger dump of data exfiltrated from corporate networks, and thus that LastPass was indeed gassed.  Replies on the Twitter account MayhemDayOne reported that many users had been notified by LastPass of attempts on their accounts.

There is no question that credential stuffing attacks are on the rise.  In a report dated January 5, 2022, the New York State Office of the Attorney General warned 17 companies that roughly 1.1 million customer accounts had been compromised in credential stuffing attacks.  The NY AG's report, available as a PDF, begins as follows.

Virtually every website and app uses passwords as a means of authenticating its users. Users — forced to contend with an ever-expanding number of online accounts they must manage — tend to reuse the same passwords across multiple online services. Unfortunately, the widespread use and reuse of passwords has made them attractive targets to cybercriminals, who know that passwords stolen from one company may provide the keys to a host of accounts at another.

According to a recent study, there are more than 15 billion stolen credentials circulating on the Internet. This enormous cache of credentials has fueled a dramatic rise in credential stuffing attacks. The operator of one large content delivery network reported that it witnessed more than 193 billion such attacks in 2020.

Furthermore, a recent analysis by security firm Positive Technologies of corporate networks large and small found that cybercriminals could breach 93% of company networks and trigger 71% of unacceptable events within a month.

The undesirable events include disrupting technological processes and service delivery and theft of financial resources and information. Most disruptions originate from distributed denial-of-service attacks. According to the researchers, threat actors could take over some information systems in a matter of days and trigger the events in less than a month.

There is no reason to assume that the security protocols implemented by LastPass are any better than those of Colonial Pipeline or the HR software provider Kronos, to name just a couple of well-publicized victims of recent cyber attacks that impacted thousands of people.  So my bet is this: Yep. LastPass got gassed.

Putting all your eggs in one basket has a bad outcome nine times out of ten.  That is just common sense.  And, as I have said many times, common sense is your best form of security in any space, cyber or physical.  So to me, given that the 7% of networks Positive Technologies could not breach is too thin a margin to bet a bank or brokerage account on, I say password managers have become like, say, Network Attached Storage (NAS): wonderful technology made useless, if not downright dangerous, by the cyber crooks.

My favorite personal password management tool is an alphabetized notebook, pencil, and high quality eraser.  Granted, this doesn't help much on the road with your phone; but many of us do not need access to every account we have all the time.  For those accounts that you must access from your phone or tablet, the experts all agree that enabling two-factor authentication (2FA) on every account that allows for it is now de rigueur.

Of course, 2FA is itself far from foolproof or hacker proof.  As CSO magazine said in June 2021, "Multi-factor authentication (MFA) continues to embody both the best and worst of business IT security practice."   See Common Sense above.

With all the pillaging of databases and pilfering of account credentials, you might be wondering if your creds are included in the crud.  Well, Dear Reader, soldier on to the next post to learn how you can find out "Have I Been Pwned?"



Gerald Reiff