Newsletter 01/09/2022
Another year, another day, another data breach: Or, Did LastPass Get Gassed?

The old year rang out with upsetting news for users of the password manager application LastPass. News went out that master passwords had been cracked and, presumably, were for sale on the dark web. On December 28, BleepingComputer reported:

Many LastPass users report that their master passwords have been compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations.

To better understand the import of this news, it is useful to review what a password manager is, and the obvious reasons why I have never recommended their use. Travelers Insurance has recommended password manager software to its customers. Travelers' reasoning is, indeed, sound, if we lived in a perfect cyber world. To help solve the problem of keeping your passwords strong and remembering them all, a handful of companies have developed password manager applications designed to deliver four key benefits:

1. They allow you to remember just one master password to access your other passwords for all sites and applications.

This all sounds great, but as WIRED put it as far back as 2015:

Experts recommend password managers like LastPass as the easiest way to generate unique, strong security codes for every one of your online accounts — which sounds great, until that password manager itself is cracked, potentially offering attackers access to all the accounts it was designed to protect.

LastPass has been gassed in the past. As WIRED detailed in the article referenced above:

On Monday password manager service LastPass admitted it had been the target of a hack that accessed its users' email addresses, encrypted master passwords, and the reminder words and phrases that the service asks users to create for those master passwords.

In the attack of December 2021, LastPass admitted that it had been the target of a "credential stuffing" attack. Credential stuffing is an attack in which the attacker replays lists of previously compromised username and password pairs against a target system. The attack uses bots for automation and scale and relies on the fact that many users reuse the same username and password across multiple services. Credential stuffing attacks have become common because enormous numbers of username and password combinations have been stolen and made available on the dark web.

In reply to the article referenced above, LastPass issued the statement below:

LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted "credential stuffing" activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It's important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party.
We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.
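The credential stuffing pattern described above, a bot walking a breach list of many different usernames from one source and failing most of the time, is something a defender can pick out of ordinary authentication logs. What follows is an added example written for this newsletter; it is not LastPass code and does not describe how LastPass detected anything. The log line format, the thresholds (distinct usernames per window, failure ratio) and the sample log lines are all constructed assumptions for illustration.

```python
"""Spot credential-stuffing sources in authentication logs.

Added example for this newsletter, not LastPass code. The log format,
thresholds and the sample log below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example), one event per line:
#   <ISO-8601 timestamp> <client_ip> <username> <LOGIN_OK|LOGIN_FAIL>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL)$"
)

# Constructed sample: 203.0.113.7 tries six different accounts in six
# seconds and lands one (carol); 198.51.100.9 is a real user retrying
# her own password. The garbage line shows that malformed input is skipped.
SAMPLE_LOG = """\
2021-12-27T10:00:01 203.0.113.7 alice LOGIN_FAIL
2021-12-27T10:00:02 203.0.113.7 bob LOGIN_FAIL
2021-12-27T10:00:03 203.0.113.7 carol LOGIN_OK
this line is not an auth event
2021-12-27T10:00:04 203.0.113.7 dave LOGIN_FAIL
2021-12-27T10:00:05 203.0.113.7 erin LOGIN_FAIL
2021-12-27T10:00:06 203.0.113.7 frank LOGIN_FAIL
2021-12-27T10:05:00 198.51.100.9 alice LOGIN_FAIL
2021-12-27T10:05:30 198.51.100.9 alice LOGIN_FAIL
2021-12-27T10:06:00 198.51.100.9 alice LOGIN_OK
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "LOGIN_OK",
    }


def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.8):
    """Return {source_ip: summary} for sources that look like stuffing bots.

    Heuristic: within one time window a single source attempts at least
    `min_users` *distinct* usernames and at least `min_fail_ratio` of the
    attempts fail. A forgetful user retries one username; a bot replaying
    a breach list walks through many. The summary lists the accounts the
    source logged into successfully, which are the reused credentials a
    responder must force-reset.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    suspects = {}
    for ip, evs in by_ip.items():
        j = 0  # right edge of the sliding window; only ever moves forward
        for i in range(len(evs)):
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            span = evs[i:j]
            users = {e["user"] for e in span}
            fails = sum(1 for e in span if not e["ok"])
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                suspects[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "failures": fails,
                    "hit_accounts": sorted(e["user"] for e in span if e["ok"]),
                }
                break  # one qualifying window is enough to flag the source
    return suspects


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The thresholds are deliberately loose here so the short sample trips them; in production they would be tuned per login endpoint, and the source key would usually be an ASN or a device fingerprint rather than a bare IP, because stuffing tools rotate through proxy pools. The "hit_accounts" list is the actionable output: those users had a reused password that worked, and they are the ones who should be forced to change it and review recent activity.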
This statement is, however, in dispute. One security blogger suggests that the LastPass master password list was included in a larger dump of data exfiltrated from corporate networks, and thus that LastPass was indeed gassed. Users responding to the Twitter account MayhemDayOne reported that many of them had received notices from LastPass of a breach of their LastPass account.
Virtually every website and app uses passwords as a means of authenticating its users. Users, forced to contend with an ever-expanding number of online accounts they must manage, tend to reuse the same passwords across multiple online services. Unfortunately, the widespread use and reuse of passwords has made them attractive targets for cybercriminals, who know that passwords stolen from one company may provide the keys to a host of accounts at another.

Furthermore, a recent analysis of the security of various corporate networks, large and small, by the security firm Positive Technologies found that cybercriminals could breach 93% of company networks and trigger 71% of "unacceptable events" within a month. These unacceptable events include disrupting technological processes and service delivery and theft of financial resources and information. Most disruptions originate from distributed denial-of-service attacks. According to the researchers, threat actors could take over some information systems in a matter of days and trigger the events in less than a month.
There is no reason to assume that the security protocols implemented by LastPass are any better than those of Colonial Pipeline or the HR and payroll software provider Kronos, to name just a couple of well-publicized victims of recent cyber attacks that impacted thousands of people. So my bet is this: Yep. LastPass got gassed.