LastPass Breach – What else has been revealed?

In January 2023, I wrote a blog post about the LastPass breach of August 2022, and specifically about LastPass informing its users that the following fields in the stolen vault data were not encrypted:

  • user’s email address
  • company names
  • end user names
  • billing addresses
  • last IP address used to access the vault
  • URLs of all sites saved in the vault

Are Crooks Cracking Keys

In September 2023, Krebs on Security published an article titled “Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach“. In it, Brian Krebs described how MetaMask, a popular software cryptocurrency wallet, and other researchers had started to see crypto wallets being drained, with overall losses of around US$35 million. The common thread among the victims was that they were all long-time LastPass users. These were security-minded people who had stored their wallet seed phrases in their LastPass vault.

As LastPass raised the default iteration count for the master password over the years, existing accounts were not automatically moved to the new value, nor were users told to check the setting. The iteration count is the number of rounds the master password is put through the key-derivation function (PBKDF2 in LastPass's case) to produce the key that encrypts the vault. The higher the count, the more work an attacker has to do for every single guess when cracking a stolen vault offline. The article states that with an iteration count of 1 a master password could be cracked in about 17 hours, and with 500 in about a year. Those figures assume a particular password strength and attacker hardware, and as computing power improves the timeframes will only shrink. They also show why a long, random master password matters as much as the iteration count: a long enough password stays out of reach at any count.
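To make the iteration-count point concrete, here is a small model of an offline attack on a stolen vault. This is an added example written for this post, not LastPass's code or its actual vault format: it assumes PBKDF2-HMAC-SHA256 with the account email as the salt and a stored HMAC verifier that lets anyone holding the file test a guess, and the email, passwords and word list are constructed for the demonstration. It shows two things the paragraph above only states: the attacker reads the iteration count from the stolen copy, so raising it later on the live account changes nothing for that copy, and each extra iteration multiplies the cost of every guess.

```python
import hashlib
import hmac
import time

# Added illustration of why the PBKDF2 iteration count matters for a stolen
# vault. Simplified model written for this post, NOT LastPass's actual vault
# format or exact key-derivation scheme. The email address, passwords and
# word list are constructed for the demonstration.

CHECK_LABEL = b"vault-key-check"  # constant the stored verifier is computed over


def derive_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256.

    The account email is used as the salt (an assumption of this model); the
    iteration count is the setting the post tells users to check and raise.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def make_vault(master_password: str, email: str, iterations: int) -> dict:
    """Build the part of a vault an attacker sees: salt, iteration count and a
    verifier that lets anyone holding the file test a candidate key offline."""
    key = derive_key(master_password, email, iterations)
    verifier = hmac.new(key, CHECK_LABEL, "sha256").hexdigest()
    return {"email": email, "iterations": iterations, "verifier": verifier}


def dictionary_attack(vault: dict, wordlist: list[str]) -> tuple:
    """Offline guess loop using only the stolen vault header and a word list.

    Returns (recovered_password, guesses_tried). The iteration count is read
    from the stolen copy, so whatever the owner sets later is irrelevant here.
    """
    tried = 0
    for guess in wordlist:
        tried += 1
        key = derive_key(guess, vault["email"], vault["iterations"])
        candidate = hmac.new(key, CHECK_LABEL, "sha256").hexdigest()
        if hmac.compare_digest(candidate, vault["verifier"]):
            return guess, tried
    return None, tried


def seconds_per_guess(iterations: int, email: str = "victim@example.com") -> float:
    """Measure the cost of one PBKDF2 evaluation at a given iteration count."""
    start = time.perf_counter()
    derive_key("timing-probe", email, iterations)
    return time.perf_counter() - start


def projected_seconds(candidates: int, cost_per_guess: float) -> float:
    """Worst-case time to exhaust a candidate space at a given per-guess cost."""
    return candidates * cost_per_guess


if __name__ == "__main__":
    email = "victim@example.com"
    # Constructed word list standing in for an attacker's dictionary.
    wordlist = ["123456", "password", "letmein", "Summer2019!", "qwerty"]

    # The backup that was stolen: an old account still on 1 iteration.
    stolen_copy = make_vault("Summer2019!", email, iterations=1)

    # The owner has since followed the advice: new passphrase, 600,000 iterations.
    live_vault = make_vault("correct horse battery staple", email, iterations=600_000)

    recovered, tried = dictionary_attack(stolen_copy, wordlist)
    print(f"stolen copy cracked: {recovered!r} after {tried} guesses")

    recovered, tried = dictionary_attack(live_vault, wordlist)
    print(f"live vault cracked: {recovered!r} after {tried} guesses")

    for n in (1, 500, 600_000):
        cost = seconds_per_guess(n, email)
        years = projected_seconds(10**9, cost) / (365 * 24 * 3600)
        print(f"{n:>7} iterations: {cost * 1000:8.3f} ms/guess on this CPU -> "
              f"~{years:.1f} years for 10^9 guesses, single-threaded")
```

Run it as a script and the stolen copy falls to the word list in four guesses while the live vault does not. The timing loop at the end is a single Python process on one core; a real cracking rig with GPUs runs many thousands of PBKDF2 evaluations in parallel, so the absolute numbers are only useful for the ratio between iteration counts.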

This pattern indicates the criminals have been sifting through the unencrypted fields of the stolen vault data (the saved site URLs in particular) to pick out high-value targets, and then cracking those vaults' master passwords offline.

What does this mean for you as a LastPass user?

If you were a LastPass user prior to August 2022, do the following immediately. If you are a new LastPass user, run through the same checks to see where you can improve the security of your vault.

1. Change your LastPass master password.
LastPass now sets the minimum at 12 characters. Do better than the minimum and use at least 15 characters; the longer, the better. Note that a new master password protects your live vault only. It does nothing for the copy that was already stolen, which is why step 5 matters.

2. Reset or set up two-factor authentication (2FA).
If you already use 2FA, re-enrol so a new 2FA secret is generated. If you haven't set up 2FA, do it now to give yourself an extra layer of protection. 2FA does not protect the stolen vault: a thief with an offline copy never has to pass a login challenge. It does protect your account going forward.

3. Check your LastPass settings.
Go to ACCOUNT SETTINGS > GENERAL > SHOW ADVANCED SETTINGS > PASSWORD ITERATIONS. Change this number to the highest value LastPass recommends. At the time of writing, LastPass is recommending 600,000. Raising the count only affects how your vault is protected from now on; the stolen backup was encrypted with whatever count your account had at the time, and nothing you change now alters that copy.

4. Review the other security settings.
Check the remaining LastPass security settings and update them based on LastPass' recommendations or your own needs.

5. Change every password stored in your vault.
This is especially important for users who were not using 2FA and/or had a weak master password, but I extend the recommendation to all LastPass users: review every account stored in the vault and change its password by visiting the associated website. If the account offers 2FA, turn it on, or re-enrol if it is already on, for additional security.
Start with the accounts that matter most to you, for example bank accounts, credit card accounts and email accounts, and work your way down the list until every password has been changed.

FEELING UNSURE ABOUT LASTPASS?

Martarna offers password management services built on Keeper Security. We set up your account with strict security policies: for example, every user must have 2FA enabled, and no user can export their passwords or share them outside the organisation. When an employee leaves, you can have their account locked and its contents transferred to another user. Many of our clients are solo business owners who find it both convenient and more secure to have Martarna manage the administration.

In addition, we provide annual cyber awareness training to our clients to help them defend against security threats.

Peter Stulcbauer
