LastPass accused of lying in security breach announcements
The reputation of LastPass has taken quite a battering over the past year, with the handling of security incidents doing nothing to improve things. Just last week the company gave an update about a security breach that took place back in August, revealing that it had been more serious than first suggested.
But now the updated announcement from LastPass has been ripped to shreds by security experts with one denouncing it as being "full of omissions, half-truths and outright lies".
- LastPass data breach is worse than first thought; user data and password vaults grabbed by hackers
- Leaked: Microsoft is bringing tabs to more apps in Windows 11
- Twitter removes suicide prevention feature at Musk's request -- [UPDATED: it's back, with Musk claiming 'fake news']
Security researcher Wladimir Palant has penned a scathing attack on LastPass, accusing the company of being more concerned with saving face than being transparent. He tears apart the most recent statement issued by LastPass, going through it line by line and calling out instances of misrepresentation and what he refers to as "omissions, half-truths and outright lies".
Palant starts off attacking LassPass for trying to make it seem as though the updates it is issuing are being done as acts of benevolence; he points out that this is actually a legal requirement.
The most recent admission from LastPass was that a threat actor was able obtain "a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” Palant points out:
Note how LastPass admits not encrypting website URLs but doesn't group it under "sensitive fields". But website URLs are very much sensitive data. Threat actors would love to know what you have access to. Then they could produce well-targeted phishing emails just for the people who are worth their effort.
Never mind the fact that some of these URLs have parameters attached to them. For example, LastPass will sometimes save password reset URLs. And occasionally they will still be valid.
He decries claims that user data is safe because of the difficulty of cracking master passwords, with LastPass shifting responsibility to users. A requirement for lengthier passwords only applies to accounts created in the last four years, and the company's claim that it "utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password" is also questioned. Palant says:
Note "stronger-than-typical" here. I seriously wonder what LastPass considers typical, given that 100,000 PBKDF2 iterations are the lowest number I’ve seen in any current password manager. And it’s also the lowest protection level that is still somewhat (barely) acceptable today.
In fact, OWASP currently recommends 310,000 iterations. LastPass hasn’t increased their default since 2018, despite modern graphics cards becoming much better at guessing PBKDF2-protected passwords in that time -- at least by factor 7.
There are many other complaints and much more condemnation of LastPass, not least for the company's suggestion to users that: "There are no recommended actions that you need to take at this time".
This statement receives a sound pounding:
This is just gross negligence. There certainly are recommended actions to take, and not merely for people with overly simple master passwords or too low number of iterations. Sufficiently determined attackers will be able to decrypt the data for almost anyone. The question is merely whether it’s worth it for them.
So anybody who could be a high value target (activists, dissidents, company admins etc.) should strongly consider changing all their passwords right now. You could of course also consider switching to a competitor who in the case of a breach will be more concerned about keeping you safe than about saving their face.
You can read Wladimir Palant's full blog post here.
Palant is far from being alone in his criticism of LastPass. Over on Mastodon, security researcher Jeremi M Gosney rips into the company's security claims saying:
LastPass's claim of "zero knowledge" is a bald-faced lie. They have about as much knowledge as a password manager can possibly get away with. Every time you login to a site, an event is generated and sent to LastPass for the sole purpose of tracking what sites you are logging into. You can disable telemetry, except disabling it doesn't do anything - it still phones home to LastPass every time you authenticate somewhere. Moreover, nearly everything in your LastPass vault is unencrypted. I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no -- with LastPass, your vault is a plaintext file and only a few select fields are encrypted.
He goes on to complain about poor encryption, "garbage" browser extensions and poor security practices.