Almost Secure Blog: A year after the disastrous breach, LastPass has not improved

[Gandalf_The_Grey]

n September last year, a breach at LastPass’ parent company GoTo (formerly LogMeIn) culminated in attackers siphoning out all data from their servers. The criticism from the security community has been massive. This was not so much because of the breach itself, such things happen, but because of the many obvious ways in which LastPass made matters worse: taking months to notify users, failing to provide useful mitigation instructions, downplaying the severity of the attack, ignoring technical issues which have been publicized years ago and made the attackers’ job much easier. The list goes on.

Now this has been almost a year ago. LastPass promised to improve, both as far as their communication goes and on the technical side of things. So let’s take a look at whether they managed to deliver.

TL;DR: They didn’t. So far I failed to find evidence of any improvements whatsoever.

Contents​

• The communication
  • The initial advisory
  • The detailed advisory
  • Improvements?
• Secure settings
  • The issue
  • Improvements?
• Unencrypted data
  • The issue
  • Improvements?
• Conclusions

A year after the disastrous breach, LastPass has not improved

A year after the breach, LastPass still failed to deliver useful mitigation steps. The technical issues haven’t been resolved either.

palant.info

 

[Ink]

At this point, anyone who continues to use LastPass (password manager) is an idiot and doing themselves a disservice.

Keeping your private data offline, encrypted and stored in a secure location is your safest bet.

 

[Wladimir Palant]

Keeping your private data offline, encrypted and stored in a secure location is your safest bet.

This isn’t really about online vs. offline. It’s possible to encrypt data in a way that it is safe to store online. But for that you have to understand crypto and to encrypt everything. Most popular password managers are doing an okay’ish job on that – there might be smaller issues, but these aren’t showstoppers. In case of a breach, only a few high-profile targets might have reason to worry. Also, the other password managers took the LastPass breach as an occasion to check their security, and they did improve things.

LastPass is really exceptionally bad. Not only is it clear from their source code that they don’t understand crypto and never did. This is at least their third breach, and they failed to learn from any of them. Never mind their “regular” security issues where they received reports of issues in the same area again and again, being unable to fix things properly.

 

[Arequire]

At this point, anyone who continues to use LastPass (password manager) is an idiot

To play devil's advocate, I assume most LastPass users aren't aware of the company's indifference towards their security. Likely the most they saw is whatever email was sent when they publicly disclosed the breach and what they plan on doing to combat future breaches, and that's assuming they even read that.

 

[Jonny Quest]

To play devil's advocate, I assume most LastPass users aren't aware of the company's indifference towards their security. Likely the most they saw is whatever email was sent when they publicly disclosed the breach and what they plan on doing to combat future breaches, and that's assuming they even read that.

But, after all the breaches through all the years, who would not know by now, or at least have done some research as far as a secure password manager and of LastPass ineptness to keep their account secure? So in that case, at this point, if they did not know about any of this, but only through a reassurance email notice, then isn't that their problem for not doing any follow-up research?

 

[Arequire]

But, after all the breaches through all the years, who would not know by now, or at least have done some research as far as a secure password manager and of LastPass ineptness to keep their account secure?

I'd bet there's a decent contingent that aren't aware of at least some the breaches, or have forgotten about the them. You also have to take into account the users who only started using the service after each breach occurred, thus might not have ever received any communication about it.

Even if they are aware, transitioning to another password manager might be perceived as a headache that they simply don't want to deal with.

they did not know about any of this, but only through a reassurance email notice, then isn't that their problem for not doing any follow-up research?

Their problem, sure, but they likely have their own reason(s) for not switching, and while "I can't be bothered" isn't a good reason, it is a reason and I wouldn't go out of my way to try and convince them otherwise.

 

[Jonny Quest]

I'd bet there's a decent contingent that aren't aware of at least some the breaches, or have forgotten about the them. You also have to take into account the users who only started using the service after each breach occurred, thus might not have ever received any communication about it.

Even if they are aware, transitioning to another password manager might be perceived as a headache that they simply don't want to deal with.


Their problem, sure, but they likely have their own reason(s) for not switching, and while "I can't be bothered" isn't a good reason, it is a reason and I wouldn't go out of my way to try and convince them otherwise.

Fair enough, especially since those of us on this forum are curious and keep up to speed better than the basic, average user, who as you say, may think it overwhelming to export, import and learn a new password manager.

 

[Wladimir Palant]

But, after all the breaches through all the years, who would not know by now

Lots of people would not. Before the latest breach, I tried a few times to ask people from the security community to stop recommending LastPass. I cited their poor security track record and all the issues which are by design. And I invariably got the response “but they fixed things quickly, so it’s all good.”

LastPass is very good at PR. Even the people who should have known better bought into it. And you are surprised that some regular Joe still thinks “yes, there was this breach notification, but LastPass said that it isn’t something to worry about so I don’t”?

 

[simmerskool]

only through a reassurance email notice, then isn't that their problem for not doing any follow-up research?

well yes and no, I would assume lastpass has some legal liability for sending erroneous email to its users, although I have not seen such email as I never used lastpass

 

[nickstar1]

i remember how everyone use to swear by lastpass i personally always hated it and knew someone would eventually tarnish its reputation.

 

[Ink]

This isn’t really about online vs. offline. It’s possible to encrypt data in a way that it is safe to store online. But for that you have to understand crypto and to encrypt everything. Most popular password managers are doing an okay’ish job on that – there might be smaller issues, but these aren’t showstoppers. In case of a breach, only a few high-profile targets might have reason to worry. Also, the other password managers took the LastPass breach as an occasion to check their security, and they did improve things.

LastPass is really exceptionally bad. Not only is it clear from their source code that they don’t understand crypto and never did. This is at least their third breach, and they failed to learn from any of them. Never mind their “regular” security issues where they received reports of issues in the same area again and again, being unable to fix things properly.

It was not a solution to an online vs offline problem, but a suggestion - as an example.

 

[vtqhtr413]

Remember last November, when hackers broke into the network for LastPass—a password database—and stole password vaults with both encrypted and plaintext data for over 25 million users? Well, they’re now using that data to break into crypto wallets and drain them: $35 million and counting, all going into a single wallet.

That’s a really profitable hack. (It’s also bad opsec. The hackers need to move and launder all that money quickly.)

Look, I know that online password databases are more convenient. But they’re also risky. This is why my Password Safe is local only. (I know this sounds like a commercial, but Password Safe is not a commercial product.)

Using Hacked LastPass Keys to Steal Cryptocurrency - Schneier on Security

www.schneier.com

 

[Trident]

LastPass at this point is just a natural disaster.
That pretty much summarises everything that needs to be said about them.