The attack on the password manager LastPass seems to be more far-reaching than previously assumed – in addition, LastPass is said to have known much earlier than was previously communicated to the outside world.
The company announced just before Christmas that hackers were able to access sensitive, encrypted customer data and entire data vaults. The source codes used in a large-scale attack in early December were stolen back in August.
Good password choice: Sometimes not so easy
The then updated LastPass report regarding the hack is now being torn up by security experts (via beta news). One of them denounced them as “full of omissions, half-truths and outright lies”:
Of the Security researcher Vladimir Palant accuses the company, being more concerned about saving face than being transparent about the incident. In addition, Palant criticizes that LastPass does not identify the updated information as what it is, namely a legal requirement. LastPass, on the other hand, points out that they want to “ensure transparency”.
Palant criticizes again:
“Note that LastPass admits it doesn’t encrypt website URLs, but doesn’t classify them as ‘sensitive fields.’ But website URLs are sensitive data. Threat actors would like to know what you have access to. Then they could target phishing -Create emails only for the people who are worth their effort. It doesn’t matter that some of those URLs have parameters attached. For example, LastPass sometimes saves password reset URLs. And occasionally they’re still valid.”
He rejects the claim that users’ data is safe because master passwords are difficult to crack. However, LastPass shifts the responsibility onto the user, although the company itself could have done more to ensure security.
LastPass has also come under criticism for telling its users that “there are no recommended actions you need to take at this time”. This is not only grossly negligent in Palant’s eyes. There are certainly recommendations for action, and not just for people with master passwords that are too easy to guess. Anyone who could be a valuable target (activists, dissidents, company admins, etc.) should strongly consider changing all passwords now.
Palant is far from alone in his criticism of LastPass. On Mastodon, security researcher Jeremi Gosney criticizes the company’s security claims, saying:
“LastPass claims of ‘zero knowledge’ is a blatant lie. They have as much knowledge as any password manager can possibly have. Every time you log into a website, an event is generated and sent to LastPass with the sole purpose of tracking which sites you log in. You can disable telemetry, but that won’t do anything – it still logs into LastPass every time you authenticate somewhere, plus almost everything is in your LastPass Vault unencrypted. I think most people think of their vault as some kind of encrypted database where the entire file is protected, but no – with LastPass, your vault is a plain text file and only a select few fields are encrypted.”
Download 1Password: Comprehensive password manager
Download KeePass – Password Collection Tool
Infographic: Choose a secure password
