As part of our commitment to security, we want to make sure our customers and the public are aware of recent reports from LastPass users of fraudulent SMS account recovery requests. Our security and engineering teams have recently observed potential “credential stuffing” attacks occurring. In a credential stuffing attack, a malicious actor attempts to access user accounts (in this case, LastPass accounts) using e-mail addresses and passwords obtained from third-party breaches of other, unaffiliated services. Using an encrypted password manager and only using complex, unique passwords – bolstered by multi-factor authentication – is the ideal protection against this type of attack.
Create the most secure and random passwords by using our built-in password generator for a site, then store those sites in your LastPass Vault. It is recommended to use generated passwords as much as possible as a security best practice. Generate a secure password by doing the following.

LastPass for Microsoft Edge: if you're using Chromium-based Microsoft Edge, this one's for you. This is the LastPass browser extension for Microsoft Edge without a binary component. Features dependent on a binary component, such as automatic logoff after idle and sharing of login state with other browsers, will not function.
Each time you successfully log in to LastPass using a mobile device, a randomly generated unique identifier for the mobile device (UUID) will be added to a list on the Mobile Devices tab. All devices listed here can be renamed, enabled, disabled, or deleted.
We want to reassure you that there is no indication that LastPass or LogMeIn were breached or compromised.
How LastPass Protects Against Malicious Activities
LastPass was built with security in mind and includes various features, including the account recovery process, designed to protect against unauthorized or malicious access. The account recovery process in particular requires several steps designed to ensure that recovery can only be completed by the real owner, including a one-time passcode (OTP) that the account owner receives via email or text and must enter during the recovery login flow. Once the OTP has been confirmed, the user must additionally complete the recovery process on a browser or platform where they have previously logged in successfully via the LastPass Browser Extension (e.g., on Chrome, Edge, Safari, etc.). In the activity we observed, this process is being triggered, but, as designed, it cannot be completed on an attacker's machine.
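The two gates described above (an out-of-band one-time passcode, then a browser that has previously completed a real login) can be modelled in a few dozen lines. The following is an added example, not LastPass's code; the names RecoveryService, trusted_devices, OTP_TTL_SECONDS and OTP_MAX_ATTEMPTS and the numeric limits are assumptions made for the example. It shows why a phished or intercepted OTP alone does not complete recovery from an unknown browser, and writes an audit trail a defender can watch for recovery abuse.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of the two recovery gates. The names and limits below are
# assumptions for this example, not LastPass's own identifiers or settings.
OTP_TTL_SECONDS = 600   # assumed lifetime of the emailed/texted code
OTP_MAX_ATTEMPTS = 5    # assumed guess limit before the code is invalidated


@dataclass
class Account:
    email: str
    # Browser/device identifiers that have completed a real login before.
    trusted_devices: Set[str] = field(default_factory=set)
    pending_otp: Optional[str] = None
    otp_issued_at: float = 0.0
    otp_attempts: int = 0


class RecoveryService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[str] = []   # what a defender would review for recovery abuse

    def register(self, email: str) -> Account:
        self.accounts[email] = Account(email)
        return self.accounts[email]

    def record_successful_login(self, email: str, device_id: str) -> None:
        # A completed login marks this browser as one on which recovery may finish.
        self.accounts[email].trusted_devices.add(device_id)

    def start_recovery(self, email: str, now: float) -> str:
        # Gate 1: issue a one-time passcode. Returning it here stands in for
        # out-of-band delivery by email/SMS; a real service never returns it.
        acct = self.accounts[email]
        acct.pending_otp = f"{secrets.randbelow(10 ** 6):06d}"
        acct.otp_issued_at = now
        acct.otp_attempts = 0
        self.audit.append(f"recovery_started email={email}")
        return acct.pending_otp

    def complete_recovery(self, email: str, otp: str, device_id: str, now: float) -> Tuple[bool, str]:
        acct = self.accounts[email]
        if acct.pending_otp is None:
            return False, "no_recovery_in_progress"
        if now - acct.otp_issued_at > OTP_TTL_SECONDS:
            acct.pending_otp = None
            return False, "otp_expired"
        acct.otp_attempts += 1
        if acct.otp_attempts > OTP_MAX_ATTEMPTS:
            acct.pending_otp = None
            self.audit.append(f"recovery_locked email={email}")
            return False, "too_many_attempts"
        # Constant-time comparison so response timing does not leak the code.
        if not hmac.compare_digest(otp, acct.pending_otp):
            return False, "bad_otp"
        # Gate 2: a correct OTP is not enough; the browser must have logged in
        # before. This is the step an unknown machine cannot pass.
        if device_id not in acct.trusted_devices:
            self.audit.append(f"recovery_untrusted_device email={email} device={device_id}")
            return False, "untrusted_device"
        acct.pending_otp = None
        self.audit.append(f"recovery_completed email={email} device={device_id}")
        return True, "ok"


def demo() -> Dict[str, str]:
    """Run the two cases the advisory contrasts and return each outcome."""
    svc = RecoveryService()
    svc.register("owner@example.com")                      # constructed account
    svc.record_successful_login("owner@example.com", "browser-owner")
    t = time.time()
    code = svc.start_recovery("owner@example.com", t)
    outcomes = {}
    # Right code, but a browser that never logged in: recovery stops at gate 2.
    outcomes["unknown_browser"] = svc.complete_recovery("owner@example.com", code, "browser-other", t + 5)[1]
    # Same code on the browser that previously logged in: recovery completes.
    outcomes["known_browser"] = svc.complete_recovery("owner@example.com", code, "browser-owner", t + 10)[1]
    return outcomes


if __name__ == "__main__":
    print(demo())   # {'unknown_browser': 'untrusted_device', 'known_browser': 'ok'}
```

The audit lines are the useful by-product: a burst of `recovery_started` entries for many accounts, or repeated `recovery_untrusted_device` entries, is the server-side signal of the SMS recovery spray the advisory describes.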
LastPass also has many industry-standard protections in place, from various infrastructure level solutions, such as multiple web application firewalls, DDoS protection solutions, and malicious request filtering engines, to various application-level protections where we limit unusual behaviors in various ways. Operating and keeping these tools up-to-date is a continuous commitment from us to keep our users safe.
Creating a Strong Master Password
It’s very important that you use a strong Master Password and it should never be used as a password for any other website or app. If you or your end users have re-used your LastPass Master Password anywhere, we recommend immediately changing your LastPass Master Password and enabling multi-factor authentication on your account, as well as your end users’ accounts.
Although you’re protected by the many layers of encryption and security we put in place to keep your data safe, using a strong, unique Master Password will not only help to protect you from a brute-force attack but should also ensure that a breach at some other website won’t affect your LastPass account. While we enforce industry-standard minimums when creating the Master Password (it must be at least 12 characters long and contain at least 1 number, at least 1 lowercase letter and at least 1 uppercase letter), LastPass users should make the Master Password as strong as possible. Specifically, that means a Master Password should be long and unique, with a mix of character types.
Dangers of Password Re-Use
As the world continues to work remotely and spend more time online, there has been a general increase in observed cyber-attacks and breaches. Unfortunately, with large data leaks, millions of usernames and passwords are out there for anyone to abuse. The easiest way for attackers to make use of those credentials is to systematically try logging in to other websites, such as LastPass, with the same username and password combinations.
Creating long, strong and unique passwords is one of the main reasons you’re using a password manager like LastPass. We’re fortunate to be one of the most popular password managers available, but that doesn’t mean our service is exempt from these attempts either. Because re-using passwords is such a common (though dangerous) practice, we do everything we can to protect our users.
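The pattern just described, one source systematically trying leaked username/password pairs against many different accounts, has a distinctive shape in an authentication log that a single-account brute-force or a user mistyping their password does not. The following is an added example, not LastPass's detection logic: the log format, the thresholds (WINDOW, MIN_DISTINCT_USERS, MIN_FAIL_RATIO) and the sample lines are all constructed for the example. It flags sources that hit many distinct accounts inside a sliding window with a high failure rate, and lists any accounts that source did get into, since those are the ones whose reused password needs a forced reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed authentication log for the example (not real LastPass data).
# One source cycles through many different accounts and mostly fails, one
# user mistypes a password twice, and one source hammers a single account.
SAMPLE_LOG = """\
2021-12-27T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2021-12-27T10:00:03Z ip=203.0.113.5 user=bob@example.com result=FAIL
2021-12-27T10:00:04Z ip=198.51.100.7 user=bob@example.com result=FAIL
2021-12-27T10:00:06Z ip=203.0.113.5 user=carol@example.com result=FAIL
2021-12-27T10:00:09Z ip=203.0.113.5 user=dave@example.com result=OK
2021-12-27T10:00:11Z ip=198.51.100.7 user=bob@example.com result=FAIL
2021-12-27T10:00:12Z ip=203.0.113.5 user=erin@example.com result=FAIL
2021-12-27T10:00:15Z ip=203.0.113.5 user=frank@example.com result=FAIL
2021-12-27T10:00:20Z ip=198.51.100.7 user=bob@example.com result=OK
2021-12-27T10:01:00Z ip=192.0.2.9 user=grace@example.com result=FAIL
2021-12-27T10:01:30Z ip=192.0.2.9 user=grace@example.com result=FAIL
2021-12-27T10:02:00Z ip=192.0.2.9 user=grace@example.com result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Assumed thresholds; tune them against your own baseline of legitimate traffic.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5     # many *different* accounts from one source is the stuffing signature
MIN_FAIL_RATIO = 0.8       # most leaked credentials will not match on this service


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, bool]]:
    """Return (timestamp, ip, user, success) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"] == "OK"


def detect_credential_stuffing(log_text: str, window: timedelta = WINDOW,
                               min_users: int = MIN_DISTINCT_USERS,
                               min_fail_ratio: float = MIN_FAIL_RATIO) -> Dict[str, dict]:
    """Flag sources whose attempts in some sliding window span many accounts and mostly fail."""
    events = sorted(e for e in (parse_line(l) for l in log_text.splitlines()) if e)
    by_ip: Dict[str, List[Tuple[datetime, str, bool]]] = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "fail_ratio": round(ratio, 2),
                        # Accounts the source got into: reused passwords, force a reset.
                        "compromised": sorted(u for _, u, ok in win if ok),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

Neither of the other two sources trips the rule: 198.51.100.7 is one person who got their own password right on the third try, and 192.0.2.9 is repeatedly failing against a single account, which is a lockout or rate-limit case rather than stuffing. Distributed stuffing that spreads one attempt per source IP needs a different key (for instance, failure rate across many accounts per user-agent or ASN), which this per-IP rule will not see.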
What Can LastPass Users Do?
To help ensure your LastPass and other online accounts are secured from bad actors or hackers, we recommend users follow these online best practices:
- Use a strong, secure master password for your LastPass account that you never disclose to anyone.
- Never reuse passwords on multiple accounts, especially your LastPass Master Password. Use a different, unique password for every online account.
- We strongly advise using the LastPass Security Dashboard to identify websites saved in your vault where you’re re-using passwords. LastPass can help you replace those passwords with strong, unique ones using our password generator tool.
- Enable dark web monitoring in the Security Dashboard. Once it’s on, you can relax knowing that LastPass is monitoring your account security for you. If an account is at risk, you will receive an alert in your email and in-product.
- Turn on multi-factor authentication for LastPass and other services like your bank, email, Twitter, Facebook, etc.
- Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
- Run antivirus, end-point protection, and/or anti-malware protection software, as well as regularly update your software and anti-virus signatures.
- Make regular backups (either locally or to the cloud) of your critical data – this will serve you very well in case of ransomware attacks and similar. If all else fails, you still have your data in a safe place. Create a bi-weekly or bi-monthly habit of syncing or running a backup to catch up on any changes.
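The Master Password minimums stated earlier (12 characters, a number, a lowercase and an uppercase letter) and the Security Dashboard's reuse check from the list above can both be expressed over a decrypted vault in a handful of functions. The following is an added example, not LastPass's Security Dashboard code: the vault entries are constructed and the field names (`url`, `username`, `password`) are assumptions for the example. It reports which sites share a password and whether the Master Password appears as a site password, without echoing any password back in the report.

```python
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlparse

# Constructed vault for the example (not real data); the field names are assumptions.
VAULT = [
    {"url": "https://bank.example/login", "username": "alice", "password": "Tr0ub4dor&3"},
    {"url": "https://mail.example/", "username": "alice@example.com", "password": "Tr0ub4dor&3"},
    {"url": "https://forum.example/signin", "username": "alice99", "password": "Tr0ub4dor&3"},
    {"url": "https://shop.example/account", "username": "alice", "password": "v8#Qm2pL!xR9tZ4w"},
]


def meets_minimums(password: str) -> bool:
    """The stated Master Password floor: 12+ characters, a digit, a lowercase and an uppercase letter."""
    return (len(password) >= 12
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None)


def _host(url: str) -> str:
    # Group by hostname so /login and /signin on the same site count once.
    return urlparse(url).hostname or url


def reuse_groups(vault: List[dict]) -> List[List[str]]:
    """Sets of sites that share one password; the passwords themselves are never returned."""
    by_password: Dict[str, set] = defaultdict(set)
    for entry in vault:
        by_password[entry["password"]].add(_host(entry["url"]))
    return sorted(sorted(hosts) for hosts in by_password.values() if len(hosts) > 1)


def master_password_reused(vault: List[dict], master_password: str) -> List[str]:
    """Sites whose saved password equals the Master Password: the reuse the page warns about most."""
    return sorted({_host(e["url"]) for e in vault if e["password"] == master_password})


def dashboard_report(vault: List[dict], master_password: str) -> Dict[str, object]:
    return {
        "master_meets_minimums": meets_minimums(master_password),
        "master_reused_on": master_password_reused(vault, master_password),
        "reuse_groups": reuse_groups(vault),
    }


if __name__ == "__main__":
    # Constructed master password that is both too short and reused on three sites.
    print(dashboard_report(VAULT, "Tr0ub4dor&3"))
```

Every entry in a reuse group is a candidate for the password generator; the `master_reused_on` list is the one to act on first, since any of those sites being breached exposes the whole vault.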
Many LastPass users found out on social media or on news sites earlier this week that LastPass experienced a significant security breach. While the password vaults that contain users’ passwords are not believed to have been compromised, cyber attackers gained access to users’ email addresses, password reminder questions, per-user server salts, and hashed master passwords. The breach comes at a time when many security writers have been recommending that people use strong, unique passwords for all the websites and cloud services they use to minimize the damage of a password breach at one service. Many even recommended LastPass as a secure way to remember all of these complex, unique passwords.
We analyzed exposure to the LastPass breach across over 18 million McAfee (formerly Skyhigh Networks) users. Before we dive into those numbers, what does the breach mean for the average LastPass user? First, while the breach is a wake-up call for the industry, the average user is likely not to be impacted. LastPass users log in to their accounts using a master password, which gives access to the passwords stored in the vault hosted by LastPass. Master passwords are hashed before they leave the user’s computer using PBKDF2-SHA256. LastPass only stores hashed passwords. Passwords are salted as an additional security measure. In other words, a piece of random data is added to the password before hashing it to make it harder for an attacker to crack.
Unlike encryption, the hashing used by LastPass is a one-way operation. When you encrypt data you can decrypt it using a key. Hashing applies a similar algorithm to scramble data. A properly designed hashing algorithm cannot be reversed. Given the hashed value, there’s no mathematical way to transform it back into the original value. However, when you hash a password, if someone else uses the same password the hash value will be the same for both. This gives an attacker a way to compromise the hash. Given enough computing power, an attacker could compute hash values for many different random letters and numbers. By comparing the hash values they generated with the stolen hash value, they could guess a password.
This is where a salt comes in. In the case of LastPass, the salt is a piece of information added to each user’s password before it is hashed. That way, if two users both have the password “Password1234” the hash values for both passwords will be different. An attacker could pre-compute hash values, but the salt makes it mathematically much more difficult to do this at scale. In the LastPass breach, it is these hashed passwords that were stolen. Alone, this may not be very troubling, except LastPass says the per-user salts were also compromised. Since both the hashed password and salt were stored together, the benefit of the salt is negated. It’s almost as easy for an attacker to compute passwords and log in to a user’s LastPass account to gain access to all of their passwords in the vault as without the salt.
One of the drawbacks of the hashing algorithm PBKDF2-SHA256 employed by LastPass is that it was not designed to protect passwords. SHA is a general-purpose hashing function designed to shrink large amounts of data to a smaller hash value in order to do a comparison or check on the integrity of the data in the shortest amount of time possible. But when you’re trying to protect passwords, you want the calculation of the hash to take as long as possible to thwart a brute-force attack. The hashing function bcrypt was designed for passwords and by some measures takes 5 orders of magnitude longer to crack. Its design also limits the performance gains cyber criminals seek by using GPU hardware to crack passwords.
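The three ideas in the preceding paragraphs (a one-way hash, a per-user salt stored beside it, and an iteration count that makes each guess expensive) are easy to see in working code. The following is an added example, not LastPass's implementation: the iteration count, salt length and sample passwords are assumptions for the example. It uses Python's standard-library PBKDF2-HMAC-SHA256 to show that two users with the same password get different stored hashes, that a hash table built against one user's salt is useless against another user's record, and how the iteration count throttles offline guessing on the machine it runs on.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

# Assumed parameters for the example; they are not LastPass's actual settings.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    # PBKDF2 with HMAC-SHA256: the cost comes from repeating the HMAC `iterations` times.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def new_user_record(password: str) -> Dict[str, object]:
    # A fresh random salt per user is stored next to the hash. That is normal;
    # the salt's job is to make identical passwords hash differently, not to be secret.
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "iterations": ITERATIONS, "hash": hash_password(password, salt)}


def verify(record: Dict[str, object], candidate: str) -> bool:
    recomputed = hash_password(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(record["hash"], recomputed)


def salt_separates_identical_passwords(password: str = "Password1234") -> bool:
    """Two users with the same password end up with different stored hashes."""
    a, b = new_user_record(password), new_user_record(password)
    return a["hash"] != b["hash"]


def precomputed_table_transfers(candidates: List[str], shared_password: str) -> Tuple[Optional[str], Optional[str]]:
    """A hash table built for user A's salt finds A's password but says nothing about user B,
    even though B chose the same password: the salt forces per-user work."""
    user_a = new_user_record(shared_password)
    user_b = new_user_record(shared_password)
    table = {hash_password(c, user_a["salt"], user_a["iterations"]): c for c in candidates}
    return table.get(user_a["hash"]), table.get(user_b["hash"])


def guesses_per_second(iterations: int, samples: int = 10) -> float:
    """Rough measure of how the iteration count throttles offline guessing on this CPU."""
    salt = os.urandom(SALT_BYTES)
    t0 = time.perf_counter()
    for i in range(samples):
        hash_password(f"guess-{i}", salt, iterations)
    return samples / (time.perf_counter() - t0)


if __name__ == "__main__":
    print("different hashes for identical passwords:", salt_separates_identical_passwords())
    print("table built for A hits A / hits B:",
          precomputed_table_transfers(["letmein", "Password1234", "qwerty"], "Password1234"))
    for n in (1_000, 100_000):
        print(f"{n:>7} iterations: ~{guesses_per_second(n):.0f} guesses/s")
```

The timing loop is the practical point: raising the iteration count multiplies the cost of every offline guess for the attacker but only adds a fraction of a second to a legitimate login, which is the trade-off the paragraph above describes. A memory-hard or GPU-resistant function like bcrypt changes the shape of that curve further.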
Another potential risk is the disclosure of password reminder questions. LastPass is somewhat unique in that, rather than offering users a standard set of password reset questions such as your mother’s maiden name, first pet, or favorite teacher, it allows users to type in a free-form password reminder for their master password. If users select insecure passwords such as their favorite teacher’s name, then attackers could use a dictionary of all names to expedite the pre-computation of hash values using the per-user salts from LastPass and more quickly determine a user’s master password. They could also more easily perform a phishing or social engineering attack to recover passwords using the password reminders.
In practice, however, most LastPass users (if not all) likely have not had their password vaults compromised. Because attackers only gained access to hashed master passwords and not the passwords stored in the vaults themselves, they would need to log in via LastPass to extract them. LastPass has required all users without multi-factor authentication to re-authenticate using their email accounts. Users with multi-factor authentication are protected since even an attacker with their password would need access to their mobile phone to get the secondary password sent to their device at login. Finally, LastPass users can protect themselves by changing their master password and changing that password anywhere else they may have reused it. As an aside, this is a good reminder of the risk of re-using passwords in multiple places.
Nevertheless, the attack highlights that attackers are highly motivated to breach sensitive caches of information in the cloud, especially password managers. Looking at usage data for McAfee’s 18 million users, we found that 91% of organizations have LastPass users. The average organization has 173 LastPass users. Let’s take the example of an IT admin who stores passwords for company systems in LastPass. If her password vault were compromised in a future attack, an attacker could gain control over a multitude of systems to steal or even destroy data. We found a company that has 2,635 LastPass users. It’s not hard to imagine if the cyber criminals in this attack had managed to compromise the passwords stored in vaults along with the master passwords, they may have gained access to admin credentials for many core systems and could launch a Sony-style attack on this organization.
More than anything, the LastPass breach demonstrates that passwords are no longer the only protection you need. Used in isolation, they’re not effective anymore. With millions of account credentials for sale on the darknet, it’s necessary for cloud services to offer additional layers of protection. McAfee tracks the security controls of over 12,000 cloud services and found that just 15% offer multi-factor authentication, a critical security feature that ultimately protected LastPass users. Our recommendation is that enterprises rate highly the importance of multi-factor authentication to safeguard their users’ credentials when choosing cloud services. Cloud providers need to also be more intelligent about increasing authentication steps required when a user logs in from a different device, another location, or exhibits uncharacteristic or anomalous behavior.