LastPass Hack: 33 Million Accounts

Jamie Steele
Published in Version 1, Dec 31, 2022 (3 min read)

The severity of this hack cannot be overstated. 33 million consumer accounts. 100k business accounts. The password vaults are in the hands of the hacker and, given time, will be cracked.

Here are the answers to common questions asked about the hack and the likely impacts on individuals who use LastPass.

LastPass admitted a breach in August 2022 and again in December 2022.

LastPass said my vault will take millions of years to crack. Is that true?

If your master password was complex, it will be difficult for the hackers to crack. A simple password, formed from dictionary words, will be cracked quickly. Based on the technology available in 2022:

A randomly generated password, of 20 characters, would take 3 million trillion years: E6AMYUBK6qUmeYhPyh83

A password based on dictionary words, with letter substitution, could be cracked in less than a day: H0rses4C0urses!

A dictionary-based password of 12 characters could be cracked in less than 10 minutes: HorsesCourses

What is this Password Iterations feature?

The Master Password used to encrypt your vault was run through PBKDF2, a deliberately slow, repeated hashing (“scrambling”) step, so that every guess an attacker makes costs the same repeated work and cracking takes longer.

Newer LastPass accounts had a high number of PBKDF2 iterations, around 100,000, but older accounts had a much lower count of 5,000 iterations.

The hackers know these defaults and will base their cracking attempts on them.
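The two questions above (how long a password survives, and what the iteration count does) are easiest to see in working code. The following is an added example, not code from the original post or from LastPass: it derives a key with PBKDF2-HMAC-SHA256 the way a vault key is derived, times one guess at 5,000 versus 100,000 iterations, and turns an assumed attacker throughput into a worst-case search time for random and dictionary-based passwords. The salt, the attacker rate, and the word-list size are constructed assumptions; the password samples are the ones quoted above.

```python
"""Added example (not from the original post): password entropy and PBKDF2
iteration count, using only the Python standard library."""
import hashlib
import string
import time

# Constructed salt for the demo; not LastPass's real salt or vault format.
DEMO_SALT = b"constructed-demo-salt"


def derive_key(master_password: str, iterations: int, salt: bytes = DEMO_SALT) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output: the 'scrambling' the post describes.
    Every candidate an attacker tests has to pay for the same number of iterations."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Median wall-clock cost of a single derivation on this machine."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        derive_key("H0rses4C0urses!", iterations)  # sample from the post
        timings.append(time.perf_counter() - start)
    return sorted(timings)[len(timings) // 2]


def throughput_at(base_guesses_per_second: float, base_iterations: int, iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so attacker throughput
    falls by the same factor when the count rises (and rises when it is low)."""
    return base_guesses_per_second * base_iterations / iterations


def random_keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover for a random password."""
    return alphabet_size ** length


def dictionary_keyspace(words_in_list: int, words_used: int, substitutions_per_word: int = 1) -> int:
    """Candidates for a password built from dictionary words, optionally with
    a handful of letter substitutions per word (0 -> O, 4 -> A, ...)."""
    return (words_in_list * substitutions_per_word) ** words_used


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given throughput."""
    return keyspace / guesses_per_second


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(keyspace, guesses_per_second) / (365 * 24 * 3600)


if __name__ == "__main__":
    for it in (5_000, 100_000):
        print(f"{it:>7} iterations: {seconds_per_guess(it) * 1000:.1f} ms per guess on this CPU")

    # Assumed attacker rate: 1e6 guesses/s at 5,000 iterations (constructed, not measured).
    base_rate, base_iters = 1e6, 5_000
    alphabet = len(string.ascii_letters + string.digits)  # 62 symbols, as in E6AMYUBK6qUmeYhPyh83
    for it in (5_000, 100_000):
        rate = throughput_at(base_rate, base_iters, it)
        print(f"--- {it} iterations, {rate:,.0f} guesses/s ---")
        for length in (8, 12, 20):
            yrs = years_to_exhaust(random_keyspace(alphabet, length), rate)
            print(f"  random, {length:>2} chars: {yrs:.3g} years")
        # Two words from an assumed 20,000-word list (HorsesCourses-style)
        plain = dictionary_keyspace(20_000, 2)
        print(f"  two dictionary words: {seconds_to_exhaust(plain, rate) / 60:.1f} minutes")
        # Same, with an assumed 8 substitution variants per word (H0rses4C0urses!-style)
        subst = dictionary_keyspace(20_000, 2, substitutions_per_word=8)
        print(f"  two words + substitutions: {seconds_to_exhaust(subst, rate) / 3600:.1f} hours")
```

The point the numbers make is the one the post makes: raising the iteration count from 5,000 to 100,000 buys a fixed 20x slowdown for the attacker, while each extra random character multiplies the search space by 62, so length and randomness of the master password dominate, and a low iteration count on an old account removes the one margin the server-side defaults gave you.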

I used 2FA in LastPass. Surely, I am safe from the hack?

No. The 2FA protects the LastPass user interface that you use to access your password vault. It does not protect the vault itself. Because the hacker has stolen a copy of your entire encrypted vault and can attack it offline, this 2FA protection is worthless here.

I’m a long-time user of LastPass. What does this mean to me?

Defaults for accounts dating from 2011 to 2017 are poor. The minimum master password length was only 8 characters and the Password Iterations setting was 5,000.

LastPass has done nothing since 2017 to prompt you (or force you) to change these defaults. Therefore, long-time LastPass users are at the most risk.

What about my Credit Card and Bank Accounts?

Anyone using LastPass to manage credit card or bank account details is at high risk. A compromise of this information will have potentially disastrous consequences. Take immediate steps to protect your financial information.

Persistent nagging to manage your credit card numbers

LastPass continually prompts you to save card details when it detects credit card information being keyed into a website. There is no way of disabling this nagging, so some users may have accepted the prompt and stored their card details in the vault without intending to.

What should I do?

You must change all passwords immediately.

Any other data stored in LastPass, such as credit cards or secure notes, should also be considered compromised. Take steps to protect yourself.

Find out more about what happened in the LastPass hack in my other blog post by following this link.

About the Author:
Jamie Steele is an Azure Data Architect here at Version 1, a data expert solving performance, scale and architectural challenges.