
It’s been a week since password management and security service LastPass disclosed that the private password vaults of their customers were now in the hands of criminals.

As part of The Crow’s day job, I reported on this incident for MakeUseOf, and pointed out that because criminals now have the password vaults of every customer on their local machines, they can crack the master passwords at leisure.

I also speculated that the claim on the LastPass blog that it would “take millions of years to guess your master password using generally-available password-cracking technology” was more than a little disingenuous, and that at the very least, those responsible could download the 613 million most common passwords from haveibeenpwned and crack at least some of the vaults in a matter of minutes.

The advice I gave was that if you’ve ever used LastPass, you should change all your passwords for everything. It seems extreme, but this is a very real threat, and you should assume that within a year or so, the passwords stored in your LastPass vault will be known to anyone who cares to use them.

Reports suggest the LastPass situation is worse than you can imagine

The Crow keeps his ear to the ground and is known to be a sympathetic listener - which is presumably why a reader, who wished to remain anonymous, contacted this blog to say that the threat is more immediate than thought, and that over the past ten days, she has been “having to play defense against bad actors”.

Despite having her master password set to an astonishing 19 characters, our source claims to have experienced a wave of successful attacks against her through the sites and services she uses. These have included messing with her home thermostat to change the temperature to a sweltering 87F (about 30C for those who use sensible measurements).

As fun a prank as that sounds, our contact also reports that the attackers used her Apple ID and AT&T credentials to change the PIN on her phone, successfully simjacked her, and added a whole bunch of authorized devices to her LastPass account to bypass MFA.

Our contact isn’t some novice who doesn’t know how technology works; she’s a cybersecurity compliance professional. She knows what she’s talking about:

When they downloaded the backup through the admin credentials, I believe that, based on their understanding of the data schema, it then allowed them to know which tables were needed to crack the master password for accounts where the passwords had not changed since that backup was taken.

There is no other way that they could have known my LP master password, bypassed MFA & got access to the other accounts I mentioned, because the LP vault was the only place that would have known the stored credentials.

Our contact isn’t the only person claiming to be affected. Twitter user Cryptopathic posted on December 23rd that four of their wallets were compromised, despite the seeds being kept encrypted in a LastPass vault behind a 16-character password.

A tweet about LastPass from Cryptopathic

That shouldn’t be possible - especially as the master password was unique to LastPass, never reused, generated using dice rolls, and employing all character types.

But then, LastPass has never been especially well known for its brilliant encryption or general security. Passwords secured with LastPass are regularly stolen due to insecurities in the API, insecurities in browser plug-ins, and an absolute shit-ton of bugs.

Of course, the cases we’re talking about here could simply be chance, but we doubt it. The odds of successfully generating the correct 19-character and 16-character unique passwords out of thin air are so low as to be, for all intents and purposes, impossible without a quantum computer.
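To put numbers to the two cases the post contrasts (a master password that appears in a leaked-password corpus versus a random 16- or 19-character one), here is an added estimate, not code from the original post or from LastPass. The guess rate and the small stand-in corpus are assumptions for illustration; the real rate depends on the vault’s key-derivation settings and the attacker’s hardware.

```python
import math
import string

# Added illustration (not from the post). Figures marked "assumed" are not
# measured; the 613 million corpus size is the one the post quotes.
HIBP_CORPUS_SIZE = 613_000_000           # quoted in the post
ASSUMED_GUESSES_PER_SECOND = 1_000_000   # assumed offline rate against the KDF
SECONDS_PER_YEAR = 365.25 * 24 * 3600

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

# Constructed stand-in for a leaked-password list (the real one has 613M entries).
CONSTRUCTED_COMMON_PASSWORDS = frozenset(
    {"password", "123456", "qwerty", "correcthorsebatterystaple"}
)


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume: union of the character classes present.
    Only printable ASCII classes are counted; other characters are ignored."""
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(c in cls for c in password))


def keyspace(password: str) -> int:
    """Candidates of the same length over the same alphabet (an upper bound)."""
    return alphabet_size(password) ** len(password)


def expected_seconds(candidates: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """On average an exhaustive search succeeds halfway through the candidates."""
    return candidates / 2 / rate


def estimate(password: str, common=CONSTRUCTED_COMMON_PASSWORDS) -> dict:
    """Effort to recover `password`. A value present in a leaked corpus gets the
    corpus size as its keyspace, however long it is; a random one gets the full
    alphabet**length search space."""
    in_corpus = password in common
    candidates = HIBP_CORPUS_SIZE if in_corpus else keyspace(password)
    return {
        "in_leaked_corpus": in_corpus,
        "entropy_bits": round(math.log2(candidates), 1),
        "expected_years": expected_seconds(candidates) / SECONDS_PER_YEAR,
    }
```

At the assumed rate the corpus case resolves in about five minutes, while a random 16-character password over all four classes sits above 10^17 years; a long passphrase that is already in a leaked list gets no benefit from its length.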

Clearly, more is going on than is revealed by the LastPass blog post.

“I seriously just want LastPass to be honest & forthcoming & be held accountable for the headache they are putting me thru & possibly others,” said our source.

We couldn’t agree more.

In the meantime, keep your passwords out of other people’s hands by deploying a self-hosted password manager such as BitWarden.