It all started when people were asked to reset multi-factor authentication (MFA) applications. The fact is that users are required to re-login to their LastPass account and reset the MFA after the company was hacked at the end of last year. And by the way, we also talked that LastPass Breach Investigation Goes On, Things are Even Worse.

Let me remind you that media also wrote that Hackers Broke into the Home PC of the Developer of the LastPass Password Manager and Penetrated the Company’s Cloud Storage, and also that Hunter Biden’s top-secret laptop was protected with a simple password.

The new security measures that will be introduced as part of the planned improvements in this area were announced by the company on May 9th.

As a result, many users were off their accounts and lost access to the LastPass vault, even after successfully resetting MFA apps (eg LastPass Authenticator, Microsoft Authenticator, Google Authenticator).

The problem is exacerbated by the fact that victims cannot even contact LastPass support for help, since it requires logging into their account, and people are locked in an endless loop where they are prompted to reset the MFA.

At the same time, LastPass developers report that they warned about the upcoming reset of the MFA through messages in the application “several weeks” before the start.

Since the warnings clearly didn’t work, the company is now issuing security patch newsletters explaining to users that these changes are necessary to increase the password iterations to the new default value of 600,000.

In another newsletter, the company says users need to re-enable multi-factor authentication to stay secure when logging into LastPass.

The entire procedure required to reset the pairing between LastPass and an authenticator app (LastPass Authenticator, Microsoft Authenticator, or Google Authenticator) is now detailed in a separate document.

As part of security enhancements, users are now prompted to verify their location when they sign in to a website or app using LastPass. Also, if you sign in to a site or app that used LastPass to sign in, you’ll need to re-enter your credentials and authenticate with the authenticator app. The next time you sign in to a site or app using LastPass, you are asked to repeat the same process as an added security measure.

The post LastPass Users Can’t Login to App after Resetting MFA appeared first on Gridinsoft Blog.

LastPass breach is much more encompassing

As the investigation discovered, hackers successfully made it into the DevOp engineer’s LastPass home computer as part of a lengthy targeted attack. Deploying malware allowed them to access corporate data on cloud storage resources. The unnamed attacker used the stolen data from the August incident to plan and execute cloud storage reconnaissance and exfiltration efforts between August and October 2022. In doing so, the attackers took advantage of an RCE vulnerability in a third-party multimedia software package by injecting a keylogger on the LastPass employee’s personal computer. After that, they were able to intercept the master password and gain access to the DevOps engineer’s corporate vault.

The attacker then exported all available records and the contents of shared folders. They contained encrypted notes with the access and decryption keys needed to access the production environment, AWS S3 LastPass backups, other cloud storage resources, and some critical databases. LastPass has issued a separate bulletin titled “Security Incident Update and Recommended Actions”, which contains additional information about hacking and stolen data. The company has also developed supporting documents outlining steps customers and business administrators should take to improve account security.

How did the breach go that far?

According to the official note released by the LastPass company, only four of their engineers had access to the aforementioned cloud backup. To grab the password from the S3 bucket, hackers deployed a keylogger using the mentioned CVE-2020-5740 vulnerability in the Plex desktop application. As it turned out in the process of the investigation done by LastPass, Plex was hacked around that period as well. Seems that hackers were either lucky enough to synchronise their efforts with the crooks who broke into the Plex, or they are powerful enough to breach several companies at one time. This or another way, these events are creating a really sick halo around the companies that develop password-keeping solutions.

Currently, LastPass tries to remain transparent on the situation. They claim about “improving [the guilty one] engineer’s home network and personal resources security”, without more precision. Additionally, the company changed all the high-privilege passwords that were allegedly touched by a breach and intends to do the same to the ones with fewer capabilities. How long will it take, and had they located all the compromised elements – this remains an unanswered question.

What’s next?

The list of actions recommended to LastPass users was actually published much earlier, after the first disclosure of the incident in December 2022. That included a notice that customers who used 12-character master passwords (ones that are needed to access the LastPass account) may exhale with relief. Such tough combinations were not exposed in any way. People whose master keys were less strong should change all the passwords they stored within the LastPass. That is likely related to how easy it is to guess these passwords – starting from 12 letters, the smallest complications will render any brute force useless.

LastPass’ story will be as acknowledged as hacks of Colonial Pipeline, Kaseya, and Twitter. Despite some of the mentioned ends up with ransomware attacks, the data leak outcome is what really unites them all. And while harm from user data leaks or corporate documents exposure does not have a really big potential to expand, leaked passwords do. It may range from having straightforward losing access to accounts as the result of the account hijack to phishing with impersonation – which will most likely harm your image. And what exactly will happen is quite hard to foresee, as hackers usually tend to sell their booty to numerous other scoundrels in the Darknet. For that reason, it is better to have both your social networks and password vault protected with as reliable a password as possible. You can read how to pick a safe password in our article.

The post LastPass Breach Investigation Goes On, Things are Even Worse appeared first on Gridinsoft Blog.

The developers of the open-source password manager KeePass explain that a vulnerability that allows an attacker to steal all user passwords is not so dangerous. The fact is that the developers consider that if an attacker controls your system, then this is no longer your system.

By the way, read: Is It Safe to Use a Password Manager in 2022? And also: Experts have discovered vulnerabilities in popular password managers.

You might also be interested to know that Only 26% of users agreed to change their password when they learned that it was compromised.

KeePass is a popular password manager that allows managing passwords using a locally stored database rather than the cloud like LastPass or Bitwarden. To protect such local databases, users can encrypt them with a master password so that malware or an attacker that has entered the system cannot simply steal the database and automatically gain access to all the data stored there.

A vulnerability found in KeePass (CVE-2023-24055) and allows attackers with write access to the target system to modify the KeePass configuration XML file and inject a malicious trigger into it that will allow the password manager database to be exported, including all usernames stored there and passwords in plain text format.

That is, the next time the victim launches KeePass and enters the master password to open and decrypt the database, the “bookmark” for export will work, and all the contents of the database will be saved in a separate file that attackers can read and steal. In this case, the export process runs in the background without notifying the user and prompting for a master password, which allows the attacker to remain unnoticed.

Even worse, the PoC exploit for CVE-2023-24055 has already been published in the public domain, which makes it much easier for malware developers to update their infostealers and create malware that can steal KeePass databases from compromised devices.

After the vulnerability became known, users are asking the KeePass development team to at least add a mandatory confirmation to the password manager that would be requested before automatically exporting the database, or publish a version of the application that does not contain the export function at all.

It is also proposed to add a custom flag to the program to disable export inside the actual KeePass database, which could be changed only by knowing the master password.

However, the KeePass development team has its own point of view on this matter. In their opinion, CVE-2023-24055 should generally be classified as a vulnerability, given that an attacker who already has write access to the target device can obtain information from the KeePass database in many other ways.

In fact, in the KeePass help center, the problem of accessing the configuration file with write permission has been mentioned repeatedly since at least April 2019. And there, too, it is reported that “this is not a security vulnerability in KeePass.”

The post Vulnerability in KeePass Allows Stealing All User Passwords in Plain Text appeared first on Gridinsoft Blog.

LastPass password manager developers have reported that hackers who recently broke into the company’s cloud storage have accessed it and stolen customer data, including password vaults that could now theoretically be hacked.

Let me remind you that the compromise of the company’s cloud storage became known earlier this month. It is noteworthy that for this hack, the hackers used data previously stolen from the company earlier: during the previous attack, which occurred in August 2022.

Let me remind you that we also wrote that In LastPass for Android found seven built-in trackers.

In early December, the developers wrote that “an unauthorized party, using information obtained during the incident in August 2022, was able to access some customer data,” but there were no details, as they were promised to be provided after the completion of the investigation.

Now the investigation is over, and LastPass head Karim Toubba says the hacked cloud storage was used to store archived backups of production data, although it was physically separated from the production environment.

It is emphasized that the encrypted data is protected by 256-bit AES encryption and can only be decrypted using a unique encryption key derived from each user’s master password. Tubba notes that the master password is not known to LastPass and is not stored on LastPass systems.

By the way, the media also wrote that Attackers gained access to privileged credentials that were previously stored in the Ubiquiti IT employee’s LastPass account and gained superuser administrator access to all Ubiquiti AWS accounts.

However, users are still warned that attackers may try to crack their master passwords to gain access to stolen encrypted vault data. At the same time, the developers insist that “it will take millions of years to pick up a master password using public technologies for cracking passwords.”

At the same time, LastPass acknowledges that the leaked data can still be used for phishing attacks on users, credential stuffing attacks, or brute force of accounts associated with the LastPass storage.

You might also be interested in How To Securely Store Passwords.

The post Hackers Stole Data from the LastPass Use Password Vault appeared first on Gridinsoft Blog.

Seven trackers were found in the password manager, including four from Google that collect data for analytics and crash reporting, as well as AppsFlyer, MixPanel and Segment. For example, the latter collects information for marketing teams, and its developers write that the tool offers to create a “single view of the customer” by profiling users and linking together their actions on different platforms (presumably to personalize ads).

At the same time, the researcher warns that often application developers do not know at all what data trackers collect and what they transfer to third parties. As a result, integrating someone else’s proprietary code into an application can be dangerous and can lead to data leakage. According to the expert, there is no place for such trackers in a password manager, whose security is extremely important.

According to the expert, LastPass transmits to the side information about the device used, the carrier, the type of the LastPass account, the Google advertising ID (which can be used to link user data from different applications). In addition, trackers “know” when a user creates new passwords and what type they are.

LastPass representatives have already assured the media that with the detected trackers it is impossible to transfer confidential user data, and their storage is also safe. It is emphasized that trackers only collect statistical information about the use of the application, which is used to improve and optimize the product. In addition, user can opt out of collecting analytics in the settings.

Let me remind you that ToTok messenger turned out to be a tool for total tracking.

The post In LastPass for Android found seven built-in trackers appeared first on Gridinsoft Blog.

Let I remind you that HIBP, founded in 2013, is a service for verifying credentials for compromise. Collecting information about various data breaches, Troy Hunt created a unique database, the services and API of which are currently used by many sites and software (including Firefox and LastPass) to promptly notify their customers of a possible compromise.

Hunt writes that over the years, he has invested a lot of effort, time, and resources into the project, but he can no longer continue to develop HIBP on his own. According to him, the community’s contribution to the development of Have I Been Pwned has always been considerable, and recently it has only increased.

“Every byte of data loaded into the system in recent years has been provided free of charge by someone who has decided to improve the security landscape for all of us, — writes Troy Hunt. – The philosophy of HIBP has always been to support the community, and now I want the community to support HIBP. Open source is the most obvious way to do this. All the essential elements of HIBP will be put into the hands of people who can help maintain the service, no matter what happens to me.”

The process of moving to an open-source model would not be easy, so Hunt says it will take some time and has not yet named any specific timeline.

“In addition, there is also an aspect of privacy: among these leaks, there is my personal data, and probably yours too, because billions of people have already suffered from data leaks. Regardless of how widely this information circulates, I still have to ensure confidentiality control for the data on leaks itself, even if the project’s code base becomes more transparent” — sums up the expert.

While professionals like Troy Hunt spend their time and resources on protecting users, they (according to a study by Carnegie Mellon University) rarely change passwords, even if their account got into the HIBP database.

The post HIBP (Have I Been Pwned?) leak aggregator opens the source code appeared first on Gridinsoft Blog.

It turned out that back in 2017, researchers analyzed five popular password managers: LastPass, Dashlane, Keeper, 1Password and RoboForm. The analysis helped identify four previously unknown vulnerabilities, including one that led to the disclosure of credentials.

Therefore, the most serious of the detected problems allowed the malicious application to impersonate a legitimate program and trick the password manager into revealing the stored credentials. Experts did not risk talking about their research before, as they considered it too dangerous.

“The main problem affected the Android applications 1Password and LastPass, which were recognized as vulnerable to phishing attacks, as it was very strange to determine which saved credentials to offer for autocomplete. In fact, a malicious application could pretend to be legitimate simply by using an identical name”, – write the experts.

So, the researchers created a PoC application that successfully attacked LastPass (and could do the same with 1Password). This application had a login screen designed to mimic the official Google login screen, and therefore was difficult to distinguish from the real one. As a result, LastPass offered for this fake auto-complete with Google credentials.

At the same time, experts note that the attack had a number of obvious limitations: the malicious application must be installed on the victim’s device, and the victim herself must use vulnerable password managers and autocomplete, and also have credentials for the target application stored in encrypted storage.

Another vulnerability that researchers found in all of the password managers listed above (with the exception of 1Password) was that they did not provide sufficient protection for the credentials copied to the clipboard. In particular, in Windows 10, credentials could be pasted from the clipboard in plain text, even if the computer is locked. According to experts, to protect against such attacks, password managers should be able automatically clear the clipboard after a certain time.

Although some password managers allow users to protect their password store with a four-digit PIN code, experts write that RoboForm and Dashlane applications did not have a counter of the number of incorrect attempts to enter this code. That is, an attacker could sequentially enter two PIN codes, then remove the application from the list of recently used ones and try two more PIN codes. Even if an attacker enters PIN codes manually, he can still pick up a PIN code in an average of 2.5 hours.

“We did not fully automate this attack, but we believe that in the case of an automated attack, PIN retrieval will take significantly less time”, — experts write

Researchers contacted the developers of the tested password managers back in 2018. It is reported that five vendors responded to their requests and listened to warnings, but patches were not issued for all detected problems, as many of the vulnerabilities found were given a low priority.

Let me remind you that the popular password meter services put Internet users at risk. So, it remains only to remember passwords, right? )

The post Experts have discovered vulnerabilities in popular password managers appeared first on Gridinsoft Blog.