by 8organicbits
1095 days ago
> The forced logout + MFA resync events are taking place as we increase all customers' password iterations. Typically you just need to wait for a user to log in, then validate the password against the old hash and create a new, stronger replacement hash. Ending all sessions is a good way to log everyone out and force that. But I'm confused. If weak password hashes were leaked, then the passwords need to be changed too. Increasing the rounds doesn't prevent attacks on the previously leaked weak hashes. Maybe they expect everyone already did that, but some people did it before they increased the hash rounds? The MFA reset shouldn't be related to the increase in hash rounds; those are unrelated. So they must suspect the MFA seeds were also stolen, but aren't saying it, right?
They were stolen, but LastPass wasn't very clear about it.

Their summary of their latest security incident[1] says attackers stole:

> Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.

This summary links to a page[2] with more information, but that page actually gives less information, saying only:

> [Customer Secrets accessed includes] Multifactor Authentication (MFA) seeds - MFA seeds assigned to the user when they first registered their multifactor authenticator of choice to authenticate to the LastPass vault.

1: https://blog.lastpass.com/2023/03/security-incident-update-r...
2: https://support.lastpass.com/help/what-data-was-accessed
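The rehash-on-login procedure the parent comment describes, as an added example that is not LastPass's code or part of either comment. It assumes a record format of `pbkdf2_sha256$<iterations>$<salt>$<hash>` and a dict as the credential store; the iteration counts are constructed sample values. It also shows the parent comment's caveat: an upgraded record does nothing for a copy of the old, weaker hash that has already leaked.

```python
import base64
import hashlib
import hmac
import os

# Assumed record format for this example: "pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>"
ALGO = "pbkdf2_sha256"


def make_hash(password, iterations, salt=None):
    """Hash a password with PBKDF2-HMAC-SHA256 and embed the parameters in the record."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s$%d$%s$%s" % (ALGO, iterations,
                            base64.b64encode(salt).decode(),
                            base64.b64encode(dk).decode())


def parse_hash(record):
    """Split a record into (iterations, salt, derived_key)."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported record: " + algo)
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify(record, password):
    """Recompute with the record's own parameters and compare in constant time."""
    iters, salt, dk = parse_hash(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(candidate, dk)


def verify_and_upgrade(store, username, password, target_iterations):
    """Validate a login; on success, replace any hash weaker than the target.

    The plaintext is only available at login, which is why sites force a
    logout to make every user pass through this path."""
    record = store.get(username)
    if record is None or not verify(record, password):
        return False
    if parse_hash(record)[0] < target_iterations:
        store[username] = make_hash(password, target_iterations)
    return True


def users_needing_upgrade(store, target_iterations):
    """Accounts that have not logged in since the iteration increase."""
    return sorted(u for u, r in store.items() if parse_hash(r)[0] < target_iterations)
```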