
Security Bits — 17 September 2023

Feedback & Followups

Deep Dive — LastPass Vaults are Being Cracked (Follow the Money!)

It was predicted when the details of the LastPass breach emerged that it would become viable to crack the weakest vaults in a matter of months, and it now seems clear that this has started to happen. To understand what’s happening, and why it makes sense, it’s important to remember two things:

  1. Depending on when you created your LastPass account, you got a different default encryption strength, and LastPass never proactively upgraded it, so the most loyal users had the worst protection.
  2. The attackers got both the encrypted vaults and metadata about them, including the encryption strength and customer information.

To understand cybercrime, the single most important thing to remember is that it’s a for-profit enterprise, so you need to follow the money. If it doesn’t make economic sense to attack a weakness, it won’t be attacked; if it does, it almost certainly will be!

What Brian Krebs is reporting is that a spate of high-value crypto thefts (we’re talking millions of dollars) has been linked to leaked LastPass vaults belonging to prominent members of the crypto community and employees of prominent crypto firms.

These users had strong passwords but weakly encrypted vaults, so attacking their vaults still cost money: the raw computing power needed to brute-force even weak encryption is substantial, and it has to be paid for somehow, be that in hardware and electricity bills, cloud computing bills, or botnet fees. But these users were also carefully chosen because the probability that their vaults contained cryptocurrency private keys was high. Because the attackers had both the metadata and the encrypted vaults, they could pick their targets to maximise their profits.

Think about it this way: if it costs $10K to attack a weakly encrypted vault, and you choose vaults with a 10% chance of containing a $1M crypto wallet private key, then you invest $100K to make $1M, which gives $900K profit! I’m just making very crude guesses with nice round numbers, but the principle certainly applies, and we’re seeing the attacks happening for real.

The silver lining here is that if you’re not recognisable as a likely valuable target based on the leaked metadata, the chances are very small that your vault will be attacked. Attacking any vault is not cheap, and with so many to choose from, the attackers are going to be careful and deliberate in their choices. Remember, they’re in it for profit!
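To make the “follow the money” reasoning above concrete, here is an added Python example (not code from the article, from Brian Krebs, or from LastPass) that models it: it derives a vault key with salted PBKDF2 so you can see that every brute-force guess must pay the full iteration cost, and it turns the article’s cost/probability/payout numbers into an expected profit and a break-even probability. The two iteration counts are assumed illustrative defaults, not figures from the article.

```python
import hashlib
import time

# ASSUMED illustrative defaults, not numbers from the article: it only says
# that older accounts kept a weaker default strength and were never upgraded.
ITERATIONS = {"legacy_default": 5_000, "newer_default": 100_100}


def derive_vault_key(master_password: str, account_email: str, iterations: int) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 in the general style of a password manager's
    vault-key derivation. Same inputs always give the same 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               account_email.lower().encode("utf-8"), iterations, dklen=32)


def relative_crack_cost(iterations: int, baseline_iterations: int) -> float:
    """A brute-force attacker must re-run the whole KDF for every guess, so the
    cost of attacking a vault scales linearly with its iteration count."""
    return iterations / baseline_iterations


def measure_seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Wall-clock cost of one KDF evaluation (one guess) on this CPU, for
    illustration only; attackers with GPUs pay far less per guess."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("not-the-real-password", "user@example.com", iterations)
    return (time.perf_counter() - start) / samples


def attack_economics(cost_per_vault: float, p_valuable: float, payout: float) -> dict:
    """The article's model: an attacker who can pick targets from leaked
    metadata cracks 1/p vaults on average for each valuable hit."""
    vaults_per_hit = 1 / p_valuable
    invested = cost_per_vault * vaults_per_hit
    return {
        "vaults_cracked_per_hit": vaults_per_hit,
        "invested": invested,
        "profit": payout - invested,
        # Below this hit probability the attack loses money and is not rational.
        "break_even_probability": cost_per_vault / payout,
    }


if __name__ == "__main__":
    base = ITERATIONS["legacy_default"]
    for name, n in ITERATIONS.items():
        print(f"{name:15s} {n:>7d} iterations  {relative_crack_cost(n, base):6.2f}x cost  "
              f"{measure_seconds_per_guess(n) * 1000:7.2f} ms/guess on this CPU")
    print(attack_economics(cost_per_vault=10_000, p_valuable=0.10, payout=1_000_000))
```

With the article’s round numbers the model returns a $900K profit and a break-even hit probability of 1%, which is why attackers can afford to be deliberate about whom they target.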


❗ Action Alerts

Worthy Warnings

Notable News

Palate Cleansers


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Note: Bart and Allison are aware that emoji are not showing. There appears to be an encoding problem with the database that is causing this, and we’re in the process of discovery to solve it. The curious thing is that it’s a problem on both Allison’s and Bart’s

Emoji Meaning
A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
A link to graphical content, probably a chart, graph, or diagram.
A story that has been over-hyped in the media, or, “no need to light your hair on fire”
A link to an article behind a paywall.
A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
A tip of the hat to thank a member of the community for bringing the story to our attention.
