Almost Secure Blog: A year after the disastrous breach, LastPass has not improved

Gandalf_The_Grey

In September last year, a breach at LastPass’ parent company GoTo (formerly LogMeIn) culminated in attackers siphoning out all data from their servers. The criticism from the security community has been massive. This was not so much because of the breach itself, such things happen, but because of the many obvious ways in which LastPass made matters worse: taking months to notify users, failing to provide useful mitigation instructions, downplaying the severity of the attack, ignoring technical issues which were publicized years ago and made the attackers’ job much easier. The list goes on.

Now this has been almost a year ago. LastPass promised to improve, both as far as their communication goes and on the technical side of things. So let’s take a look at whether they managed to deliver.

TL;DR: They didn’t. So far I failed to find evidence of any improvements whatsoever.
 

Wladimir Palant

Keeping your private data offline, encrypted and stored in a secure location is your safest bet.
This isn’t really about online vs. offline. It’s possible to encrypt data in a way that it is safe to store online. But for that you have to understand crypto and to encrypt everything. Most popular password managers are doing an okay’ish job on that – there might be smaller issues, but these aren’t showstoppers. In case of a breach, only a few high-profile targets might have reason to worry. Also, the other password managers took the LastPass breach as an occasion to check their security, and they did improve things.

LastPass is really exceptionally bad. Not only is it clear from their source code that they don’t understand crypto and never did. This is at least their third breach, and they failed to learn from any of them. Never mind their “regular” security issues where they received reports of issues in the same area again and again, being unable to fix things properly.
 

Arequire

At this point, anyone who continues to use LastPass (password manager) is an idiot
To play devil's advocate, I assume most LastPass users aren't aware of the company's indifference towards their security. Likely the most they saw is whatever email was sent when they publicly disclosed the breach and what they plan on doing to combat future breaches, and that's assuming they even read that.
 

Jonny Quest

To play devil's advocate, I assume most LastPass users aren't aware of the company's indifference towards their security. Likely the most they saw is whatever email was sent when they publicly disclosed the breach and what they plan on doing to combat future breaches, and that's assuming they even read that.
But, after all the breaches through all the years, who would not know by now, or at least have done some research as far as a secure password manager and LastPass's ineptness at keeping their accounts secure? So in that case, at this point, if they did not know about any of this, but only through a reassurance email notice, then isn't that their problem for not doing any follow-up research?
 

Arequire

But, after all the breaches through all the years, who would not know by now, or at least have done some research as far as a secure password manager and of LastPass ineptness to keep their account secure?
I'd bet there's a decent contingent that aren't aware of at least some of the breaches, or have forgotten about them. You also have to take into account the users who only started using the service after each breach occurred, and thus might never have received any communication about it.

Even if they are aware, transitioning to another password manager might be perceived as a headache that they simply don't want to deal with.

they did not know about any of this, but only through a reassurance email notice, then isn't that their problem for not doing any follow-up research?
Their problem, sure, but they likely have their own reason(s) for not switching, and while "I can't be bothered" isn't a good reason, it is a reason and I wouldn't go out of my way to try and convince them otherwise.
 

Jonny Quest

I'd bet there's a decent contingent that aren't aware of at least some the breaches, or have forgotten about the them. You also have to take into account the users who only started using the service after each breach occurred, thus might not have ever received any communication about it.

Even if they are aware, transitioning to another password manager might be perceived as a headache that they simply don't want to deal with.


Their problem, sure, but they likely have their own reason(s) for not switching, and while "I can't be bothered" isn't a good reason, it is a reason and I wouldn't go out of my way to try and convince them otherwise.
Fair enough, especially since those of us on this forum are curious and keep up to speed better than the basic, average user, who as you say, may think it overwhelming to export, import and learn a new password manager.
 

Wladimir Palant

But, after all the breaches through all the years, who would not know by now
Lots of people would not. Before the latest breach, I tried a few times to ask people from the security community to stop recommending LastPass. I cited their poor security track record and all the issues which are by design. And I invariably got the response “but they fixed things quickly, so it’s all good.”

LastPass is very good at PR. Even the people who should have known better bought into it. And you are surprised that some regular Joe still thinks “yes, there was this breach notification, but LastPass said that it isn’t something to worry about so I don’t”?
 

Ink

This isn’t really about online vs. offline. It’s possible to encrypt data in a way that it is safe to store online. But for that you have to understand crypto and to encrypt everything. Most popular password managers are doing an okay’ish job on that – there might be smaller issues, but these aren’t showstoppers. In case of a breach, only a few high-profile targets might have reason to worry. Also, the other password managers took the LastPass breach as an occasion to check their security, and they did improve things.

LastPass is really exceptionally bad. Not only is it clear from their source code that they don’t understand crypto and never did. This is at least their third breach, and they failed to learn from any of them. Never mind their “regular” security issues where they received reports of issues in the same area again and again, being unable to fix things properly.
It was not a solution to an online vs offline problem, but a suggestion - as an example.
 

vtqhtr413

Remember last November, when hackers broke into the network for LastPass—a password database—and stole password vaults with both encrypted and plaintext data for over 25 million users? Well, they’re now using that data to break into crypto wallets and drain them: $35 million and counting, all going into a single wallet.

That’s a really profitable hack. (It’s also bad opsec. The hackers need to move and launder all that money quickly.)

Look, I know that online password databases are more convenient. But they’re also risky. This is why my Password Safe is local only. (I know this sounds like a commercial, but Password Safe is not a commercial product.)
 
