- Nov 1, 2018
- 50
Lastpass says hackers accessed customer data in new breach
- Thread starter piquiteco
- Start date
- May 10, 2019
- 2,289
- Jan 21, 2018
- 814
LastPass Breach - Schneier on Security
www.schneier.com
"Last August, LastPass reported a security breach, saying that no customer information—or passwords—were compromised. Turns out the full story is worse:
That’s bad. It’s not an epic disaster, though.
So, according to the company, if you chose a strong master password—here’s my advice on how to do it—your passwords are safe. That is, you are secure as long as your password is resilient to a brute-force attack. (That they lost customer data is another story….)
Fair enough, as far as it goes. My guess is that many LastPass users do not have strong master passwords, even though the compromise of your encrypted password file should be part of your threat model. But, even so, note this unverified tweet:
If that’s true, it means that LastPass has some backdoor—possibly unintentional—into the password databases that the hackers are accessing. (Or that @Cryptopathic’s “16 character password using all character types” is something like “P@ssw0rdP@ssw0rd.”)
My guess is that we’ll learn more during the coming days. But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for “someone else’s computer,” and you need to understand how much or how little you trust that computer.
If you’re changing password managers, look at my own Password Safe. Its main downside is that you can’t synch between devices, but that’s because I don’t use the cloud for anything."
- Aug 7, 2017
- 270
And this time CNET has this to say about Lastpass here Best Password Manager to Use for 2023:
This time around LP isn't getting away and will pay the price. Deservedly so. It is just the beginning of a downslide.
This time around LP isn't getting away and will pay the price. Deservedly so. It is just the beginning of a downslide.
Last edited:
- Jan 21, 2018
- 814
I missed this post from Dec 28th but I think it is still worth highlighting here more detail about the failings of Lastpass -
"LastPass has been breached, data has been stolen. I already pointed out that their official statement is misleading. I also explained that decrypting passwords in the stolen data is possible which doesn’t mean however that everybody is at risk now. For assessing whether you are at risk, a fairly hidden setting turned out critical: password iterations.
LastPass provides an instruction to check this setting. One would expect it to be 100,100 (the LastPass default) for almost everyone. But plenty of people report having 5,000 configured there, some 500 and occasionally it’s even 1 (in words: one) iteration.
Let’s say this up front: this isn’t the account holders’ fault. It rather is a massive failure by LastPass. They have been warned, yet they failed to act. And even now they are failing to warn the users who they know are at risk...."
palant.info
www.malwarebytes.com
"LastPass has been breached, data has been stolen. I already pointed out that their official statement is misleading. I also explained that decrypting passwords in the stolen data is possible which doesn’t mean however that everybody is at risk now. For assessing whether you are at risk, a fairly hidden setting turned out critical: password iterations.
LastPass provides an instruction to check this setting. One would expect it to be 100,100 (the LastPass default) for almost everyone. But plenty of people report having 5,000 configured there, some 500 and occasionally it’s even 1 (in words: one) iteration.
Let’s say this up front: this isn’t the account holders’ fault. It rather is a massive failure by LastPass. They have been warned, yet they failed to act. And even now they are failing to warn the users who they know are at risk...."
LastPass breach: The significance of these password iterations
The Password Iterations setting is essential to keep users’ data secure. Yet LastPass failed to keep it up-to-date for many accounts.
I missed this post from Dec 28th but I think it is still worth highlighting here more detail about the failings of Lastpass -
"LastPass has been breached, data has been stolen. I already pointed out that their official statement is misleading. I also explained that decrypting passwords in the stolen data is possible which doesn’t mean however that everybody is at risk now. For assessing whether you are at risk, a fairly hidden setting turned out critical: password iterations.
LastPass provides an instruction to check this setting. One would expect it to be 100,100 (the LastPass default) for almost everyone. But plenty of people report having 5,000 configured there, some 500 and occasionally it’s even 1 (in words: one) iteration.
Let’s say this up front: this isn’t the account holders’ fault. It rather is a massive failure by LastPass. They have been warned, yet they failed to act. And even now they are failing to warn the users who they know are at risk...."
LastPass breach: The significance of these password iterations
The Password Iterations setting is essential to keep users’ data secure. Yet LastPass failed to keep it up-to-date for many accounts.
LastPass updates security notice with information about a recent incident
LastPass has posted an update to the August security incident that raises some questions
www.malwarebytes.com
- Aug 7, 2017
- 270
You guys may be interested in this 2 hour and 3 minute long Security Now podcast with Steve Gibson and Leo Laporte.
Leaving LastPass - How LastPass failed, Steve's next password manager, how to protect yourself
The notes: https://www.grc.com/sn/SN-903-Notes.pdf
Leaving LastPass - How LastPass failed, Steve's next password manager, how to protect yourself
The notes: https://www.grc.com/sn/SN-903-Notes.pdf
Deleted all entries from LP once they started their ads 30$ and hacks 2 years ago and switched to BW after asking here. No regrets.
- Jan 21, 2018
- 814
- Aug 7, 2017
- 270
Article in the NYT:
A Breach at LastPass Has Password Lessons for Us All
I have spent the past 2 weeks changing passwords to most of the several hundreds of logins in my LP account and now working on replacing 2FA tokens on critical accounts to begin with and progressing to the not-so-critical ones. Thanks for messing up my holidays LP.
A Breach at LastPass Has Password Lessons for Us All
I have spent the past 2 weeks changing passwords to most of the several hundreds of logins in my LP account and now working on replacing 2FA tokens on critical accounts to begin with and progressing to the not-so-critical ones. Thanks for messing up my holidays LP.
- Apr 24, 2016
- 7,242
Jeremi M Gosney :verified: (@epixoip@infosec.exchange)
I recently wrote a post detailing the recent #LastPass breach from a #password cracker's perspective, and for the most part it was well-received and widely boosted. However, a good number of people questioned why I recommend ditching LastPass and expressed concern with me recommending people...
The general consensus among security folks for those that want to switch away from Lastpass appears to be:
Bitwarden: for free users
1password: for paid users
Bitwarden: for free users
1password: for paid users
- Oct 2, 2011
- 1,552
LastPass sued over “woefully insufficient” security
1Password saves the master password inside the vault, which can be deleted should the user wishes.
OC was deleted, but the replies are visible in this reddit post, shared below.
- Aug 7, 2017
- 270
And the flow of bad news has no end - What’s at stake for 33M compromised LastPass users?
- May 10, 2019
- 2,289
If I were a Lastpass user, I would export my data to another Pm, and then change every single password and reenable 2FA. I know this is a nightmare, but it has to be done.
- Aug 7, 2017
- 270
@Divine_Barakah I began changing passwords to my most critical websites as soon as I read of the breach on the morning of Dec 22/23 and fully migrated to 1PW and Bitwarden. After taking a backup, my LP account and that of my family members were deleted an active family subscription notwithstanding.
I've been a Bitwarden subscriber since 2017 all thanks to the good folks here at MalwareTips. Happened 2-3 months after I signed up at this forum in Aug '17 (subbed to BW in Nov '17 IIRC) . And of course I thought I'd give a new startup based offering an open source PM a chance. I am so glad I did.
I've used and/or subscribed to nearly every PM out there starting with the granndaddy of 'em all Roboform which was a good app but and LP quickly became my favourite. Yes, stupid of me not to see the writing on the wall years ago when the hack attacks began.
Anyway, I've changed passwords to nearly all the several hundred sites I had in LP, disabled renabled 2FA on the critical ones to generate new tokens, regenerated new backup recovery codes. Ditto for my family members' accounts.
It has been a very painful and tedious job over the past 2+ weeks and still continues for minor sites. Unfortunately there's nothing I can do about the safe/secure notes but cross my fingers & hope they're not decrypted as they contain a lot of personal and other data. I am so darned angry with LP!!
I've been a Bitwarden subscriber since 2017 all thanks to the good folks here at MalwareTips. Happened 2-3 months after I signed up at this forum in Aug '17 (subbed to BW in Nov '17 IIRC) . And of course I thought I'd give a new startup based offering an open source PM a chance. I am so glad I did.
I've used and/or subscribed to nearly every PM out there starting with the granndaddy of 'em all Roboform which was a good app but and LP quickly became my favourite. Yes, stupid of me not to see the writing on the wall years ago when the hack attacks began.
Anyway, I've changed passwords to nearly all the several hundred sites I had in LP, disabled renabled 2FA on the critical ones to generate new tokens, regenerated new backup recovery codes. Ditto for my family members' accounts.
It has been a very painful and tedious job over the past 2+ weeks and still continues for minor sites. Unfortunately there's nothing I can do about the safe/secure notes but cross my fingers & hope they're not decrypted as they contain a lot of personal and other data. I am so darned angry with LP!!
Last edited:
- May 10, 2019
- 2,289
Calling yourself stupid for you trusted a password manager is not right. Lastpass is one of the best PMs functionality wise. I feel sorry for them because it seems their end is inevitable now.@Divine_Barakah I began changing passwords to my most critical websites as soon as I read of the breach on the morning of Dec 22/23 and fully migrated to 1PW and Bitwarden. After taking a backup, my LP account and that of my family members were deleted an active family subscription notwithstanding.
I've been a Bitwarden subscriber since 2017 all thanks to the good folks here at MalwareTips. Happened 2-3 months after I signed up at this forum in Aug '17 (subbed to BW in Nov '17 IIRC) . And of course I thought I'd give a new startup based offering an open source PM a chance. I am so glad I did.
I've used and/or subscribed to nearly every PM out there starting with the granndaddy of 'em all Roboform which was a good app but and LP quickly became my favourite. Yes, stupid of me not to see the writing on the wall years ago when the hack attacks began.
Anyway, I've changed passwords to nearly all the several hundred sites I had in LP, disabled renabled 2FA on the critical ones to generate new tokens, regenerated new backup recovery codes. Ditto for my family members' accounts.
It has been a very painful and tedious job over the past 2+ weeks and still continues for minor sites. Unfortunately there's nothing I can do about the safe/secure notes but cross my fingers & hope they're not decrypted as they contain a lot of personal and other data. I am so darned angry with LP!!
So glad that you migrated to BW. Regarding your safe memos, I am going to say one thing. Please do not put all your eggs in one basket. One more thing, it is wise to not sync your private data to the cloud to avoid situations such as lastpass’s. I do know it is a little inconvenient, but is it worth the risk?
I do not want to spread paranoia, but believe me BW can suffer the same as LP. Unfortunately, self-hosting Bw is not an easy task. Thus, it is up to you if you want to keep your data synced to the cloud or migrate to another offline PM.
Now for sure can anybody here at MT or even MT itself offer an instance of BW hosted at MT servers? That would be nice right?
- Aug 7, 2017
- 270
Well, I am quite clued into the IT industry having worked in it for decades on both desktop & enterprise applications so I blame myself for not having seen the writing on the wall.
You're right about the 'eggs in one basket' bit - all my new recovery codes are now downloaded to my PC, stored on a NAS and USB hard drive and copies encrypted using good ol' Ccryptomator and stored on multiple cloud drives. Never again will I begin using my PM to store personal data.
And you're absolutely 100% right, what happened to LP could happen to any cloud based PM service so we have to make our choices. Though I have Sticky Password and Enpass + use Keepass as an archiver, BW, 1PW and Dashlane have that ease of use that makes them so enjoyable to use especially for non geeks like my wife and other family members. There would be howls of protest if were ever to push Keepass or similar as a solution. LOL!
- May 10, 2019
- 2,289
Cryptomator a nice piece of software. I can’t imagine my life without it.Well, I am quite clued into the IT industry having worked in it for decades on both desktop & enterprise applications so I blame myself for not having seen the writing on the wall.
You're right about the 'eggs in one basket' bit - all my new recovery codes are now downloaded to my PC, stored on a NAS and USB hard drive and copies encrypted using good ol' Ccryptomator and stored on multiple cloud drives. Never again will I begin using my PM to store personal data.
And you're absolutely 100% right, what happened to LP could happen to any cloud based PM service so we have to make our choices. Though I have Sticky Password and Enpass + use Keepass as an archiver, BW, 1PW and Dashlane have that ease of use that makes them so enjoyable to use especially for non geeks like my wife and other family members. There would be howls of protest if were ever to push Keepass or similar as a solution. LOL!
SP and Enpass are great especially for syncing passwords over WIFI. Enpass does offer a family plan and is currently on sale $24/year.
While Dashlane is great, I am using it btw, it is cloud based so I would not store anything critical in it. Enpass, on the other hand, can be used offline and that provides peace of mind. Enpass is fully-featured not like Keepass.
Hello guys,
I have a doubt: I didn't know about Lastpass, I only used Bitwarden (I'm sick of it) and offline password managers like KeePass. I created a random account just to check how Lastpass works and I liked it. Is anyone still using it? Is there any risk? If so, is there a product similar to LastPass?
I was reading on the LastPass blog and from what I understand, even if the data has been leaked, hackers will not be able to access the vault since there is no way to know the master password of each vault because LastPass is zero knowledge, but I could be wrong because I never used the service. What opinion can you give me about this?
Thank you all!
I have a doubt: I didn't know about Lastpass, I only used Bitwarden (I'm sick of it) and offline password managers like KeePass. I created a random account just to check how Lastpass works and I liked it. Is anyone still using it? Is there any risk? If so, is there a product similar to LastPass?
I was reading on the LastPass blog and from what I understand, even if the data has been leaked, hackers will not be able to access the vault since there is no way to know the master password of each vault because LastPass is zero knowledge, but I could be wrong because I never used the service. What opinion can you give me about this?
Thank you all!
Similar threads
