LastPass master passwords may have been compromised

[mkoundo]

as well as recovery phone included in my account.

Personally, I would disable phone recovery as this adds an attack vector that's increasingly popular.

 

[Azure]

There is a discussion about it here

Ask HN: How did my LastPass master password get leaked? | Hacker News

news.ycombinator.com

I want to point out the following from poster there
“What troubles me is that the master password was stored in a local encrypted KeePassX file.”

 

[Gandalf_The_Grey]

Beeping Computer Update December 28, 15:08 EST: Added info on LastPass login pairs stolen by RedLine Stealer malware:

While LastPass didn't share any details regarding how the threat actors behind these credential stuffing attempts, security researchers Bob Diachenko said he recently found thousands of LastPass credentials while going through Redline Stealer malware logs.

BleepingComputer was also told by LastPass customers who received such login alerts that their emails were not in the list of login pairs harvested by RedLine Stealer found by Diachenko.

This means that, at least in the case of some of these reports, the threat actors behind the takeover attempts used some other means to steal their targets' master passwords.

LastPass users warned their master passwords are compromised

Many LastPass users report that their master passwords have been compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations.

www.bleepingcomputer.com

 

[South Park]

This happens over and over again with "cloud" password managers. I've been very happy with KeePass, which has an Android version as well as Windows.

 

[South Park]

There is a discussion about it here

Ask HN: How did my LastPass master password get leaked? | Hacker News

news.ycombinator.com

I want to point out the following from poster there
“What troubles me is that the master password was stored in a local encrypted KeePassX file.”

Notable quote from the thread: "Because LastPass is beyond stupid and uses your master password to log in to their bbulletin or whatever php forum."

 

[cryogent]

I'm glad I moved to Bitwarden and I hope we never have the same problems as LastPass.

 

[Gandalf_The_Grey]

Bleeping Computer Update December 29, 03:37 EST: In an update to the original statement, LastPass VP of Product Management Dan DeMichele told BleepingComputer that some of the login warnings were likely sent in error.

As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts.

We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.

However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.

Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.

These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a users’ Master Password(s).

We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.

LastPass users warned their master passwords are compromised

Many LastPass users report that their master passwords have been compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations.

www.bleepingcomputer.com

 

[LASER_oneXM]

LastPass VPs confirm 'no indication' of compromised accounts after security alerts

LastPass VP Gabor Angyal said some of the security alerts that initially caused concern were "likely triggered in error."

www.zdnet.com

LastPass VPs confirm 'no indication' of compromised accounts after security alerts​

LastPass VP Gabor Angyal said some of the security alerts that initially caused concern were "likely triggered in error."

Two LastPass vice presidents have released statements about the situation surrounding LastPass security issues that came to light this week.

Two days ago, hundreds of LastPass users took to Twitter, Reddit, and other sites to complain that they were getting alerts about their master password being used by someone who was not them. Some reported that even after changing their master password, someone tried to access their account again.

On Tuesday, the company released a brief statement noting that its security team observed and received reports of potential credential stuffing attempts. Credential stuffing involves attackers stealing credentials (usernames, passwords, etc.) to access users' accounts.

"While we have observed a small uptick in this activity, we are utilizing multiple technical, organizational, and operational methods designed to protect against credential stuffing attempts. Importantly, we also want to reassure you that there is no indication, at this time, that LastPass or LogMeIn were breached or compromised," wrote Gabor Angyal, VP of engineering at LastPass.

 

[shmu26]

Maybe the affected LP users were hit by a keylogger, or stored their master password in an insecure way, either on their device or in the cloud. I don't see any evidence that LP was hacked. It sounds more like users were hacked.

 

[Azure]

Maybe the affected LP users were hit by a keylogger, or stored their master password in an insecure way, either on their device or in the cloud. I don't see any evidence that LP was hacked. It sounds more like users were hacked.

You can read here that this user states

Ask HN: How did my LastPass master password get leaked? | Hacker News

news.ycombinator.com

“What troubles me is that the master password was stored in a local encrypted KeePassX file.”


Someone else stated that they got an alert even after changing passwords


Perhaps Lastpass is right, and it was an error.

 

[JasonUK]

If the master password was (possibly) obtained from a locally encrypted KeePassX database as original poster on Hacker news feared then the issue is with the users device security not Lastpass.

 

[Dark Knight]

Me sipping tea comfortably with my local password manager (KeePass), that leaks and hacks can't reach,

Having your passwords online is asking for trouble, same for having them saved on the browser and synced.

I agree 110% , anyone who pays a service to store their passwords online would be better off taking their money and burning it.
I think LastPass is playing CYA right now seeing as this just recently happened to them and they really cannot afford another hit like this, I think in the future we will find the breach ACTUALLY happened and the notices were not sent in error. All it takes is one pissed off employee to blow the whistle.


This has become all too common with LastPass, my advice to anyone that uses it .......... cut bait and dump it.

 

[printing]

You can read here that this user states

Ask HN: How did my LastPass master password get leaked? | Hacker News

news.ycombinator.com

“What troubles me is that the master password was stored in a local encrypted KeePassX file.”


Someone else stated that they got an alert even after changing passwords


Perhaps Lastpass is right, and it was an error.

If KeepassX file was compromised, it could affect other applications, websites and even bitwarden. It seems to target LP for now
Seems werid to me.

 

[printing]

If the master password was (possibly) obtained from a locally encrypted KeePassX database as original poster on Hacker news feared then the issue is with the users device security not Lastpass.

Does that means other accounts in the Keepass database may be compromised?

 

[Local Host]

If KeepassX file was compromised, it could affect other applications, websites and even bitwarden. It seems to target LP for now
Seems werid to me.

KeePass databases are stored locally, so your system that would be compromised in that case.

In the case of LastPass you have no control whasoever over their systems.

I've seen multiple excuses from LastPass, which shows even them don't know what is going on, they just trying to put out the fire.

 

[JasonUK]

I've seen multiple excuses from LastPass, which shows even them don't know what is going on, they just trying to put out the fire.

I've noted that too. Lastpass' device-type changes earlier in the year didn't really worry me but the whiff (again) around this password manager is the proverbial straw that broke the camel's back. I've deleted my Lastpass vault and will stick to locally stored Keepass XC for now although I'll probably give Bitwarden another go too (wasn't impressed last time).

 

[Gandalf_The_Grey]

I've noted that too. Lastpass' device-type changes earlier in the year didn't really worry me but the whiff (again) around this password manager is the proverbial straw that broke the camel's back. I've deleted my Lastpass vault and will stick to locally stored Keepass XC for now although I'll probably give Bitwarden another go too (wasn't impressed last time).

Another alternative could be 1Password.

 

[Vasudev]

Just checked Lastpass via browser login and it seems 2FA and other settings haven't been changed/modified

 

[shmu26]

LastPass has 25 million users. So far there are no reports of their encrypted vault data ever being hacked. And even if it does get hacked someday, the chances that your bank account will be first to go are kind of low.

 

[Dark Knight]

"And even if it does get hacked someday, the chances that your bank account will be first to go are kind of low."

25 million users or not, if you are paying a service to keep your credentials safe then it should be unhackable, doesn't matter if my account is the first to go or not, someones account will be the first to go is what matters.

It is not like this has not happened to them before and in the future I think we will eventually find this incident actually has but as of right now I think LastPass is just doing damage control.

I think it kind of silly they way you are playing it off ..... what if it was your account they decided to empty? probably wouldn't like it too much would ya?

LastPass has made Millions if not Billions of $$ storing peoples lives but yet cannot ever seem to get their house in order, use their service and you deserve whatever happens.

I would almost bet my bottom dollar the owner of LP doesn't even use his own service.