LastPass master passwords may have been compromised

Status
Not open for further replies.

Gandalf_The_Grey

Level 61
Thread author
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,009
Bleeping Computer Update December 28, 15:08 EST: Added info on LastPass login pairs stolen by RedLine Stealer malware:
While LastPass didn't share any details regarding how the threat actors behind these credential stuffing attempts got hold of the credentials, security researcher Bob Diachenko said he recently found thousands of LastPass credentials while going through RedLine Stealer malware logs.

BleepingComputer was also told by LastPass customers who received such login alerts that their emails were not in the list of login pairs harvested by RedLine Stealer found by Diachenko.

This means that, at least in the case of some of these reports, the threat actors behind the takeover attempts used some other means to steal their targets' master passwords.
 

South Park

Level 9
Verified
Jun 23, 2018
400

Gandalf_The_Grey
Bleeping Computer Update December 29, 03:37 EST: In an update to the original statement, LastPass VP of Product Management Dan DeMichele told BleepingComputer that some of the login warnings were likely sent in error.
As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts.

We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.

However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.

Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.

These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).


We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.
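The statement above leans on the "zero-knowledge" model: the master password never reaches LastPass, so a server-side breach cannot leak it, yet an attacker who already holds a user's master password (say, from stealer-malware logs) can still log in by replaying the normal client derivation. The following is an added example, not LastPass's code, modelled on the publicly described shape of that design (PBKDF2-SHA256 over the master password salted with the e-mail, then one further one-way round to produce the value sent for login); the iteration count, function names and the sample account are assumptions. It shows why "no indication LastPass was breached" and "accounts being stuffed with real master passwords" are not contradictory.

```python
import hashlib
import hmac

# Iteration count is an assumption for this example; the real default has
# changed over time and is configurable per account.
ITERATIONS = 100_100


def derive_vault_key(email: str, master_password: str,
                     iterations: int = ITERATIONS) -> bytes:
    """Client side: PBKDF2-SHA256 over the master password, salted with the
    account e-mail. This key decrypts the vault locally and is never sent."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               iterations, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> str:
    """Client side: one more PBKDF2 round, keyed the other way round, turns the
    vault key into the authentication value that is sent to the server.
    It is one-way, so the server cannot recover the vault key from it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"),
                               1, dklen=32).hex()


def client_login_value(email: str, master_password: str) -> str:
    """Everything the server ever sees from a login: the login hash only."""
    return derive_login_hash(derive_vault_key(email, master_password),
                             master_password)


def server_verify(stored_login_hash: str, presented_login_hash: str) -> bool:
    """Server side: constant-time comparison against the stored value. (A real
    server would store a further salted hash of the login value; omitted.)"""
    return hmac.compare_digest(stored_login_hash, presented_login_hash)


def credential_stuffing_attempt(email: str, candidate_password: str,
                                stored_login_hash: str) -> bool:
    """What an attacker holding a stolen (e-mail, master password) pair does:
    run the same public derivation and present the result. No LastPass
    breach is required for this to succeed; only the password has to be right."""
    return server_verify(stored_login_hash,
                         client_login_value(email, candidate_password))


if __name__ == "__main__":
    # Constructed sample account; not a real user.
    email, pw = "alice@example.com", "correct horse battery staple"
    stored = client_login_value(email, pw)   # what the server stores
    key = derive_vault_key(email, pw)        # what never leaves the client
    print("server stores      :", stored)
    print("vault key (client) :", key.hex())
    print("stolen password    :", credential_stuffing_attempt(email, pw, stored))
    print("wrong password     :", credential_stuffing_attempt(email, "hunter2", stored))
```

The practical consequence for the thread's question: if the stolen item is the master password itself (keylogger, stealer log, reused password), the server-side hash is irrelevant and only MFA or a changed master password stops the login; if only the server-side record were stolen, the attacker would still have neither the master password nor the vault key.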
 

LASER_oneXM

Level 37
Verified
Top poster
Well-known
Feb 4, 2016
2,534

LastPass VPs confirm 'no indication' of compromised accounts after security alerts


LastPass VP Gabor Angyal said some of the security alerts that initially caused concern were "likely triggered in error."

Two LastPass vice presidents have released statements about the situation surrounding LastPass security issues that came to light this week.

Two days ago, hundreds of LastPass users took to Twitter, Reddit, and other sites to complain that they were getting alerts about their master password being used by someone who was not them. Some reported that even after changing their master password, someone tried to access their account again.

On Tuesday, the company released a brief statement noting that its security team observed and received reports of potential credential stuffing attempts. Credential stuffing involves attackers stealing credentials (usernames, passwords, etc.) to access users' accounts.

"While we have observed a small uptick in this activity, we are utilizing multiple technical, organizational, and operational methods designed to protect against credential stuffing attempts. Importantly, we also want to reassure you that there is no indication, at this time, that LastPass or LogMeIn were breached or compromised," wrote Gabor Angyal, VP of engineering at LastPass.
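The statements quoted above describe two things a provider has to keep apart: a credential-stuffing source replaying a list of (e-mail, password) pairs against many accounts, and an ordinary user mistyping their own password a few times, with the earlier LastPass update admitting that some "blocked login attempt" alerts went out in error. The block below is an added example, not LastPass's detection logic: it runs a simple per-source heuristic over constructed authentication log lines and only raises an alert for accounts targeted from a source that looks like stuffing. The log format, field names, thresholds and addresses (TEST-NET ranges) are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One line per login attempt. Format and field names are constructed for this
# example; adapt LOG_RE to the real authentication log.
LOG_RE = re.compile(
    r"ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>ok|fail)")

# Thresholds are assumptions for the example, not LastPass's tuning.
MIN_DISTINCT_USERS = 5   # one source hitting many different accounts
MIN_FAILURES = 5         # ...and mostly failing


@dataclass
class SourceStats:
    users: set = field(default_factory=set)
    failures: int = 0
    successes: int = 0


def parse(lines):
    """Yield (ip, user, result) for each well-formed line; skip the rest."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["ip"], m["user"].lower(), m["result"]


def source_stats(lines):
    """Per source address: distinct accounts tried, failures and successes."""
    stats = defaultdict(SourceStats)
    for ip, user, result in parse(lines):
        s = stats[ip]
        s.users.add(user)
        if result == "ok":
            s.successes += 1
        else:
            s.failures += 1
    return dict(stats)


def stuffing_sources(lines):
    """IPs whose pattern is many accounts, mostly failing: the signature of a
    credential list being replayed, not of one user mistyping a password."""
    return {ip for ip, s in source_stats(lines).items()
            if len(s.users) >= MIN_DISTINCT_USERS and s.failures >= MIN_FAILURES}


def triage(lines):
    """Split accounts into 'blocked' (targeted from a stuffing source, password
    failed) and 'compromised' (the stuffed password worked, so the attacker
    holds the master password). Accounts whose only failures come from an
    ordinary source get no alert at all, which avoids alerting in error."""
    bad = stuffing_sources(lines)
    blocked, compromised = set(), set()
    for ip, user, result in parse(lines):
        if ip not in bad:
            continue
        (compromised if result == "ok" else blocked).add(user)
    blocked -= compromised
    return {"blocked": blocked, "compromised": compromised}


SAMPLE_LOG = [  # constructed sample log lines
    "2021-12-27T10:00:01Z ip=203.0.113.5 user=alice@example.com result=fail",
    "2021-12-27T10:00:02Z ip=203.0.113.5 user=carol@example.com result=ok",
    "2021-12-27T10:00:02Z ip=203.0.113.5 user=dave@example.com result=fail",
    "2021-12-27T10:00:03Z ip=203.0.113.5 user=erin@example.com result=fail",
    "2021-12-27T10:00:03Z ip=203.0.113.5 user=frank@example.com result=fail",
    "2021-12-27T10:00:04Z ip=203.0.113.5 user=grace@example.com result=fail",
    # bob forgets his password a few times from his own address, then gets in
    "2021-12-27T10:05:00Z ip=198.51.100.7 user=bob@example.com result=fail",
    "2021-12-27T10:05:09Z ip=198.51.100.7 user=bob@example.com result=fail",
    "2021-12-27T10:05:20Z ip=198.51.100.7 user=bob@example.com result=fail",
    "2021-12-27T10:05:31Z ip=198.51.100.7 user=bob@example.com result=ok",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print("stuffing sources:", stuffing_sources(SAMPLE_LOG))
    print(triage(SAMPLE_LOG))
```

The interesting case is the "compromised" bucket: a success from a stuffing source means the replayed master password was correct, which is the situation the Diachenko stealer-log finding points at, and the only useful response is forcing a master-password change and MFA rather than a generic "blocked attempt" notice.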
 

shmu26

Level 85
Verified
Helper
Top poster
Content Creator
Well-known
Jul 3, 2015
8,155
Maybe the affected LP users were hit by a keylogger, or stored their master password in an insecure way, either on their device or in the cloud. I don't see any evidence that LP was hacked. It sounds more like users were hacked.
 

Azure

Level 27
Verified
Top poster
Content Creator
Oct 23, 2014
1,615
Maybe the affected LP users were hit by a keylogger, or stored their master password in an insecure way, either on their device or in the cloud. I don't see any evidence that LP was hacked. It sounds more like users were hacked.
You can read here that this user states
“What troubles me is that the master password was stored in a local encrypted KeePassX file.”


Someone else stated that they got an alert even after changing passwords

Perhaps Lastpass is right, and it was an error.
 

Dark Knight

Level 4
Aug 17, 2013
180
Me sipping tea comfortably with my local password manager (KeePass), which leaks and hacks can't reach 🍵

Having your passwords online is asking for trouble, same for having them saved on the browser and synced.
I agree 110%: anyone who pays a service to store their passwords online would be better off taking their money and burning it.
I think LastPass is playing CYA right now, seeing as this just recently happened to them and they really cannot afford another hit like this. I think in the future we will find the breach ACTUALLY happened and the notices were not sent in error. All it takes is one pissed off employee to blow the whistle.


This has become all too common with LastPass; my advice to anyone who uses it: cut bait and dump it.

printing

Level 1
Nov 14, 2020
42
You can read here that this user states
“What troubles me is that the master password was stored in a local encrypted KeePassX file.”


Someone else stated that they got an alert even after changing passwords

Perhaps Lastpass is right, and it was an error.
If the KeePassX file was compromised, it could affect other applications, websites and even Bitwarden. It seems to target LP for now.
Seems weird to me.

printing

Level 1
Nov 14, 2020
42
If the master password was (possibly) obtained from a locally encrypted KeePassX database, as the original poster on Hacker News feared, then the issue is with the user's device security, not LastPass.
Does that mean other accounts in the KeePass database may be compromised?
 

Local Host

Level 25
Verified
Top poster
Well-known
Sep 26, 2017
1,449
If the KeePassX file was compromised, it could affect other applications, websites and even Bitwarden. It seems to target LP for now.
Seems weird to me.
KeePass databases are stored locally, so in that case it would be your system that was compromised.

In the case of LastPass you have no control whatsoever over their systems.

I've seen multiple excuses from LastPass, which shows even they don't know what is going on; they are just trying to put out the fire.
 

JasonUK

Level 5
Apr 14, 2020
201
I've seen multiple excuses from LastPass, which shows even they don't know what is going on; they are just trying to put out the fire.
I've noted that too. LastPass's device-type changes earlier in the year didn't really worry me, but the whiff (again) around this password manager is the proverbial straw that broke the camel's back. I've deleted my LastPass vault and will stick to locally stored KeePassXC for now, although I'll probably give Bitwarden another go too (wasn't impressed last time).
 

Gandalf_The_Grey
I've noted that too. LastPass's device-type changes earlier in the year didn't really worry me, but the whiff (again) around this password manager is the proverbial straw that broke the camel's back. I've deleted my LastPass vault and will stick to locally stored KeePassXC for now, although I'll probably give Bitwarden another go too (wasn't impressed last time).
Another alternative could be 1Password.
 

Vasudev

Level 32
Verified
Nov 8, 2014
2,145
Just checked LastPass via browser login and it seems 2FA and other settings haven't been changed/modified.

shmu26

Level 85
Verified
Helper
Top poster
Content Creator
Well-known
Jul 3, 2015
8,155
LastPass has 25 million users. So far there are no reports of their encrypted vault data ever being hacked. And even if it does get hacked someday, the chances that your bank account will be first to go are kind of low.

Dark Knight

Level 4
Aug 17, 2013
180
"And even if it does get hacked someday, the chances that your bank account will be first to go are kind of low."

25 million users or not, if you are paying a service to keep your credentials safe then it should be unhackable; it doesn't matter if my account is the first to go or not, someone's account will be the first to go is what matters.

It is not like this has not happened to them before, and in the future I think we will eventually find this incident actually has, but as of right now I think LastPass is just doing damage control.

I think it's kind of silly the way you are playing it off ..... what if it was your account they decided to empty? You probably wouldn't like it too much, would you?

LastPass has made millions if not billions of $$ storing people's lives, but yet cannot ever seem to get its house in order; use their service and you deserve whatever happens.

I would almost bet my bottom dollar the owner of LP doesn't even use his own service.