- Mar 13, 2022
- 599
LastPass says employee’s home computer was hacked and corporate vault taken
Already smarting from a breach that stole customer vaults, LastPass has more bad news.
arstechnica.com
LastPass says employee’s home computer was hacked and corporate vault taken
- Thread starter MuzzMelbourne
- Start date
arstechnica.com
- Jul 27, 2015
- 5,459
Same source as OP.
LastPass: The crooks used a keylogger to crack a corporatre password vault
Seems the crooks implanted a keylogger via a vulnerable media app (LastPass politely didn’t say which one!) on a developer’s home computer.
nakedsecurity.sophos.com
- May 27, 2013
- 284
last pass the story that just won't go away, does anyone actually still use this anymore?Would you be brave enough to use LastPass after all this?
piquiteco
Level 14
- Oct 16, 2022
- 626
Yes, some people still use Lastpass.
No, because you have many password manager alternatives.
- Apr 13, 2014
- 859
Fresh email from LastPass…….
Dear LastPass Customer,
We are writing today to update you on our recent security incident disclosed on December 22. We have now completed an exhaustive investigation and have not seen any threat actor activity since October 26.
Earlier today, we posted an update to our blog with new findings and important information, including what happened and the actions we have taken, what data was accessed, what we have done to secure LastPass, actions we are recommending customers take to protect themselves or their businesses, and what you can expect from us going forward.
Given the volume of information we are sharing in the blog post, and to better assist our customers with their own incident-response efforts, we have prepared a Security Bulletin specifically for our Free, Premium, and Families consumer users to help guide you through a review of important LastPass settings designed to help secure your account by confirm best practices are being followed.
Please review the Security Bulletin and make any necessary changes to your account.
In sharing these additional details today and in our approach going forward, we are determined to do right by our customers and communicate more effectively. We thank you for your patience and continued support of LastPass.
The Team at LastPass
Dear LastPass Customer,
We are writing today to update you on our recent security incident disclosed on December 22. We have now completed an exhaustive investigation and have not seen any threat actor activity since October 26.
Earlier today, we posted an update to our blog with new findings and important information, including what happened and the actions we have taken, what data was accessed, what we have done to secure LastPass, actions we are recommending customers take to protect themselves or their businesses, and what you can expect from us going forward.
Given the volume of information we are sharing in the blog post, and to better assist our customers with their own incident-response efforts, we have prepared a Security Bulletin specifically for our Free, Premium, and Families consumer users to help guide you through a review of important LastPass settings designed to help secure your account by confirm best practices are being followed.
Please review the Security Bulletin and make any necessary changes to your account.
In sharing these additional details today and in our approach going forward, we are determined to do right by our customers and communicate more effectively. We thank you for your patience and continued support of LastPass.
The Team at LastPass
- Apr 24, 2016
- 6,601
Fresh email from LastPass…….
Dear LastPass Customer,
We are writing today to update you on our recent security incident disclosed on December 22. We have now completed an exhaustive investigation and have not seen any threat actor activity since October 26.
Earlier today, we posted an update to our blog with new findings and important information, including what happened and the actions we have taken, what data was accessed, what we have done to secure LastPass, actions we are recommending customers take to protect themselves or their businesses, and what you can expect from us going forward.
Given the volume of information we are sharing in the blog post, and to better assist our customers with their own incident-response efforts, we have prepared a Security Bulletin specifically for our Free, Premium, and Families consumer users to help guide you through a review of important LastPass settings designed to help secure your account by confirm best practices are being followed.
Please review the Security Bulletin and make any necessary changes to your account.
In sharing these additional details today and in our approach going forward, we are determined to do right by our customers and communicate more effectively. We thank you for your patience and continued support of LastPass.
The Team at LastPass
Security Bulletin: Recommended Actions for Free, Premium, and Families Customers
Security is vital to your life online, so we’ve created this guide to help you respond to the recent LastPass incident in a way that meets your personal needs.
support.lastpass.com
- Apr 1, 2019
- 2,786
This is why the US government issues employees locked down laptops. I can’t even log into our HR system on my personal PC. It’s all tied to a credential card and pin.
- Mar 13, 2022
- 599
Great, use 2FA is part of their advice. Shame the DevOps Engineer didn't get the message.
- May 13, 2017
- 2,487
This sums up online password managers. If you can access your passwords on multiple devices via the internet, anyone can.
The problem is not really that the dev was targeted, but that his account allows to access those data. So much for conspiracies.
- Aug 7, 2017
- 267
Security Incident Update and Recommended Actions
And here's an update from the CEO Karim Toubba dated today March 1st '23
And here's an update from the CEO Karim Toubba dated today March 1st '23
The conditional access system based upon the CAC is a joke. The US govt does not issue secure CAC scanners, if at all (subcontractors have to buy their own), and so CAC holders buy cheap scanners online that have malicious code that steals the data off the CAC. Tell that to the DoD which has multiple breaches across all 5 branches, along with at least 100,000+ stolen identities.
The answer is a very simple one. LastPass did not put MFA authentication in front of the corporate vault. LastPass's enterprise security just required MFA for the initial authentication to the front system. That is not the DevOps Engineer's fault. He's not the LastPass security administrator. He's just the developer.
The DevOps Engineer needs access to corporate resources in the vault (which contained no user data) to work with the development pipeline. The threat actor got access to shared cloud resources. WIth a typical enterprise software vault costing about $20,000 each, no company with sane senior managers is going to buy 15 of them to segregate everything just so customers can "feel good." A company is going to buy a single software vault and stuff everything in there that they can. If LastPass customers want that to change and want much better security, then they need to reach deep into their pockets and start paying $75 or $100 per year for the service instead of $0.
It is one hell of a spectacle to watch the outrage over the compromise of a product whose user base are mostly freeloaders.
The public never wants to pay, and yet expects perfect security. When they are willing to pay, they're the biggest cheapskates, then turn around and point the finger and play the blame game.
- Jul 27, 2015
- 5,459
What have we done to secure LastPass
Beyond the actions we have already taken as described in the detailed incident sections, we are prioritizing areas of further investment in security, privacy, and operational best practices. Further we are hiring to expand our security expertise across all dimensions. Many of these items were...
support.lastpass.com
- Nov 9, 2022
- 284
LastRide is the better name now. They should quit their business and still have some pride then.
Even the Titanic did not have as much holes as LP.
Even the Titanic did not have as much holes as LP.
- Feb 7, 2023
- 1,737
Just like the argument that we had on the Comodo thread, you are right and not right.
Whether it’s free or paid software, they should ensure that good security practices are followed by all employees, devices and data are secured and the most critical information can’t be accessed from employee’s unmanaged PCs. This is highly sensitive data and keeping it safe should be somewhat of a priority. If a free model is not sustainable to achieve that then they should put a price tag on it.
But you can’t just gather users data for years (charging for very minor features that not everyone needs) and then after 3 breaches be like “Oopsie… well we are for free…”.
- Mar 2, 2023
- 794
After all this fiasco, I totally deleted my LastPass account a couple of days ago. Even though that information is out there, it's still something proactive I could do on my part.
- Aug 7, 2017
- 267
At my request Support restored my account (family subs) that dates back to 2012 (they do NOT delete your account fully from the backend!), but I ain't going back to LP, ever.
Their verbose responses are not very convincing to me. They're are essentially playing a CYA PLUS a 'soothe customer feathers' operation & hoping it doesn't lead to wider legal repercussions given they got hacked numerous times in the past.
Their verbose responses are not very convincing to me. They're are essentially playing a CYA PLUS a 'soothe customer feathers' operation & hoping it doesn't lead to wider legal repercussions given they got hacked numerous times in the past.
- Mar 2, 2023
- 794
They do not delete your account fully? Is this why I've gotten a couple of update emails from them, even though I supposedly totally deleted my account?
- Nov 9, 2022
- 284
The operative word is "should." They are not required to do anything. Strict security costs money and lots of it. So without enough revenue, shortcuts are taken and things are not done. People are not going to get the security that they want for $0 or $3 per month.
Nobody is required to provide secure software or a secure service. You can argue that they should do so on ethical grounds, but at the end of the day they only provide what they are legally required to provide. There is no contract between a software publisher or service provider and the general public. Their EULAs and terms of service basically state that everything is provided "As Is."
LastPass should charge a lot more than what it does now, and eliminate the free tier. But you know if they did that then the cheap public would not pay.
They would never say "Oopsie... well we are for free..." but at that same time they used reasonable security and in their terms of service they are not responsible. If the government and general public want to put security responsibility onto software publishers and service providers, then those companies will just pass the increased costs onto the public - who are too cheap to pay. So those providers will be regulated out of existence and it will be the public that suffers as products leave the market with no one willing to assume the liability.
@Trident I am not saying that companies are not negligent. Because to some degree, it can be debated, all of them are. Except for some small company that is run by a security enthusiast who puts security as the company's first priority and willingly spends the big money for it, everybody else executes security imperfectly. Mistakes are made. Shortcuts are taken. Employees are not security-minded or thorough. Etc. Budgets are not sufficient. Security roles are understaffed.
Last edited by a moderator:
Similar threads
