LastPass says employee’s home computer was hacked and corporate vault taken

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,763
They are not required to do anything. Strict security costs money and lots of it
They are still required to do something in some countries, under some applicable laws.

$36 per year (not aware of the price as I don’t use them but it’s what you’ve mentioned) multiplied by even 300 000 customers is still enough to provide acceptable level or security for customers data.
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,825
At my request Support restored my account (family subs) that dates back to 2012 (they do NOT delete your account fully from the backend!), but I ain't going back to LP, ever.

Their verbose responses are not very convincing to me. They're are essentially playing a CYA PLUS a 'soothe customer feathers' operation & hoping it doesn't lead to wider legal repercussions given they got hacked numerous times in the past.
Do you mean they restored your entire vault from that far back?
 
F

ForgottenSeer 98186

They are still required to do something in some countries, under some applicable laws.
If they were required to do so, then LastPass would have been fined by regulators plus sued in civil courts and the plaintiffs would win their cases. Someone would have to prove that LastPass was negligent. I know the general public thinks every company is negligent when something goes wrong, but I am talking about the legal standard of negligence.
 
  • Like
Reactions: Azure and Trident

Jengo

Level 6
Well-known
Nov 9, 2022
292
If they were required to do so, then LastPass would have been fined by regulators plus sued in civil courts and the plaintiffs would win their cases. Someone would have to prove that LastPass was negligent. I know the general public thinks every company is negligent when something goes wrong, but I am talking about the legal standard of negligence.
You remind me of someone that was here years ago. ForgottenSeer 58943, is this you ?
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,763
You remind me of someone that was here years ago. ForgottenSeer 58943, is this you ?
It can’t be ForgottenSeer 58943. He/she used to leave incorrect information, extremely far away from the reality left and right. The information from Oerlink is mostly factual, if not it expresses a personal opinion.

ForgottenSeer 58943 was a bullshitter and as such he disappeared. Also, he used to say and believe that everything is “extremely insecure” and the whole security industry is pointless.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
Do you mean they restored your entire vault from that far back?
I deleted my data before deleting 2 accounts i.e. my wife's and my account in December. However, at my specific request, both accounts were restored without data about 2 weeks post deletion . My premium Family subscription wasn't restored. So, I am really not sure how current their backup was.

The point is, these guys do NOT delete accounts permanently. Some legacy data will remain in their system OR data backups for an indefinite period of time. In which case, users that deleted their accounts/data after August '22 breach, or even earlier, may still have their data floating around in their backups/archives.
 
  • Like
Reactions: Gandalf_The_Grey

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,825
I deleted my data before deleting 2 accounts i.e. my wife's and my account in December. However, at my specific request, both accounts were restored without data about 2 weeks post deletion . My premium Family subscription wasn't restored. So, I am really not sure how current their backup was.

The point is, these guys do NOT delete accounts permanently. Some legacy data will remain in their system OR data backups for an indefinite period of time. In which case, users that deleted their accounts/data after August '22 breach, or even earlier, may still have their data floating around in their backups/archives.
Okay, well that is unfortunate. But, I guess better than them keeping the password data for 10+ years. I was under the impression they kept account data for 30 days post deletion to prevent accidental deletion.

I wiped my family accounts in 2019.
 
  • Like
Reactions: R2D2 and Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,763
The point is, these guys do NOT delete accounts permanently. Some legacy data will remain in their system OR data backups for an indefinite period of time. In which case, users that deleted their accounts/data after August '22 breach, or even earlier, may still have their data floating around in their backups/archives.
The attackers may have been unable to access the company backups. They should be managed according to the 3-2-1 rule (again, should) and the attackers are probably not even interested in that. Since the first breach, they have been trying to get their hands on the sweet and rather large pot of honey and they kept coming back for that.
Now they got what they wanted.

LastPass must investigate if anything else was accessed apart from this vault and must notify everyone affected. In the meantime users may wanna change their passwords, enable 2FA where supported and use authenticator apps instead of text messages.

Reminder for all Apple users that we do have Key Chain (built-in password manager) which also has authenticator capabilities (generating 2FA codes). Zero-knowledge encryption was recently introduced for iCloud as well which can be enabled.
 
F

ForgottenSeer 98186

The attackers may have been unable to access the company backups. They should be managed according to the 3-2-1 rule (again, should) and the attackers are probably not even interested in that. Since the first breach, they have been trying to get their hands on the sweet and rather large pot of honey and they kept coming back for that.
Now they got what they wanted.

LastPass must investigate if anything else was accessed apart from this vault and must notify everyone affected. In the meantime users may wanna change their passwords, enable 2FA where supported and use authenticator apps instead of text messages.

Reminder for all Apple users that we do have Key Chain (built-in password manager) which also has authenticator capabilities (generating 2FA codes). Zero-knowledge encryption was recently introduced for iCloud as well which can be enabled.

Biometrics (finger print) and hardware keys.

A hack of the 2FA TOTP service provider, Authy, is the whole reason that LastPass got breached in the first place. 2FA is now considered insecure and will become 3FA. In some respects people are better off using an open source Authenticator app.

The complaint about the hardware keys is that they can be expensive, people lose them easily, and not every web service provider has incorporated them (again because the implementation back-end expense is high).

People can get a nice FIDO2 hardware key from Thetis for about $25. For lots of people outside of economically developed countries, that is expensive. Then it will only cover their use on the most widely used websites. FIDO2 works for Bitwarden, but LastPass is not there yet. It will probably take them another couple of years.
 
  • Like
Reactions: R2D2 and Trident

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
A hack of the 2FA TOTP service provider, Authy, is the whole reason that LastPass got breached in the first place. 2FA is now considered insecure and will become 3FA. In some respects people are better off using an open source Authenticator app.
I have already begun the process of moving away from Authy slowly and systematically after last years Twilio breach. Have not deleeted my account just yet but that will happen in the near future.

Aegis on Android and Raivo OTP on iOS are IMHO one of the best out there. Another choice is 2FAS on both platforms.
 
  • Like
Reactions: Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,675
LastPass Employee Could've Prevented Hack With a Software Update
The hacker exploited a vulnerability in the Plex Media Server software that was patched in May 2020. 'The version that addressed this exploit was roughly 75 versions ago,' Plex says.

It turns out the massive breach at LastPass could have been stopped, or at least delayed, if a company employee had updated a piece of software on their home computer.

This week, LastPass revealed the hacker pulled off the breach by installing malware on an employee’s home computer, enabling them to capture keystrokes on the machine. But one lingering question was how the malware was delivered.

At the time, LastPass said(Opens in a new window) only that the hacker exploited “a vulnerable third-party media software package,” without naming the vendor or the exact flaw. That led many to wonder if the hacker had abused a currently unknown vulnerability, which could put many other users in harm’s way.

PCMag has since learned the hacker targeted the Plex Media Server software to load the malware on the LastPass employee's home computer. But interestingly, the exploited flaw was nothing new. According to Plex, the vulnerability is nearly three years old and was patched long ago.

Plex told PCMag the vulnerability is CVE-2020-5741(Opens in a new window), which the company publicly disclosed to users in May 2020. “An attacker who already had admin access to a Plex Media Server could abuse the Camera Upload feature to make the server execute malicious code,” the company said back then.
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,825
  • HaHa
Reactions: Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,763
Sheesh I update my small home server anytime it alerts me to an update.
Your post left me without words 😀
What the hell is this streaming server and why a developer with this salary needs it. Why is it not updated? A lot of why-s there.
 
  • Like
Reactions: TairikuOkami

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,825
Your post left me without words 😀
What the hell is this streaming server and why a developer with this salary needs it. Why is it not updated? A lot of why-s there.
Well Plex is nice for non-pirates like me who want to preserve their blu ray collection and not get one out every time the kids watch a movie that’s not streaming. My server is just on my pc and serves my home. It isn’t accessible remotely.
 

TairikuOkami

Level 36
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,528
One of the 4 top devs has not updated his personal computer, for years! It makes you wonder, what they do not do at work? Lastpass is definitelly on mine zero-trust list.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top