Lastpass says hackers accessed customer data in new breach

[piquiteco]

LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022.

Lastpass says hackers accessed customer data in new breach

LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022.

The company added that, once in, the threat actors also managed to access customer data stored in the compromised storage service.

"We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo," the company said.

"We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers' information."

Lastpass said it hired security firm Mandiant to investigate the incident and notified law enforcement of the attack.

It also noted that customers' passwords have not been compromised and "remain safely encrypted due to LastPass's Zero Knowledge architecture."

 

[CyberTech]

laughs in Bitwarden and 1Password

 

[I Walk MY Way]

Really last pass Omg how many security incidents are they planning to have?
Is last pass going for the world record of security breached incident's

 

[R2D2]

Lastpass attracts hackers like honey does flies. This is an an issue I realise..and I'm big fan. Wont renew and possibly delete my account when the subs expires

 

[Freki123]

LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022.
"We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers' information."

So for me it reads like the didn't bother to change passwords after the August incident. I mean if I can get in with information stolen in August something is "strange".

 

[dinosaur07]

Pretty risky to use this anymore. I'd avoid it at any cost.

 

[Razza]

Lasspass must have poor security practises or just totally incompetent, a competent organisation after a security breach would change passwords and rotating ever API/access key, it's a total joke a cadential they managed to steal from August 2022 still is valid.

My workplace currently uses lastpass, I've heard rumours from people higher in the company IT department than me it's getting replaced hopefully soon than later, zero credibility at the moment .

 

[I Walk MY Way]

Lasspass and security practises = Joke

 

[plat]

He links directly to the LastPass blog. They are trying to be "transparent." It seems this is fallout from that earlier breach but LastPass claims customers' passwords remain "safe" due to proprietary encryption. But this whole thing is like chewing gum stuck to the sole of one's shoe, it seems.

If you're worried about your password/s, Mr. Hunt is hopefully on it.

Spoiler

 

[SearchLight]

I bought LastPass Premium in October, and yesterday after getting an email 3 months later from LP about another breach in August, I deleted my account. Imo, you don't tell your customers three months after the fact but when it happens. It is like they were trying to hide it , and in the meantime one's vault could potentially become compromised. Of course, they stated that everyone's passwords were fully protected. I feel LP has lax security practices. Maybe they need to do an independent third party security audit in order to find their weaknesses, and plug the holes so as to restore faith in their product again. In the meantime, I will be looking elsewhere.

 

[Dark Knight]

I really do not understand how this company is still in business and how all it's users have just not walked away from it.
How many breaches does this company have to have before people wise up? Eventually there will be a breach that will be very costly, not to Lastpass but it's users

 

[R2D2]

So I read this today: Parsing LastPass’ data breach notice: What LastPass said — and hasn't said about its second data breach this year

WTH!! Very disappointed with LP's Management and system security. I am moving on, an active subs notwithstanding to Bitwarden or 1 Password. LP is to hackers what honey is to bees and bears.

 

[tipo]

Looks like you're safer using the browser 's built in password manager than LastPass. It's what, the third time this year?

 

[plat]

More fallout from the LastPass breach:

Lastpass: Hackers stole customer vault data in cloud storage breach

LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident.

www.bleepingcomputer.com

LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident.

This follows a previous update issued last month when the company's CEO, Karim Toubba, only said that the threat actor gained access to "certain elements" of customer information.

Toubba added in a new update to the original statement that Lastpass' cloud storage was accessed using "cloud storage access key and dual storage container decryption keys" stolen from its developer environment.

Twitter

 

[I Walk MY Way]

it just keeps on going, LastPass what a total joke

 

[Viking]

What, again ??

 

[piquiteco]

What, again ??

No, it's a report of the previous breach, what the hackers stole

 

[R2D2]

And this is precisely why I deleted my data and family data (not accounts) from LP and will not return till LP does something about hardening their systems to intrusions.

 

[Azure]

More fallout from the LastPass breach:

Lastpass: Hackers stole customer vault data in cloud storage breach

LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident.

www.bleepingcomputer.com

Twitter

On one side, it sounds like if you have a strong master password users should be okay.

However, this would be very difficult and time-consuming if you've been following password best practices recommended by LastPass.

On the other side, however, if LastPass lets users set very simple passwords, then there might be a problem.
I haven’t used LastPass in quite some time so I don’t recall if they allow users to set password like abc123 as master passwords

 

[piquiteco]

On the other side, however, if LastPass lets users set very simple passwords, then there might be a problem.
I haven’t used LastPass in quite some time so I don’t recall if they allow users to set password like abc123 as master passwords

LastPass does not allow users to set passwords like abc123 as master passwords. I just checked

Spoiler: Minimum requirements

The minimum requirements of the master password that LastPass accepts is pretty weak. Minimum requirements: At least 12 characters, At least 1 number, At least 1 lower case letter, At least 1 upper case letter. Where are the special characters? for example: !@#$%^&*