Lastpass says hackers accessed customer data in new breach

R2D2

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
Divine_Barakah said:
In case you have to, store 2FA keys in a separate vault (with its own Master Password) if your PM supports multiple vaults.
Click to expand...
1PW does, but Bitwarden doesn't as far as I know.

2FA tokens are in separate apps and soft copies of recovery codes are encrypted and uploaded to the cloud + stored locally. I just can't trust PMs as much as I did before. The past 3 weeks have been a painful experience for this former LP user. :)

PS - @piquiteco ^^^^ :)
 
  • Applause
  • Like
Reactions: Divine_Barakah and piquiteco
piquiteco

piquiteco

Level 14
Thread author
Oct 16, 2022
626
Divine_Barakah said:
In case you have to, store 2FA keys in a separate vault (with its own Master Password) if your PM supports multiple vaults.
Click to expand...
It has to be like this to make spoiler more convenient, but also if it falls into the hands of a hacker he will have a party.:LOL:
1673773867765.png

R2D2 said:
2FA tokens are in separate apps and soft copies of recovery codes are encrypted and uploaded to the cloud + stored locally. I just can't trust PMs as much as I did before. The past 3 weeks have been a painful experience for this former LP user. :)
Click to expand...
I think you had an unpleasant and pretty bad experience with LP, because you literally put all your eggs in one basket, you believed it, you put your trust in a PM that you would never have problems, I know what it is like +800 PWs, revoke all of 2FA, generate new recovery backup codes, create new security questions and answers, it is labor intensive, then you need to replicate in backup, sync on other devices...just thinking about it gives me the chills :eek:
 
  • Like
Reactions: Divine_Barakah and R2D2
R2D2

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
piquiteco said:
....just thinking about it gives me the chills
Click to expand...
I am still experiencing the chills and it's not entirely due to the weather. :D

But seriously, this is my bad. I curse LP and their management for their lapses but admit I should've been wary and cautious after reading about repeated attacks on LP over the years. One of them was bound to succeed and it did...in Aug '22. What was disclosed in Aug was just the trailer, the movie was yet to begin.

I hate to think how many accounts..like this Youtuber's, have been compromised. And he is not a noob! Obviously the hackers tried their luck with a well known personality giving weight to the theory they'll attack high value targets first. Luckily I am just small fry. Phew!

What unfolds in the next few months remains to be seen. It won't be good. Just batten down the hatches (2FA, passwords, recovery codes) as the full force of the hacker storm
approaches.

PS - This may or may not be a coincidence. I have seen a massive increase in the number of spam mails at my Gmail account.
 
Last edited:
  • +Reputation
Reactions: piquiteco
Divine_Barakah

Divine_Barakah

Level 29
Verified
Top Poster
Well-known
May 10, 2019
1,854
@piquiteco I know that having 2 vaults with completely different master passwords are a pain and very inconvenient, but I believe it is worth the hassle to avoid stuations such as LP’s.

You know it might be a good idea to contact password managers support and suggest that they automatically store 2FA in a separate vault that is encrypted individually with sth like a secret key without the need to use a new master password? I believe this will be more convenient and will also be more secure than storing 2FA in the same vault.

piquiteco said:
It has to be like this to make spoiler more convenient, but also if it falls into the hands of a hacker he will have a party.
Click to expand...
Lol, this way you will save the hacker much time and they will be grateful for you.

Anyway, I personally do not like the idea of storing both passwords and 2FA keys in the same password manager. Why? If you lose access ro your password manager, then you are doomed. Passwords are easy to reset, but what about 2FA? Imagine that youll need to contact the supoort for 200 sites and that youll need to provide proof that youre the owner. Just imagining this terrifies me.
 
  • Like
  • Hundred Points
Reactions: Stopspying, roger_m and piquiteco
piquiteco

piquiteco

Level 14
Thread author
Oct 16, 2022
626
R2D2 said:
And the bad news doesn't end. Enterprise customers also affected. I really wonder how GoTo/Lastpass will survive if they cannot secure user/customer data.

LastPass owner GoTo says hackers stole customers’ backups
Click to expand...
This is not good, what lousy news, it will resonate and propagate across the web, I believe it tarnishes their reputation, if it hasn't already. This will not sound good in the ears of the LP's Corporate Clients.
 
vtqhtr413

vtqhtr413

Level 26
Verified
Top Poster
Well-known
Aug 17, 2017
1,484

LastPass Password Manager: increase this setting to improve security significantly​

It has been a couple of months since LastPass suffered what is arguably the worst data breach to ever affect the password manager industry. The way the entire scenario was handled by the company, and the lack of transparency circling the aftermath of the attack resulted in many users switching to rival services.If you are a regular reader, you may be aware about our stance towards LastPass. We don't recommend using it because of incidents in the past and how these were handled, and advise users to migrate to Bitwarden, KeePass or 1Password. However, the fact remains that there are still thousands of users who are still using LastPass. This article is meant to help those people who plan to continue using the service, you might as well take the time to ensure that your account is as secure as possible.
Click to expand...
www.ghacks.net

How to increase the server-side KDF iterations in LastPass - gHacks Tech News

Learn how to change the server-side KDF iterations in LastPass, and set the count to the value recommended by OWASP.
www.ghacks.net
 
  • Applause
  • Like
  • +Reputation
Reactions: R2D2, plat, harlan4096 and 2 others
Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,567
If You Use LastPass, You Need to Change All of Your Passwords ASAP
Are you a LastPass user? This popular password manager was the target of a major data breach last December, which means many people’s passwords and personal data were exposed to nefarious entities.

According to LastPass CEO, Karim Toubba, there was a security incident in August that led to unauthorized parties stealing customer data in December. However, this is not a unique event for LastPass since it’s been having security incidents since 2011.

What kind of data was exposed? According to Toubba, hackers got their hands on unencrypted data such as LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses.

There was also vault data stolen, containing both unencrypted and encrypted information such as usernames and passwords for all visited sites.

Let’s pause for a second here. This is a password manager. They’re holding the keys to your kingdom, so to speak. Anyone sensible would think that they’d do well what they’re supposed to do, that is, storing your passwords securely.

Even more alarming is the fact that this has been happening since at least 2011, and nobody knows how many other undisclosed events might have happened so far.
Click to expand...
www.ghacks.net

LastPass Got Hacked, Yet Once More - gHacks Tech News

LastPass was the target of a recent security breach, exposing a treasure trove of users’ data. Read our article to find out what happened..
www.ghacks.net
 
  • Like
  • Thanks
Reactions: plat, R2D2, roger_m and 4 others
R2D2

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
Not that it means much now but this is what GRC's site indicated about my Lastpass password vulnerability to brute force attacks. This is what it was when the hackers downloaded encrypted customer vaults. I think I am safe at least for now. ;)

GRC.png
 
  • Love
  • Like
  • Wow
Reactions: I Walk MY Way, plat and mlnevese
mlnevese

mlnevese

Level 26
Verified
Top Poster
Well-known
May 3, 2015
1,533
R2D2 said:
Not that it means much now but this is what GRC's site indicated about my Lastpass password vulnerability to brute force attacks. This is what it was when the hackers downloaded encrypted customer vaults. I think I am safe at least for now. ;)

View attachment 272963
Click to expand...
Just for 91.92 thousand trillion centuries... then you have to worry. Or if you are unlucky it may happen in their first try 😉
 
  • Like
  • HaHa
Reactions: I Walk MY Way, blackice, R2D2 and 1 other person

Similar threads

Gandalf_The_Grey
    • Wow
    • +Reputation
    • Sad
Security News American Express credit cards exposed in third-party data breach
Replies
1
Views
1,133
Security News
Dave Russo
Dave Russo
Gandalf_The_Grey
    • +Reputation
    • Wow
Security News Fujitsu found malware on IT systems, confirms data breach
Replies
0
Views
501
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
    • +Reputation
Security News Mint Mobile discloses new data breach exposing customer data
Replies
0
Views
965
Security News
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top