Lastpass says hackers accessed customer data in new breach

piquiteco

Level 14
Thread author
Oct 16, 2022
626
One thing that I don't like about SP is the fact you need to enter your master password when you sign in to your Sticky Password on a new device. I just do not get why you have to use your master password to sign in even though your data is not synced to the cloud.
I didn't really understand much of what you said, but let's go there. Whenever you install SP for the first time on a new device, you need to enter a unique PIN, which is sent to your email when you first installed SP, to authorize this new device and mark it as trusted, and then consequently you enter your master password, regardless of whether you will sync in the cloud or not; unfortunately SP requires this step. As for the fact that you need to type your master password in SP every time on a new device, that is for security reasons. Yes, it is inconvenient, but all password managers are like that. Your master password is the key that decrypts the database. On the cell phone you can already use biometrics, iris reader or a PIN so you don't have to keep entering your master password every time you use SP. Even so, SP from time to time, for security reasons, will require you to enter your master password. (y)
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
I've used or purchased/subscribed to nearly every major password manager out there. IMHO the safest ones are Keepass/KeepassXC or Enpass and Sticky Password, simply because they allow local syncs. In the past, 1Password did that too with version 7 and lower, but not any more. AgileBits believes customers should store data in 1Password's cloud. It was a wrong decision and I think after this LastPass fiasco all PM companies will have to actively consider enabling or adding local sync instead of the mandatory cloud, if only to reassure jittery customers.
 

Manifestation

Level 1
Dec 23, 2022
22
Jeremi M Gosney - his thoughts:

a) Ditch LP for BW or 1Password
b) Change passwords for all your accounts, especially critical ones
For me this is bad advice. He is asking users to migrate to products which have the same flaws, even if they supposedly were not hacked.

One more thing: password managers, including BW and 1P, allow and even encourage users to store 2FA keys in the vault. Thus, if they get hacked, it would be a nightmare.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
The only safe vault is one on your PC that you can sync with your mobile phone locally on your LAN, and that also assumes your machine(s) are well secured and aren't infected with trojans and the like that create backdoors, and that your mobile has a lock. You trade a bit of safety for convenience. What you want to give up, and how much, is up to the individual. BW can be privately hosted too in case you wish to go down that road.

If I had to choose 2 local-sync-capable PMs it would be either Sticky Password or Enpass, but neither is as polished and IMO as easy to use as 1Password or BW. And yes, I have lifetime licenses of both, but neither is used much. Keepass is another option (my archival PM) and can be synced via Dropbox, Google Drive etc.; however, mobile app support is still iffy and the Keepass interface is very basic, an app tailored to geeks. My family would hate it within minutes and I can never really hope to have them use Keepass or KeepassXC instead of 1PW or BW. There are a few decent Android/iOS mobile apps that can work with Keepass databases, but some are paid and some are pretty raw.
 

mlnevese

Level 26
Verified
Top Poster
Well-known
May 3, 2015
1,541
It doesn't really matter if hackers get access to your online vault files, as they are strongly encrypted. 1Password, for instance, goes as far as using double-key encryption, so good luck decrypting it before the sun becomes a big red ball of plasma...

You are in trouble only if you are using an amazingly weak key that may be broken by a brute-force attack, Abcde12345, for instance. With services that use double-key encryption even that won't be an immediate danger to you, because they have to get the second key right as well. Or if any password manager out there uses an incredibly weak encryption algorithm, which I think is not the case for any of them. Or, even worse, if the password manager keeps your master key as a plain text file anywhere on their servers, which I hope none of them are stupid enough to do, because if any of them are, even locally stored vaults will be useless, since all the hacker has to do is copy your vault and the text file.

Of course, if any company out there uses a backdoor and that is discovered, you're in trouble.
 
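To illustrate the double-key point made above, here is an added example (not code from this thread, and a deliberately simplified stand-in for 1Password's real scheme): the vault key is derived from both the master password and a long random secret key that stays on the user's devices, so a stolen copy of the encrypted vault cannot be unlocked even with the correct weak master password. The salt, secret key, iteration count and verifier construction are all constructed for the demo.

```python
import hashlib
import hmac

# Simplified two-secret key derivation (illustrative only; NOT 1Password's real
# algorithm). The vault key depends on BOTH the master password and a random
# secret key that never leaves the user's devices, so a copy of the encrypted
# vault plus a guessed password is still not enough to unlock it.

ITERATIONS = 200_000  # PBKDF2 work factor; constructed value for the demo


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Stretch the password with PBKDF2, then mix in the secret key by XOR."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, ITERATIONS)
    sk_part = hmac.new(secret_key, salt, hashlib.sha256).digest()  # HKDF-style mixing, simplified
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(vault_key: bytes) -> bytes:
    """Hash stored next to the vault to check a derived key (stands in for an
    authenticated-decryption check of the vault blob)."""
    return hashlib.sha256(b"verifier|" + vault_key).digest()


def unlock(master_password: str, secret_key: bytes, salt: bytes, verifier: bytes) -> bool:
    """True only if BOTH the password and the secret key are right."""
    candidate = derive_vault_key(master_password, secret_key, salt)
    return hmac.compare_digest(make_verifier(candidate), verifier)


# Constructed sample values for the demo (not real secrets).
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SECRET_KEY = bytes.fromhex("a3f19c0d5e7b2846c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6")  # 192-bit random key
WEAK_PASSWORD = "Abcde12345"  # the weak example quoted in the post

VERIFIER = make_verifier(derive_vault_key(WEAK_PASSWORD, SECRET_KEY, SALT))


def vault_copy_alone_unlocks(vault_verifier: bytes, salt: bytes) -> bool:
    """Someone holding only the stolen vault (no secret key) cannot confirm
    even the correct weak password: without the secret key the check fails."""
    missing_secret_key = bytes(24)  # placeholder: the secret key is not in the vault copy
    return unlock(WEAK_PASSWORD, missing_secret_key, salt, vault_verifier)


if __name__ == "__main__":
    print("owner with both secrets unlocks:", unlock(WEAK_PASSWORD, SECRET_KEY, SALT, VERIFIER))
    print("stolen vault copy + correct password only:", vault_copy_alone_unlocks(VERIFIER, SALT))
```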

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Well, if I had this password manager, I would have switched to another one yesterday. I feel kind of scammed myself--having thumbs-upped and even defended LastPass in a previous post for its "transparency"--only to find that there was lying by omission. Or did I read this wrongly? I dunno. Anyway.

One person's opinion on this breach:

He would know--first-hand, right? (creator of haveibeenpwned site).
 

piquiteco

Level 14
Thread author
Oct 16, 2022
626
It was a wrong decision and I think after this Lastpass fiasco all PM companies will have to actively consider enabling or adding local sync instead of the mandatory cloud if only to assure jittery customers.
I completely agree with what you said. (y)
 

piquiteco

Level 14
Thread author
Oct 16, 2022
626
For those of you who use LastPass and saw this news, don't panic because of this incident. If you are worried that your data was stolen, even though you know it is encrypted, and you are thinking about it, then activate two-step verification (2FA) on the most important and sensitive accounts little by little, then slowly activate it on the other accounts. Remember to back up the keys that generate the tokens or QR codes and keep them in a safe place, and back them up in several different places as a precaution; generate the alternate backup codes as well and save them in a safe place, as one day you may need them. Regarding your master password, I recommend you not use a common password like this
jL47F4xbTY-o+u&vqeeGuUg.yQBjBJGp*gN@
because you can forget this kind of password; a human being will have difficulty memorizing passwords like this, and even if you do, a sophisticated computer with modern GPUs, or maybe even a quantum computer, can crack them in a matter of days, hours, minutes or maybe seconds. Instead of using a master password like the one I mentioned above, use a passphrase, because a strong and unique passphrase is usually longer and only you know you created it, so it would be almost impossible to break. Here is an example of a passphrase
*R@mpage3 samba3 tartar+2=playgoer 4&strove@mate rnal4nadir.prey 3obligate5 Tarpon Billiard2 acetone1 Mohawk@Real9 creol3*
NOTE: Do not use the password I mentioned above anywhere, and much less this passphrase; it is cited only as an example and serves only for educational purposes. Now use your creativity to create a strong password or a unique and exclusive passphrase that only you know. Don't be lazy about creating a strong password: create a password or passphrase as long as you can, including words, numbers, uppercase and lowercase letters, special characters and spaces, then write it down on paper, memorize it and be safe. I hope this tip helps people a lot. ;)

It doesn't really matter if hackers get access to your online vault files as they are strongly encrypted. 1Password, for instance, goes as far as using a double key encryption, so good luck decrypting it before the sun becomes a big red ball of plasma...
Correct, with 1Password you have the Secret Key; even if a hacker somehow finds out your master password, he won't be able to access your vault data. (y)
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793

The intrusion disclosed in August that allowed hackers to steal LastPass source code and proprietary technical information appears related to a separate breach of Twilio, a San Francisco-based provider of two-factor authentication and communication services. The threat actor in that breach stole data from 163 of Twilio’s customers. The same phishers who hit Twilio also breached at least 136 other companies, including LastPass.
Thursday’s update said that the threat actor could use the source code and technical information stolen from LastPass to hack a separate LastPass employee and obtain security credentials and keys for accessing and decrypting storage volumes within the company’s cloud-based storage service.

Does anyone think LastPass is going to come out of this alive?
 

Andrezj

Level 6
Nov 21, 2022
248
Does anyone think LastPass is going to come out of this alive?
Yes, it will, just like the 135 other companies that were breached in the Twilio hack will survive.
The world does not take much notice or move much when cybersecurity events are reported.
There have been far worse cybersecurity events, and with those the world public did not do much of anything.
It is unlikely there will be a mass exodus from LastPass that causes it to collapse.
 

piquiteco

Level 14
Thread author
Oct 16, 2022
626
Does anyone think LastPass is going to come out of this alive?
Interesting. I read the article. Thanks for sharing! It is worrying; this is bad for LastPass on one hand, but on the other hand it serves as a lesson for other password manager companies that dealing with this data in the cloud is no joke: it is a valuable target for hackers. Let's hope that it really is encrypted and that hackers never get access, otherwise it can be a big headache for LastPass users. 😔
 

Cleo

Level 6
Verified
Well-known
May 25, 2020
283
As someone who changes their master password at least a couple of times per year I'd like to know which versions of my encrypted vault were taken.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Fair enough, as far as it goes. My guess is that many LastPass users do not have strong master passwords, even though the compromise of your encrypted password file should be part of your threat model. But, even so, note this unverified tweet:
I think the situation at @LastPass may be worse than they are letting on. On Sunday the 18th, four of my wallets were compromised. The losses are not significant. Their seeds were kept, encrypted, in my lastpass vault, behind a 16 character password using all character types.
If that’s true, it means that LastPass has some backdoor—possibly unintentional—into the password databases that the hackers are accessing. (Or that @Cryptopathic’s “16 character password using all character types” is something like “P@ssw0rdP@ssw0rd.”)

My guess is that we’ll learn more during the coming days. But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for “someone else’s computer,” and you need to understand how much or how little you trust that computer.

Another article/report that I can recommend:
you should change your master password first, before changing any passwords inside the vault, as a way of ensuring that any crooks who may already have figured out your old master password can’t view any of the new passwords in your updated vault.
Oh, and one more thing: an appeal to X-Ops teams, IT staff, sysadmins and technical writers everywhere.

When you want to say you’ve changed your passwords, or to recommend others to change theirs, can you stop using the misleading word rotate, and simply use the much clearer word change instead? Please don’t talk about “rotating credentials” or “password rotation”, because the word rotate, especially in computer science, implies a structured process that ultimately involves repetition.

For example, in a committee with a rotating chairperson, everyone gets a go at leading meetings, in a predetermined cycle, e.g. Alice, Bob, Cracker, Dongle, Mallory, Susan… and then Alice once again. And in machine code, the ROTATE instruction explicitly circulates the bits in a register. If you ROL or ROR (machine code mnemonics that denote rotation that goes leftwards or rightwards in Intel nomenclature) sufficiently many times, those bits will return to their original value. That is not at all what you want when you set out to change your passwords!
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Somebody just explained the LastPass PR statements. Fun to read (as long as you are not the LastPass company)

Yeah, I read this. It crystallizes what I and prob. a lot of others were already thinking and feeling: that the public statements painting LastPass as a "gosh, guys, let me heroically put the cards on the table but we can be easily forgiven" kind of place are in fact trying, in a very oily way, to throw the hounds off.

I never even used this software and I'm kind of feeling it here. Disappointing at the minimum. 🙁
 
