Lastpass says hackers accessed customer data in new breach

[R2D2]

The LastPass disclosure of leaked password vaults is being torn apart by security experts

Looks like this crisis will result in LP's credibility dying..that is, if it's not dead already.

 

[Stopspying]

YouTube

- The LastPass Hack Was Worse Than We Thought - Mental Outlaw's take on this.

 

[Arequire]

Looks like this crisis will result in LP's credibility dying

It should've died after the last breach. I think it's fair to say they're clearly incapable of securing their infrastructure.

 

[plat]

Restating what is becoming the obvious.

Spoiler

Out of curiosity, if I search LastPass via Duck Duck Go, this is what I got:

Spoiler

Probably cleaned up much of its act in a hurry and behind the scenes. But I myself would never trust them for anything after all these disclosures.

 

[piquiteco]

Probably cleaned up much of its act in a hurry and behind the scenes. But I myself would never trust them for anything after all these disclosures.

More in wikipedia will stay forever that incident and also in the Internet Archive, impossible to erase the digital tracks nowadays.

Spoiler: 2022 security incidents Lastpass

Spoiler: This page was last edited

 

[Divine_Barakah]

Here at MT, we are security conscious people. If anyone of us is using a cloud password manager, sooner or later we will be victims.

Cloud password managers are valuable targets for hackers.

Now each and every password manager brags about being AES encrypted, bit is it not the same ecryption that ransomware uses? Security companies such as Emsisoft and Bitdefender cracked many ransomware, so that means our password vaults can be cracked too?

 

[Zero Knowledge]

Now each and every password manager brags about being AES encrypted, bit is it not the same ecryption that ransomware uses? Security companies such as Emsisoft and Bitdefender cracked many ransomware, so that means our password vaults can be cracked too?

Anything is possible (side channel attacks) but breaking AES is not going to happen for many years with current computer hardware. Hackers are not breaking the encryption per say but there are vulnerabilities in the server side or databases holding the encrypted data and then I imagine they use credential stuffing attacks from other breaches or brute force attacks to gain entry to encrypted vaults.

*edit* If it was phishing then they had full access to all of their servers/databases/vaults/customer info. The above still stands. They are not breaking AES.

 

[R2D2]

Here at MT, we are security conscious people. If anyone of us is using a cloud password manager, sooner or later we will be victims.

There's truth in that.

When it's in the cloud a PM service can, and depending on how attractive a target it is for e.g. Lastpass, will be a target of hackers multiple times. This LP incident was supposedly via a phishing attempt not a break in via normal hacking methods so it basically paved the way for those hackers to grab what they wanted in their own sweet time over the next few months. Hackers grabbed a portion of their source code and customer data. Meanwhile LP unfortunately sat on its a$$ hoping and praying, engaging forensic experts to tell them what the problem is and who did it. The horse had already bolted. I wonder how much of a cover up LP is doing. They've messed up badly on several counts. What they disclosed in their blog stinks of a CYA operation and it seems a lawyer or set of lawyers drafted it. It's not the whole truth.

So what do you guys @ MT use for password management? Keepass and the likes?

 

[Zero Knowledge]

stinks of a CYA operation and it seems a lawyer or set of lawyers drafted it

100% correct, lawyers would be all over this now and I imagine they are directing the PR response.

 

[piquiteco]

@Zero Knowledge Thanks! for answering @Divine_Barakah's question about the encrypted PMs.

 

[Divine_Barakah]

So what do you guys @ MT use for password management? Keepass and the likes?

Personally I am using Enpass with WIfI sync. I used Sticky Password, but there is no custom field support so I dropped it in favor of Enpass.

 

[R2D2]

so I dropped it in favor of Enpass.

Right, I have a lifetime subs to Enpass but over at their forum there have been questions raised about code and security audits and the reply from them hasn't been the most forthcoming IMHO. I believe they had an audit done some years back (pre covid) and while they plugged security issues the audit report wasn't detailed enough or convincing. After which I gave Enpass a pass and shifted back to LP (Sigh! I know, I know ). And the latest audit reports are right here....from Jul '22.

Security Audit Report

Can some MT folks take a peep at those reports and let us know what you all think?

 

[Divine_Barakah]

Right, I have a lifetime subs to Enpass but over at their forum there have been questions raised about code and security audits and the reply from them hasn't been the most forthcoming IMHO. I believe they had an audit done some years back (pre covid) and while they plugged security issues the audit report wasn't detailed enough or convincing. After which I gave Enpass a pass and shifted back to LP (Sigh! I know, I know ). And the latest audit reports are right here....from Jul '22.

Security Audit Report

Can some MT folks take a peep at those reports and let us know what you all think?

I do agree that security audits when it comes to Enpass are concerning, but for it is not mich of a risk for the data is stored locally in my case. Unless Enpass is directly targetted by a piece of malware or the device is compromised (it is game over for any password manager), i have nothing to fear.

When you have your data available and accessible only locally, you have more control over the security. If the data is stored on the company’s servers, you have no control over its security and you have to trust the company and its security.

Personally, the only option that I completely trust is Keepass, but it is very inconvenient for it does not provide cross-platform compatibility. So we are left for either SP or Enpass. I am not aware of any other offline password managers.

 

[R2D2]

1password upto ver 7 had local sync till the gee whiz kids at Agilebits stopped it from v8 onwards. I have a perpetual license for v7 but again it would function much like Keepass and no guarantee it'll work with W11 and browser extensions.

I use KeepassXC as an archival solution to be honest it's too painful to use on a regular basis but Enpass and Sticky Password are in consideration.

What happened to LP can happen to any cloud PM company including BW, 1PW, Dashlane etc. Once the hacker is in the system via some phishing or social engg. method all bets are off.

 

[Divine_Barakah]

Can some MT folks take a peep at those reports and let us know what you all think?

I see the latest security assessment of the Windows app was conducted in July 2022. I am going to read the audit and see how thorough it is.

 

[Divine_Barakah]

1password upto ver 7 had local sync till the gee whiz kids at Agilebits stopped it from v8 onwards. I have a perpetual license for v7 but again it would function much like Keepass and no guarantee it'll work with W11 and browser extensions.

I know they killed it and that caused back fire, but guess what, users will move on and forget about it. I wholeheartedly hate the new version and I am not fond of subscriptions. The Electron thing added insult to injury. Thus, I left 1P behind.

 

[Zero Knowledge]

I wouldn't take security audits that seriously, much like AV tests they can lack credibility and I image (haven't dealt with personally) there many rouges audit firms. It also gives people a false sense of security because they only test with known vulnerabilities and design/implementation mistakes/issues when it comes to security and encryption. It doesn't mean the software is 100% secure, it's only secure at current knowledge and understanding and it the future that could/will/almost certainly change when a new bug class/exploit/vulnerability is found.

 

[Divine_Barakah]

I wouldn't take security audits that seriously, much like AV tests they can lack credibility and I image (haven't dealt with personally) there many rouges audit firms. It also gives people a false sense of security because they only test with known vulnerabilities and design/implementation mistakes/issues when it comes to security and encryption. It doesn't mean the software is 100% secure, it's only secure at current knowledge and understanding and it the future that could/will/almost certainly change when a new bug class/exploit/vulnerability is found.

From what I see, almost all password manager (which are audited), hired Cure53 to make the security assessment (this includes Dashlane, 1Password, Enpass, Remembear, and NordPass). While I do not take the results for granted, those assessment might shed some light on how much effort those companies put into their software.

Another very important thing is that companies might choose to publish only parts of the security audits reports hiding severe issues. They might also determine the scope of assessment. Enpass, for example, only asked for their Windows client to be assessed in July 2022 and not their mobile apps.

 

[Zero Knowledge]

Another very important thing is that companies might choose to publish only parts of the security audits reports hiding severe issues. They might also determine the scope of assessment. Enpass, for example, only asked for their Windows client to be assessed in July 2022 and not their mobile apps.

Exactly! The company only publishes what they want people to see. And your right, scope is very important for audits and especially for pen tests. There are certain areas that you cannot touch or go near. The companies ordering the audit determine what you can and can't do with their software/hardware.

 

[Divine_Barakah]

Exactly! The company only publishes what they want people to see. And your right, scope is very important for audits and especially for pen tests. There are certain areas that you cannot touch or go near. The companies ordering the audit determine what you can and can't do with their software/hardware.

Thus, we conclude that password managers are tools of convenience rather than security. I know this might sound radical, but I believe that there are many shortcomings in the password manager due to convenience. Otherwise, password managers would be impossible to use by end consumers.

At the end of the day, it is up to good practises, by users. If one uses a weak master password or even opt in to save it and have it entered for them or even save it in a plain txt file, then there is no point of using a password manager no matter how secure it is.