Lastpass says hackers accessed customer data in new breach

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Restating what is becoming the obvious.

Out of curiosity, if I search LastPass via Duck Duck Go, this is what I got:
lastpass.PNG
Probably cleaned up much of its act in a hurry and behind the scenes. But I myself would never trust them for anything after all these disclosures.
 

piquiteco

Level 14
Thread author
Verified
Top Poster
Well-known
Oct 16, 2022
624
Probably cleaned up much of its act in a hurry and behind the scenes. But I myself would never trust them for anything after all these disclosures.
More in wikipedia will stay forever that incident and also in the Internet Archive, impossible to erase the digital tracks nowadays.
1672388570583.png
1672388675433.png
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Here at MT, we are security conscious people. If anyone of us is using a cloud password manager, sooner or later we will be victims.

Cloud password managers are valuable targets for hackers.

Now each and every password manager brags about being AES encrypted, bit is it not the same ecryption that ransomware uses? Security companies such as Emsisoft and Bitdefender cracked many ransomware, so that means our password vaults can be cracked too?
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
869
Now each and every password manager brags about being AES encrypted, bit is it not the same ecryption that ransomware uses? Security companies such as Emsisoft and Bitdefender cracked many ransomware, so that means our password vaults can be cracked too?
Anything is possible (side channel attacks) but breaking AES is not going to happen for many years with current computer hardware. Hackers are not breaking the encryption per say but there are vulnerabilities in the server side or databases holding the encrypted data and then I imagine they use credential stuffing attacks from other breaches or brute force attacks to gain entry to encrypted vaults.

*edit* If it was phishing then they had full access to all of their servers/databases/vaults/customer info. The above still stands. They are not breaking AES.
 
Last edited:

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
Here at MT, we are security conscious people. If anyone of us is using a cloud password manager, sooner or later we will be victims.
There's truth in that.

When it's in the cloud a PM service can, and depending on how attractive a target it is for e.g. Lastpass, will be a target of hackers multiple times. This LP incident was supposedly via a phishing attempt not a break in via normal hacking methods so it basically paved the way for those hackers to grab what they wanted in their own sweet time over the next few months. Hackers grabbed a portion of their source code and customer data. Meanwhile LP unfortunately sat on its a$$ hoping and praying, engaging forensic experts to tell them what the problem is and who did it. The horse had already bolted. I wonder how much of a cover up LP is doing. They've messed up badly on several counts. What they disclosed in their blog stinks of a CYA operation and it seems a lawyer or set of lawyers drafted it. It's not the whole truth.

So what do you guys @ MT use for password management? Keepass and the likes?
 
Last edited:

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
so I dropped it in favor of Enpass.
Right, I have a lifetime subs to Enpass but over at their forum there have been questions raised about code and security audits and the reply from them hasn't been the most forthcoming IMHO. I believe they had an audit done some years back (pre covid) and while they plugged security issues the audit report wasn't detailed enough or convincing. After which I gave Enpass a pass and shifted back to LP (Sigh! I know, I know :( ). And the latest audit reports are right here....from Jul '22.

Security Audit Report

Can some MT folks take a peep at those reports and let us know what you all think?
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Right, I have a lifetime subs to Enpass but over at their forum there have been questions raised about code and security audits and the reply from them hasn't been the most forthcoming IMHO. I believe they had an audit done some years back (pre covid) and while they plugged security issues the audit report wasn't detailed enough or convincing. After which I gave Enpass a pass and shifted back to LP (Sigh! I know, I know :( ). And the latest audit reports are right here....from Jul '22.

Security Audit Report

Can some MT folks take a peep at those reports and let us know what you all think?
I do agree that security audits when it comes to Enpass are concerning, but for it is not mich of a risk for the data is stored locally in my case. Unless Enpass is directly targetted by a piece of malware or the device is compromised (it is game over for any password manager), i have nothing to fear.

When you have your data available and accessible only locally, you have more control over the security. If the data is stored on the company’s servers, you have no control over its security and you have to trust the company and its security.

Personally, the only option that I completely trust is Keepass, but it is very inconvenient for it does not provide cross-platform compatibility. So we are left for either SP or Enpass. I am not aware of any other offline password managers.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
1password upto ver 7 had local sync till the gee whiz kids at Agilebits stopped it from v8 onwards. I have a perpetual license for v7 but again it would function much like Keepass and no guarantee it'll work with W11 and browser extensions.

I use KeepassXC as an archival solution to be honest it's too painful to use on a regular basis but Enpass and Sticky Password are in consideration.

What happened to LP can happen to any cloud PM company including BW, 1PW, Dashlane etc. Once the hacker is in the system via some phishing or social engg. method all bets are off.
 
  • Like
Reactions: Divine_Barakah

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Can some MT folks take a peep at those reports and let us know what you all think?
I see the latest security assessment of the Windows app was conducted in July 2022. I am going to read the audit and see how thorough it is.
 
  • Like
Reactions: R2D2

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
1password upto ver 7 had local sync till the gee whiz kids at Agilebits stopped it from v8 onwards. I have a perpetual license for v7 but again it would function much like Keepass and no guarantee it'll work with W11 and browser extensions.
I know they killed it and that caused back fire, but guess what, users will move on and forget about it. I wholeheartedly hate the new version and I am not fond of subscriptions. The Electron thing added insult to injury. Thus, I left 1P behind.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
869
I wouldn't take security audits that seriously, much like AV tests they can lack credibility and I image (haven't dealt with personally) there many rouges audit firms. It also gives people a false sense of security because they only test with known vulnerabilities and design/implementation mistakes/issues when it comes to security and encryption. It doesn't mean the software is 100% secure, it's only secure at current knowledge and understanding and it the future that could/will/almost certainly change when a new bug class/exploit/vulnerability is found.
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
I wouldn't take security audits that seriously, much like AV tests they can lack credibility and I image (haven't dealt with personally) there many rouges audit firms. It also gives people a false sense of security because they only test with known vulnerabilities and design/implementation mistakes/issues when it comes to security and encryption. It doesn't mean the software is 100% secure, it's only secure at current knowledge and understanding and it the future that could/will/almost certainly change when a new bug class/exploit/vulnerability is found.
From what I see, almost all password manager (which are audited), hired Cure53 to make the security assessment (this includes Dashlane, 1Password, Enpass, Remembear, and NordPass). While I do not take the results for granted, those assessment might shed some light on how much effort those companies put into their software.

Another very important thing is that companies might choose to publish only parts of the security audits reports hiding severe issues. They might also determine the scope of assessment. Enpass, for example, only asked for their Windows client to be assessed in July 2022 and not their mobile apps.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
869
Another very important thing is that companies might choose to publish only parts of the security audits reports hiding severe issues. They might also determine the scope of assessment. Enpass, for example, only asked for their Windows client to be assessed in July 2022 and not their mobile apps.

Exactly! The company only publishes what they want people to see. And your right, scope is very important for audits and especially for pen tests. There are certain areas that you cannot touch or go near. The companies ordering the audit determine what you can and can't do with their software/hardware.
 
  • +Reputation
Reactions: Divine_Barakah

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Exactly! The company only publishes what they want people to see. And your right, scope is very important for audits and especially for pen tests. There are certain areas that you cannot touch or go near. The companies ordering the audit determine what you can and can't do with their software/hardware.
Thus, we conclude that password managers are tools of convenience rather than security. I know this might sound radical, but I believe that there are many shortcomings in the password manager due to convenience. Otherwise, password managers would be impossible to use by end consumers.

At the end of the day, it is up to good practises, by users. If one uses a weak master password or even opt in to save it and have it entered for them or even save it in a plain txt file, then there is no point of using a password manager no matter how secure it is.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top