Lastpass says hackers accessed customer data in new breach

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Thanks for the link.

And LastPass has long been criticized for storing its vault data in a hybrid format where items like passwords are encrypted but other information, like URLs, are not. In this situation, the plaintext URLs in a vault could give attackers an idea of what’s inside and help them to prioritize which vaults to work on cracking first.
This really sucks.
 

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
814

"Last August, LastPass reported a security breach, saying that no customer information—or passwords—were compromised. Turns out the full story is worse:
While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
[…]
To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
That’s bad. It’s not an epic disaster, though.
These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.
So, according to the company, if you chose a strong master password—here’s my advice on how to do it—your passwords are safe. That is, you are secure as long as your password is resilient to a brute-force attack. (That they lost customer data is another story….)
Fair enough, as far as it goes. My guess is that many LastPass users do not have strong master passwords, even though the compromise of your encrypted password file should be part of your threat model. But, even so, note this unverified tweet:
I think the situation at @LastPass may be worse than they are letting on. On Sunday the 18th, four of my wallets were compromised. The losses are not significant. Their seeds were kept, encrypted, in my lastpass vault, behind a 16 character password using all character types.
If that’s true, it means that LastPass has some backdoor—possibly unintentional—into the password databases that the hackers are accessing. (Or that @Cryptopathic’s “16 character password using all character types” is something like “P@ssw0rdP@ssw0rd.”)
My guess is that we’ll learn more during the coming days. But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for “someone else’s computer,” and you need to understand how much or how little you trust that computer.
If you’re changing password managers, look at my own Password Safe. Its main downside is that you can’t synch between devices, but that’s because I don’t use the cloud for anything."
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
And this time CNET has this to say about Lastpass here Best Password Manager to Use for 2023:

Previously, we had selected LastPass as our "best paid password manager." However, because of the severity of these incidents, we've decided (as of late December 2022) to temporarily remove LastPass from our list of recommendations, pending a re-review of the service in early 2023. Potential customers and anyone who's uncomfortable with LastPass's continuing security challenges should take a close look at the alternatives presented elsewhere in this story.

This time around LP isn't getting away and will pay the price. Deservedly so. It is just the beginning of a downslide.
 
Last edited:

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
814
I missed this post from Dec 28th but I think it is still worth highlighting here more detail about the failings of Lastpass -

"LastPass has been breached, data has been stolen. I already pointed out that their official statement is misleading. I also explained that decrypting passwords in the stolen data is possible which doesn’t mean however that everybody is at risk now. For assessing whether you are at risk, a fairly hidden setting turned out critical: password iterations.
LastPass provides an instruction to check this setting. One would expect it to be 100,100 (the LastPass default) for almost everyone. But plenty of people report having 5,000 configured there, some 500 and occasionally it’s even 1 (in words: one) iteration.

Let’s say this up front: this isn’t the account holders’ fault. It rather is a massive failure by LastPass. They have been warned, yet they failed to act. And even now they are failing to warn the users who they know are at risk...."

I missed this post from Dec 28th but I think it is still worth highlighting here more detail about the failings of Lastpass -

"LastPass has been breached, data has been stolen. I already pointed out that their official statement is misleading. I also explained that decrypting passwords in the stolen data is possible which doesn’t mean however that everybody is at risk now. For assessing whether you are at risk, a fairly hidden setting turned out critical: password iterations.
LastPass provides an instruction to check this setting. One would expect it to be 100,100 (the LastPass default) for almost everyone. But plenty of people report having 5,000 configured there, some 500 and occasionally it’s even 1 (in words: one) iteration.

Let’s say this up front: this isn’t the account holders’ fault. It rather is a massive failure by LastPass. They have been warned, yet they failed to act. And even now they are failing to warn the users who they know are at risk...."
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
Some quotes:
You see, I'm not simply recommending that users bail on LastPass because of this latest breach. I'm recommending you run as far way as possible from LastPass due to its long history of incompetence, apathy, and negligence. It's abundantly clear that they do not care about their own security, and much less about your security.
Is the cloud the problem? No. The vast majority of issues LastPass has had have nothing to do with the fact that it is a cloud-based solution. Further, consider the fact that the threat model for a cloud-based password management solution should *start* with the vault being compromised. In fact, if password management is done correctly, I should be able to host my vault anywhere, even openly downloadable (open S3 bucket, unauthenticated HTTPS, etc.) without concern. I wouldn't do that, of course, but the point is the vault should be just that -- a vault, not a lockbox.
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
or even opt in to save it and have it entered for them ….then there is no point of using a password manager no matter how secure it is.
1Password saves the master password inside the vault, which can be deleted should the user wishes.

OC was deleted, but the replies are visible in this reddit post, shared below.
reddit user:

I'm not sure why you're worried?

The 1Password entry is created inside a locked vault. It's like keeping a spare set of keys inside your house; it's not a security issue.

Leaving a password manager unlocked in public is a user behaviour issue that no password manager can guard against. If you leave your password manager unlocked and unattended in public, anyone could just use the export feature to export all your passwords. Or create themselves a copy of the emergency kit and steal it. Or simply use your password manager to log into your accounts and reset all your passwords and lock you out of your own accounts.

In other words, a password manager isn't designed to protect you if you leave it unlocked where anyone could access its contents. So don't do that.

1Password Security Team:

This is a great answer.

Keep in mind that using that Starter Kit item to fill your data into 1Password on the web actually has a security benefit: avoiding phishing attempts. 1Password will only fill your credentials into a genuine copy of 1Password on the web, at the exact correct URL. Humans may not be as good at detecting if they’ve come across a fake or imitation. In this sense, keeping your credentials within 1Password for use is safer than not doing so.
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
  • Like
Reactions: R2D2 and roger_m

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
@Divine_Barakah I began changing passwords to my most critical websites as soon as I read of the breach on the morning of Dec 22/23 and fully migrated to 1PW and Bitwarden. After taking a backup, my LP account and that of my family members were deleted an active family subscription notwithstanding.

I've been a Bitwarden subscriber since 2017 all thanks to the good folks here at MalwareTips. Happened 2-3 months after I signed up at this forum in Aug '17 (subbed to BW in Nov '17 IIRC) . And of course I thought I'd give a new startup based offering an open source PM a chance. I am so glad I did. :)

I've used and/or subscribed to nearly every PM out there starting with the granndaddy of 'em all Roboform which was a good app but and LP quickly became my favourite. Yes, stupid of me not to see the writing on the wall years ago when the hack attacks began.

Anyway, I've changed passwords to nearly all the several hundred sites I had in LP, disabled renabled 2FA on the critical ones to generate new tokens, regenerated new backup recovery codes. Ditto for my family members' accounts.

It has been a very painful and tedious job over the past 2+ weeks and still continues for minor sites. Unfortunately there's nothing I can do about the safe/secure notes but cross my fingers & hope they're not decrypted as they contain a lot of personal and other data. I am so darned angry with LP!!
 
Last edited:

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
@Divine_Barakah I began changing passwords to my most critical websites as soon as I read of the breach on the morning of Dec 22/23 and fully migrated to 1PW and Bitwarden. After taking a backup, my LP account and that of my family members were deleted an active family subscription notwithstanding.

I've been a Bitwarden subscriber since 2017 all thanks to the good folks here at MalwareTips. Happened 2-3 months after I signed up at this forum in Aug '17 (subbed to BW in Nov '17 IIRC) . And of course I thought I'd give a new startup based offering an open source PM a chance. I am so glad I did. :)

I've used and/or subscribed to nearly every PM out there starting with the granndaddy of 'em all Roboform which was a good app but and LP quickly became my favourite. Yes, stupid of me not to see the writing on the wall years ago when the hack attacks began.

Anyway, I've changed passwords to nearly all the several hundred sites I had in LP, disabled renabled 2FA on the critical ones to generate new tokens, regenerated new backup recovery codes. Ditto for my family members' accounts.

It has been a very painful and tedious job over the past 2+ weeks and still continues for minor sites. Unfortunately there's nothing I can do about the safe/secure notes but cross my fingers & hope they're not decrypted as they contain a lot of personal and other data. I am so darned angry with LP!!
Calling yourself stupid for you trusted a password manager is not right. Lastpass is one of the best PMs functionality wise. I feel sorry for them because it seems their end is inevitable now.

So glad that you migrated to BW. Regarding your safe memos, I am going to say one thing. Please do not put all your eggs in one basket. One more thing, it is wise to not sync your private data to the cloud to avoid situations such as lastpass’s. I do know it is a little inconvenient, but is it worth the risk?

I do not want to spread paranoia, but believe me BW can suffer the same as LP. Unfortunately, self-hosting Bw is not an easy task. Thus, it is up to you if you want to keep your data synced to the cloud or migrate to another offline PM.

Now for sure can anybody here at MT or even MT itself offer an instance of BW hosted at MT servers? That would be nice right?
 
  • Thanks
  • Like
Reactions: Stopspying and R2D2

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
Calling yourself stupid for you trusted a password manager is not right. Lastpass is one of the best PMs functionality wise. I feel sorry for them because it seems their end is inevitable now.

So glad that you migrated to BW. Regarding your safe memos, I am going to say one thing. Please do not put all your eggs in one basket. One more thing, it is wise to not sync your private data to the cloud to avoid situations such as lastpass’s. I do know it is a little inconvenient, but is it worth the risk?

I do not want to spread paranoia, but believe me BW can suffer the same as LP. Unfortunately, self-hosting Bw is not an easy task. Thus, it is up to you if you want to keep your data synced to the cloud or migrate to another offline PM.

Well, I am quite clued into the IT industry having worked in it for decades on both desktop & enterprise applications so I blame myself for not having seen the writing on the wall. :)

You're right about the 'eggs in one basket' bit - all my new recovery codes are now downloaded to my PC, stored on a NAS and USB hard drive and copies encrypted using good ol' Ccryptomator and stored on multiple cloud drives. Never again will I begin using my PM to store personal data.

And you're absolutely 100% right, what happened to LP could happen to any cloud based PM service so we have to make our choices. Though I have Sticky Password and Enpass + use Keepass as an archiver, BW, 1PW and Dashlane have that ease of use that makes them so enjoyable to use especially for non geeks like my wife and other family members. There would be howls of protest if were ever to push Keepass or similar as a solution. LOL! :D
 
  • Applause
Reactions: Divine_Barakah

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Well, I am quite clued into the IT industry having worked in it for decades on both desktop & enterprise applications so I blame myself for not having seen the writing on the wall. :)

You're right about the 'eggs in one basket' bit - all my new recovery codes are now downloaded to my PC, stored on a NAS and USB hard drive and copies encrypted using good ol' Ccryptomator and stored on multiple cloud drives. Never again will I begin using my PM to store personal data.

And you're absolutely 100% right, what happened to LP could happen to any cloud based PM service so we have to make our choices. Though I have Sticky Password and Enpass + use Keepass as an archiver, BW, 1PW and Dashlane have that ease of use that makes them so enjoyable to use especially for non geeks like my wife and other family members. There would be howls of protest if were ever to push Keepass or similar as a solution. LOL! :D
Cryptomator a nice piece of software. I can’t imagine my life without it.

SP and Enpass are great especially for syncing passwords over WIFI. Enpass does offer a family plan and is currently on sale $24/year.

While Dashlane is great, I am using it btw, it is cloud based so I would not store anything critical in it. Enpass, on the other hand, can be used offline and that provides peace of mind. Enpass is fully-featured not like Keepass.
 
  • Like
Reactions: R2D2
G

Guilhermesene

Hello guys,

I have a doubt: I didn't know about Lastpass, I only used Bitwarden (I'm sick of it) and offline password managers like KeePass. I created a random account just to check how Lastpass works and I liked it. Is anyone still using it? Is there any risk? If so, is there a product similar to LastPass?

I was reading on the LastPass blog and from what I understand, even if the data has been leaked, hackers will not be able to access the vault since there is no way to know the master password of each vault because LastPass is zero knowledge, but I could be wrong because I never used the service. What opinion can you give me about this?

Thank you all! 🙂
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top