Lastpass says hackers accessed customer data in new breach

I Walk MY Way

Level 6
Verified
Well-known
May 27, 2013
281
o_Oo_O Dont think of last pass as a Password Manager think of it a a IQ test, last pass has failed on security lied and been far from truthful about security incidents, why would you trust them with your data? Would you ask a fraudster to look after your money ?
 
G

Guilhermesene

o_Oo_O Dont think of last pass as a Password Manager think of it a a IQ test, last pass has failed on security lied and been far from truthful about security incidents, why would you trust them with your data? Would you ask a fraudster to look after your money ?
Yes, I understand and I won't do that.

As I am new and have NEVER used the service, I was just curious to know if some users will continue to use it and if it is safe.

Right now all my passwords are managed by KeePass (fully offline). It is a pity that LastPass reached this point, for the short time I "used" the service, about 30 minutes, it seemed to me to be a great password manager.
 
  • Like
Reactions: Divine_Barakah

Divine_Barakah

Level 29
Verified
Top Poster
Well-known
May 10, 2019
1,854
Hello guys,

I have a doubt: I didn't know about Lastpass, I only used Bitwarden (I'm sick of it) and offline password managers like KeePass. I created a random account just to check how Lastpass works and I liked it. Is anyone still using it? Is there any risk? If so, is there a product similar to LastPass?

I was reading on the LastPass blog and from what I understand, even if the data has been leaked, hackers will not be able to access the vault since there is no way to know the master password of each vault because LastPass is zero knowledge, but I could be wrong because I never used the service. What opinion can you give me about this?

Thank you all! 🙂
Functionalit wise, Lastpass is great. In terms of security, any cloud password manager is not to be trusted no matter how they market it.

Please any password manager that offers offline syncing (via wifi). Sticky Password and Enpass both offer such functionality.
 
  • Thanks
Reactions: Guilhermesene
G

Guilhermesene

Functionalit wise, Lastpass is great. In terms of security, any cloud password manager is not to be trusted no matter how they market it.
Cool, that's good to know. That's what I thought, as a password manager (in terms of functionality) it seemed excellent to me, but it has this other downside that you mentioned.

I have a lifetime license of SP, however, I don't know if it works on MacOS as well.

I would like something similar to LastPass that syncs between my devices (android, mac and windows). The way is to continue using KeePass despite the difficulty in synchronizing between devices.
 
  • Like
Reactions: Divine_Barakah

Divine_Barakah

Level 29
Verified
Top Poster
Well-known
May 10, 2019
1,854
Cool, that's good to know. That's what I thought, as a password manager (in terms of functionality) it seemed excellent to me, but it has this other downside that you mentioned.

I have a lifetime license of SP, however, I don't know if it works on MacOS as well.

I would like something similar to LastPass that syncs between my devices (android, mac and windows). The way is to continue using KeePass despite the difficulty in synchronizing between devices.
Users complained on Trustpilot on SP functionality on Mac. Anyway, give it a try and see how it works. Then try Enpass and see how it works and then you can decide what works best fir you.
 
  • Thanks
Reactions: Guilhermesene

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
I was reading on the LastPass blog and from what I understand, even if the data has been leaked, hackers will not be able to access the vault since there is no way to know the master password of each vault because LastPass is zero knowledge
While the hackers don't know the master passwords, by having copies of the vaults in their possession, they have an unlimited amount of time to crack them. Think about how bad people are at coming up with secure passwords on their own, and now imagine how many LastPass users were using weak master passwords when the vaults were stolen. The fallout's not going to be pretty.
 

Divine_Barakah

Level 29
Verified
Top Poster
Well-known
May 10, 2019
1,854
While the hackers don't know the master passwords, by having copies of the vaults in their possession, they have an unlimited amount of time to crack them. Think about how bad people are at coming up with secure passwords on their own, and now imagine how many LastPass users are using weak master passwords. The fallout's not going to be pretty.
Exactly, it is a gample I am not willing to take.

But what users are doing is unrational. Most of them migrated to BW, which is also cloud-based. The fact that jt is open source does not make things any better. The data is stored in the cloud and the same thing can happen.
 
G

Guilhermesene

Exactly, it is a gample I am not willing to take.

But what users are doing is unrational. Most of them migrated to BW, which is also cloud-based. The fact that jt is open source does not make things any better. The data is stored in the cloud and the same thing can happen.
Really you are right.

Right now I'm using KeePassXC (because it works on both Mac and Windows) and I keep everything offline with backup copies on other external devices that are also protected by Bitlocker.

Even though the synchronization between the devices is a little inconvenient, I'll keep it that way, for the sake of greater security.

Thank you for your answers and for your attention. @Divine_Barakah and @Arequire.
 
  • Like
Reactions: Divine_Barakah

RoboMan

Level 34
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
"We have determined that an unauthorized party,[U] using information obtained in the August 2022 incident, was able to gain access[/U] to certain elements of our customers' information."

How on earth do you have a security incident and still manage to keep the same configurations? Even more, how do you get information compromised and don't take the necessary measures as to avoid stolen information being used to attack again?
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
I don’t think the problem is being a cloud pw in itself. But rather how badly Lastpass handle the security of its users.

If they had

- Encrypted website URLs
- Properly notified users of weak master passwords
- Properly increase all users password iterations

Could this had prevented the hack? Nah, I don’t think so. But the hack wouldn’t have been as catastrophic as we have today.
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
Exactly, it is a gample I am not willing to take.

But what users are doing is unrational. Most of them migrated to BW, which is also cloud-based. The fact that jt is open source does not make things any better. The data is stored in the cloud and the same thing can happen.
Ultimately it's a personal decision. There's always risk no matter where you choose to store your data. Obviously this LastPass breach shows how damaging it can be if you choose to store your data on someone else's server, and that data is accessed by a malicious actor, but that doesn't mean it's guaranteed to happen. But even those who opt to store data locally are still at risk of malware infecting their system and exfiltrating that data (which, again, doesn't mean it's guaranteed to happen, but the risk is still present).
 

Divine_Barakah

Level 29
Verified
Top Poster
Well-known
May 10, 2019
1,854
Really you are right.

Right now I'm using KeePassXC (because it works on both Mac and Windows) and I keep everything offline with backup copies on other external devices that are also protected by Bitlocker.

Even though the synchronization between the devices is a little inconvenient, I'll keep it that way, for the sake of greater security.

Thank you for your answers and for your attention. @Divine_Barakah and @Arequire.
I really like KeepassXC, but the absense of dedicated mobile apps made me look elsewhere.

I don’t think the problem is being a cloud pw in itself. But rather how badly Lastpass handle the security of its users.

If they had

- Encrypted website URLs
- Properly notified users of weak master passwords
- Properly increase all users password iterations

Could this had prevented the hack? Nah, I don’t think so. But the hack wouldn’t have been as catastrophic as we have today.
But storing password locally gives more control and peace of mind.

A havk is still a hack. If for example Bw was havked and they informed users that no data was accessed? What would you do? Youll have doubts and most likely you will panic.

Thus, it is sound to keep you data locally stored.
Ultimately it's a personal decision. There's always risk no matter where you choose to store your data. Obviously this LastPass breach shows how damaging it can be if you choose to store your data on someone else's server, and that data is accessed by a malicious actor, but that doesn't mean it's guaranteed to happen. But even those who opt to store data locally are still at risk of malware infecting their system and exfiltrating that data (which, again, doesn't mean it's guaranteed to happen, but the risk is still present).
You are right. Offline password managers have attack vectors, but they are simply not prone to the same attack vectors of online password managers.

A server containing the dafa of millions of users is a valuable target.
 
  • Like
Reactions: Guilhermesene

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
But storing password locally gives more control and peace of mind.

A havk is still a hack. If for example Bw was havked and they informed users that no data was accessed? What would you do? Youll have doubts and most likely you will panic.

Thus, it is sound to keep you data locally stored.

You are right. Offline password managers have attack vectors, but they are simply not prone to the same attack vectors of online password managers.

A server containing the dafa of millions of users is a valuable target.
Remember not all users want control. (it’s the reason why HIPS aren’t popular) they rather have convenience.
 

Divine_Barakah

Level 29
Verified
Top Poster
Well-known
May 10, 2019
1,854
Remember not all users want control. (it’s the reason why HIPS aren’t popular) they rather have convenience.
You have a point here. Tbh if users are responsible of taking care of syncing password using for example Enpass, they might lose all of their passwords. Cloud password managers take care of that but that comes at a price.
 

piquiteco

Level 14
Thread author
Oct 16, 2022
626
I will sync my passwords to the cloud no problem, but I will do the following, keep only a part of the password like this "3zN$KSohZn!vR78&cvXC" the rest that would be suffix or prefix would be basically like this + U4!5J%x^s* I will memorize the rest in my memory and if the cloud service is hacked good luck to the hacker😉
 
  • Like
  • Applause
Reactions: enaph and Azure

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
I will sync my passwords to the cloud no problem, but I will do the following, keep only a part of the password like this "3zN$KSohZn!vR78&cvXC" the rest that would be suffix or prefix would be basically like this + U4!5J%x^s* I will memorize the rest in my memory and if the cloud service is hacked good luck to the hacker😉
I remember a few years ago. In another security forum, a user doing and suggesting what you describe here. Splitting passwords between password managers and IRL
 
  • Like
Reactions: piquiteco

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
I really like KeepassXC, but the absense of dedicated mobile apps made me look elsewhere.
For Keepass, take a look at Keepassium and Strongbox available on iOS, not sure about Android.

I've been a Lastpass refugee/victim thanks to their nonchalant attitude towards security not just recently but going back years when it was clearly their job to educate and update customers/users about the risks & the mitigation strategies users ought to take immediately in case of hack attempts AND strengthen their own defences against such breaches.

Lastpass it seems was a sitting duck. I mean what so called security company employee falls for a phishing scam?! Aren't the employees trained and do they attend refresher courses in data security at regular intervals?

I've used Lastpass for about a decade or maybe just a bit longer, since 2012/13 IIRC. When I look back I think ever since LP changed hands and with the entry of PE investors something fundamentally changed in their outlook. LP became more profit oriented with my subscription increasing from $12/year to $24/year to $36/year, restriction in # of devices that can access the service (2021). Security of data became low priority just as hack attacks increased.

As I said earlier on this thread I blame myself for not seeing the danger signs and moving out instead revelling in the comfort of using, what is even today, one of the most user friendly and complete password managers on the market. And this after coming straight from Roboform an established PM in its own right (and the 1st one I ever used ) but one that hardly gets any love by reviewers or even on social media and other fora. LP does everything so well and it's really hard to fault LPs functionality and ease of use. The UI could do a bit of sprucing up but that's secondary.

I admit what happened to LP can happen to BW or 1Password or other cloud PM but I found Lastpass' approach and response extremely lackadaisical and wanting. The current brouhaha smacks of a CYA operation that is driven by lawyers to minimise the risks of legal fallouts. I get the feeling things are much worse on the inside than LP cares to admit publicly.

Oh well, live and learn.
 
Last edited:

piquiteco

Level 14
Thread author
Oct 16, 2022
626
For Keepass, take a look at Keepassium and Strongbox available on iOS, not sure about Android.
For Android it is Keepass2Android or KeePassDX (y)

I remember a few years ago. In another security forum, a user doing and suggesting what you describe here. Splitting passwords between password managers and IRL
Yes, exactly it was in security forum, I just remember where, later I saw it on Youtube, the curious thing is that the person who uses it this way is a developer seems more paranoid than me. 😁
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top