Lastpass says hackers accessed customer data in new breach

mlnevese

Level 26
Verified
Top Poster
Well-known
May 3, 2015
1,536
Hello guys,

I have a doubt: I didn't know about Lastpass, I only used Bitwarden (I'm sick of it) and offline password managers like KeePass. I created a random account just to check how Lastpass works and I liked it. Is anyone still using it? Is there any risk? If so, is there a product similar to LastPass?

I was reading on the LastPass blog and from what I understand, even if the data has been leaked, hackers will not be able to access the vault since there is no way to know the master password of each vault because LastPass is zero knowledge, but I could be wrong because I never used the service. What opinion can you give me about this?

Thank you all! 🙂
Breaching the servers and getting access to your vault file doesn't do much actually. It's still necessary to know your vault's password to decrypt the file so, unless you use an extremely weak password, it would take thousands of years to decrypt with current technology.

Actually, depending on your key strength, the heat death of the universe will happen first...


 

Divine_Barakah

Level 29
Verified
Top Poster
Well-known
May 10, 2019
1,854
Breaching the servers and getting access to your vault file doesn't do much actually. It's still necessary to know your vault's password to decrypt the file so, unless you use an extremely weak password, it would take thousands of years to decrypt with current technology.

Actually, depending on your key strength, the heat death of the universe will happen first...


But what if a password manager had a backdoor and the malicious actors got access to that? What about wrong implementation of encryption? What if the password manager lied about storing the master password or its derivative?
 

piquiteco

Level 14
Thread author
Oct 16, 2022
626
@mlnevese Testing 1password seems good, I liked it and it's convenient and very friendly, it left my heart even divided with other PMs(y)
 

mlnevese

Level 26
Verified
Top Poster
Well-known
May 3, 2015
1,536
@mlnevese Testing 1password seems good, I liked it and it's convenient and very friendly, it left my heart even divided with other PMs(y)
They have been adding a lot of features lately. For instance, if you use your Google account to log in somewhere and have multiple Google accounts, it'll not only record that you used a Google account but which one should be used. It also works with Facebook and other 3rd-party login methods.

I really like it. From all the managers I tested it was the one that better covered my needs. The ability to show your password in big characters is a gift when I have to configure a new TV, for instance.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
@piquiteco about 1Password - their customer support is friendly and quite responsive. I think they're flooded, as would be Bitwarden support, with enquiries after the LP fiasco. For good user interface look no further than 1Password. Next is Dashlane and then Bitwarden. In terms of security they all claim to be secure but then Lastpass claimed this too until the #hit hit the fan last month. :D For noobs I'd suggest 1PW without a doubt and for flexibility (self hosting) and geeks it would be Bitwarden. Dashlane is somewhere in the middle. Like LP, Dashlane only has a web UI. They discontinued their desktop app in '21 or '22. Dashlane uses the Argon2 KDF by default but you can switch to PBKDF2 in the account settings.

Now more about LP - deleted accounts can be restored but with no guarantee of data being available. I tested this by emailing their support team. They restored my wife's account but could not restore mine. I checked that the KDF iteration value was 5000, while my LP account was set to 100,100 (default), which I checked before deleting it on Christmas Day. I have retained these 2 recreated LP accounts as guinea pigs... test mules.

Also, my wife's BW account was also set at 5K, since increased to 310K. Please double-check your BW settings, especially for those accounts created in 2017/18.
 

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
814
Take a look at this, Steve Gibson cites a method to download and deobfuscate an old LastPass vault. It allows you to prepare an Excel spreadsheet of the contents.

https://www.grc.com/sn/sn-905-notes.pdf

 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Well, this prob. deserves its own thread (I dunno) but someone big has joined the password manager breach train!


Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks.

According to a letter sample shared with the Office of the Vermont Attorney General, the attacks did not result from a breach on the company but from account compromise on other platforms.

"Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account," NortonLifeLock said.

LastPass people be like...happy? My GIF wouldn't move so I deleted it. Sorry.
 

Divine_Barakah

Level 29
Verified
Top Poster
Well-known
May 10, 2019
1,854
I have recently started encountering sync and UI issues in Enpass, so I migrated to Roboform. I enabled 2FA and increased the encryption iteration count to 300000. I tried increasing it to 500000 but the vault took too long to decrypt on my iPhone.

Increasing the encryption iteration count is good against brute-force attacks.
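An added illustration (not code from the thread or from any of the vendors named in it) of the point made in this post and in R2D2's note about the 5,000 vs 100,100 vs 310K iteration values above: the KDF iteration count multiplies the cost of every guess an attacker makes against a stolen vault. It assumes the vault key is derived with PBKDF2-HMAC-SHA256 and a 32-byte output; the salt and master password below are constructed sample values.

```python
"""Added example: why the KDF iteration count matters for a stolen vault.

Assumption: the master password is stretched with PBKDF2-HMAC-SHA256 into a
256-bit vault key. The iteration counts are the ones quoted in the thread.
"""
import hashlib
import os
import time

SALT = os.urandom(16)          # constructed sample salt; real vaults store one per user
PASSWORD = b"correct horse"    # constructed sample master password

def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)

def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Measure the wall-clock cost of one derivation at the given iteration count.
    The attacker pays this (or a GPU-scaled fraction of it) for every candidate."""
    best = float("inf")
    for _ in range(trials):
        t0 = time.perf_counter()
        derive_key(PASSWORD, SALT, iterations)
        best = min(best, time.perf_counter() - t0)
    return best

def relative_cost(low: int, high: int) -> float:
    """How many times more work a single guess costs at `high` than at `low`
    iterations. PBKDF2 cost is linear in the count, so 5,000 -> 310,000 is 62x."""
    return high / low

def brute_force_hours(candidates: int, sec_per_guess: float) -> float:
    """Hours needed to try `candidates` passwords sequentially at this cost per guess."""
    return candidates * sec_per_guess / 3600

if __name__ == "__main__":
    # A modest wordlist of 10 million candidate passphrases (constructed figure).
    candidates = 10_000_000
    for iters in (5_000, 100_100, 300_000, 310_000):
        cost = seconds_per_guess(iters)
        print(f"{iters:>8} iterations: {cost * 1000:7.1f} ms/guess, "
              f"{brute_force_hours(candidates, cost):10.1f} h for {candidates:,} guesses, "
              f"{relative_cost(5_000, iters):5.1f}x the cost of 5,000")
```

The defender-side trade-off is the one this post describes: the same linear factor that slows an attacker also slows the legitimate unlock on a phone, which is why a value like 500,000 can feel sluggish on older hardware.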
 

Guilhermesene

Good thing I use everything OFFLINE (obviously with backup copies on 2 external hard drives of 4 TB each).

When I say everything, I literally mean everything.

My personal files, documents etc, plus KeePass password vault.

I don't trust anything in the cloud.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
The way things are going it's going to be safer to use a product with local sync (Enpass, Sticky Password) or manual sync (Keepass) to keep your data safe.

It seems there was a concerted set of intrusion attempts (some successful like Lastpass and Norton) against these companies in 2022. Whether by hacker gangs or hostile countries is only a guess. It's only a matter of time before hackers turn their attention to 1Password, Bitwarden and Dashlane.

All we users/subscribers can do is go with local sync or use cloud PMs employing really strong passwords/passphrases along with 2FA to secure accounts. But I am more interested in what these companies are planning to tackle this menace instead of boasting "We've never been hacked" as 1Password and Dashlane have been trumpeting since the LP fiasco. They were not hacked because Lastpass is a larger and more attractive target plus it was possibly easier to break LP defences.
 
