Lastpass says hackers accessed customer data in new breach

mlnevese

Level 28
Verified
Top Poster
Well-known
May 3, 2015
1,761
Hello guys,

I have a doubt: I didn't know about Lastpass, I only used Bitwarden (I'm sick of it) and offline password managers like KeePass. I created a random account just to check how Lastpass works and I liked it. Is anyone still using it? Is there any risk? If so, is there a product similar to LastPass?

I was reading on the LastPass blog and from what I understand, even if the data has been leaked, hackers will not be able to access the vault since there is no way to know the master password of each vault because LastPass is zero knowledge, but I could be wrong because I never used the service. What opinion can you give me about this?

Thank you all! 🙂
Breaching the servers and getting access to you vault file doesn't do much actually. It's still necessary to know your vault's password to decrypt the file so, unless you use an extremely weak password, it would take thousands of years to decrypt with current technology.

Actually, depending on your key strength, the heat death of the universe will happen first...


 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Breaching the servers and getting access to you vault file doesn't do much actually. It's still necessary to know your vault's password to decrypt the file so, unless you use an extremely weak password, it would take thousands of years to decrypt with current technology.

Actually, depending on your key strength, the heat death of the universe will happen first...


But what if a password manager had a backdoor and the malicious actors got access to that? What about wrong implementation of encryption? What if the password manager lied about storing the master pssword or it derivative.
 

piquiteco

Level 14
Thread author
Verified
Top Poster
Well-known
Oct 16, 2022
624
@mlnevese Testing 1password seems good, I liked it and it's convenient and very friendly, it left my heart even divided with other PMs(y)
1673574968370.png
 

mlnevese

Level 28
Verified
Top Poster
Well-known
May 3, 2015
1,761
@mlnevese Testing 1password seems good, I liked it and it's convenient and very friendly, it left my heart even divided with other PMs(y)
They have been adding a lot of features lately. For instance if you use your Google account to login somewhere and have multiple Google accounts it's I'll not only record that you used a Google account but which one should be used. It also works with Facebook and other 3rd party login methods.

I really like it. From all the managers I tested it was the one that better covered my needs. The ability to show your password in big characters is a gift when I have to configure a new TV, for instance.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
@piquiteco about 1Password - their customer support is friendly and quite responsive. I think they're flooded, as would be Bitwarden support, with enquiries after the LP fiasco. For good user interface look no further than 1Password. Next is Dashlane and then Bitwarden. In terms of security they all claim to be secure but then Lastpass claimed this too until the #hit hit the fan last month. :D For noobs I'd suggest 1PW without a doubt and for flexibility (self hosting) and geeks it would be Bitwarden. Dashlane is somewhere in the middle. Like LP, Dashlane only has a web UI. They discontinued their desktop app in '21 or '22. Dashlane uses the Argon2 KDF by default but can switch to PBKDF2 in the account setting.

Now more about LP - deleted accounts can be restored but with no guarantee of data being available. I tested this by emailing their support team. They restored my wife's account but could not restore mine. I checked the KDF iteration value was 5000. While my LP account was set 100,100 (default) that I checked before deleting it on Christmas day. I have retained these 2 recreated LP accounts as guinea pigs..test mules.

Also, my wife's BW's account was also set at 5K, since increased to 310K. Please double check your BW settings especially for those accounts created in 2017/18.
 

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
814
Take a look at this, Steve Gibson cites a method to download and deobfuscate an old LastPass vault. It allows you to prepare an Excel spreadsheet of the contents.

https://www.grc.com/sn/sn-905-notes.pdf

 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Well, this prob. deserves its own thread (I dunno) but someone big has joined the password manager breach train!


Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks.

According to a letter sample shared with the Office of the Vermont Attorney General, the attacks did not result from a breach on the company but from account compromise on other platforms.

"Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account," NortonLifeLock said.

LastPass people be like...happy? My GIF wouldn't move so I deleted it. Sorry.
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
I have recently started encountring sync and Ui issues in Enpass, so I migrated to Roboform. I enabled 2FA and increased the encryption iteration to 300000. I tried increasing it to 500000 but the vault took too long to decrypt on my iPhone.

Increasing encryption iteration is good against brute force attacks.
 
G

Guilhermesene

Good thing I use everything OFFLINE (obviously with backup copies on 2 external hard drives of 4tb each).

When I say everything, I literally mean everything.

My personal files, documents etc, plus KeePass password vault.

I don't trust anything in the cloud.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
The way things are going it's going to be safer to use a product with local sync (Enpass, Sticky Password) or manual sync (Keepass) to keep your data safe.

It seems there was a concerted set of intrusion attempts (some successful like Lastpass and Norton) against these companies in 2022. Whether by hacker gangs or hostile countries is only a guess. It's only a matter of time before hackers turn their attention to 1Password, Bitwarden and Dashlane.

All we users/subscribers can do is go with local sync or use cloud PMs employing really strong passwords/passphrases along with 2FA to secure accounts. But I am more interested in what these companies are planning to tackle this menace instead of boasting "We've never been hacked" as 1Password and Dashlane have been trumpeting since the LP fiasco. They were not hacked because Lastpass is a larger and more attractive target plus it was possibly easier to break LP defences.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top