Lastpass says hackers accessed customer data in new breach

piquiteco

Level 14
Thread author
Verified
Top Poster
Well-known
Oct 16, 2022
624
b) NEVER store your 2FA tokens OR recovery codes in your PM.
I already said this in another post: you can even store it in a PM, as long as it is offline, for example KeePass, KeePassXC, etc. That password manager must never touch the network; remember this. 😉
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
In case you have to, store 2FA keys in a separate vault (with its own Master Password) if your PM supports multiple vaults.
1PW does, but Bitwarden doesn't as far as I know.

2FA tokens are in separate apps and soft copies of recovery codes are encrypted and uploaded to the cloud + stored locally. I just can't trust PMs as much as I did before. The past 3 weeks have been a painful experience for this former LP user. :)

PS - @piquiteco ^^^^ :)
 

piquiteco

Level 14
Thread author
Verified
Top Poster
Well-known
Oct 16, 2022
624
In case you have to, store 2FA keys in a separate vault (with its own Master Password) if your PM supports multiple vaults.
It has to be like this to make spoiler more convenient, but also if it falls into the hands of a hacker he will have a party. :LOL:

2FA tokens are in separate apps and soft copies of recovery codes are encrypted and uploaded to the cloud + stored locally. I just can't trust PMs as much as I did before. The past 3 weeks have been a painful experience for this former LP user. :)
I think you had an unpleasant and pretty bad experience with LP, because you literally put all your eggs in one basket. You believed it; you put your trust in a PM, thinking you would never have problems. I know what it is like: 800+ passwords, revoking all 2FA, generating new recovery backup codes, creating new security questions and answers. It is labor intensive, and then you need to replicate it in your backup and sync it to other devices... just thinking about it gives me the chills :eek:
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
....just thinking about it gives me the chills
I am still experiencing the chills and it's not entirely due to the weather. :D

But seriously, this is my bad. I curse LP and their management for their lapses, but I admit I should've been wary and cautious after reading about repeated attacks on LP over the years. One of them was bound to succeed, and it did... in Aug '22. What was disclosed in Aug was just the trailer; the movie was yet to begin.

I hate to think how many accounts, like this YouTuber's, have been compromised. And he is not a noob! Obviously the hackers tried their luck with a well-known personality, giving weight to the theory that they'll attack high-value targets first. Luckily I am just small fry. Phew!

What unfolds in the next few months remains to be seen. It won't be good. Just batten down the hatches (2FA, passwords, recovery codes) as the full force of the hacker storm approaches.

PS - This may or may not be a coincidence. I have seen a massive increase in the number of spam mails at my Gmail account.
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
@piquiteco I know that having 2 vaults with completely different master passwords is a pain and very inconvenient, but I believe it is worth the hassle to avoid situations such as LP's.

You know, it might be a good idea to contact password managers' support and suggest that they automatically store 2FA in a separate vault that is encrypted individually with something like a secret key, without the need to use a new master password. I believe this will be more convenient and will also be more secure than storing 2FA in the same vault.

It has to be like this to make spoiler more convenient, but also if it falls into the hands of a hacker he will have a party.
Lol, this way you will save the hacker much time and they will be grateful to you.

Anyway, I personally do not like the idea of storing both passwords and 2FA keys in the same password manager. Why? If you lose access to your password manager, then you are doomed. Passwords are easy to reset, but what about 2FA? Imagine that you'll need to contact the support for 200 sites and that you'll need to provide proof that you're the owner. Just imagining this terrifies me.
 

piquiteco

Level 14
Thread author
Verified
Top Poster
Well-known
Oct 16, 2022
624
And the bad news doesn't end. Enterprise customers also affected. I really wonder how GoTo/Lastpass will survive if they cannot secure user/customer data.

LastPass owner GoTo says hackers stole customers’ backups
This is not good; what lousy news. It will resonate and propagate across the web, and I believe it tarnishes their reputation, if it hasn't already. This will not sound good in the ears of LP's corporate clients.
 

vtqhtr413

Level 27
Well-known
Aug 17, 2017
1,609

LastPass Password Manager: increase this setting to improve security significantly

It has been a couple of months since LastPass suffered what is arguably the worst data breach to ever affect the password manager industry. The way the entire scenario was handled by the company, and the lack of transparency circling the aftermath of the attack, resulted in many users switching to rival services. If you are a regular reader, you may be aware of our stance towards LastPass. We don't recommend using it because of incidents in the past and how these were handled, and advise users to migrate to Bitwarden, KeePass or 1Password. However, the fact remains that there are still thousands of users who are still using LastPass. This article is meant to help those people who plan to continue using the service; you might as well take the time to ensure that your account is as secure as possible.
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
If You Use LastPass, You Need to Change All of Your Passwords ASAP
Are you a LastPass user? This popular password manager was the target of a major data breach last December, which means many people’s passwords and personal data were exposed to nefarious entities.

According to LastPass CEO Karim Toubba, there was a security incident in August that led to unauthorized parties stealing customer data in December. However, this is not a unique event for LastPass, since it's been having security incidents since 2011.

What kind of data was exposed? According to Toubba, hackers got their hands on unencrypted data such as LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses.

There was also vault data stolen, containing both unencrypted and encrypted information such as usernames and passwords for all visited sites.

Let's pause for a second here. This is a password manager. They're holding the keys to your kingdom, so to speak. Anyone sensible would think that they'd do well what they're supposed to do, that is, store your passwords securely.

Even more alarming is the fact that this has been happening since at least 2011, and nobody knows how many other undisclosed events might have happened so far.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
Not that it means much now, but this is what GRC's site indicated about my LastPass password's vulnerability to brute-force attacks. This is what it was when the hackers downloaded the encrypted customer vaults. I think I am safe, at least for now. ;)

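R2D2's GRC figure above and the "increase this setting" article earlier in the thread come down to the same arithmetic: the size of the password search space multiplied by the cost of each guess, which the vault's PBKDF2 iteration count scales up. The Python below is an added example, not code from this thread, LastPass or GRC; the alphabet sizes, the iteration counts and the 1e10 rounds/s attacker throughput are assumptions chosen for illustration.

```python
# Assumed alphabet classes: 26 lower, 26 upper, 10 digits, 33 ASCII symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character used."""
    present = set()
    for ch in password:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        else:
            present.add("symbol")
    return sum(CLASS_SIZES[c] for c in present)


def search_space(password: str) -> int:
    """Haystack-style count: all strings of length 1..len(password) over that alphabet."""
    a, n = alphabet_size(password), len(password)
    return sum(a ** k for k in range(1, n + 1))


def seconds_to_exhaust(space: int, iterations: int, rounds_per_second: float) -> float:
    """Worst case: every guess costs `iterations` PBKDF2 rounds, and the attacker
    can compute `rounds_per_second` rounds in total across all hardware."""
    return space * iterations / rounds_per_second


def iteration_cost_factor(old_iterations: int, new_iterations: int) -> float:
    """Multiplier on the attacker's per-guess work after raising the setting."""
    return new_iterations / old_iterations


def human_time(seconds: float) -> str:
    """Largest convenient unit, e.g. '2.00 hours' or '12.50 centuries'."""
    for name, size in (("centuries", 3155760000.0), ("years", 31557600.0),
                       ("days", 86400.0), ("hours", 3600.0), ("seconds", 1.0)):
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2e} seconds"


if __name__ == "__main__":
    # Constructed sample password; the iteration counts and the 1e10 rounds/s
    # attacker throughput are illustrative assumptions, not measured figures.
    space = search_space("Ex4mple!Vault")
    for iters in (5000, 100100, 600000):
        print(f"{iters:>7} iterations: {human_time(seconds_to_exhaust(space, iters, 1e10))}")
    print("5,000 -> 100,100 iterations multiplies per-guess cost by", iteration_cost_factor(5000, 100100))
```

Raising the iteration count only multiplies the per-guess term; the search-space term is what the password's length and alphabet control, so a weak master password stays weak at any iteration setting.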
 

mlnevese

Level 28
Verified
Top Poster
Well-known
May 3, 2015
1,761
Not that it means much now but this is what GRC's site indicated about my Lastpass password vulnerability to brute force attacks. This is what it was when the hackers downloaded encrypted customer vaults. I think I am safe at least for now. ;)

Just for 91.92 thousand trillion centuries... then you have to worry. Or, if you are unlucky, it may happen on their first try 😉
 
