Lastpass says hackers accessed customer data in new breach

Restating what is becoming the obvious.

Out of curiosity, if I search LastPass via Duck Duck Go, this is what I got:
lastpass.PNG
Probably cleaned up much of its act in a hurry and behind the scenes. But I myself would never trust them for anything after all these disclosures.
 
  • Like
  • Applause
Reactions: mlnevese, Stopspying, piquiteco and 1 other person
plat said:
Probably cleaned up much of its act in a hurry and behind the scenes. But I myself would never trust them for anything after all these disclosures.
Click to expand...
More in wikipedia will stay forever that incident and also in the Internet Archive, impossible to erase the digital tracks nowadays.
1672388570583.png
1672388675433.png
 
  • Like
Reactions: plat, mlnevese, Stopspying and 2 others
Here at MT, we are security conscious people. If anyone of us is using a cloud password manager, sooner or later we will be victims.

Cloud password managers are valuable targets for hackers.

Now each and every password manager brags about being AES encrypted, bit is it not the same ecryption that ransomware uses? Security companies such as Emsisoft and Bitdefender cracked many ransomware, so that means our password vaults can be cracked too?
 
  • Like
Reactions: plat, Stopspying, piquiteco and 1 other person
Divine_Barakah said:
Now each and every password manager brags about being AES encrypted, bit is it not the same ecryption that ransomware uses? Security companies such as Emsisoft and Bitdefender cracked many ransomware, so that means our password vaults can be cracked too?
Click to expand...
Anything is possible (side channel attacks) but breaking AES is not going to happen for many years with current computer hardware. Hackers are not breaking the encryption per say but there are vulnerabilities in the server side or databases holding the encrypted data and then I imagine they use credential stuffing attacks from other breaches or brute force attacks to gain entry to encrypted vaults.

*edit* If it was phishing then they had full access to all of their servers/databases/vaults/customer info. The above still stands. They are not breaking AES.
 
Last edited:
  • Like
  • Thanks
Reactions: plat, Stopspying, Divine_Barakah and 2 others
Divine_Barakah said:
Here at MT, we are security conscious people. If anyone of us is using a cloud password manager, sooner or later we will be victims.
Click to expand...
There's truth in that.

When it's in the cloud a PM service can, and depending on how attractive a target it is for e.g. Lastpass, will be a target of hackers multiple times. This LP incident was supposedly via a phishing attempt not a break in via normal hacking methods so it basically paved the way for those hackers to grab what they wanted in their own sweet time over the next few months. Hackers grabbed a portion of their source code and customer data. Meanwhile LP unfortunately sat on its a$$ hoping and praying, engaging forensic experts to tell them what the problem is and who did it. The horse had already bolted. I wonder how much of a cover up LP is doing. They've messed up badly on several counts. What they disclosed in their blog stinks of a CYA operation and it seems a lawyer or set of lawyers drafted it. It's not the whole truth.

So what do you guys @ MT use for password management? Keepass and the likes?
 
Last edited:
  • Like
Reactions: plat, Stopspying, Divine_Barakah and 2 others
Divine_Barakah said:
so I dropped it in favor of Enpass.
Click to expand...
Right, I have a lifetime subs to Enpass but over at their forum there have been questions raised about code and security audits and the reply from them hasn't been the most forthcoming IMHO. I believe they had an audit done some years back (pre covid) and while they plugged security issues the audit report wasn't detailed enough or convincing. After which I gave Enpass a pass and shifted back to LP (Sigh! I know, I know :( ). And the latest audit reports are right here....from Jul '22.

Security Audit Report

Can some MT folks take a peep at those reports and let us know what you all think?
 
  • Like
Reactions: Divine_Barakah and Stopspying
R2D2 said:
Right, I have a lifetime subs to Enpass but over at their forum there have been questions raised about code and security audits and the reply from them hasn't been the most forthcoming IMHO. I believe they had an audit done some years back (pre covid) and while they plugged security issues the audit report wasn't detailed enough or convincing. After which I gave Enpass a pass and shifted back to LP (Sigh! I know, I know :( ). And the latest audit reports are right here....from Jul '22.

Security Audit Report

Can some MT folks take a peep at those reports and let us know what you all think?
Click to expand...
I do agree that security audits when it comes to Enpass are concerning, but for it is not mich of a risk for the data is stored locally in my case. Unless Enpass is directly targetted by a piece of malware or the device is compromised (it is game over for any password manager), i have nothing to fear.

When you have your data available and accessible only locally, you have more control over the security. If the data is stored on the company’s servers, you have no control over its security and you have to trust the company and its security.

Personally, the only option that I completely trust is Keepass, but it is very inconvenient for it does not provide cross-platform compatibility. So we are left for either SP or Enpass. I am not aware of any other offline password managers.
 
1password upto ver 7 had local sync till the gee whiz kids at Agilebits stopped it from v8 onwards. I have a perpetual license for v7 but again it would function much like Keepass and no guarantee it'll work with W11 and browser extensions.

I use KeepassXC as an archival solution to be honest it's too painful to use on a regular basis but Enpass and Sticky Password are in consideration.

What happened to LP can happen to any cloud PM company including BW, 1PW, Dashlane etc. Once the hacker is in the system via some phishing or social engg. method all bets are off.
 
  • Like
Reactions: Divine_Barakah
R2D2 said:
1password upto ver 7 had local sync till the gee whiz kids at Agilebits stopped it from v8 onwards. I have a perpetual license for v7 but again it would function much like Keepass and no guarantee it'll work with W11 and browser extensions.
Click to expand...
I know they killed it and that caused back fire, but guess what, users will move on and forget about it. I wholeheartedly hate the new version and I am not fond of subscriptions. The Electron thing added insult to injury. Thus, I left 1P behind.
 
  • Like
Reactions: Zero Knowledge and R2D2
I wouldn't take security audits that seriously, much like AV tests they can lack credibility and I image (haven't dealt with personally) there many rouges audit firms. It also gives people a false sense of security because they only test with known vulnerabilities and design/implementation mistakes/issues when it comes to security and encryption. It doesn't mean the software is 100% secure, it's only secure at current knowledge and understanding and it the future that could/will/almost certainly change when a new bug class/exploit/vulnerability is found.
 
  • Like
Reactions: Divine_Barakah and R2D2
Zero Knowledge said:
I wouldn't take security audits that seriously, much like AV tests they can lack credibility and I image (haven't dealt with personally) there many rouges audit firms. It also gives people a false sense of security because they only test with known vulnerabilities and design/implementation mistakes/issues when it comes to security and encryption. It doesn't mean the software is 100% secure, it's only secure at current knowledge and understanding and it the future that could/will/almost certainly change when a new bug class/exploit/vulnerability is found.
Click to expand...
From what I see, almost all password manager (which are audited), hired Cure53 to make the security assessment (this includes Dashlane, 1Password, Enpass, Remembear, and NordPass). While I do not take the results for granted, those assessment might shed some light on how much effort those companies put into their software.

Another very important thing is that companies might choose to publish only parts of the security audits reports hiding severe issues. They might also determine the scope of assessment. Enpass, for example, only asked for their Windows client to be assessed in July 2022 and not their mobile apps.
 
  • Like
  • Applause
Reactions: R2D2 and Zero Knowledge
Divine_Barakah said:
Another very important thing is that companies might choose to publish only parts of the security audits reports hiding severe issues. They might also determine the scope of assessment. Enpass, for example, only asked for their Windows client to be assessed in July 2022 and not their mobile apps.
Click to expand...

Exactly! The company only publishes what they want people to see. And your right, scope is very important for audits and especially for pen tests. There are certain areas that you cannot touch or go near. The companies ordering the audit determine what you can and can't do with their software/hardware.
 
  • +Reputation
Reactions: Divine_Barakah
Zero Knowledge said:
Exactly! The company only publishes what they want people to see. And your right, scope is very important for audits and especially for pen tests. There are certain areas that you cannot touch or go near. The companies ordering the audit determine what you can and can't do with their software/hardware.
Click to expand...
Thus, we conclude that password managers are tools of convenience rather than security. I know this might sound radical, but I believe that there are many shortcomings in the password manager due to convenience. Otherwise, password managers would be impossible to use by end consumers.

At the end of the day, it is up to good practises, by users. If one uses a weak master password or even opt in to save it and have it entered for them or even save it in a plain txt file, then there is no point of using a password manager no matter how secure it is.
 

You may also like...