LastPass Data Breach

[The_Chief]

- SEE UPDATE -

This does not shake my faith in LastPass at all... if anything, it strengthens my trust in the password manager. First, LastPass isn't stupid enough to store password data on a shared, third-party server. That information would be superficial at best. A previous intrusion attempt only accessed a developer test platform. In both intrusions, no critical user data was breached. Users' many passwords, and other sensitive data in their "vault", are encrypted behind a single master password: and LastPass has taken great pains to ensure that no code exists which would allow anyone else to decrypt the vault. Until I learn otherwise, I will continue to be a strong advocate for LastPass.

Lastpass says hackers accessed customer data in new breach

UPDATE:

My faith was shattered after the revelation that the breach was far worse than LastPass had initially disclosed. I would not recommend LastPass as a password manager, no matter what remedies they take, due to their slow reaction to the breach, deceptive disclosures and lack of proactive measures.

 

[The_Chief]

Users' vaults are only as secure as their master password! If someone is using LastPass to generate & store unique, complex passwords for every site, program and application; and storing it all in a vault that can be opened with "123456", they're wasting their time & money! There are plenty of resources on creating a strong but memorable password. The master password should always be backed up, locked in a safe or secure place so it's not lost.

 

[Dannydet]

I've used them for years without a problem.
Just don't lose your master password!!!!!

 

[svim]

LastPass has a good reputation for being transparent and open about when it gets breached. When something does occur, LastPass takes active steps to correct the problem, notifies its users if they need to any corrective measures, and posts a report on the matter. It doesn't just claim to be a responsible player in the tech services field, it is an actively reliable service.
In contrast, there's a long list of other companies that put a lot of effort into deceptive marketing babble and gaslighting the public when they get 'hacked' -- Equifax, Microsoft, Yahoo, Facebook, etc., etc.

 

[nickdalzell]

Still, this gives me reason to never trust anything stored in 'the cloud'. Data breaches are why I don't use password managers, and tend to use a really long, complicated password. Sometimes, the old way is best.

I'm quite honestly surprised at how naive some of you are. I mean, this kind of news would make me question my trust in this kind of service if I were a part of it. I'd be disconnecting my account ASAP just to be safe. While it didn't cause any real issues this time, there's always next time. Never say never.

 

[ocnbrze]

Still, this gives me reason to never trust anything stored in 'the cloud'. Data breaches are why I don't use password managers, and tend to use a really long, complicated password. Sometimes, the old way is best.

I'm quite honestly surprised at how naive some of you are. I mean, this kind of news would make me question my trust in this kind of service if I were a part of it. I'd be disconnecting my account ASAP just to be safe. While it didn't cause any real issues this time, there's always next time. Never say never.

like it has been said......everything is encrypted and to get the key you need the master password.

this kind of breach is normal. there was no major data leak from this attack. "It(LastPass) also noted that customers' passwords have not been compromised and "remain safely encrypted due to LastPass's Zero Knowledge architecture."

looks like the hackers were just fishing, but did not find anything of importance. the fact that they were detected says a lot and the fact that they have gotten law enforcement is good as well.

these kind of breaches happens all the time. i am confident that my identity is safe as well as my passwords. i have been using them for a very long time and never once had an issue with any of my account info stored on LastPass.

and it is not being niave. i have full confidence that LastPass will patch up any holes in their security so that this kind of thing does not happen again. i am not worried about my accounts as i monitor them pretty good. and there will always be a next time. hackers are relentless. but they will attack anyone or any company. so anybody that has an online presence is open for attack.

 

[nickdalzell]

Yeah, and before January 28, 1986, NASA never thought a space shuttle explosion could ever happen.

 

[svim]

A lot of fear-mongering types like to claim password managers are a fool's game but the fact is passwords themselves are flawed so a reputable, secure password manager service is viable addition to help reduce the risk. Personally I prefer Bitwarden over LastPass but that's just me. LastPass has been audited a number of times by independent security firms and passes each time, notably a reason why there are a lot of 'naive' security-focused LastPass users out there, a lot of them in the online security market.

 

[nickdalzell]

It isn't fear mongering. You're far more secure keeping them on a piece of paper inside a safe vs. on the 'cloud' where anyone can get hold of it eventually. "Data breaches are normal" yeah...Sure. The only way my passwords can be breached is if someone broke into my home and then the safe.

LastPass has had two breaches this year alone! I think ten more before that. Anything in the 'cloud' is never yours or secure. It's going to leak eventually.

It annoys me that cautious skepticism and being wary are labeled 'fear mongering' by futurists as if it were some crazy conspiracy theory. Equally as annoying as being labeled a 'luddite' because I prefer older tech.

 

[Dannydet]

I just like to stay off the grid completely....
Like right now...
..
"Crickets"......

 

[nickdalzell]

Having healthy caution for everything new and 'online' and being leery about anything cloud-based is not akin to wanting society to revisit the 19th century. Yet another futurist fallacy I hear often.

"those horses were just fine before cars came right?"

Go frell yourself! Heck, at least horses are still there. My HTC Thunderbolt is dead for all intents and purposes because futurists working the carriers. Still has me miffed.

I'd love to find a good used Chrysler Cordoba B-body, beautiful car, wonderful ride, but due to Obama doing the whole 'Cash for Clunkers' mess, there ain't a car on the road older than 1997.

 

[The_Chief]

[QUOTE="nickdalzell, post: 8091029, member: 567916"I'm quite honestly surprised at how naive some of you are. I mean, this kind of news would make me question my trust in this kind of service if I were a part of it.[/QUOTE]

Who's naive? The person who acknowledges that hacking attempts happen; or the person who thinks that an intrusion attempt is some sign of weak security? EVERY website and internet user is subject to hacking: no one is immune to that. It requires diligence and best practices to reduce risk... but there's no way to eliminate it without logging off and unplugging.

 

[ocnbrze]

It isn't fear mongering. You're far more secure keeping them on a piece of paper inside a safe vs. on the 'cloud' where anyone can get hold of it eventually. "Data breaches are normal" yeah...Sure. The only way my passwords can be breached is if someone broke into my home and then the safe.

LastPass has had two breaches this year alone! I think ten more before that. Anything in the 'cloud' is never yours or secure. It's going to leak eventually.

It annoys me that cautious skepticism and being wary are labeled 'fear mongering' by futurists as if it were some crazy conspiracy theory. Equally as annoying as being labeled a 'luddite' because I prefer older tech.

Why get a phone that's hooked up to the internet then. Just get a flip phone like a Jitterbug and be done with it.

 

[jhtalisman]

but due to Obama doing the whole 'Cash for Clunkers' mess, there ain't a car on the road older than 1997.

Well there's a flat out lie.

 

[Dannydet]

Can we stick to the issue and keep this civil?
Just agree to disagree and move on.

 

[The_Chief]

When I started this thread, my faith in LastPass was not shaken. It is now.

A data breach occurred in August; then no further news until November; and now they send out an email with a link to their latest blog post. FIVE PARAGRAPHS in, LastPass admits that customer vaults were copied!
While accessing the vault data would require a customer's master password (which LastPass claims it doesn't store), the fact that a hacker could get that far into LastPass' infrastructure leaves me with very little confidence in their security practices.

Then the blog boasts about the 100,100 iterations of the PBKDF2 security algorithm... even though the default setting is only 5000 iterations. If LastPass recommends changing the setting to the maximum, why isn't the maximum set as the default?

Does anyone here have experience with Keeper as a password manager? I'm looking at Keeper as a replacement... but would love to hear about your personal experience with it.

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

 

[Dannydet]

Thanks for the update.
I'll be looking elsewhere for a password manager.

 

[Unforgiven]

Bitwarden

 

[The_Chief]

Here's more information on the data breach, and it's not good.

While usernames and passwords were encrypted, URLs were not. and that's bad news because individual LastPass users are linked to specific websites. While hackers could go through the process of brute force hacking to guess the master passwords, the human race will likely be exitinct before successful intrusion occurs. And for what? Credentials for Android Forums?

More likely are phishing scam emails sent to users. Scammers will likely invoke the LastPass data breach and offer a fake link to change the password. Any such email must be suspicious - never click a link in an email you were not expecting! Always open the browser, type the address in and go to the legitimate site.

https://cybernews.com/news/lastpass-tells-more-about-breach-researchers-frustrated/

Here's the action plan LastPass is implementing in response to the event:

"In response to the August 2022 incident, we eradicated any further potential access to the LastPass development environment by decommissioning that environment in its entirety and rebuilding a new environment from scratch. We also replaced and further hardened developer machines, processes, and authentication mechanisms.

We have added additional logging and alerting capabilities to help detect any further unauthorized activity including a second line of defense with a leading managed endpoint detection and response vendor to supplement our own team. We have also continued to execute our plans of implementing a new, fully dedicated, set of LastPass development and production environments. 

In response to this most recent incident, we are actively rotating all relevant credentials and certificates that may have been affected and supplementing existing endpoint security. We are also performing an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service, adding additional safeguards within this environment, and analyzing all data within this environment to ensure we understand what the threat actor accessed."

While it took an intrusion, I'm increasingly confident that LastPass has learned a valuable (if costly) lesson. if the above steps are implemented and LastPass adds features to beat the competition, it will be the #1 password manager of choice.

Based on everything I've read over the past couple of days, and since we just renewed our family plan five weeks ago, I'm going to stay with LastPass on a probationary basis. If they fail again, however, I'll move to Dashlane or other manager in a heartbeat.

 

[The_Chief]

More information - and more bad news...

https://www.theverge.com/2022/12/28...-disclosure-encryption-cybersecurity-rebuttal

LastPass has apparently refused repeated requests to encrypt URLs, metadata, etc. They are also being very deceptive about how bad the breach was. This breach, and the fallout from it, are catastrophic enough for me to write off our annual renewal; transfer to another password manager; and start changing EVERY SINGLE PASSWORD we had stored.

 

[The_Chief]

After a lot of research, I've finally made a decision about which password manager we will use going forward (it helps that tomorrow starts a brand new calendar year).

While many people would consider it pricey, DASHLANE has the most robust security protocols in the industry. It has never been breached... in fact, its system is specifically built to prevent breaches from even occuring.

Over the next day or two, I'll be starting the family plan and importing all the LastPass data to Dashlane. Using Dashlane's password scoring system, I can easily change the most vulnerable credentials first and work my way down the list.

Everyone has their preference of manager app, and I'm glad yours works well for you. I just hope Dashlane works out for us.

 

[susie1470]

Surely appreciate the info. I made the decision between LastPass and Bitwarden and chose LastPass. Signed up for premium late in 2022. Wonder if LP will refund $$ if you choose to go elsewhere? Any info?

 

[The_Chief]

LastPass refund policy is 30 days. I highly doubt they will start handing out refunds beyond that, because they know the company may be on financial fumes this time next year. Between very few renewals and possible class actions & legal fees, I think LastPass is going to pinch every penny.

We renewed November 19, so I'm right there with you as far as frustration goes.

UPDATE: In fact, the first class action lawsuit has already been filed by someone who claims he lost $53,000 in Bitcoin due to the breach. LastPass will, undoubtedly, claim that such users did not follow their "best practices. It will be interesting to see how the jury responds, considering the "best practices" are not the default settings.

 

[The_Chief]

And there goes another one....

https://www.bleepingcomputer.com/ne...t-hackers-breached-password-manager-accounts/

 

[Dannydet]

Let's face it.
If a hacker wants to get access to anything, they will!
Nothing online is safe and never was from the get go.
My Hotmail account was hacked back in 2006, and what a friggen headache that was to clean up. I'm tech savvy for the most part, since I'm a graphic designer and have been using windows and macs for years, but as I get older I'm getting more and more worried that I'll be hacked again with more damage compared to last.
I don't know what the answer is other than running a secure firewall, 2 factor authentication, VPN, malware, ransomware utilities....
Just Ugh.....
And usernames and passwords are a joke!