Notice of Recent Security Incident.......LastPass

Condobloke

Well-Known Member
Joined
Apr 30, 2017
Messages
5,546
Reaction score
4,648
Credits
33,684
LastPass
Dear valued customer,

In keeping with our commitment to transparency, we wanted to inform you of a security incident that our team is currently investigating.

We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass's Zero Knowledge architecture.

We are working diligently to understand the scope of the incident and identify what specific information has been accessed. As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around the setup and configuration of LastPass, which can be found here.

As is our practice, we will continue to provide updates as we learn more. Please visit the LastPass blog for the latest information related to the incident: https://blog.lastpass.com/2022/11/notice-of-recent-security-incident/.

We thank you for your patience while we work through our investigation.

Sincerely,
The Team at LastPass

Karim Toubba

LastPass CEO
 


KGIII

Super Moderator
Staff member
Gold Supporter
Joined
Jul 23, 2020
Messages
8,071
Reaction score
6,928
Credits
65,521
I don't know enough about the LastPass infrastructure, specifically about how they store the credentials. I also don't know how they accessed the information - like did they manage to grab the database(s) and which database(s) they were able to score before they were noticed?

Encryption is important, but there's something called a 'rainbow attack' which may apply here. If logging into your account is the action that decrypts the passwords, well...
 

sphen

Active Member
Joined
Dec 12, 2022
Messages
131
Reaction score
132
Credits
1,713
The text in the original post above is missing the embedded link in the "Zero Knowledge architecture" that appeared in the original post on LastPass' website. Here is that link, where you can see their "Zero Knowledge" security architecture:

https://www.lastpass.com/security/zero-knowledge-security

Scroll down until you see the diagram showing how the Master Password is converted into an encryption key. If the customer is using the basic product without multi-factor authentication, then the effective strength of the key is the strength of the user-chosen Master Password. LastPass provides guidance on how to choose a strong Master Password. I view that as their "get-out-of-jail-free card". The truth is that most people choose poor passwords, and LastPass knows it. If a vault is compromised because of a weak Master Password, LastPass can point to their guidance and claim that the user did not follow it.

If the attacker exfiltrated copies of user password vaults, then they can bypass LastPass and apply whatever resources are available to them to attack the vaults.

Furthermore, there is no time limit. There may be new tools, new methods, or previously unknown vulnerabilities that may be exploited to attack the vaults whenever those capabilities appear in the future.

In my opinion, the convenience of being able to sync multiple devices with a common password vault stored on the internet is not worth the long term risks. I have been opposed to the practice ever since LastPass debuted it many years ago. The risks were obvious then, and now they have come home to roost.

My advice to LastPass users would be to:
  • Change the Master Password immediately. Make sure it is strong. Very very strong.
  • Go through each individual password in your LastPass vault one by one and change them. Yes, it means changing them for each website or other use, but it also means that if the LastPass attacker cracks your vault, they get nothing because the passwords have all been changed. Yes, it will take a lot of effort.
  • Think about the tradeoffs between the extra convenience and the long term risks associated with storing passwords on the internet.
    • Consider using a locally stored password vault instead, with appropriate safeguards and regular backups, the same as what you should be doing for your computer anyway.
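To make concrete the point in this post that, without other factors, the vault key is only as strong as the user-chosen Master Password, here is an added Python example; it is not code from the post, from LastPass, or from the linked diagram. It assumes a generic PBKDF2-HMAC-SHA256 stretch of the master password with a per-user salt; the iteration count, the attacker guess rate and the sample passwords are constructed for illustration and are not LastPass's actual parameters.

```python
import hashlib
import math
import string

# Assumed scheme for illustration (not LastPass's documented parameters):
# vault key = PBKDF2-HMAC-SHA256(master password, per-user salt, iterations).
ITERATIONS = 100_000           # illustrative work factor
GUESSES_PER_SECOND_RAW = 1e9   # illustrative raw SHA-256 rate for an offline attacker


def derive_vault_key(master_password: str, salt: str, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit vault key.

    The salt is per user, so a key derived for one account is useless against
    another vault even when both users chose the same master password.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt.encode("utf-8"), iterations, dklen=32
    )


def password_entropy_bits(password: str) -> float:
    """Optimistic entropy estimate: assumes every character was drawn uniformly
    from the union of the character classes present. Passwords built from
    dictionary words or predictable patterns are far weaker than this figure."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
               string.punctuation, " ")
    alphabet = sum(len(cls) for cls in classes if any(ch in cls for ch in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def expected_crack_seconds(entropy_bits: float, iterations: int = ITERATIONS,
                           hashes_per_second: float = GUESSES_PER_SECOND_RAW) -> float:
    """Expected offline guessing time against one stolen vault copy: on average
    half the keyspace is tried, and every guess costs `iterations` hashes.
    Doubling the iterations doubles the cost; each extra bit of entropy doubles it too."""
    expected_guesses = 2.0 ** (entropy_bits - 1)
    return expected_guesses * iterations / hashes_per_second


def strength_report(passwords):
    """Return {password: (entropy_bits, expected_crack_days)} for the candidates."""
    report = {}
    for pw in passwords:
        bits = password_entropy_bits(pw)
        report[pw] = (bits, expected_crack_seconds(bits) / 86_400)
    return report


if __name__ == "__main__":
    # Constructed sample master passwords, from weak to strong.
    samples = ["password", "Winter2022!", "Tr0ub4dor&3", "correct horse battery staple pepper"]
    for pw, (bits, days) in strength_report(samples).items():
        print(f"{pw!r:40} ~{bits:6.1f} bits  expected offline crack: {days:,.1f} days")

    # Same master password, two different users: distinct vault keys because of the salt.
    k1 = derive_vault_key("password", "alice@example.com")
    k2 = derive_vault_key("password", "bob@example.com")
    print("keys differ for the same password:", k1 != k2)
```

The point of the arithmetic is that the key-stretching iteration count only multiplies the attacker's cost by a constant, whereas the master password's entropy multiplies it exponentially; once a vault copy is offline, nothing on the server side can raise that cost any further, which is why the advice above leads with a very strong Master Password.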
 
OP
Condobloke

Well-Known Member

sphen

Active Member
My worst fears confirmed in the latest update 22 December 2022.

See my post #3 above, especially my advice to LastPass users at the bottom of the post, repeated here.

My advice to LastPass users would be to:
  • Change the Master Password immediately. Make sure it is strong. Very very strong.
  • Go through each individual password in your LastPass vault one by one and change them. Yes, it means changing them for each website or other use, but it also means that if the LastPass attacker cracks your vault, they get nothing because the passwords have all been changed. Yes, it will take a lot of effort.
  • Think about the tradeoffs between the extra convenience and the long term risks associated with storing passwords on the internet.
    • Consider using a locally stored password vault instead, with appropriate safeguards and regular backups, the same as what you should be doing for your computer anyway.
 

CrazedNerd

Well-Known Member
Joined
Mar 31, 2021
Messages
924
Reaction score
395
Credits
7,841
I got similar notices from AT&T and Yahoo (twice from Yahoo, actually) that the information they store was compromised. It never affected me in any way...
 

KGIII

Super Moderator
So, I too got an email. I had signed up for their service and never actually used it. Amusingly, I could still remember my master password, even though I never once used their services.

I made sure by flipping through and noting there were no saved passwords or anything like that.

I decided I'd just cancel the service. Lo and behold, I can't find an option anywhere to terminate my account with them. That's a bit disappointing. I hope I missed the link to do so and that they're not really that incompetent.
 
OP
Condobloke

Well-Known Member
 
OP
Condobloke

Well-Known Member
They have an ongoing habit of keeping the "cancel" mechanism out of sight.

It has never been obvious.
 

KGIII

Super Moderator
OP
Condobloke

Well-Known Member
Try This

 

KGIII

Super Moderator
That appears to start the process. Thanks!

For the life of me, I couldn't find the option anywhere. Now, they'll send me an email about how to start deleting the account. Yeah...
 

KGIII

Super Moderator
It made me confirm it multiple times (reasonable, I guess).

Under the reasons, I selected 'other' and the reason I gave was, "I can no longer have faith in your security."
 
OP
Condobloke

Well-Known Member
lol.....that would be my answer as well.....in fact, if I remember correctly, I gave them an "I can get ripped off anywhere, I don't need to use your company's product to experience that"

I didn't get a reply.
 

KGIII

Super Moderator
I'm half tempted to write a quick article detailing how to completely remove your account from LastPass...

I've got a bit of a readership at this point.
 

sphen

Active Member
I'm half tempted to write a quick article detailing how to completely remove your account from LastPass...

I've got a bit of a readership at this point.
... and please add your recommendations for a local-only password manager alternative, and how to safely back it up.

In case anyone cares, I have been using the standalone 1Password application for a long time, but always in local-only mode. It is one of the applications that I will replace when I upgrade macOS. I dislike how 1Password created a LastPass-like monster with internet sync, shared passwords, etc. They make it very difficult to find the standalone application for purchase, trying to force everyone into their subscription model. No thank you and no longer.

I plan to replace 1Password with free software. In this case, open source is a good idea, and I will inspect the source code. Eventually I plan to migrate my personal laptop to Linux, and want to be using the same software on both platforms to make the transition easier.

What are people using for local-only password management these days? Keepass? Bitwarden (local only)? Something else?
 

KGIII

Super Moderator
... and please add your recommendations

I don't really have any recommendations, as I don't use one.

My favorite password manager is "forgot password". If I can't recall the password (and I often can't) I just reset it to something complicated and call it good. When I access the site again, I'll just reset my password.

I don't do this for all sites, but I do it for quite a few.
 

BigBadBeef

Active Member
Joined
Sep 23, 2021
Messages
254
Reaction score
104
Credits
2,365
"Hear all, trust nothing"
Rule of Acquisition 190, from Star Trek's Ferengi Rules of Acquisition.

Do not automatically assume they were being truthful about there being no data stolen.
 

KGIII

Super Moderator
I'm moving as fast as I can. The wind is rocking my house. It's amazing. It's the midst of a 'bomb cyclone' and I'm well and truly impressed with Mother Nature.
 