Notice of Recent Security Incident.......LastPass

Condobloke

LastPass
Dear valued customer,

In keeping with our commitment to transparency, we wanted to inform you of a security incident that our team is currently investigating.

We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass's Zero Knowledge architecture.

We are working diligently to understand the scope of the incident and identify what specific information has been accessed. As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around the setup and configuration of LastPass, which can be found here.

As is our practice, we will continue to provide updates as we learn more. Please visit the LastPass blog for the latest information related to the incident: https://blog.lastpass.com/2022/11/notice-of-recent-security-incident/.

We thank you for your patience while we work through our investigation.

Sincerely,
The Team at LastPass

Karim Toubba

LastPass CEO
 


I don't know enough about the LastPass infrastructure, specifically about how they store the credentials. I also don't know how they accessed the information - like did they manage to grab the database(s) and which database(s) they were able to score before they were noticed?

Encryption is important, but there's something called a 'rainbow attack' which may apply here. If logging into your account is the action that decrypts the passwords, well...
 
The text in the original post above is missing the embedded link in the "Zero Knowledge architecture" that appeared in the original post on LastPass' website. Here is that link, where you can see their "Zero Knowledge" security architecture:

https://www.lastpass.com/security/zero-knowledge-security

Scroll down until you see the diagram showing how the Master Password is converted into an encryption key. If the customer is using the basic product without multi-factor authentication, then the effective strength of the key is the strength of the user-chosen Master Password. LastPass provides guidance on how to choose a strong Master Password. I view that as their "get-out-of-jail-free card". The truth is that most people choose poor passwords, and LastPass knows it. If a vault is compromised because of a weak Master Password, LastPass can point to their guidance and claim that the user did not follow it.

If the attacker exfiltrated copies of user password vaults, then they can bypass LastPass and apply whatever resources are available to them to attack the vaults.

Furthermore, there is no time limit. There may be new tools, new methods, or previously unknown vulnerabilities that may be exploited to attack the vaults whenever those capabilities appear in the future.

In my opinion, the convenience of being able to sync multiple devices with a common password vault stored on the internet is not worth the long term risks. I have been opposed to the practice ever since LastPass debuted it many years ago. The risks were obvious then, and now they have come home to roost.

My advice to LastPass users would be to:
  • Change the Master Password immediately. Make sure it is strong. Very very strong.
  • Go through each individual password in your LastPass vault one by one and change them. Yes, it means changing them for each website or other use, but it also means that if the LastPass attacker cracks your vault, they get nothing because the passwords have all been changed. Yes, it will take a lot of effort.
  • Think about the tradeoffs between the extra convenience and the long term risks associated with storing passwords on the internet.
    • Consider using a locally stored password vault instead, with appropriate safeguards and regular backups, the same as what you should be doing for your computer anyway.
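The post above makes three points that are easier to see in code than in prose: the vault key is only as strong as the Master Password it is derived from, a per-account salt is what stops a precomputed ("rainbow") table from being reused across users, and an attacker holding an exfiltrated vault copy is limited only by their own hardware and the cost of the key-derivation function, with no lockout and no time limit. The following Python is an added illustration, not code from this thread or from LastPass; it assumes a PBKDF2-HMAC-SHA256 derivation with the account e-mail as salt, a fixed 100,000-iteration count, and a hypothetical attacker hash rate of 10^9 SHA-256 computations per second. The real product's parameters are not given on this page, so treat the numbers as placeholders and the structure as the lesson.

```python
import hashlib
import math

# Assumed parameters for illustration only (not taken from LastPass documentation):
# PBKDF2-HMAC-SHA256, the account e-mail as salt, and a fixed iteration count.
KDF_ITERATIONS = 100_000
KEY_LEN = 32  # 256-bit symmetric vault key


def derive_vault_key(master_password: str, account_email: str,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the Master Password into the vault encryption key.

    The e-mail salt ties the result to one account: the same Master Password
    gives a different key (and different ciphertext) for different users, so a
    table precomputed for one account says nothing about another.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        account_email.lower().encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def password_entropy_bits(password: str) -> float:
    """Upper-bound entropy from the character classes actually used.

    Dictionary words and patterns are far weaker than this estimate; it is
    the most an attacker could be forced to search, not what they usually need.
    """
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33  # printable ASCII punctuation
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def expected_offline_guesses(entropy_bits: float) -> float:
    """Average guesses needed to hit a uniformly random secret of this entropy."""
    return 2.0 ** (entropy_bits - 1)


def kdf_limited_rate(hashes_per_second: float, iterations: int = KDF_ITERATIONS) -> float:
    """Guesses per second an attacker gets when every guess costs `iterations` hashes.

    This is the only brake on an offline attack against a stolen vault copy:
    there is no server-side lockout, because no server is involved.
    """
    return hashes_per_second / iterations


def years_to_crack(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected wall-clock time, in years, for the offline search to succeed."""
    seconds = expected_offline_guesses(entropy_bits) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample accounts and passwords; none of these are real.
    weak, strong = "password", "Tr0ub4dor&3-correct-horse"
    alice = derive_vault_key(weak, "alice@example.com")
    bob = derive_vault_key(weak, "bob@example.com")
    print("same Master Password, different accounts, different keys:", alice != bob)

    rate = kdf_limited_rate(1e9)  # hypothetical attacker: 1e9 SHA-256/s
    for pw in (weak, strong):
        bits = password_entropy_bits(pw)
        print(f"{pw!r}: ~{bits:.1f} bits, ~{years_to_crack(bits, rate):.3g} years offline")
```

The number that matters to a vault holder is the last one: with the same key-derivation function and the same attacker hardware, only the Master Password's entropy moves it from hours to geological time, which is exactly why the post's first piece of advice is to change it to something very strong.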
 
My worst fears confirmed in the latest update 22 December 2022.

See my post #3 above, especially my advice to LastPass users at the bottom of the post, repeated here.

My advice to LastPass users would be to:
  • Change the Master Password immediately. Make sure it is strong. Very very strong.
  • Go through each individual password in your LastPass vault one by one and change them. Yes, it means changing them for each website or other use, but it also means that if the LastPass attacker cracks your vault, they get nothing because the passwords have all been changed. Yes, it will take a lot of effort.
  • Think about the tradeoffs between the extra convenience and the long term risks associated with storing passwords on the internet.
    • Consider using a locally stored password vault instead, with appropriate safeguards and regular backups, the same as what you should be doing for your computer anyway.
 
I got similar notices from AT&T and Yahoo (twice from Yahoo actually) that the information they store was compromised. It never affected me in any way...
 
So, I too got an email. I had signed up for their service and never actually used it. Amusingly, I could still remember my master password, even though I never once used their services.

I made sure by flipping through and noting there were no saved passwords or anything like that.

I decided I'd just cancel the service. Lo and behold, I can't find an option anywhere to terminate my account with them. That's a bit disappointing. I hope I missed the link to do so and that they're not really that incompetent.
 
 
They have an ongoing habit of keeping the "cancel" mechanism out of sight.

It has never been obvious.
 
Try This

 
That appears to start the process. Thanks!

For the life of me, I couldn't find the option anywhere. Now, they'll send me an email about how to start deleting the account. Yeah...
 
It made me confirm it multiple times (reasonable, I guess).

Under the reasons, I selected 'other' and the reason I gave was, "I can no longer have faith in your security."
 
And, finally, I have unsubscribed from their mailing list.

Thanks!
 
lol.....that would be my answer as well.....in fact if I remember correctly, I gave them a "I can get ripped off anywhere, I don't need to use your company's product to experience that"

I didn't get a reply.
 
I'm half tempted to write a quick article detailing how to completely remove your account from LastPass...

I've got a bit of a readership at this point.
 
> I'm half tempted to write a quick article detailing how to completely remove your account from LastPass...
>
> I've got a bit of a readership at this point.
... and please add your recommendations for a local-only password manager alternative, and how to safely back it up.

In case anyone cares, I have been using the standalone 1Password application for a long time, but always in local-only mode. It is one of the applications that I will replace when I upgrade macOS. I dislike how 1Password created a LastPass-like monster with internet sync, shared passwords, etc. They make it very difficult to find the standalone application for purchase, trying to force everyone into their subscription model. No thank you and no longer.

I plan to replace 1Password with free software. In this case, open source is a good idea, and I will inspect the source code. Eventually I plan to migrate my personal laptop to Linux, and want to be using the same software on both platforms to make the transition easier.

What are people using for local-only password management these days? Keepass? Bitwarden (local only)? Something else?
 
> ... and please add your recommendations

I don't really have any recommendations, as I don't use one.

My favorite password manager is "forgot password". If I can't recall the password (and I often can't) I just reset it to something complicated and call it good. When I access the site again, I'll just reset my password.

I don't do this for all sites, but I do it for quite a few.
 
"Hear all, trust nothing"
Rule of acquisition 190, of Star Trek's Ferengi rules of acquisition.

Do not automatically assume they were being truthful about there being no data stolen.
 
I'm moving as fast as I can. The wind is rocking my house. It's amazing. It's the midst of a 'bomb cyclone' and I'm well and truly impressed with Mother Nature.
 