LastPass security breach keeps getting worse, admits parent company

[Alfonso Maruccia]

Facepalm: After compromising LastPass, unknown hackers were able to breach the servers of other services offered by LastPass parent company GoTo. A new message from the CEO explains the true extent of the security incident but offers no actual remediation to its customers.

GoTo, the company formerly know as LogMeIn that acquired LastPass in 2021, released a new statement regarding the security breach it experienced back in August 2022. According to GoTo CEO Paddy Srinivasan, after breaching LasPass servers, the unknown cyber-criminals were able to further compromise GoTo's entire portfolio of services and products.

The ongoing investigation into the LastPass breach determined "a threat actor exfiltrated encrypted backups from a third-party cloud storage service," Srinivasan wrote. The aforementioned cloud service was hosting data for the following GoTo product: business communication tool Central, online meeting service join.me, VPN service Hamachi, and remote access tool RemotelyAnywhere.

Furthermore, the black hat hackers were able to obtain an encryption key with which they could have decrypted "a portion" of the stolen encrypted backups. The affected data, Srinivasan said, varies by product and "may include" account usernames, salted and hashed passwords, a portion of the multi-factor authentication (MFA) settings, as well as some product settings and licensing information.

GoTo's CEO said the company does not store or collect full credit card, bank details or end user personal information such as birth dates, home addresses, or Social Security numbers on its servers. LastPass, on the other hand, was collecting and storing "company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses" of its customers before the breach.

Currently, GoTo is only providing "recommendations" to affected users. The company is still contacting each customer directly to "provide additional information and recommend actionable steps for them to take to further secure their accounts."

All account passwords were salted and hashed in accordance with best practices, GoTo said. Out of an abundance of caution, GoTo is also going to "reset the passwords of affected users and/or reauthorize MFA settings where applicable." User accounts will be migrated to an enhanced Identity Management Platform, to provide additional security with more robust authentication mechanisms.

GoTo has 800,000 enterprise and private users, but the company is still refusing to disclose how many of them were affected by the LastPass breach.

Permalink to story.

https://www.techspot.com/news/97381-lastpass-owner-hackers-stole-encrypted-backups.html

 

[wiyosaya]

Surprise, surprise. Who would have thunk keeping all your passwords on some internet service would be problematic? /s

 

[Slappy McPhee]

Honestly who cares at this point? The chances of someone's data being smashed for the common person is slim. Secondly, this is great news to hear as it will continue to push toward a non-password world.

 

[aztecrat]

It kinda sucks that they know what sites I've signed up to. But good luck cracking those encrypted passwords!

 

[Plutoisaplanet]

Surprise, surprise. Who would have thunk keeping all your passwords on some internet service would be problematic? /s

At the same time though, storing your login for every single account means it’s easy enough to change all of your passwords because you have an actual list. So as long as the data is encrypted, then it’ll take time to crack it and give users more than enough time to change all passwords. In other words, this is still much better security than sharing a password for all your services. Otherwise, eventually someone who successfully hacks one of many services we all use will attempt to password stuff unrelated services you hadn’t thought of and steal your information surreptitiously.

That said, I’ve never trusted LastPass. It’s better than nothing, but they run so cheaply that I question they spend enough money on security. Plus, they’re so popular that they draw too much attention to themselves, and they’ve had numerous security incidents over the years. I’ve been using Dashlane for years and have been satisfied with its comparable features. I don’t hear people talk about them nearly as much, and they typically market to Enterprise customers. They’re also never been hacked apparently.

 

[Arbie]

"LastPass". Well, they named it right.

 

[toooooot]

How the heck are you supposed to use these password apps when the exact apps are now targeted by hackers? ... There is no solution.

 

[polord]

Good old pencil and paper….

 

[Mariabliss]

Honestly who cares at this point? The chances of someone's data being smashed for the common person is slim. Secondly, this is great news to hear as it will continue to push toward a non-password world.

What would you suggest instead of passwords then? Biometrics?

That's probably more secure but it's ultimately still a form of password just a more complicated type.

 

[wiyosaya]

At the same time though, storing your login for every single account means it’s easy enough to change all of your passwords because you have an actual list. So as long as the data is encrypted, then it’ll take time to crack it and give users more than enough time to change all passwords. In other words, this is still much better security than sharing a password for all your services. Otherwise, eventually someone who successfully hacks one of many services we all use will attempt to password stuff unrelated services you hadn’t thought of and steal your information surreptitiously.

There is no need to use the same login credentials across sites. If a site wants an e-mail address, I use https://sneakemail.com/ this is just as effective as using a random password for each site since it is highly unlikely that a random e-mail address will be tied back to any user who uses them. If a site wants a user name, I use a phrase for a password that is easily remembered, and obviously, different for each site. This is consistent with current password recommendations that CERT specifies and believe it or not, makes it easy, for me anyway, to remember any passwords for which I use a phrase without using a password manager. The only problem is sites that force you to change your password - which is NOT consistent with the current password recommendations of CERT and is considered LESS Secure since on sites where that is the policy, people typically only change 1 character in their password.

That said, I’ve never trusted LastPass. It’s better than nothing, but they run so cheaply that I question they spend enough money on security. Plus, they’re so popular that they draw too much attention to themselves, and they’ve had numerous security incidents over the years. I’ve been using Dashlane for years and have been satisfied with its comparable features. I don’t hear people talk about them nearly as much, and they typically market to Enterprise customers. They’re also never been hacked apparently.

Right there with you. IMO, password managers are for the lazy.

 

[BadThad]

I just use Chrome and a good old pen and paper.

 

[StrikerRocket]

Use a password tool which stores password database *locally* only, like Sticky Password when configured to do so. It can synchronize between machines and mobile via LAN, and nothing is stored on the cloud. Database is stored locally and encrypted.
Keepass is also a good choice, open source, no storage online.

 

[Slappy McPhee]

What would you suggest instead of passwords then? Biometrics?

That's probably more secure but it's ultimately still a form of password just a more complicated type.

They have been discussing other options for the last few years to go passwordless. Far above my pay grade to make suggestions.

 

[Mariabliss]

They have been discussing other options for the last few years to go passwordless. Far above my pay grade to make suggestions.

I was mainly just asking since you suggested it, and I hadn't heard of this concept of passwordless before. It's not as if either of us need to be qualified to have a hypothetical discussion on it after all. But maybe a bit off topic.

Though if we have no password what stops me from taking someone elses bank card and racking up a large bill? Without a pin (aka a password) there's no verification.