LastPass breach: it's worse than initially thought

Alfonso Maruccia

Facepalm: LastPass, one of the most popular password manager services out there, was breached this past August. The company is now saying that the damage done by the unknown hackers is much worse than was initially assessed. Users should change their passwords as soon as possible.

In the original report about the data breach incident discovered in August, LastPass said that "only" the company's source code and proprietary information were compromised; users' data and passwords were untouched. Now, a follow-up security notice on that same incident says otherwise: the malicious actors were able to access some users' data too.

The attackers obtained a cloud storage access key and dual storage container decryption keys, LastPass says. With the stolen keys, they were able to go further and copy a backup that contained "basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service."

The cyber-criminals were also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format. The container holds both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-fill data. The unencrypted URLs are not harmless: they tell an attacker which sites each user holds accounts on, which is enough to pick high-value targets and to tailor phishing against them.

However, LastPass said, the encrypted fields "remain secure" even in cyber-criminals' hands, as they were encrypted with 256-bit AES and "can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture." Zero Knowledge means that LastPass never holds the master password needed to decrypt the data: the key is derived from it on the user's device, and decryption itself is performed only in the local LastPass client, never on LastPass's servers.

Credit card data is handled separately: LastPass says it stores only partial card data, in a different cloud environment, and there is no indication so far that it was accessed. All things considered, LastPass is trying to send the message that, despite the extended breach of the company's platform, users' encrypted data should still be safe from any nefarious intent.

That is not to say that the breach carries no risk, however. Because the attackers now hold a copy of the encrypted vaults, a determined malicious actor could try to brute-force users' master passwords offline, deriving a candidate key from each guess and testing it against the stolen data. LastPass says such an attempt would be "extremely difficult" because the company routinely tests "the latest password cracking technologies against our algorithms to keep pace with and improve upon our cryptographic controls." In practice, the difficulty depends on two things only: the strength of the individual user's master password and the cost of the key derivation function, since the salt and iteration settings travel with the stolen vault.
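The following added example (written for this page, not LastPass's code) makes the two preceding paragraphs concrete: a vault key derived from a master password, vault fields where the URL stays in the clear while the secrets are encrypted, and the attacker's offline guessing loop against a stolen copy. It assumes PBKDF2-HMAC-SHA256 as the key derivation function with the account e-mail as salt, and, because Python's standard library has no AES, a keyed-hash stream cipher with an HMAC tag stands in for AES-256. The sample vault entries and wordlist are constructed for the demonstration.

```python
"""Offline guessing against a stolen zero-knowledge vault (added example).

Assumptions not taken from the article: PBKDF2-HMAC-SHA256 with the iteration
count as the tunable cost, the account e-mail as salt, and an HMAC-based stream
cipher standing in for AES-256 (the standard library ships no AES).
"""
import hashlib
import hmac
import secrets
import time


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the 256-bit vault key on the client; the master password never leaves it."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _subkeys(vault_key: bytes):
    # Separate confidentiality and integrity keys, both bound to the vault key.
    enc = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(vault_key: bytes, plaintext: str) -> bytes:
    """Return nonce || ciphertext || tag (stand-in for the AES-256 field encryption)."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(vault_key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong (tag check fails)."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def build_vault(email: str, master_password: str, iterations: int, entries):
    """Mirror the container layout the article describes: URL in the clear, secrets encrypted."""
    key = derive_vault_key(master_password, email, iterations)
    return {
        "email": email,            # stolen with the vault, so the attacker has the salt
        "iterations": iterations,  # stored too, so the attacker knows the KDF cost
        "entries": [
            {"url": url, "username": encrypt_field(key, user), "password": encrypt_field(key, pw)}
            for url, user, pw in entries
        ],
    }


def offline_guess(vault: dict, wordlist):
    """Attacker's loop: one full PBKDF2 run per guess, tested against one stolen field.
    Returns (master_password_or_None, guesses_tried)."""
    probe = vault["entries"][0]["username"]
    tried = 0
    for guess in wordlist:
        tried += 1
        key = derive_vault_key(guess, vault["email"], vault["iterations"])
        if decrypt_field(key, probe) is not None:
            return guess, tried
    return None, tried


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Rough single-core guess rate at a given iteration count (timing only, not asserted)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"bench{i}", "bench@example.com", iterations)
    return samples / (time.perf_counter() - start)


# Constructed sample data: one vault behind a dictionary word, one behind a random
# passphrase, at a deliberately low iteration count so the example runs quickly.
SAMPLE_ENTRIES = [
    ("https://bank.example.com", "alice", "hunter2-bank"),
    ("https://mail.example.com", "alice@example.com", "hunter2-mail"),
]
WORDLIST = ["password", "letmein", "123456", "sunshine", "dragon", "qwerty123", "welcome1"]
WEAK_VAULT = build_vault("alice@example.com", "sunshine", 1000, SAMPLE_ENTRIES)
STRONG_VAULT = build_vault("alice@example.com", "vivid-otter-canyon-7F2", 1000, SAMPLE_ENTRIES)

if __name__ == "__main__":
    print("URLs readable without any key:", [e["url"] for e in WEAK_VAULT["entries"]])
    print("weak vault:", offline_guess(WEAK_VAULT, WORDLIST))
    print("strong vault:", offline_guess(STRONG_VAULT, WORDLIST))
    for iters in (5000, 100100):
        print(f"{iters:>7} iterations: ~{guesses_per_second(iters):.1f} guesses/s on this core")
```

Running it shows the point the article makes only in words: the weak vault falls on the fourth guess, the strong one survives the whole list, and the URLs are readable before a single guess is made. The attacker holds the salt and the iteration count, so nothing about the service limits the attack rate; only the master password's entropy and the KDF cost do, which is why the iteration count matters as much as the password itself. Real cracking rigs run many guesses in parallel on GPUs, so the single-core rates printed here are a lower bound on what an attacker can do.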

There are additional risks in the form of phishing and of credential-stuffing or brute-force attacks against the online accounts listed in users' LastPass vaults. LastPass remarked that it will never call, email, or text a user and ask them to click on a link to verify their personal information, and will never ask for a vault's master password. As a precaution, users of the online password manager are advised to change their master password and all the passwords stored in the vault anyway.


 
These guys get hit too often. That's why I dropped them a while back and Uber just a couple days ago.
 
Good thing I dumped that leaky pig for Bitwarden and never looked back.

And they switched to a fully paid version too!!
 
Any of these services will eventually be compromised, I am shocked people actually use them.
Many people prefer not to use the same password for every service/page. Me, for example: I have like 400 passwords for different pages/services/etc. and I do not want to store all those in a text file on a local PC. Sure, you can do that, but some of these password managers are cross-platform, so they are available on all the platforms necessary.
 
At this point literal paper notebook is the best online security ironically.

Yeah I only save locally and copy down passwords, but with how often a lot of sites require password changes and the ridiculous requirements for each password---when they're the ones that keep getting hacked---I just generate the password in the browser and figure I'll just use the reset password option when needed. I also don't have many accounts, and for unimportant stuff I use a throwaway email and never put in any personal info or payment info. I also use a VPN, adblock and script blocking to protect my privacy. Even then these companies will get hacked, give away your info, and then all they ever do is offer credit monitoring months later without telling you when a breach happens, so you might already have had a potential fraudulent charge. This is why I also mostly just buy off Amazon, they never seem to have a security breach, but virtually every other online retailer I've ever used seems to.

Even then your employer might just sell your data or give it away, so you're still not totally safe. Until there are real, stiff punishments for not protecting customer data, this will keep happening. It has nothing to do with password strength, that's moving the onus off the company and into the user in most cases.
 
Many people prefer not to use the same password for every service/page. Me, for example: I have like 400 passwords for different pages/services/etc. and I do not want to store all those in a text file on a local PC. Sure, you can do that, but some of these password managers are cross-platform, so they are available on all the platforms necessary.

The best way to do it would be with a text file that's stored in a cloud service and on your computer. You'd use a program like WinRAR to add a complex password to the file that "ONLY YOU" would know and it would be very hard to crack. If someone did happen to hack the free file storage company that you're using they'd just see a zipped-up folder called "my taco list" and not even waste their time trying to open the file.
Also keep in mind that it's actually just easier to hack the password providers you're using than to waste their time browsing your computer for a file containing all your passwords; being able to hide it also makes it not worth their time.
 
These guys get hit too often. That's why I dropped them a while back and Uber just a couple days ago.
Popular stuff gets hit often.

Also, if you don't get reports about a company's incident, that doesn't mean they never get hacked, it means they keep those incidents secret. If you think the latter is more desirable, be my guest to use them.
 
It makes perfect sense: there will be more and more people who put all of their passwords in apps like this. It means hacking into it is the best way to steal as many passwords as possible.
Not very good for people, because you can't remember very complex passwords and can't trust apps that will be hacked.
 
Popular stuff gets hit often.

Also, if you don't get reports about a company's incident, that doesn't mean they never get hacked, it means they keep those incidents secret. If you think the latter is more desirable, be my guest to use them.
Popular and competent are two diff things.
Don't ignore obvious red flags!
 
Such services will always be a very enticing target for attackers, especially if they are closed source and not audited. That is why it is always better to either use a local open-source password manager or use an open-source service with zero-knowledge encryption.
 
You don't want to store your passwords on your PC because that is not secure, so you store your passwords in a cloud (someone else's PC you have no control over). Brilliant thinking.
 
The best password manager is yourself. In general if you want the job done right do it yourself.
The best way to do it would be with a text file that's stored in a cloud service and on your computer. You'd use a program like WinRAR to add a complex password to the file that "ONLY YOU" would know and it would be very hard to crack. If someone did happen to hack the free file storage company that you're using they'd just see a zipped-up folder called "my taco list" and not even waste their time trying to open the file.
Also keep in mind that it's actually just easier to hack the password providers you're using than to waste their time browsing your computer for a file containing all your passwords; being able to hide it also makes it not worth their time.


Why do people suggest more complicated methods to store passwords?

As much as you can remember, you can't remember passwords for tens or hundreds of sites, unless you use the same password for multiple sites, which is a bad, bad way.

Using methods that keep the database locally, and don't sync or autofill on browsers is just an inconvenience.

Online password managers, with a correctly implemented zero-knowledge protection scheme, are still a more secure and convenient way to use the internet.
 
Any software can be hacked, so I use a writing notebook, like the ones for language learning with an A, B, C, ... register. You can only lose it.
 
A friend of mine ran into a lot of problems with this Lastpass joke. He has to change all of his credit cards, bank pins, passwords, etc., and move to another password manager. Thank God all my stuff is safe with Kaspersky.
 
You don't want to store your passwords on your PC because that is not secure, so you store your passwords in a cloud (someone else's PC you have no control over). Brilliant thinking.
Yes, you are right. But unfortunately, a guy like me with 120+ passwords, pins, etc. cannot deal with all that stuff without an online password manager. For now, it is the best invention we have. It is not perfect, anyway.
 
Yes, you are right. But unfortunately, a guy like me with 120+ passwords, pins, etc. cannot deal with all that stuff without an online password manager. For now, it is the best invention we have. It is not perfect, anyway.
What about offline password managers? I got 349, not that I use all of them, of course.
 
What about offline password managers? I got 349, not that I use all of them, of course.
I considered that, but it's troublesome to share with other people in your family. Online is automatically done for everyone accessing the vault.
 
I considered that, but it's troublesome to share with other people in your family. Online is automatically done for everyone accessing the vault.
Security vs. Convenience, there's always going to be a tradeoff.
 