LastPass says it was hacked, tells users not to worry

midian182

What just happened? LastPass, whose approximately 33 million users and 100,000 business customers make it the world's most popular password manager, has been hacked. The platform's source code and proprietary information were stolen, but the company says there's no evidence the intruder accessed users' encrypted master passwords, vaults, or other data.

LastPass sent an email to users informing them that an unauthorized party had gained access to portions of its development environment. The unusual activity was detected two weeks ago. The hacker took portions of the site's internal source code and documents relating to technical information.

"After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults," states a LastPass blog post.

Unlike the Plex hack reported yesterday, LastPass isn't advising its users to change their passwords—Plex's accessed data did include emails, usernames, and encrypted passwords.

The LastPass intruder gained access through a single compromised developer account, though there are no details on how this happened. The company says it has deployed containment and mitigation measures and engaged a leading cybersecurity and forensics firm. LastPass adds that it has implemented additional enhanced security measures and sees no further evidence of unauthorized activity.

Despite being massively popular and an excellent piece of software, this isn't the first time LastPass has made headlines for the wrong reasons. In 2019, the company patched a security flaw that could have allowed hackers to scrape login details from the last site users visited. There was also a browser extension vulnerability in 2017.

In December, LastPass users began reporting login attempts from unknown locations using their correct master passwords. The company claimed these were likely the result of people reusing passwords across multiple sites—ironically, the very thing password managers are designed to discourage—but others claim they originated from another LastPass browser extension vulnerability.

LastPass users should download the authenticator app to help safeguard their account by requiring two-factor authentication codes when signing in.


 
TL;DR = If you stop using LastPass, you may want to also actually delete your LastPass account.

This news is concerning, of course. I switched over from LastPass to a different password manager some time ago. Then I realized that, even though I am not using the LastPass service anymore, my account was just sitting there, with my sensitive info. So I re-logged back in to LastPass and deleted my account, once I was satisfied with the new one. Others may want to think about that if they are in the same situation.

If you are thinking about getting or changing password managers, I would recommend choosing one that can handle importing/exporting the data so you can more easily change managers in the future. Many of them can do that. And yes, I was able to export the LastPass data, then import it to the new p/w manager fairly easily.

So yeah, make sure you export your login data before deleting the account if you want to keep that info.
 
In December, LastPass users began reporting login attempts from unknown locations using their correct master passwords.
I actually first noticed this about 6 years ago. Somebody simply logged into my LP account from another country, where I never went. Seemed they got in first try. I got no warnings, no notices. My master password was unique for LP too; very long and complex. Found out about it when I took a look at the log-in logs out of curiosity. My PC didn't seem to be compromised, by anything that popular AVs could detect. Computer didn't feel wrong either. As if the hack occurred by using something very simple, or even LP server side.
That's when I decided, **** that service, I'll use KeePass then.
 
Stopped using them a few years back ... just before they changed hands. Their tech is sub-par anyhow.
Also, nothing is hack-proof if the trouble makers work it from the inside. Fact!
 
TL;DR = If you stop using LastPass, you may want to also actually delete your LastPass account.

This news is concerning, of course. I switched over from LastPass to a different password manager some time ago. Then I realized that, even though I am not using the LastPass service anymore, my account was just sitting there, with my sensitive info. So I re-logged back in to LastPass and deleted my account, once I was satisfied with the new one. Others may want to think about that if they are in the same situation.

If you are thinking about getting or changing password managers, I would recommend choosing one that can handle importing/exporting the data so you can more easily change managers in the future. Many of them can do that. And yes, I was able to export the LastPass data, then import it to the new p/w manager fairly easily.

So yeah, make sure you export your login data before deleting the account if you want to keep that info.

Good idea. I was having this exact thought last night reading the email from LP. I switched when LP went to a different pay model, but as you rightfully point out, my password data is still sitting there. Time to clear that crap out.
 
Passwords and vaults were not compromised

Possibly, if they had access to the development environment one has to wonder if they can't use that to reverse engineer access to user data at some point. This is not good for LP and I'd say combined with the negative opinions over their pricing model change, they might rename themselves to Last Leg, as they are just about on their last leg.
 
Account deleted and switched to another 6 months ago.

Turns out I was right about having a bad feeling about LP.
 
This just serves to highlight the risk/reward decision required about passwords and their use. Risks of using third party agents to keep your passwords - as above (for all of them). Rewards - ease of use. Reward of using personally encrypted list (in say spreadsheet or document table format with file encryption) - virtually zero. Cost of personal encryption - minutes, totaling hours annually for personal time. I use a sort of hybrid - keep all my passwords in an Excel spreadsheet, encrypted with the standalone AxCrypt (no longer sold or supported but still available) or WinRAR (paid version) or Microsoft file encryption built into Office, PLUS Firefox Account password manager for cloud storage (to make it slightly easier to automatically enter username and password while using my personal computers). If I need a password generator the best is to take random events from your past and string them together and add a few capital letters and non-alphanumeric characters from your keyboard. So called online "random password generators" are rarely close to random and if their site was hacked like LP's and the source code stolen then the passwords can be compromised.
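The comment above raises the question of where a password generator gets its randomness. The Go program below is an added example (not anything from the thread or from LastPass) of a generator that runs entirely on the user's own machine, draws from the operating system's cryptographic random source, picks characters by rejection sampling so no character is favoured by a modulo bias, and reports the entropy of the result. The alphabet is the 94 printable ASCII characters; the length of 20 is an arbitrary choice for the demonstration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
)

// printableASCII returns the 94 printable ASCII characters '!' through '~'.
func printableASCII() string {
	b := make([]byte, 0, 94)
	for c := byte('!'); c <= '~'; c++ {
		b = append(b, c)
	}
	return string(b)
}

// randomIndex returns a uniformly distributed index in [0, n) using one
// random byte at a time. Bytes at or above the largest multiple of n that
// fits in 0..255 are discarded, because reducing them modulo n would make
// the low indexes slightly more likely than the high ones.
func randomIndex(n int) (int, error) {
	if n <= 0 || n > 256 {
		return 0, errors.New("alphabet size must be between 1 and 256")
	}
	limit := 256 - (256 % n)
	var b [1]byte
	for {
		if _, err := rand.Read(b[:]); err != nil {
			return 0, err
		}
		if int(b[0]) < limit {
			return int(b[0]) % n, nil
		}
	}
}

// generate builds a password of the requested length from the alphabet,
// one independently chosen character at a time.
func generate(length int, alphabet string) (string, error) {
	if length <= 0 {
		return "", errors.New("length must be positive")
	}
	out := make([]byte, length)
	for i := range out {
		idx, err := randomIndex(len(alphabet))
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx]
	}
	return string(out), nil
}

// entropyBits is the strength of a password chosen this way:
// length * log2(alphabet size), assuming every character is independent.
func entropyBits(length int, alphabet string) float64 {
	return float64(length) * math.Log2(float64(len(alphabet)))
}

func main() {
	alphabet := printableASCII()
	pw, err := generate(20, alphabet)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s  (%.1f bits)\n", pw, entropyBits(20, alphabet))
}
```

Because the characters are drawn locally from `crypto/rand`, there is no remote service whose compromise could expose the generated values. The entropy figure is only valid for passwords produced this way; it says nothing about strings assembled by hand.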
 
I use LastPass (moved over from Dashlane a year or so ago). I know there are risks but I have 2FA enabled so that if an unknown device accesses LastPass I'm notified and have to provide approval. That seems a good precaution to me. I don't keep any banking or money info on the site.
 
I have never used a cloud based password manager, and never will, exactly for these reasons, simply can't trust 'em.
Instead I have a simple text file on my computer and phone containing all my logins encrypted via AES-256 with a strong master password. Even if the encrypted file gets stolen, it's protected. ;)
 