LastPass user information exposed in data breach

midian182

Posts: 8,476   +104
Staff member
What just happened? LastPass, the popular password manager that boasts over 33 million customers and 100,000 business users, has been hacked, again. The company says that, unlike the last time, user data was exposed in this latest incident, but the company stresses that passwords were not compromised.

LastPass CEO Karim Toubba writes that LastPass recently detected unusual activity within a third-party cloud storage service that the organization and affiliate GoTo currently share.

It's been determined that the hackers were able to gain access to "certain elements" of customers' data. This was achieved using information acquired from the hack on LastPass in August when cybercriminals took portions of the site's internal source code and documents relating to propriety technical information. The hackers gained access on that occasion using a compromised developer account and snooped around the systems for four days before being discovered and booted.

Any security breach on a password manager is going to raise concerns over stolen passwords, obviously, but LastPass emphasizes that these remain safe thanks to its Zero Knowledge architecture, which ensures only the user knows the master password and encryption occurs only on the device level. As such, LastPass is not recommending that users change their passwords.

Toubba said LastPass is continuing to work on understanding the scope of the incident and identifying what specific information has been accessed. It has engaged leading security firm Mandiant and alerted law enforcement.

Despite being massively popular and an excellent piece of software, this marks another occasion where LastPass' security practices have come under question. In 2019, the company patched a security flaw that could have allowed hackers to scrape login details from the last site users visited. There was also a browser extension vulnerability in 2017.

In December, LastPass users reported that people were attempting to log in to their accounts from unknown locations using their correct master passwords. The company claimed these were likely the result of customers reusing passwords across multiple sites.

If you are a LastPass user concerned by these incidents, downloading the authenticator app to help safeguard your account by requiring two-factor authentication codes when signing in adds an extra layer of protection.

Permalink to story.

 

Hodor

Posts: 418   +300
No worries, nothing tangible has been stolen. Just a bunch of zeroes and ones.
 

Revolution 11

Posts: 235   +329
This is happening often enough with LastPass that it is no longer a coincidence but a security problem with this specific password manager. If I was a LastPass user, I would transfer all my accounts/usernames/passwords to another service, delete my LastPass account, and change my passwords on the new password manager immediately.

This is no longer 2015, there are superior password managers. If you want a paid version, 1Password is superior to anything LastPass has offered for years. If you want a free/open-source version, Bitwarden is the best choice here.
 

bviktor

Posts: 1,152   +1,684
These incidents aren't filling customers with confidence

Actually, they do. ALL companies have breaches, all the time. If you don't hear from your supplier's incidents, all that means that they keep them secret. Transparency is key.
 

bviktor

Posts: 1,152   +1,684
This is happening often enough with LastPass that it is no longer a coincidence but a security problem with this specific password manager. If I was a LastPass user, I would transfer all my accounts/usernames/passwords to another service, delete my LastPass account, and change my passwords on the new password manager immediately.

This is no longer 2015, there are superior password managers. If you want a paid version, 1Password is superior to anything LastPass has offered for years. If you want a free/open-source version, Bitwarden is the best choice here.

You're right, it's no coincidence - it happens because LastPass is the most popular PW manager, and hackers obviously aim for the biggest possible reach.

Nevertheless, from a financial POV Bitwarden definitely makes more sense as it remains free for personal use,even on multiple devices. Also, Lastpass still deson't have an equivalent to Bitwarden Send.
 

PEnnn

Posts: 1,009   +1,358
And yet, every rag seems to push LastPass as their favorite, even after the first major breach! Now we have another breach...where hackers "were able to gain access to "certain elements" of customers' data.'...

Even the lowly and free KeePass beats LastPass any day when it comes to security.
 

waclark

Posts: 781   +487
This is happening often enough with LastPass that it is no longer a coincidence but a security problem with this specific password manager. If I was a LastPass user, I would transfer all my accounts/usernames/passwords to another service, delete my LastPass account, and change my passwords on the new password manager immediately.

This is no longer 2015, there are superior password managers. If you want a paid version, 1Password is superior to anything LastPass has offered for years. If you want a free/open-source version, Bitwarden is the best choice here.
I did exactly that. Just deleted my LastPass account but it's not current as I have been using other means for the past couple of years. Still, I didn't want any vestiges of old passwords hanging around out there. LP has not convinced me that they are secure any more.
 

Slappy McPhee

Posts: 257   +162
This is happening often enough with LastPass that it is no longer a coincidence but a security problem with this specific password manager. If I was a LastPass user, I would transfer all my accounts/usernames/passwords to another service, delete my LastPass account, and change my passwords on the new password manager immediately.

This is no longer 2015, there are superior password managers. If you want a paid version, 1Password is superior to anything LastPass has offered for years. If you want a free/open-source version, Bitwarden is the best choice here.


This is laughable. At least LP is being transparent. The reason why 1Password for example isn't in the news about breaches is that they aren't being targeted as heavily. It will most likely eventually come. There is always someone smarter, stronger hardware, and better software to assist hackers coming down the pike. Who wants to have to change their PW managers and **** around with that type of thing every year or two?
 

Theinsanegamer

Posts: 3,950   +6,951
This is laughable. At least LP is being transparent. The reason why 1Password for example isn't in the news about breaches is that they aren't being targeted as heavily. It will most likely eventually come. There is always someone smarter, stronger hardware, and better software to assist hackers coming down the pike. Who wants to have to change their PW managers and **** around with that type of thing every year or two?
Or, now hear me out on this - LastPass is run like absolute garbage with a leaky codebase that is much easier to crack then the competition.
 

Slappy McPhee

Posts: 257   +162
Or, now hear me out on this - LastPass is run like absolute garbage with a leaky codebase that is much easier to crack then the competition.
With their flexibility comes risk. It is what it is. From what I can tell nobody that I know has actually had their PWs and secured notes in the app compromised. Have to truly wonder what has been and I am sure that it will shake out, but like I said; at least they are being transparent.
 

krisstarr

Posts: 29   +16
Another healthy reminder for those who store everything "in the cloud", that 'the cloud' really means "someone else's hard disk"...
Just deleted my lastpass account - time to find another password manager

I use google Chrome password protection, it is free and it goes with my browser.
I used Last Pass years ago, this must be at least the 3rd major breach since I quit after there first one.
 

trparky

Posts: 1,159   +1,318
And it seems that things just got worse for Lastpass because according to an article over at Betanews.com, not only did the data that was mentioned here get stolen by hackers but also yes, data faults as well.

https://betanews.com/2022/12/23/las...-data-and-password-vaults-grabbed-by-hackers/

Yes, this is about as bad as it possibly can get folks. If you ask me, Lastpass is done. If anyone has any passwords stored by Lastpass, do not pass Go, do not collect $200, change your passwords NOW and delete your Lastpass account now and let Lastpass die. I wouldn't be surprised if Lastpass is dead within the next few months because honestly, there's no walking back from this. Stick a fork in them, they're done.