Users report LastPass master passwords possibly compromised, company assures there's no...

Daniel Sims

Staff
In brief: LastPass users began reporting login attempts from unknown locations using correct master passwords earlier this week. The password manager company claims these likely came from reused passwords uncovered from unrelated hacks, but some users disagree and have suggested various theories.

LastPass users on the Hacker News forum are reporting login attempts on old and inactive accounts. However, it does not appear to be isolated to defunct credentials. Others report getting email notifications of strange login attempts on newer active accounts.

After looking into the reports, LastPass released a statement claiming it doesn’t think the service itself was compromised. The company believes the credentials came from past unrelated service hacks. Some users on Hacker News say they got login notifications after recently switching to new, unique passwords.

One theory on the forum suggests that someone is exploiting a LastPass browser extension vulnerability through an exceptionally well-crafted phishing site. The site is connected to an IP address, apparently located in Brazil, that is associated with more than one of the login attempts. Some other attempts came from India, and at least one came from Thailand.

It's important to note that none of the login attempts have penetrated LastPass' two-factor authentication, which you should probably already be using for any service that offers it. Concerned users should also consider changing their master passwords.


 
I used LastPass when it first came out for a bit, then stopped when I thought more about security. Your passwords are never safe with any company, so I went with the biggest names because they have the bigger reputation to protect and bigger bankroll, where these other guys don't have that. I moved to Google [Chrome] and now Microsoft [Edge]. They have the means to do the most. More than any other.

Both are also far bigger targets than the little guys popping up claiming your data is safe, but no one is safe. You're lying to yourself if you think that. Insurance exists for a reason.

This isn't an "I told you so" moment, it's the truth. Same applies to browsers. They're all security focused now. Just pick which one you like better for how it improves your productivity, but again, I'd steer towards the established browsers unless you have a specific use for another, like having an integrated VPN or adblocker or something. But don't say X browser is more secure than Y browser. Most users are basic users, meaning basic security and privacy settings are more than enough for them. No one here can tell anyone EXACTLY what is being blocked at all times from the thousands or millions of places that want your data. It's impossible. You have to just trust you're safe, because the only alternative is to stay off the internet. The way security and privacy protection is now is fine for 90%+ of us.
 
Most users are basic users, meaning basic security and privacy settings are more than enough for them. No one here can tell anyone EXACTLY what is being blocked at all times from the thousands or millions of places that want your data. It's
I used to run "NoScript" with Firefox. It would tell you what scripts were being blocked. But I simply couldn't log in to my banking sites anymore while it was running. So it was secure as all get out, but unfortunately, almost completely unusable.

I don't run Opera in a privacy mode, but then Google has never been able to sell me anything whatsoever with their "Targeted Ads" either.

As for passwords, I live alone (as y'all might expect); they're in a book next to the chair. Sure it's primitive, but it is secure.
 
Hopefully people are not using their browser to store such a crucial password. That plus 2FA, and "bio keys" of some sort soon coming to the masses, should be enough for most folks.
 
Good thing I switched from LastPass to Bitwarden a couple of years ago.

Same, I jumped ship when I realized that the LastPass extensions were the reason why any web browser I used slowed down drastically. Firefox slowed to a halt and Chrome wouldn't be much better. Then one day I noticed I had forgotten to reinstall it after a format and reinstall of Windows. Within a few hours of reinstalling it, my browsers were slow again. Disabling the extension didn't fix it either. So when I uninstalled it and noticed the problem went away, I found Bitwarden and never looked back. Also around that time LastPass went back to 1 device for free users.
 
I used to run "NoScript" with Firefox. It would tell you what scripts were being blocked. But I simply couldn't log in to my banking sites anymore while it was running. So it was secure as all get out, but unfortunately, almost completely unusable.

I don't run Opera in a privacy mode, but then Google has never been able to sell me anything whatsoever with their "Targeted Ads" either.

As for passwords, I live alone (as y'all might expect); they're in a book next to the chair. Sure it's primitive, but it is secure.

My method was to add a notepad on my cell phone with the word "pass", and there I will have my passwords & screen names. Or you can always take a pic of it and save the photo in your favorites.
 
I used to run "NoScript" with Firefox. It would tell you what scripts were being blocked. But I simply couldn't log in to my banking sites anymore while it was running. So it was secure as all get out, but unfortunately, almost completely unusable.

I don't run Opera in a privacy mode, but then Google has never been able to sell me anything whatsoever with their "Targeted Ads" either.

As for passwords, I live alone (as y'all might expect); they're in a book next to the chair. Sure it's primitive, but it is secure.
Paper + pencil, that's the best Password Manager worth investing in. Or, a bit more modern for faster search, an old notebook with broken NIC & Wi-Fi for extra security :).

Never invested in any cloud/online PM and never will.
 
I used LastPass when it first came out for a bit, then stopped when I thought more about security. Your passwords are never safe with any company, so I went with the biggest names because they have the bigger reputation to protect and bigger bankroll, where these other guys don't have that. I moved to Google [Chrome] and now Microsoft [Edge]. They have the means to do the most. More than any other.

Both are also far bigger targets than the little guys popping up claiming your data is safe, but no one is safe. You're lying to yourself if you think that. Insurance exists for a reason.

This isn't an "I told you so" moment, it's the truth. Same applies to browsers. They're all security focused now. Just pick which one you like better for how it improves your productivity, but again, I'd steer towards the established browsers unless you have a specific use for another, like having an integrated VPN or adblocker or something. But don't say X browser is more secure than Y browser. Most users are basic users, meaning basic security and privacy settings are more than enough for them. No one here can tell anyone EXACTLY what is being blocked at all times from the thousands or millions of places that want your data. It's impossible. You have to just trust you're safe, because the only alternative is to stay off the internet. The way security and privacy protection is now is fine for 90%+ of us.
LastPass only keeps your passwords in an encrypted form that needs your master password to decrypt,
 
Paper + pencil, that's the best Password Manager worth investing in. Or, a bit more modern for faster search, an old notebook with broken NIC & Wi-Fi for extra security :).

Never invested in any cloud/online PM and never will.
Paper & pencil? That's just too much work for today's work ethic...
 
Paper + pencil, that's the best Password Manager worth investing in. Or, a bit more modern for faster search, an old notebook with broken NIC & Wi-Fi for extra security :).

Never invested in any cloud/online PM and never will.
Using RoboForm and have 840 saved logins, most with generated passwords. Good luck with paper and pencil :)
 
It's hard to use secure passwords with a notebook and, if you ask me, stupid to try. Like I said, a good password manager doesn't have access to your passwords; they store the passwords in an encrypted way that needs your master password to decrypt, far safer than a notepad you leave lying around.
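The vault model this comment and the earlier one describe (the service holds only ciphertext, and only the master password, which never leaves the device, can decrypt it) is shown below as an added Python example. It is not LastPass code and not code from this page. It models the general client-side derivation pattern: PBKDF2 turns the master password and email into a vault key; a second one-way step produces the login hash that is the only credential the server sees, so a stolen server database (verifier plus encrypted blob) cannot be turned back into the vault key. The iteration count, the `VaultServer` class and the HMAC-based encrypt-then-MAC stream construction are constructed for the demo so it runs on the standard library alone; a real vault would use a vetted AEAD such as AES-GCM in their place.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption: demo iteration count, not any vendor's setting


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client-side only: the key that encrypts the vault. Never sent anywhere."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), PBKDF2_ROUNDS)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """The credential the client presents. One more one-way step means the
    server-held value cannot be inverted to recover the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _subkeys(vault_key: bytes):
    # Key separation: one key for confidentiality, one for integrity.
    enc = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (demo stand-in for a real cipher).
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key fails here."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault integrity check failed: wrong master password or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class VaultServer:
    """Hypothetical service: stores only the encrypted blob and a salted hash
    of the login hash. It never sees the master password or the vault key."""

    def __init__(self):
        self._users = {}

    def register(self, email: str, login_hash: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", login_hash, salt, PBKDF2_ROUNDS)
        self._users[email] = (salt, verifier, blob)

    def login(self, email: str, login_hash: bytes):
        rec = self._users.get(email)
        if rec is None:
            return None
        salt, verifier, blob = rec
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, PBKDF2_ROUNDS)
        return blob if hmac.compare_digest(candidate, verifier) else None


def round_trip(email: str, master_password: str, vault_plaintext: bytes, attempt_password: str):
    """Register with master_password, then try to fetch and decrypt the vault
    using attempt_password. Returns (server_accepted, decrypted_or_None)."""
    server = VaultServer()
    key = derive_vault_key(master_password, email)
    server.register(email, derive_login_hash(key, master_password),
                    encrypt_vault(key, vault_plaintext))
    key2 = derive_vault_key(attempt_password, email)
    blob = server.login(email, derive_login_hash(key2, attempt_password))
    if blob is None:
        return False, None
    try:
        return True, decrypt_vault(key2, blob)
    except ValueError:
        return True, None


if __name__ == "__main__":
    # Constructed sample values; the vault contents are made up.
    print(round_trip("user@example.com", "correct horse battery", b"bank: hunter2", "correct horse battery"))
    print(round_trip("user@example.com", "correct horse battery", b"bank: hunter2", "Correct horse battery"))
```

The point for the thread's argument is the second path: a near-miss master password is rejected by the server, and even an attacker who already holds the encrypted blob (say, from a leaked database) gets only an integrity failure from `decrypt_vault` without the right key. What this design cannot protect against is exactly what the article describes: a correct master password reused elsewhere and leaked, which is why the second factor still matters.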
 
Using RoboForm and have 840 saved logins, most with generated passwords. Good luck with paper and pencil :)
That's so very special. I don't know where you find the time to participate in that many forums, download from that many torrents, or the money to shop in that many stores, but "happy roboforming". (Or whatever the f**k it's called). :)
 
I used LastPass when it first came out for a bit, then stopped when I thought more about security. Your passwords are never safe with any company, so I went with the biggest names because they have the bigger reputation to protect and bigger bankroll, where these other guys don't have that. I moved to Google [Chrome] and now Microsoft [Edge]. They have the means to do the most. More than any other.

Both are also far bigger targets than the little guys popping up claiming your data is safe, but no one is safe. You're lying to yourself if you think that. Insurance exists for a reason.

This isn't an "I told you so" moment, it's the truth. Same applies to browsers. They're all security focused now. Just pick which one you like better for how it improves your productivity, but again, I'd steer towards the established browsers unless you have a specific use for another, like having an integrated VPN or adblocker or something. But don't say X browser is more secure than Y browser. Most users are basic users, meaning basic security and privacy settings are more than enough for them. No one here can tell anyone EXACTLY what is being blocked at all times from the thousands or millions of places that want your data. It's impossible. You have to just trust you're safe, because the only alternative is to stay off the internet. The way security and privacy protection is now is fine for 90%+ of us.
I don't think this is a browser discussion, is it? This is about a password manager, and possibly the LastPass browser extension, which would be used with Edge or Chrome. Now, if you're talking about having Edge or Chrome manage passwords, that is different. The issue there is that not all passwords are entered into a web page in a browser, so using Edge or Chrome won't be very useful for that.

While MS and Google do have big reputations to protect, they are also primary targets for attacks, so in some ways going with a smaller company may be safer due to not being on hackers' radar.
 
Apple stores my passwords on my account and these are only given up with my face. The only other thing is my gaming PC, which I don't use for online banking or anything critical; I just have my Steam, Epic, GOG etc. accounts on there, all of which have 2 factor authentication.

Writing passwords on a piece of paper is actually probably quite secure these days, at least more so than trusting these small third parties who make money by selling your info. My problem with that is I would probably lose the piece of paper and then lose access to everything.
 
I don't think this is a browser discussion, is it? This is about a password manager, and possibly the LastPass browser extension, which would be used with Edge or Chrome. Now, if you're talking about having Edge or Chrome manage passwords, that is different. The issue there is that not all passwords are entered into a web page in a browser, so using Edge or Chrome won't be very useful for that.

While MS and Google do have big reputations to protect, they are also primary targets for attacks, so in some ways going with a smaller company may be safer due to not being on hackers' radar.
Both browsers I mentioned have a password manager....