Users report LastPass master passwords possibly compromised, company assures there's no...

Daniel Sims

Posts: 453   +18
Staff
In brief: LastPass users began reporting login attempts from unknown locations using correct master passwords earlier this week. The password manager company claims these likely came from reused passwords uncovered from unrelated hacks, but some users disagree and have suggested various theories.

LastPass users on the Hacker News forum are reporting login attempts on old and inactive accounts. However, it does not appear to be isolated to defunct credentials. Others report getting email notifications of strange login attempts on newer active accounts.

After looking into the reports, LastPass released a statement claiming it doesn’t think the service itself was compromised. The company believes the credentials came from past unrelated service hacks. Some users on Hacker News say they got login notifications after recently switching to new, unique passwords.

One theory on the forum suggests that someone is exploiting a LastPass browser extension vulnerability through an exceptionally well-crafted phishing site. The site is connected to an IP address associated with more than one of the login attempts, which appears to be from Brazil. Some other attempts came from India, and at least one other came from Thailand.

It's important to note that none of the login attempts have penetrated LastPass' two-factor authentication, which you should probably already be using for any service that offers it. Concerned users should also consider changing their master passwords.

Permalink to story.

 

hahahanoobs

Posts: 4,447   +2,417
I used LastPass when it first came out for a bit then stopped when I thought more about security. Your passwords are never safe with any company, so I went with the biggest names because they have the bigger reputation to protect and bigger bankroll, where this other guys don't have that. I moved to Google [Chrome]and now Microsoft [Edge]. They have the means to do the most. More than any other.

Both are also far bigger targets then the little guys poppin up claiming your data is safe, but no one is safe. You're lying to yourself if you think that. Insurance exists for a reason.

This isn't an I told you so moment, it's the truth. Same applies to browsers. They're all security focused now. Just pick which one you like better for how it improves your productivity, but again, I'd steer towards the established browsers unless you have a specific use for another like having an integrated VPN or adblocker or something. But don't say X browser is more secure than Y browser. Most users are basic users meaning basic security and privacy settings are more than enough for them. No one here can tell anyone EXACTLY what is being blocked at all times from the thousands or millions of places that want your data. It's impossible. You have to just trust your safe, because the only alternative is stay off the internet. The way security and privacy protection is now is fine for 90%+ of us.
 

captaincranky

Posts: 18,739   +7,680
Most users are basic users meaning basic security and privacy settings are more than enough for them. No one here can tell anyone EXACTLY what is being blocked at all times from the thousands or millions of places that want your data. It's
I used to run, "NoScript" with Firefox. It would tell you what scripts were being blocked. But, I simply couldn't log in to my banking sites anymore, while it was running.. So it was secure as all get out,but unfortunately, almost completely unusable.

I don't run Opera in a privacy mode, but then Google has never been able to sell me anything whatsoever with their "Targeted Ads" either

As for passwords, I live alone, (as y'all might expect), they're in a book next to the chair. Sure it's primitive, but it is secure.
 

kiwigraeme

Posts: 1,041   +773
Hopefully people are not using their browser to store such a crucial password - that plus 2FA , and soon coming to the masses "bio keys" of some sort should be enough for most folks
 

ShadowDeath

Posts: 190   +169
Good thing I switched from LastPass to Bitwarden a couple of years ago.

Same, I jumped ship when I realized that the LastPass extensions were the reason why any web browser I used slowed down drastically. Firefox slowed to a halt and Chrome wouldn't be much better. Then one day I noticed I forgot to reinstall it after a format and reinstall of windows. Within a few hours my browsers were slow again. Disabling the extension didn't fix it either. So when I uninstalled it and noticed the problem went away I found Bitwarden and never looked back. Also around that time LastPass went back to 1 device for free users.
 

Dimitrios

Posts: 1,058   +863
I used to run, "NoScript" with Firefox. It would tell you what scripts were being blocked. But, I simply couldn't log in to my banking sites anymore, while it was running.. So it was secure as all get out,but unfortunately, almost completely unusable.

I don't run Opera in a privacy mode, but then Google has never been able to sell me anything whatsoever with their "Targeted Ads" either

As for passwords, I live alone, (as y'all might expect), they're in a book next to the chair. Sure it's primitive, but it is secure.

My method was to add note pad on my cell phone with the word "pass" and there I will have my passwords&screen names or you can always take a pic of it and save the photo on your favorites.
 

ypsylon

Posts: 506   +510
I used to run, "NoScript" with Firefox. It would tell you what scripts were being blocked. But, I simply couldn't log in to my banking sites anymore, while it was running.. So it was secure as all get out,but unfortunately, almost completely unusable.

I don't run Opera in a privacy mode, but then Google has never been able to sell me anything whatsoever with their "Targeted Ads" either

As for passwords, I live alone, (as y'all might expect), they're in a book next to the chair. Sure it's primitive, but it is secure.
Paper + pencil that's the best Password Manager worth investing or a bit more modern for faster search - old notebook with broken NIC & Wi-Fi for extra security :).

Never invested in any cloud/online PM and never will.
 

bexwhitt

Posts: 591   +306
I used LastPass when it first came out for a bit then stopped when I thought more about security. Your passwords are never safe with any company, so I went with the biggest names because they have the bigger reputation to protect and bigger bankroll, where this other guys don't have that. I moved to Google [Chrome]and now Microsoft [Edge]. They have the means to do the most. More than any other.

Both are also far bigger targets then the little guys poppin up claiming your data is safe, but no one is safe. You're lying to yourself if you think that. Insurance exists for a reason.

This isn't an I told you so moment, it's the truth. Same applies to browsers. They're all security focused now. Just pick which one you like better for how it improves your productivity, but again, I'd steer towards the established browsers unless you have a specific use for another like having an integrated VPN or adblocker or something. But don't say X browser is more secure than Y browser. Most users are basic users meaning basic security and privacy settings are more than enough for them. No one here can tell anyone EXACTLY what is being blocked at all times from the thousands or millions of places that want your data. It's impossible. You have to just trust your safe, because the only alternative is stay off the internet. The way security and privacy protection is now is fine for 90%+ of us.
LastPass only keeps your passwords in an encrypted form that needs your master password to unencrypt,
 

RF Match

Posts: 13   +20
Paper + pencil that's the best Password Manager worth investing or a bit more modern for faster search - old notebook with broken NIC & Wi-Fi for extra security :).

Never invested in any cloud/online PM and never will.
Paper & pencil ? That's just too much work for today's work ethic...
 

r00lz

Posts: 9   +2
Paper + pencil that's the best Password Manager worth investing or a bit more modern for faster search - old notebook with broken NIC & Wi-Fi for extra security :).

Never invested in any cloud/online PM and never will.
Using RoboForm and have 840 saved login, and most with generated password. Good luck with paper and pencil :)
 

bexwhitt

Posts: 591   +306
It's hard to use secure passwords with a notebook and if you ask me stupid to try. Like I said a good password manager doesn't have access to your passwords they store the passwords in an encrypted way that needs your master password to decrypt, far safer than a notepad you leave lying around.
 

captaincranky

Posts: 18,739   +7,680
Using RoboForm and have 840 saved login, and most with generated password. Good luck with paper and pencil :)
That's so very special. I don't know where you find the time to participate in that many forums, download from that many torrents, or the money to shop in that many stores, but "happy roboforming". (Or whatevere the f**k it's called). :) .(y) (Y)
 

waclark

Posts: 348   +236
I used LastPass when it first came out for a bit then stopped when I thought more about security. Your passwords are never safe with any company, so I went with the biggest names because they have the bigger reputation to protect and bigger bankroll, where this other guys don't have that. I moved to Google [Chrome]and now Microsoft [Edge]. They have the means to do the most. More than any other.

Both are also far bigger targets then the little guys poppin up claiming your data is safe, but no one is safe. You're lying to yourself if you think that. Insurance exists for a reason.

This isn't an I told you so moment, it's the truth. Same applies to browsers. They're all security focused now. Just pick which one you like better for how it improves your productivity, but again, I'd steer towards the established browsers unless you have a specific use for another like having an integrated VPN or adblocker or something. But don't say X browser is more secure than Y browser. Most users are basic users meaning basic security and privacy settings are more than enough for them. No one here can tell anyone EXACTLY what is being blocked at all times from the thousands or millions of places that want your data. It's impossible. You have to just trust your safe, because the only alternative is stay off the internet. The way security and privacy protection is now is fine for 90%+ of us.
I don't think this is a browser discussion, is it? This is about a password manager, and possibly the LastPass browser extension which would be used with Edge or Chrome. Now, if you're talking about having Edge or Chrome manage passwords that is different. The issue there is not all passwords are entered into a web page in a browser so using Edge or Chrome won't be very useful for that.

While MS and Google do have big reputations to protect, they are also primary targets for attacks so in some ways going with a smaller company may be safer due to not being on hackers radar.
 

Sausagemeat

Posts: 1,597   +1,422
Apple stores my passwords on my account and these are only given up with my face. The only other thing is my gaming PC, which I dont use for online banking or anything critical, I just have my steam, epic, GOG etc accounts on there, all of which have 2 factor authentication.

Writing passwords on a piece of paper is actually probably quite secure these days, at least more so than trusting these small third parties who make money by selling your info. My problem with that is I would probably lose the piece of paper and then lose access to everything.
 

hahahanoobs

Posts: 4,447   +2,417
I don't think this is a browser discussion, is it? This is about a password manager, and possibly the LastPass browser extension which would be used with Edge or Chrome. Now, if you're talking about having Edge or Chrome manage passwords that is different. The issue there is not all passwords are entered into a web page in a browser so using Edge or Chrome won't be very useful for that.

While MS and Google do have big reputations to protect, they are also primary targets for attacks so in some ways going with a smaller company may be safer due to not being on hackers radar.
Both browsers I mentioned have a password manager....