
[WSJ] LastPass, a Password Manager With Millions of Users, Is Hacked (No user data was compromised)

Maiden Voyage

Gold™ Member
Clickbait headline so some editorializing on my part with the thread title.

The company said no information was stolen from its more than 33 million users after an unauthorized party accessed its development environment


LastPass, an online password manager with more than 33 million users, said some of its source code and proprietary information was stolen, but no customer information had been taken.

Karim Toubba, the company’s chief executive, said Thursday that an unauthorized party had accessed LastPass’s development environment through one of its developer’s accounts. Development environments are typically coding workspaces for software engineers.

Mr. Toubba said on the company’s website that LastPass began investigating after noticing unusual activity two weeks ago, and was working with a cybersecurity and forensics firm. He added that the company had implemented additional security measures.

“We have no evidence that this incident involved any access to customer data or encrypted password vaults,” said Nikolett Bacso-Albaum, a company spokeswoman.

LastPass, which is based in Boston, stores encrypted login information that a user can access online with a master password. The company, which offers both free and paid accounts, says that it cannot see its customers’ data.

Security experts recommend using password managers to store unique logins. Hackers often take credentials stolen from one breach to steal from people who use the same logins on multiple platforms. Companies including Apple Inc., Google, 1Password and Dashlane offer password storage services on which someone can access all of their login credentials using a master password.

Mr. Toubba said the LastPass master passwords weren’t compromised because the company doesn’t store them.

The company said in December that some of its users had received emails about unauthorized login attempts. LastPass said that a malicious or bad actor last year may have tried to access user accounts with information obtained from unaffiliated services that had been breached. No information was stolen, the company added.

LastPass was founded in 2008 and has more than 550 employees worldwide, according to its website.
 
Why would anyone use an online password manager that saves all their passwords on a remote server where you have no control?
I use Bitwarden. Yes, it's online which means there is a risk but I am happy to use it. It's open source, zero knowledge, and end to end encrypted (and meets many standards of compliance and certification). They also offer the option to host it on your own systems if you want. That's beyond me so I let them deal with it. It's not 100% safe but how many times has LastPass been compromised now? Anyone who uses it today is only asking for trouble.

I did use KeePass which was 100% local but it was too much trouble to sync between all my devices.

I do keep an eye on Bitwarden and if there are any signs of quality degrading I will go right back to KeePass.
 
Glad I’m still a caveman that uses pen and paper to record important things.
I have my Bitwarden master password written down on a sticky note and kept in a locked box just in case, but I know it. If you asked me what it was I would actually have to think about it, but if I had to type it out right now I could do it with pure muscle memory.

Imagine trusting online services or any corporation in general with your passwords or any private data.
How do you store and manage your passwords?
 

Konnor

Member
I have my Bitwarden master password written down on a sticky note and kept in a locked box just in case, but I know it. If you asked me what it was I would actually have to think about it, but if I had to type it out right now I could do it with pure muscle memory.


How do you store and manage your passwords?

Store them in a file encrypted with VeraCrypt (and before anyone says it, VeraCrypt is incredibly simple, easy to use and free). I manage passwords that don't really matter in Firefox protected with a master password, even though it's not really needed. The passwords that are important are only stored in that aforementioned encrypted file. I also don't store any important passwords on Android because phone OSs are not to be trusted.
 
I use hieroglyphs myself.
I'm going to hack all your devices.

Store them in a file encrypted with VeraCrypt (and before anyone says it, VeraCrypt is incredibly simple). I manage passwords that don't really matter in Firefox protected with a master password, even though it's not really needed. The passwords that are important are only stored in that aforementioned encrypted file. I also don't store any important passwords on Android because phone OSs are not to be trusted.
When I was using KeePass I did think of doing this, but it was too much trouble and I couldn't figure it out. Do you sync between devices? I would ditch Bitwarden if I just used my PC, but I need my passwords to be on my phone/tablet.
 

Konnor

Member
When I was using KeePass I did think of doing this, but it was too much trouble and I couldn't figure it out. Do you sync between devices? I would ditch Bitwarden if I just used my PC, but I need my passwords to be on my phone/tablet.

Yeah, I get it, it's a matter of priorities, just know you can't trust these fuckers. I get inconvenienced sometimes but I've never had a problem with security in my life but then again I don't have a job that requires something like this and I've memorized the most important passwords.

And no, I don't sync anything, it's all on my PC and backups and stays there. If I was going to sync anyway I'd do it only via USB cable and definitely not through some online service's servers. I automatically assume that anything that gets synced through the web is copied to some server and never deleted, and I can't trust corporations with competently encrypting anything.
 

Maiden Voyage

Gold™ Member
Update, seems the breach was worse than originally thought.

In Thursday’s update, the company said hackers accessed personal information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses customers used to access LastPass services. The hackers also copied a backup of customer vault data that included unencrypted data such as website URLs and encrypted data fields such as website usernames and passwords, secure notes, and form-filled data.

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” LastPass CEO Karim Toubba wrote, referring to the Advanced Encryption Scheme and a bit rate that’s considered strong. Zero Knowledge refers to storage systems that are impossible for the service provider to decrypt.

Thursday’s update said that the threat actor could use the source code and technical information stolen from LastPass to hack a separate LastPass employee and obtain security credentials and keys for accessing and decrypting storage volumes within the company’s cloud-based storage service.

Given the sensitivity of the data stored by LastPass, it’s alarming that such a wide breadth of personal data was obtained. While cracking the password hashes would require massive amounts of resources, it's not out of the question, particularly given how methodical and resourceful the threat actor was.
 

analog_future

Resident Crybaby
Jesus Christ, they stole the source code to LastPass? That's huge news, people need to change their passwords immediately!

I got out of there after their previous hack and I'm really glad that I did.


I mean, this definitely isn't good, but exposed passwords are 256-bit AES encrypted, which makes them virtually impossible to access. I'm not a LastPass customer, but there's really nothing to worry about if you are.
 

Maiden Voyage

Gold™ Member
I mean, this definitely isn't good, but exposed passwords are 256-bit AES encrypted, which makes them virtually impossible to access. I'm not a LastPass customer, but there's really nothing to worry about if you are.
LP themselves are saying this is potentially an issue:
Thursday’s update said that the threat actor could use the source code and technical information stolen from LastPass to hack a separate LastPass employee and obtain security credentials and keys for accessing and decrypting storage volumes within the company’s cloud-based storage service.

Given the sensitivity of the data stored by LastPass, it’s alarming that such a wide breadth of personal data was obtained. While cracking the password hashes would require massive amounts of resources, it's not out of the question, particularly given how methodical and resourceful the threat actor was.
 

Pejo

Member
I mean, this definitely isn't good, but exposed passwords are 256-bit AES encrypted, which makes them virtually impossible to access. I'm not a LastPass customer, but there's really nothing to worry about if you are.
Yea the encryption should make it relatively benign, but I know I wouldn't want to hand a safe full of money to a random stranger with unlimited time and feel ok about it. More than that, this really kills trust in the platform. I use Keeper Security, but it brings up a good point for any password manager, you're only as secure as the weakest link. Let's just hope they didn't store the encryption keys/info in the dev environment or somewhere easy to access once they were already "in" the network.
 

SJRB

Gold Member
I mean, this definitely isn't good, but exposed passwords are 256-bit AES encrypted, which makes them virtually impossible to access. I'm not a LastPass customer, but there's really nothing to worry about if you are.

Safeguarding passwords is literally their core business, yet they have been hacked like three times over the last two years.

Not to mention a hack of source code means all kinds of trouble. No one is going to brute-force encryption, but it opens the door to other means.
It just seems to me that LastPass has some critical flaws in their infrastructure.

Why would anyone trust them with what is arguably some of the most important information you can have?
 

Mistake

Member
This reminds me that I need to switch everything over to KeePass soon. Never used LastPass, as I still have 500 passwords.
 

SJRB

Gold Member
What about Bitwarden? I was recommended that most as an alternative to LP.

I have used Bitwarden ever since I left LastPass and I am very happy. The browser integration and overall UI is almost identical, so there's no learning curve.

You can even export your LastPass data and import it into Bitwarden for an easy transition.

Be sure to delete your LastPass data before you leave. Completely nuke that shit. There are tutorials on how to do this.
 

Soodanim

Member
I've been using BW for months now and I find it much better in general. I kept my LP active just in case, but it's definitely time I deleted it. I appreciate the transparency, but I'm never going back and it's nothing but a security risk.

If BW goes to shit I'll probably just stick with KeePass forever. Less convenient in this increasingly phone-based world, but it won't be taken from a mass fault of what are definitely passwords.

Edit: done. If you want to delete your account too, I found it quicker to google for it than find it in the interface.
 

Goalus

Member
I use Microsoft Authenticator. Works great and is extremely convenient as Edge is available on any device.
 

Soodanim

Member
Update, seems the breach was worse than originally thought.
I read this earlier but I didn't fully digest it. That's so bad! Christmas Eve is password changing day then, I guess. I don't remember what I have and haven't changed since I switched over from LP. What a ball ache. It took me ages last time I did all this. Waiting on emails that take ages to arrive, going into Authy on my phone... thanks hackers, that's exactly how I wanted to spend my day.

Thinking about it, I think the reason I didn't digest it fully at first is because it's nothing new for LP. I'm used to them announcing being hacked, which is pretty fucked up.
 

daveonezero

Banned
I read this earlier but I didn't fully digest it. That's so bad! Christmas Eve is password changing day then, I guess. I don't remember what I have and haven't changed since I switched over from LP. What a ball ache. It took me ages last time I did all this. Waiting on emails that take ages to arrive, going into Authy on my phone... thanks hackers, that's exactly how I wanted to spend my day.

Thinking about it, I think the reason I didn't digest it fully at first is because it's nothing new for LP. I'm used to them announcing being hacked, which is pretty fucked up.
They have had multiple leaks or hacks. Not sure why.

1Password seems to be good for a more centralized option. I use this as I got my family on it and it would be a pain to switch to Bitwarden.

Then Bitwarden and KeePass as the next options if you want more configuration.
 

Maiden Voyage

Gold™ Member
Another bad update

Now, almost two months later, GoTo said in an updated statement that the cyberattack impacted several of its products, including business communications tool Central; online meetings service Join.me; hosted VPN service Hamachi, and its Remotely Anywhere remote access tool.


GoTo said the intruders exfiltrated customers’ encrypted backups from these services — as well as the company’s encryption key for securing the data.

“The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information,” said GoTo CEO Paddy Srinivasan. “In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”

Despite the delay, GoTo provided no remediation guidance or advice for affected customers.
 

Pejo

Member
That feeling when you didn't use LastPass for managing your passwords.

That feeling when you use another online password manager and are worried about it also getting compromised.

That feeling when it eventually does get hacked and you have to change every password you ever used.

That feeling when you go back to using a password protected Excel spreadsheet for your passwords.
 
I was considering using a manager, since right now my practice is storing PWs in an encrypted text file on an offline device. The latest news seals the deal that the potential manager won't be LP. I'll look up KP, BW, and other alternatives.
 

Needlecrash

Member
Jesus Christ.

So basically, our LastPass vaults are completely fucked?
Basically, yes. If you're still using LP, change ALL OF YOUR PASSWORDS. And start to shop around for other providers, primarily anything from the European Union (they don't fuck around with privacy due to GDPR).
 

OZ9000

Banned
Basically, yes. If you're still using LP, change ALL OF YOUR PASSWORDS. And start to shop around for other providers, primarily anything from the European Union (they don't fuck around with privacy due to GDPR).
I migrated to Bitwarden 1 month ago. I changed most of my important passwords and have enabled 2FA where possible.

My LastPass master password was very strong. But my question is if the hackers could obtain that?
 

Jennings

Member
Well, switched away from LastPass for the first time since 2008. What an assload of work changing all my passwords. LastPass has saved me a ton of work over the years, but dammit, none of that matters when they permit hackers to expose everything.

I guess now I'm just on a ticking clock till this new password manager of mine gets hacked too.
 

BlackTron

Member
Store them in a file encrypted with VeraCrypt (and before anyone says it, VeraCrypt is incredibly simple, easy to use and free). I manage passwords that don't really matter in Firefox protected with a master password, even though it's not really needed. The passwords that are important are only stored in that aforementioned encrypted file. I also don't store any important passwords on Android because phone OSs are not to be trusted.

Thanks, I hadn't known about VeraCrypt. I still use TrueCrypt. When its website said that it was no longer supported with updates and that you should switch to what was built into Windows 10, that made me MORE inclined to keep using an old version of TrueCrypt. At the time MS even refused to answer questions about whether they would be able to bypass that encryption if they had to. LOL!

I'm not sure if it's REALLY that much less secure because it's old, but I'm not really guarding Fort Knox, I just want something on my local system that you can't just walk up to and take the raw ASCII away from without even trying.
 

Jinzo Prime

Member
Just keeps getting worse.

LastPass says employee’s home computer was hacked and corporate vault taken

Ok, so it looks like the hacker got into the DevOps computer through his Plex media server, installing a keylogger to get his/her master password, and then accessed the Amazon server where some customer password data, usernames, emails, LastPass production backups, and database backups were stored.

Still don't know how many, if any, master passwords were compromised, but this raises serious questions about LastPass security procedures.
 