Topic: Hackers stolen Last Pass users passwords and sensitivw information (Read 194 times)
February 28, 2023, 06:05:42 PM
It was pretty clear to anyone (I would think anyway) that it was an absolutely horrible idea to put a ton of user passwords for different sites all in one place. I always wondered what sort of person would think that this was a good idea. The cynic in me might even believe the entire company was created just to amass passwords which would later be sold and a "hack" would be blamed. I have no idea where their revenue came from because it was a horrible idea from the start so I never looked into it, but I'd imagine that selling the info they had was much more profitable than keeping it safe. Sometimes you have to use your brain a little and think about people's motivations. I can't think of any good motivation for wanting everyone's passwords for every site...
February 28, 2023, 06:01:50 PM
To surprise of almost no one, LastPass was once again hacked[1]. Regarding the data that was accessed:
[1]https://thehackernews.com/2023/02/lastpass-reveals-second-attack.html
[2]https://libreddit.spike.codes/r/Lastpass/comments/11dijpn/comment/ja9wosu/
[3]https://github.com/bitwarden
[4]https://bitwarden.com/blog/third-party-security-audit/
Quote
"Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud storage environment," LastPass said, adding the engineer "had access to the decryption keys needed to access the cloud storage service."
This allowed the malicious actor to obtain access to the AWS S3 buckets that housed backups of LastPass customer and encrypted vault data, it further noted.
Not only is this another breach of their users private information (it doesn't matter if that information is encrypted or not), they had the lack of respect to only notify some users first and ask them to keep quiet about this hack[2]:This allowed the malicious actor to obtain access to the AWS S3 buckets that housed backups of LastPass customer and encrypted vault data, it further noted.
Quote
Dear Valued Customer,
We are writing to update you on our recent security incident. We are giving you advance notification because we recognize that, as LastPass Managed Service Providers, you may need additional time to prepare your organization. With that in mind, we are providing you with full visibility in advance of our general announcement.
Our announcement will include the following:
An important update on our investigation into the security incident disclosed on December 22 on our blog. The new blog post will share that we have now completed an exhaustive investigation and have not seen any threat actor activity since October 26. It will also provide additional detail as to what happened and the actions we have taken in response, what data was accessed, what we have done to secure LastPass, actions we are recommending customers take to protect themselves or their businesses, and what you can expect from us going forward. You can preview the blog post here.
A detailed Security Bulletin designed to help you assess what actions you should take to protect your business. This Security Bulletin outlines several areas of recently discovered potential risks related to the incident, including risks related to enterprise account configurations, user settings, third-party integrations, and multifactor authentication data. You should review this document and take the appropriate actions given your specific security posture and environment. You can preview the Security Bulletin here.
Given the sensitive nature of this information and to give you time to implement the Security Bulletin changes, we ask that you please treat this information as confidential until it becomes available to the public later this week. Thank you for your attention to this matter and for your on-going partnership.
Thank you,
The Team at LastPass
If after all this mess anyone reading this message is still a customer of this company, I highly advice you to switch to another provider and update all your credentials that you had stored there. If you're unsure where you start, I highly recommend Bitwarden[3] (just now they've released a blog post detailing how commuted they are with annual third-party audits (you can also check their previous security assessments).We are writing to update you on our recent security incident. We are giving you advance notification because we recognize that, as LastPass Managed Service Providers, you may need additional time to prepare your organization. With that in mind, we are providing you with full visibility in advance of our general announcement.
Our announcement will include the following:
An important update on our investigation into the security incident disclosed on December 22 on our blog. The new blog post will share that we have now completed an exhaustive investigation and have not seen any threat actor activity since October 26. It will also provide additional detail as to what happened and the actions we have taken in response, what data was accessed, what we have done to secure LastPass, actions we are recommending customers take to protect themselves or their businesses, and what you can expect from us going forward. You can preview the blog post here.
A detailed Security Bulletin designed to help you assess what actions you should take to protect your business. This Security Bulletin outlines several areas of recently discovered potential risks related to the incident, including risks related to enterprise account configurations, user settings, third-party integrations, and multifactor authentication data. You should review this document and take the appropriate actions given your specific security posture and environment. You can preview the Security Bulletin here.
Given the sensitive nature of this information and to give you time to implement the Security Bulletin changes, we ask that you please treat this information as confidential until it becomes available to the public later this week. Thank you for your attention to this matter and for your on-going partnership.
Thank you,
The Team at LastPass
[1]https://thehackernews.com/2023/02/lastpass-reveals-second-attack.html
[2]https://libreddit.spike.codes/r/Lastpass/comments/11dijpn/comment/ja9wosu/
[3]https://github.com/bitwarden
[4]https://bitwarden.com/blog/third-party-security-audit/
December 27, 2022, 01:33:30 PM
Hackers got Employees keys , customers passwords, name, billing information, email..
What the fuck! This is a password manager. How does this kind of shit happens?
And why do people share so much sensitive information (such as billing information) with a password manager?
I stopped using LastPass ages ago, and I am glad I did it, even if I never saved really important information there.What the fuck! This is a password manager. How does this kind of shit happens?
And why do people share so much sensitive information (such as billing information) with a password manager?
Most people use password managers as one-in-all solution for saving everything, and they trust ''the cloud'' aka other people computers
Keypass and bitwarden are probably the best.
Is it Keypass or KeePass? 
My vote goes for KeypassXC for desktop and KeePassDX for mobile devices.
Both of them are free open source and easy to use, without the need to trust same ''safu'' servers and websites.
One more plus for this apps is they all accept Bitcoin donations!
December 27, 2022, 12:43:14 PM
I saw this news few days ago and thought to myself "this is exactly the reason why I don't trust any of those pass managers and still prefer old school way of writing down passwords on a piece of paper". Yeah I understand that there are pretty good open-source solutions and that my way of storing passwords has its set of problems too, but I simply don't trust any program to do it for me.
December 27, 2022, 11:32:49 AM
. Besides the dreadful fact that the hacker may be able to, at some point, at least break weak passwords on the vault’s backup, they seemingly have access in cleartext to all the urls being stored.
Url should be encrypted with the passwords. Obviously
Are they storing navigation data as well?
December 27, 2022, 11:05:03 AM
This is the risk when we use these third party softwares and it's security can be compromised any time resulting in these types of scenarios.I remember at the time of mailchimp hack the employee ID was compromised and hacker have the access of database which further resulted in Ledger account holder getting phissy mails and scam happened.
Password manager helps you in lot way to manage and generate password without the need of memorizing them but it also possess these risk in which we believe the traditional methods are more safe.
If we speak about how they get your sensative information then I think when they ask for permission or have long box of terms we simply agree to it giving them access to our device and some of them might be using it themselves for hacking purposes.The hackers will always target these software gaining access to users data so it's not advisable to have any of unknown password managers on your device and use security measures to extend possible.
Password manager helps you in lot way to manage and generate password without the need of memorizing them but it also possess these risk in which we believe the traditional methods are more safe.
If we speak about how they get your sensative information then I think when they ask for permission or have long box of terms we simply agree to it giving them access to our device and some of them might be using it themselves for hacking purposes.The hackers will always target these software gaining access to users data so it's not advisable to have any of unknown password managers on your device and use security measures to extend possible.
December 27, 2022, 10:55:55 AM
As long as the password manager is open source, has been used by many people and can be accessed in offline, it's safe. But no matter what, I always skepticism to store my password in digital form, I always feel it's not 100% safe.
But since I have many password and it will not be comfortable to always open my physical paper, I split my password on different password manager.
So let's say the password is: Bitcointalkorg
I will save "Bitcoin" in Keepass, "talk" in Bitwarden, and "org" in Password safe.
But since I have many password and it will not be comfortable to always open my physical paper, I split my password on different password manager.
So let's say the password is: Bitcointalkorg
I will save "Bitcoin" in Keepass, "talk" in Bitwarden, and "org" in Password safe.
December 27, 2022, 08:10:55 AM
as the hackers have already reached the database, how can we believe that they will not crack the "master" password? once things like this are compromised, I think it's impossible to repair reputation and trust.
Yeah, and it is closed source, we can't know for sure if our master password isn't in their servers and if they leaked or not.
But theoretically, passwords are safe and encrypted behind this master password. If it is a strong one , they are still relatively safe.
December 27, 2022, 07:25:49 AM
this seems a bit comical. they exist with only one purpose and have one task, which is to save the keys. Now they failed to do it.
I have never had confidence in such services, mostly for such reasons.
as the hackers have already reached the database, how can we believe that they will not crack the "master" password? once things like this are compromised, I think it's impossible to repair reputation and trust.
I have never had confidence in such services, mostly for such reasons.
Quote
LastPass said customers’ password vaults are encrypted and can only be unlocked with the customers’ master password, which is only known to the customer. But the company warned that the cybercriminals behind the intrusion “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.”
as the hackers have already reached the database, how can we believe that they will not crack the "master" password? once things like this are compromised, I think it's impossible to repair reputation and trust.
December 27, 2022, 06:58:00 AM
No one is safe entrusting third parties for sensitive data. I have never used any password manager so far and probably never will. Even if someone says some tools are quite safe, I tend to believe in simpler ways without involving other people and parties.
Recently twitter customer data was hacked and will be sold on black market, I also heard that CMC customer data is also hacked and sold, meaning that there is no online platform which is totally safe for our personal data. Even our KYC data on several online platforms such as exchange and casino can also be misused, so we must really take care of our own security by avoiding it as much as possible.
Recently twitter customer data was hacked and will be sold on black market, I also heard that CMC customer data is also hacked and sold, meaning that there is no online platform which is totally safe for our personal data. Even our KYC data on several online platforms such as exchange and casino can also be misused, so we must really take care of our own security by avoiding it as much as possible.
December 27, 2022, 06:49:50 AM
I have never used password managers and no matter how normal and desirable some people think it is, good old paper and quality ink have always served me well. To some, it may seem old-fashioned and less effective, considering that most of you have a lot of passwords these days, but for me it is better to spend a little more time on finding the password and typing it, than to trust companies that are more than obviously vulnerable.
As always, the man proves to be the weakest link in everything, because the hackers obviously had their target in one of the company's employees, and he is the one to blame for the fact that they managed to get all that data. One such weak link exists in most companies, it's only a matter of time when someone will take advantage of it.
As always, the man proves to be the weakest link in everything, because the hackers obviously had their target in one of the company's employees, and he is the one to blame for the fact that they managed to get all that data. One such weak link exists in most companies, it's only a matter of time when someone will take advantage of it.
December 27, 2022, 05:44:12 AM
In a recent notice from LastPass on the matter that I read a few days ago, there’s a detail that caught my attention, that is also summarized in the OP’s quote. Besides the dreadful fact that the hacker may be able to, at some point, at least break weak passwords on the vault’s backup, they seemingly have access in cleartext to all the urls being stored.
Now if this url data can be associated to the customer identification data that they mention in the last paragraph (unencrypted presumably), then they can create a pretty targeted database for phishing/smishing, whereby they’d be able to tailor the phishing message to a particular site that the user has an account on, with a wide variery of choices derived from the complete dataset.
Now if this url data can be associated to the customer identification data that they mention in the last paragraph (unencrypted presumably), then they can create a pretty targeted database for phishing/smishing, whereby they’d be able to tailor the phishing message to a particular site that the user has an account on, with a wide variery of choices derived from the complete dataset.
December 27, 2022, 05:40:18 AM
There's no doubt that hackers can come in through any means to operate including routes from centralized exchanges, cloud storage, and any other know security means we adopt for storing our keys to the wallet on blockchain, that's why you see many people loosing their assets and falling hands of hacker because they were not been careful enough when trying to secure their key the makes it more vulnerable for an attack.
December 27, 2022, 04:21:47 AM
I like writing down my passwords in a book and still use 2FA code to log into any platform or website, I believe this is the safest way to stay secured online when it comes to passwords and log in, as for my email account I use for receiving log in verification I still use 2Fa google Auth and limited login device under security settings.
December 27, 2022, 02:02:20 AM
Many transactions are done online nowadays and a lot of companies relied on their service. I even read in a group that an outsourced virtual worker lost a long-time client because of the breach. There are probably millions of dollars lost by private companies who used Last Pass.
I just thought that paid service like LastPass have better security than free service password manager.
It remains true in most cases. They usually have more resources to invest in data security compared to those offering it for free. 
December 26, 2022, 11:29:23 PM
I just thought that paid service like LastPass have better security than free service password manager. Currently I'm using bitwarden and all good and I'm also using chrome password manager but i don't recommended this.
“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”
Qoute from : https://cointelegraph.com/news/lastpass-attacker-stole-password-vault-data-showing-web2-s-limitations
“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”
Qoute from : https://cointelegraph.com/news/lastpass-attacker-stole-password-vault-data-showing-web2-s-limitations
December 26, 2022, 11:22:14 PM
It is sensitive to store passwords at servers of any company.
I write my password on paper, store them at home and I have my own banks, own backups. Online hackers can not hack my wallet, can not steal my passwords. They can't.
Basic backups are enough.
Let us not forget that password managers are not exclusively about "storing" your logins, passwords, and other sensitive information. They also help you organize your passwords and generate them in a secure manner using strong random number generators. They protect you from reusing passwords: they will warn you if some of your passwords aren't unique, and they incentivize you to change your credentials more frequently. They offer auto-filling functionality that is very handy and also may theoretically protect you from keyloggers since you no longer need to enter information manually with the keyboard. This is not to say that I am in support of LastPass (I stopped using this password manager a long time ago), but DIY solutions like pieces of paper with passwords written on them don't guarantee that your passwords are unhackable and random because the human brain can't do real randomness. I write my password on paper, store them at home and I have my own banks, own backups. Online hackers can not hack my wallet, can not steal my passwords. They can't.
Basic backups are enough.
December 26, 2022, 10:50:25 PM
It is sensitive to store passwords at servers of any company.
I write my password on paper, store them at home and I have my own banks, own backups. Online hackers can not hack my wallet, can not steal my passwords. They can't.
Basic backups are enough.
I write my password on paper, store them at home and I have my own banks, own backups. Online hackers can not hack my wallet, can not steal my passwords. They can't.
Basic backups are enough.
December 26, 2022, 10:21:36 PM
I heard this last week one of our manager posted on our telegram group, i myself would not trust any third party software to keep my data, just like my saying a secret is not a secret once shared with a person, i would leak eventually, sooner or later, you're pc could be infected with a virus and stole your precious data, no one is safe forever, they could have been breaching that for a long time and finally the last defense falls and that goes your data to the black market.
December 26, 2022, 06:21:27 PM
We should never trust our data to those big corporations.
It is not a matter of trust; rather, it is a matter of verifying the type of password manager we use; is it open source? Is it AES-256 encrypted end-to-end? These are questions that anyone should consider before storing or using a password manager for sensitive information. Is it necessary to have one for those of us who have multiple social accounts, as well as for those of us who use different passwords for each of our online accounts? You need a password manager if you are the type who uses "forgot password" after a short period of time. Last time I checked, Last Pass was not open source, which is a red flag.
Bitwarden; is one of the best and this is what i use ( open source )
If these companies are not held accountable for selling and leaking private data to hackers, these "oh we got hacked" BS excuses will continue, and people will continue to lose money and private documents to criminals.
Jump to: