Topic: Hackers stole LastPass users' passwords and sensitive information

donator
Activity: 4760
Merit: 4323
Leading Crypto Sports Betting & Casino Platform
It was pretty clear to anyone (I would think anyway) that it was an absolutely horrible idea to put a ton of user passwords for different sites all in one place.  I always wondered what sort of person would think that this was a good idea.  The cynic in me might even believe the entire company was created just to amass passwords which would later be sold and a "hack" would be blamed.  I have no idea where their revenue came from because it was a horrible idea from the start so I never looked into it, but I'd imagine that selling the info they had was much more profitable than keeping it safe.  Sometimes you have to use your brain a little and think about people's motivations.  I can't think of any good motivation for wanting everyone's passwords for every site...
legendary
Activity: 1148
Merit: 3117
To the surprise of almost no one, LastPass was once again hacked[1]. Regarding the data that was accessed:
Quote
"Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud storage environment," LastPass said, adding the engineer "had access to the decryption keys needed to access the cloud storage service."

This allowed the malicious actor to obtain access to the AWS S3 buckets that housed backups of LastPass customer and encrypted vault data, it further noted.
Not only is this another breach of their users' private information (it doesn't matter if that information is encrypted or not), they had the lack of respect to only notify some users first and ask them to keep quiet about this hack[2]:
Quote
Dear Valued Customer,

We are writing to update you on our recent security incident. We are giving you advance notification because we recognize that, as LastPass Managed Service Providers, you may need additional time to prepare your organization. With that in mind, we are providing you with full visibility in advance of our general announcement.

Our announcement will include the following:

    An important update on our investigation into the security incident disclosed on December 22 on our blog. The new blog post will share that we have now completed an exhaustive investigation and have not seen any threat actor activity since October 26. It will also provide additional detail as to what happened and the actions we have taken in response, what data was accessed, what we have done to secure LastPass, actions we are recommending customers take to protect themselves or their businesses, and what you can expect from us going forward. You can preview the blog post here.

    A detailed Security Bulletin designed to help you assess what actions you should take to protect your business. This Security Bulletin outlines several areas of recently discovered potential risks related to the incident, including risks related to enterprise account configurations, user settings, third-party integrations, and multifactor authentication data. You should review this document and take the appropriate actions given your specific security posture and environment. You can preview the Security Bulletin here.

Given the sensitive nature of this information and to give you time to implement the Security Bulletin changes, we ask that you please treat this information as confidential until it becomes available to the public later this week. Thank you for your attention to this matter and for your on-going partnership.

Thank you,

The Team at LastPass
If after all this mess anyone reading this message is still a customer of this company, I highly advise you to switch to another provider and update all the credentials that you had stored there. If you're unsure where to start, I highly recommend Bitwarden[3] (just now they've released a blog post[4] detailing how committed they are to annual third-party audits; you can also check their previous security assessments).

[1]https://thehackernews.com/2023/02/lastpass-reveals-second-attack.html
[2]https://libreddit.spike.codes/r/Lastpass/comments/11dijpn/comment/ja9wosu/
[3]https://github.com/bitwarden
[4]https://bitwarden.com/blog/third-party-security-audit/
legendary
Activity: 2212
Merit: 7064
Hackers got employees' keys, customers' passwords, names, billing information, emails...
What the fuck! This is a password manager. How does this kind of shit happen?
And why do people share so much sensitive information (such as billing information) with a password manager?
I stopped using LastPass ages ago, and I am glad I did it, even if I never saved really important information there.
Most people use password managers as an all-in-one solution for saving everything, and they trust ''the cloud'', aka other people's computers.

Keypass and bitwarden are probably the best.
Is it Keypass or KeePass?
My vote goes to KeePassXC for desktop and KeePassDX for mobile devices.
Both of them are free, open source and easy to use, without the need to trust some ''safu'' servers and websites.
One more plus for these apps is that they all accept Bitcoin donations!
legendary
Activity: 1722
Merit: 5937
I saw this news a few days ago and thought to myself "this is exactly the reason why I don't trust any of those password managers and still prefer the old-school way of writing down passwords on a piece of paper". Yeah, I understand that there are pretty good open-source solutions and that my way of storing passwords has its own set of problems too, but I simply don't trust any program to do it for me.

legendary
Activity: 2352
Merit: 6089
bitcoindata.science
Besides the dreadful fact that the hacker may be able to, at some point, at least break weak passwords on the vault’s backup, they seemingly have access in cleartext to all the URLs being stored.

URLs should be encrypted together with the passwords. Obviously.

Are they storing navigation data as well?

legendary
Activity: 1974
Merit: 2124
This is the risk when we use third-party software: its security can be compromised at any time, resulting in these types of scenarios. I remember that at the time of the Mailchimp hack an employee's ID was compromised and the hacker had access to the database, which further resulted in Ledger account holders getting phishing mails, and scams happened.

A password manager helps you in a lot of ways to manage and generate passwords without the need to memorize them, but it also carries these risks, which is why we believe the traditional methods are safer.

If we speak about how they get your sensitive information, then I think that when they ask for permission or have a long box of terms, we simply agree to it, giving them access to our device, and some of them might be using it themselves for hacking purposes. Hackers will always target this software to gain access to users' data, so it's not advisable to have any unknown password managers on your device, and you should use security measures to the extent possible.
hero member
Activity: 952
Merit: 662
As long as the password manager is open source, has been used by many people and can be used offline, it's safe. But no matter what, I am always skeptical about storing my passwords in digital form; I always feel it's not 100% safe.

But since I have many passwords and it would not be comfortable to always open my physical paper, I split my passwords across different password managers.

So let's say the password is: Bitcointalkorg

I will save "Bitcoin" in KeePass, "talk" in Bitwarden, and "org" in Password Safe.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science

as the hackers have already reached the database, how can we believe that they will not crack the "master" password? once things like this are compromised, I think it's impossible to repair reputation and trust.

Yeah, and it is closed source; we can't know for sure whether our master password isn't on their servers and whether it leaked or not.

But theoretically, passwords are safe and encrypted behind this master password. If it is a strong one, they are still relatively safe.
legendary
Activity: 3472
Merit: 3507
Crypto Swap Exchange
This seems a bit comical. They exist with only one purpose and have one task, which is to keep the keys safe. Now they have failed to do it.
I have never had confidence in such services, mostly for such reasons.

Quote
LastPass said customers’ password vaults are encrypted and can only be unlocked with the customers’ master password, which is only known to the customer. But the company warned that the cybercriminals behind the intrusion “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.”


as the hackers have already reached the database, how can we believe that they will not crack the "master" password? once things like this are compromised, I think it's impossible to repair reputation and trust.
legendary
Activity: 1064
Merit: 1228
Playgram - The Telegram Casino
No one is safe entrusting third parties for sensitive data. I have never used any password manager so far and probably never will. Even if someone says some tools are quite safe, I tend to believe in simpler ways without involving other people and parties.

Recently Twitter customer data was hacked and will be sold on the black market. I also heard that CMC customer data was also hacked and sold, meaning that there is no online platform which is totally safe for our personal data. Even our KYC data on several online platforms such as exchanges and casinos can also be misused, so we must really take care of our own security by avoiding it as much as possible.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
I have never used password managers and no matter how normal and desirable some people think it is, good old paper and quality ink have always served me well. To some, it may seem old-fashioned and less effective, considering that most of you have a lot of passwords these days, but for me it is better to spend a little more time on finding the password and typing it, than to trust companies that are more than obviously vulnerable.

As always, man proves to be the weakest link in everything, because the hackers obviously had their target in one of the company's employees, and he is the one to blame for the fact that they managed to get all that data. One such weak link exists in most companies; it's only a matter of time before someone takes advantage of it.
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
In a recent notice from LastPass on the matter that I read a few days ago, there’s a detail that caught my attention, which is also summarized in the OP’s quote. Besides the dreadful fact that the hacker may be able to, at some point, at least break weak passwords on the vault’s backup, they seemingly have access in cleartext to all the URLs being stored.

Now if this URL data can be associated with the customer identification data that they mention in the last paragraph (unencrypted presumably), then they can create a pretty targeted database for phishing/smishing, whereby they’d be able to tailor the phishing message to a particular site that the user has an account on, with a wide variety of choices derived from the complete dataset.
hero member
Activity: 714
Merit: 521
There's no doubt that hackers can come in through any means, including routes from centralized exchanges, cloud storage, and any other known security means we adopt for storing our keys to wallets on the blockchain. That's why you see many people losing their assets and falling into the hands of hackers: they were not careful enough when trying to secure their keys, which makes them more vulnerable to an attack.
hero member
Activity: 686
Merit: 403
DGbet.fun - Crypto Sportsbook
I like writing down my passwords in a book and still use a 2FA code to log into any platform or website. I believe this is the safest way to stay secure online when it comes to passwords and logins. As for the email account I use for receiving login verification, I still use 2FA with Google Authenticator and limit login devices under the security settings.
sr. member
Activity: 1554
Merit: 413
Many transactions are done online nowadays and a lot of companies rely on their service. I even read in a group that an outsourced virtual worker lost a long-time client because of the breach. There are probably millions of dollars lost by private companies who used LastPass.

I just thought that paid service like LastPass have better security than free service password manager.
It remains true in most cases. They usually have more resources to invest in data security compared to those offering it for free.
copper member
Activity: 2156
Merit: 983
Part of AOBT - English Translator to Indonesia
I just thought that a paid service like LastPass would have better security than a free password manager. Currently I'm using Bitwarden and all is good. I'm also using the Chrome password manager, but I don't recommend this.

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

Quote from: https://cointelegraph.com/news/lastpass-attacker-stole-password-vault-data-showing-web2-s-limitations
legendary
Activity: 2450
Merit: 4415
🔐BitcoinMessage.Tools🔑
It is sensitive to store passwords at servers of any company.

I write my passwords on paper, store them at home, and I have my own banks, my own backups. Online hackers cannot hack my wallet, cannot steal my passwords. They can't.

Basic backups are enough.
Let us not forget that password managers are not exclusively about "storing" your logins, passwords, and other sensitive information. They also help you organize your passwords and generate them in a secure manner using strong random number generators. They protect you from reusing passwords: they will warn you if some of your passwords aren't unique, and they incentivize you to change your credentials more frequently. They offer auto-filling functionality that is very handy and also may theoretically protect you from keyloggers since you no longer need to enter information manually with the keyboard. This is not to say that I am in support of LastPass (I stopped using this password manager a long time ago), but DIY solutions like pieces of paper with passwords written on them don't guarantee that your passwords are unhackable and random because the human brain can't do real randomness.
full member
Activity: 496
Merit: 142
Hire Bitcointalk Camp. Manager @ r7promotions.com
It is sensitive to store passwords at servers of any company.

I write my passwords on paper, store them at home, and I have my own banks, my own backups. Online hackers cannot hack my wallet, cannot steal my passwords. They can't.

Basic backups are enough.
full member
Activity: 728
Merit: 151
Defend Bitcoin and its PoW: bitcoincleanup.com
I heard this last week when one of our managers posted it on our Telegram group. I myself would not trust any third-party software to keep my data. Just like my saying, a secret is not a secret once shared with a person; it would leak eventually, sooner or later. Your PC could be infected with a virus that steals your precious data. No one is safe forever; they could have been breaching that for a long time, and finally the last defense falls and there goes your data to the black market.
staff
Activity: 1316
Merit: 1610
The Naija & BSFL Sherrif 📛

We should never trust our data to those big corporations.
Protecting our passwords is similar to protecting our bitcoin and our exchange accounts.


It is not a matter of trust; rather, it is a matter of verifying the type of password manager we use; is it open source? Is it AES-256 encrypted end-to-end? These are questions that anyone should consider before storing or using a password manager for sensitive information. Is it necessary to have one for those of us who have multiple social accounts, as well as for those of us who use different passwords for each of our online accounts? You need a password manager if you are the type who uses "forgot password" after a short period of time. Last time I checked, Last Pass was not open source, which is a red flag.

Bitwarden is one of the best, and this is what I use (open source).

If these companies are not held accountable for selling and leaking private data to hackers, these "oh we got hacked" BS excuses will continue, and people will continue to lose money and private documents to criminals.
hero member
Activity: 1834
Merit: 879
Rollbit.com ⚔️Crypto Futures
I remember seeing this story make headlines 2-3 months back, and LastPass themselves weren't sure how much data was stolen, but I am certain the effects of such a hack will be felt after 6 months or so, when the black market makes use of this data.
I guess changing passwords on a regular basis would be a good countermeasure to this, or better yet, go for open-source alternatives.
hero member
Activity: 1456
Merit: 940
🇺🇦 Glory to Ukraine!
As for the password manager, I would suggest an open source solution and one that does not store data on a centralized server. When choosing an open-source password manager, it's important to do your own research and compare the features and reviews of different options to find the one that's right for you. Here are a few options you may want to consider:

KeePass
Bitwarden
Password Safe
KeePassXC
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
Quote
Password manager giant LastPass has confirmed that cybercriminals stole its customers’ encrypted password vaults, which store its customers’ passwords and other secrets, in a data breach earlier this year.

In an updated blog post on its disclosure, LastPass CEO Karim Toubba said the intruders took a copy of a backup of customer vault data by using cloud storage keys stolen from a LastPass employee. The cache of customer password vaults is stored in a “proprietary binary format” that contains both unencrypted and encrypted vault data, but technical and security details of this proprietary format weren’t specified. The unencrypted data includes vault-stored web addresses. It’s not clear how recent the stolen backups are.

LastPass said customers’ password vaults are encrypted and can only be unlocked with the customers’ master password, which is only known to the customer. But the company warned that the cybercriminals behind the intrusion “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.”

Toubba said that the cybercriminals also took vast reams of customer data, including names, email addresses, phone numbers and some billing information.
https://techcrunch.com/2022/12/22/lastpass-customer-password-vaults-stolen/

We should never trust our data to those big corporations.


Hackers got employees' keys, customers' passwords, names, billing information, emails...
What the fuck! This is a password manager. How does this kind of shit happen?
And why do people share so much sensitive information (such as billing information) with a password manager?

Password managers are a must today. You should always use a different password, and a strong one, and we can't remember all of them.
But the problem is which pass manager to choose.

Keypass and bitwarden are probably the best.

Protecting our passwords is similar to protecting our bitcoin and our exchange accounts.
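Two points in this thread are worth seeing in code: the quoted warning that the attackers "may attempt to use brute force to guess your master password" against the stolen vault copies, and the earlier reply's list of what a manager does beyond storage (random generation, reuse warnings). The block below is an added example written for this thread; it is not LastPass's code, Bitwarden's, or any poster's. It assumes PBKDF2-HMAC-SHA256 as the key derivation from the master password (the thread's quote only says a key is "derived from each user's master password" and names no algorithm or iteration count), and the vault entries, guess rate and iteration counts are constructed sample values, not figures from the breach.

```python
import hashlib
import math
import secrets
import string
from collections import defaultdict

# Constructed sample vault (not real data): two entries deliberately share a
# weak password so that the reuse check has something to flag.
SAMPLE_VAULT = [
    {"url": "https://example.com/login", "username": "alice", "password": "Summer2023!"},
    {"url": "https://mail.example.net", "username": "alice", "password": "Summer2023!"},
    {"url": "https://forum.example.org", "username": "alice", "password": "c7Qm#9vLp2!xR4sW"},
]

# 94 printable ASCII characters: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password from a CSPRNG (secrets), never random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault):
    """Return {password: [urls]} for every password used by more than one entry."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["url"])
    return {pw: urls for pw, urls in by_password.items() if len(urls) > 1}


def derive_vault_key(master_password, salt, iterations):
    """PBKDF2-HMAC-SHA256 (assumed KDF): the slow step repeated for every guess.

    The master password itself is never stored; only this derived key unlocks
    the vault, so an attacker holding a vault copy must run the KDF per guess.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def brute_force_years(password_bits, iterations, hmac_per_second):
    """Expected years to search half the keyspace offline.

    Each guess costs `iterations` HMAC evaluations, so raising the KDF
    iteration count multiplies the attacker's cost linearly, while each
    extra bit of master-password entropy doubles it.
    """
    guesses = 2 ** (password_bits - 1)
    seconds = guesses * iterations / hmac_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw, "entropy: %.1f bits" % entropy_bits(len(pw), len(ALPHABET)))
    for reused, urls in find_reused_passwords(SAMPLE_VAULT).items():
        print("password reused across:", ", ".join(urls))
    salt = secrets.token_bytes(16)
    key = derive_vault_key("correct horse battery staple", salt, 600_000)
    print("vault key (hex, 32 bytes):", key.hex())
    # Constructed guess rate of 1e9 HMAC/s; a 40-bit master password is used
    # to show how the KDF iteration count alone changes the attacker's cost.
    for iters in (1, 600_000):
        print("40-bit password, %d iterations: %.2e years" % (iters, brute_force_years(40, iters, 1e9)))
```

The reuse check is the warning the reply above describes, and `brute_force_years` makes the quoted warning concrete: the same stolen vault copy costs the attacker 600,000 times more work per guess at 600,000 iterations than at 1, and a master password with 20 more bits of entropy costs a million times more again. A manager that generates passwords from `secrets` gives every site its own high-entropy credential, which is exactly what written-down, human-chosen passwords do not.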