Topic: LastPass - Notice of Recent Security Incident (Read 290 times)

LastPass premium user here. There's no way to export your passwords, so the only way to migrate to another platform is to copy and paste all the users and passwords - a tedious and error-prone process, and burns you out quickly if you have hundreds of passwords.

As a regular person I can't be able to remember 100s of passwords even 10s which is completely random combinations of characters so that is the reason why password managers exist. I do agree that storing password in an online server is not safe but what is the alternative? We need to learn encryption and decryption along with our own server to save all the data of us, and I am wondering is that thing is really possible?

Well, I am guessing the email was not sent to every user of last pass as I personally did not receive any email from them , or maybe because my account have been dormant for quite some time now, I can't even remember the last time I logged in on the platform.

That depends. What you just described is not as secure as it would be if you started with KeePass from scratch without using passwords that originate from other software. If LastPass stores passwords or vault information on a centralized server somewhere (encrypted or unencrypted), exporting and importing that data elsewhere would be like exporting your seed from a hot wallet and importing it into a cold wallet and considering it to be cold storage from now on. It isn't.

KeePassXC and KeePassDX aren't the only fork/modification of Keepass though. Keepass website also mention several fork at https://keepass.info/download.html.

I think that is why I do not use a password manager. I keep my password in the safest place on earth(My mind). Though I do use an external device to keep my password safe in case I forget them which usually does not happens.

A good password manager is not the one store your password on their servers.
...
However, if data stored on server, it can be breached.

I keep my password in the safest place on earth(My mind).

KeePass allows importing of CSV files import (export it from LastPass); than you can keep KeePass database locally on all your devices, use your own server for hosting, or  some cloud for that (less secure).
Simple, secure and easy to use.

It's not the same for all but a few have a similar password and I can remember all of them because I made them in such a pattern that only I can figure out what that password could be.

If your mind is your safest place than you are just a time ticking bomb waiting to explode, and it's impossible to remember hundreds of passwords, but maybe you are using one more revolutionary (bad) thing - one password for all websites  

Meanwhile I received a "Failed login attempts detected" email warning from Bitwarden 2 days ago, maybe related to this?

Honestly, I have been thinking about alternatives to LastPass for some time. KeePass is a logical choice, but the only thing that's holding me back so far is the fact that I want to use LastPass on multiple platforms. I still have to explore reliable options to do this with a KeePass password manager.

I think that is why I do not use a password manager. I keep my password in the safest place on earth(My mind). Though I do use an external device to keep my password safe in case I forget them which usually does not happens.

Compromised developer is the problem, but nothing was breached allegedly... sorry but I don't trust them
Switch from LastPass to KeePass and you wont' receive any email ever, but you will be only responsible person if you lose your backup and login details.
KeePass is open source and it's available on all operating systems and for AndroidOS (keepassDX), they even accept Bitcoin and other crypto donations.

It is also interesting that the hack was about two weeks ago, but only today this information was launched in the news.

The most popular password manager has been subjected to technical data theft, but this will surely lead to an outflow of users due to a loss of trust. It is also interesting that the hack was about two weeks ago, but only today this information was launched in the news. Although there are no dangers to disclosing user data, this is unfortunately not the first story when the work of this manager has been called into question.

This morning, I received a notification to my email address about a security incident involving the LastPass password manager. Here is the notice in full

Dear valued customer,

We are writing to inform you that we recently detected some unusual activity within portions of the LastPass development environment. We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.

In response, we immediately initiated an investigation, deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.

Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We will continue to update our customers with the transparency they deserve.

We have set up a blog post dedicated to providing more information on this incident: https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/

We thank you for your patience as we work expeditiously to complete our investigation and regret any concerns this may have caused you.

Sincerely,
The Team at LastPass