LastPass hacked

Discussion in 'other security issues & news' started by Nanobot, Jun 15, 2015.

  1. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    Right.

    And when you are asked for your Smartphone as the 2nd factor in two-factor verification for your Desktop/Laptop login, if that's also got Lastpass or similar then this needs to be carefully considered.....I know if your Smartphone is stolen, the chances are it has timed out, and you will need to enter your 4 number PIN, but, but, my Android has a lousy choice of timeout settings: 30 seconds, 1 minute, 2 minutes, 10 minutes or NEVER TIMEOUT.
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I've run the security check a number of times and it looked for duplicate and weak passwords. I don't know how the security check could determine that a specific account credential was compromised. Can you say more about that? Were the accounts altered in some way? The fact that you could still log into them suggests they weren't attacked, because typically the first thing the bad guys do is change the password to lock out the legitimate user.
     
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    It can also check if your emails have been listed in any known compromised site (e.g. the Adobe hack some time ago).

    It does not mean your lastpass account was hacked but those listed sites have been hacked. Lol
     
  4. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    Hi Victek, on the results page, under "Challenge Results", underneath a logo of a spanner and screwdriver I see 6 small boxes, reading from left to right, titled:

    All - Duplicate - Compromised - Weak - Old - Blank

    Depending on which of the boxes I click on the results page, it will show me: all my accounts; my accounts with duplicate passwords (same password for 2 or more sites); compromised sites (was showing 5, now showing 0); my weak passwords (stuff like 8 character non-dictionary all lowercase passwords with no numbers or symbols); old passwords (my passwords which haven't been changed in at least a year); and blank sites (I'm not quite sure what that means, because I have none of them, maybe sites with usernames but no passwords, or something).

    On my results page, just above these boxes, it says:

    Click each below to see a full report of all the logins and passwords stored in your LastPass vault.

    On supported websites you can change the password in one click, and you can check more than one to change multiple passwords at once. For other websites, use the 'launch' option to go to the website, login, and use the LastPass Password Generator to replace the account's password.


    OK, I was surprised about this at first, too. What seems to have happened is that Lastpass servers & software know which accounts had partial encrypted data (blobs of gobbledegook) stolen from them (not the actual passwords).

    It seems that because of all the hashing and rehashing, these tens of thousands of "iterations" of my data carried out by both my computer and by Lastpass servers, my blobs of gobbledegook which were stolen from Lastpass aren't going to be easy to decrypt, except for powerful dedicated supercomputers, using GPUs etc. But, remember, hundreds of thousands of other users' blobs of gobbledegook were stolen as well. The hackers aren't likely to make me their first priority for decryption.

    As a second line of defence, it appears that Lastpass have only been allowing users to sign in from their usual computers, unless they can provide other authentication, thus effectively implementing 2-factor authorisation, more or less.
    For these reasons, I don't think that any undercover NSA spook working in Nigeria, Ukraine, or Gaza would have been able to hijack my accounts anyway.

    Which leaves the question: Why was this hack even attempted?

    A poster above has pointed out that hacking attempts these days are not exactly underfunded.
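    The post above reasons about why stolen authentication hashes are slow to crack: every guess has to repeat the client-side rounds and then the server-side rounds. The script below is an added illustration of that layering and is not LastPass's code; the iteration counts, the e-mail-as-salt choice and all function names are assumptions made for the example, not a description of LastPass's actual configuration.

```python
"""Added example: layered PBKDF2 stretching and what it costs an offline attacker.
Parameter values are illustrative assumptions, not LastPass's settings; the
function names are invented for this example."""
import hashlib
import hmac
import os
import time

CLIENT_ITERATIONS = 5000      # assumed client-side round count
SERVER_ITERATIONS = 100_000   # assumed server-side round count
DKLEN = 32


def client_vault_key(master_password: str, email: str,
                     iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client side: stretch the master password, salted with the (normalised)
    account e-mail.  This key encrypts the vault and never leaves the client."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, DKLEN)


def client_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more round over the key, salted with the password, gives
    the value sent to the server.  The server sees this hash, not the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, DKLEN)


def server_record(auth_hash: bytes, server_salt: bytes,
                  iterations: int = SERVER_ITERATIONS) -> bytes:
    """Server side: re-stretch the received hash with a per-user random salt
    before storing.  A database thief gets this value and the salt, nothing else."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, iterations, DKLEN)


def server_verify(stored: bytes, auth_hash: bytes, server_salt: bytes,
                  iterations: int = SERVER_ITERATIONS) -> bool:
    """Constant-time comparison so the login path does not leak by timing."""
    return hmac.compare_digest(stored, server_record(auth_hash, server_salt, iterations))


def attacker_check(candidate: str, email: str, server_salt: bytes, stored: bytes) -> bool:
    """What an offline attacker holding the stolen record must do for one guess:
    replay every client round, then every server round."""
    key = client_vault_key(candidate, email)
    return server_verify(stored, client_auth_hash(key, candidate), server_salt)


def rounds_per_guess(client_iters: int = CLIENT_ITERATIONS,
                     server_iters: int = SERVER_ITERATIONS) -> int:
    """Total PBKDF2 rounds an attacker pays per candidate password."""
    return client_iters + 1 + server_iters


def seconds_per_guess(email: str, server_salt: bytes, stored: bytes, samples: int = 3) -> float:
    """Measure the per-guess cost on this machine (wrong guesses, full pipeline)."""
    t0 = time.perf_counter()
    for i in range(samples):
        attacker_check(f"wrong-guess-{i}", email, server_salt, stored)
    return (time.perf_counter() - t0) / samples


if __name__ == "__main__":
    email, pw = "user@example.com", "correct horse battery staple"   # constructed sample
    salt = os.urandom(16)
    stored = server_record(client_auth_hash(client_vault_key(pw, email), pw), salt)
    assert attacker_check(pw, email, salt, stored)
    per = seconds_per_guess(email, salt, stored)
    print(f"{rounds_per_guess():,} PBKDF2 rounds per guess, ~{per * 1000:.1f} ms each on this CPU")
    print(f"a 10**8-word dictionary would take ~{per * 1e8 / 86400:.1f} days single-threaded")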
     
  5. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    Dead right. :)

    In this case, each time I ran the Security Check after changing a password on one of the listed "compromised accounts", the site involved was removed from the "compromised sites" list.

    Lastpass servers knew that when I changed my email password for a particular email account, it was no longer in any danger.
     
  6. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    Not in the slightest way.


    All evidence points to the fact that they were attacked, but the attack didn't succeed, and had no realistic chance of succeeding.
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Well, no crystal ball. The sequence is: lastpass collects information about compromised websites and data that has been leaked, and checks this info against yours. If it finds matches it warns you about it and assumes you are exposed up to when you change the password to that site. Again, there is no link whatsoever with a vulnerability with lastpass.
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I don't know what your Security Check said exactly. In my case under "Change Compromised Passwords" only yahoo.com is mentioned and it says:

    This is something completely different than what you're insinuating.
     
  9. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Well, I ran another Security Challenge and it is much more extensive than I remember. I had a few items needing attention too.

    When LastPass lists an account as "compromised" does it actually mean that specific account or is it referring to an attack on the site? For instance it showed my Target account as compromised, but I'm thinking it's a reference to the big Target data breach.
     
  10. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    My apologies to those who don't have Lastpass for this sub-discussion because it's not very relevant to you.

    You must be referring to the section at the bottom of the Security Check page where it says:

    "Want to know if your email addresses were leaked in known security breaches? Check now."
    (This is in a very different position on the Security Check page to where it showed which of my emails had been compromised).


    I checked this prior to changing any of my passwords, including my Master password, and it said:

    "Great news! The usernames in your vault selected were tested and have not been involved in any known security breaches since this test was last run.

    Next we'll show you your score and ways to improve your security."

    Given that Lastpass Security Check said at the bottom of the page that none of my emails were involved in known breaches, can you explain why at the top of the page it listed my five email accounts as compromised?

    (For anyone reading this, I should state again that all 5 email accounts were not actually hacked, due no doubt to the other excellent security measures implemented by Lastpass).

     
  11. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    I don't see what you are seeing, summerheat, this is a copy-and-paste job below of the headings I see.
    (I'm not going to copy-and-paste my account details also ;) )


    [critical icon] All (98) [critical icon] Duplicate (46) [green tick] Compromised (0) [critical icon] Weak (10) [critical icon] Old (74) [green tick] Blank (0)


    (Clearly, I need to pay more attention to my passwords).


    [Edit: Oops, that copy-and-paste job didn't come out too well, but I don't want to do a screenshot]
     
  12. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Then I am afraid I don't know what you are talking about, as the "compromised" tab I see in the assessment is about websites, not emails. Screenshot (you can edit your screenshot and blank out your details)?
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, as already mentioned in my previous post Lastpass says about those "compromised" passwords:

    This doesn't contradict the first annotation above: That one simply means that your specific username/account is not known to be involved in a known security breach. However, the second annotation indicates that the related website/server was affected by a data breach so that your password is at risk and should be changed as a precautionary measure.
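    The two checks distinguished above (fax's description of the sequence a few posts up and summerheat's explanation here) are easy to conflate, so here is an added example, not LastPass's code, that models both side by side: a site-level "compromised" flag that is raised when a saved login's site is on a breach list and the stored password predates the breach (and clears once the password is rotated), and a separate account-level lookup of the vault's usernames against known leaked addresses. The vault entries, breach dates and leaked-address list are constructed sample data, not real breach records, and the domain-collapsing rule is a deliberate simplification.

```python
"""Added example of the two checks discussed in the thread: a per-site
"compromised" flag and a per-username leaked-e-mail lookup.  All sample data
below is constructed for the example and does not describe real breaches."""
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class VaultEntry:
    host: str               # host part of the saved login URL
    username: str
    password_changed: date  # when the stored password was last rotated


@dataclass(frozen=True)
class SiteBreach:
    domain: str
    breach_date: date


def registrable_domain(host: str) -> str:
    """Collapse mail.yahoo.com / accounts.google.com to the site's base domain.
    Crude last-two-labels rule (assumption); real code would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def compromised_entries(entries, breaches):
    """Site-level check: flag a login if its site is on the breach list and the
    stored password has not been changed since the latest breach of that site.
    Rotating the password clears the flag, which matches the behaviour reported above."""
    latest = {}
    for b in breaches:
        d = registrable_domain(b.domain)
        latest[d] = max(latest.get(d, b.breach_date), b.breach_date)
    flagged = []
    for e in entries:
        d = registrable_domain(e.host)
        if d in latest and e.password_changed <= latest[d]:
            flagged.append(e)
    return flagged


def leaked_usernames(entries, leaked_emails):
    """Account-level check: which usernames in the vault appear in known leaked data.
    This can come back empty even when the site-level check flags the same login."""
    leaked = {a.strip().lower() for a in leaked_emails}
    return sorted({e.username.lower() for e in entries if e.username.lower() in leaked})


def security_challenge(entries, breaches, leaked_emails):
    """Run both checks and return what a results page would show."""
    return {
        "compromised_hosts": [e.host for e in compromised_entries(entries, breaches)],
        "leaked_usernames": leaked_usernames(entries, leaked_emails),
    }


def rotate_password(entries, host, changed_on):
    """Model the user changing one site's password in the vault."""
    return [replace(e, password_changed=changed_on) if e.host == host else e
            for e in entries]


# Constructed sample vault and breach list (dates are not real breach dates).
SAMPLE_ENTRIES = [
    VaultEntry("mail.yahoo.com", "alice@yahoo.com", date(2013, 1, 10)),
    VaultEntry("www.target.com", "alice@gmail.com", date(2013, 5, 1)),
    VaultEntry("accounts.google.com", "alice@gmail.com", date(2015, 3, 2)),
    VaultEntry("forum.example.net", "alice", date(2014, 11, 20)),
]
SAMPLE_BREACHES = [
    SiteBreach("yahoo.com", date(2014, 9, 1)),
    SiteBreach("target.com", date(2013, 12, 15)),
    SiteBreach("example.net", date(2012, 2, 2)),   # older than the stored password: no flag
]
SAMPLE_LEAKED_EMAILS = ["bob@example.org"]         # none of alice's addresses
ROTATION_DATE = date(2015, 6, 20)                  # constructed date of the password change

if __name__ == "__main__":
    before = security_challenge(SAMPLE_ENTRIES, SAMPLE_BREACHES, SAMPLE_LEAKED_EMAILS)
    print("before rotation:", before)
    rotated = rotate_password(SAMPLE_ENTRIES, "mail.yahoo.com", ROTATION_DATE)
    print("after rotating yahoo:", security_challenge(rotated, SAMPLE_BREACHES, SAMPLE_LEAKED_EMAILS))
```

Run as-is, the yahoo and target logins are flagged by the site-level check while the leaked-address lookup finds nothing, which is exactly the combination described in the thread; rotating the yahoo password clears that one flag and leaves target's in place. The practical takeaway is that a site flag says "this site leaked data while your password was in use", not "someone logged into your account", so the right response is rotation plus unique passwords, and a clean e-mail lookup is not evidence against it.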
     
  14. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Exactly, some confusion by the user... :argh:
     
  15. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    [Attachment: Current Compromised Sites.jpg]

    OK, since no sensitive user data is on display, this is the current situation AFTER I have changed all my email passwords.
     
  16. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    These passwords are at risk because of data breaches around the web

    I received no such message.
     
  17. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    I don't think so.

    I have seen no such message as "Change Compromised Passwords".
     
  18. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    So what exactly did you see? You said in a previous post:
     
  19. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    Hullo summerheat, please see the Lastpass Challenge Results screenshot I posted about 30 minutes ago.

    That's what I saw, except that the area which is now filled by a green tick mark, and where it says "you have no compromised accounts" was filled with 5 of my email addresses. These were all Web-to-mail sites like Gmail, Outlook, Yahoo (rocketmail).

    At the heading line, where there is now a very small green tick, there was a red triangle with an exclamation mark inside.
     
  20. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    I should add that only email sites (web to email sites) were listed. No other sites were listed where I would have to login (such as discussion boards, Disqus, or newspaper accounts).

    NONE of the other 98 sites were listed as being compromised, ONLY the web-to-mail.
     
  21. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    Victek, I agree. It's been maybe a couple of years since I ran the Security Challenge myself (too busy doing other stuff :oops:), and it has indeed become more extensive.

    With regards to the burning question of what Lastpass says is a "compromised" account, based on my interpretation of my experience, I'd *strongly imagine* that your Target account was assaulted by Lastpass hackers rather than the big Target data breach hackers - if it was listed as a compromised site on the Security Check.

    Just a final note, your Target account should be secure, even if compromised, because Lastpass are going to block all attempts to access your Target account other than from your usual computers/smartphones/tablets unless you can confirm your email address.

    My logic is this: when I checked the link at the bottom of the Security Check page where it says: "Want to know if your email addresses were leaked in known security breaches? Check now." The results came back that my email addresses hadn't been involved in known security breaches. Yet these email accounts were listed as compromised, so I'm suspecting that "compromised" means these accounts were attacked at the Lastpass end of things, rather than at the "Target / Gmail / Outlook" end of things.

    But, to be sure, to get "Gospel" on this you, and I, would need to send in a support ticket to Lastpass...but they have been so overloaded that I've been reluctant to put in a ticket even though I'm a Premium user.
     
  22. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Then, I am afraid it's a sort of false positive, as services like outlook.com and gmail.com are used by millions/billions of users and if there was a hack on them we would have seen big news out. Also not possible that your lastpass was hacked, as at this point it would have been in the press considering the huge noise that just e-mails, hashes and reminders caused.

    So, I would stop claiming a compromise of your lastpass vault up to when you clarify with support what those messages means exactly. ;)
     
    Last edited: Jun 21, 2015
  23. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    Except, of course, I never said there had been a hack on such services at all, did I? This is a fiction which you have introduced.

    Again, here, you are putting words in my mouth. Perhaps you are a bit confused, :argh: or just didn't pay much attention to what I wrote.

    I never said that my Lastpass Vault was compromised. What I said was that Lastpass Security Check listed my 5 email accounts as compromised, until I changed the passwords on these email accounts.
     
  24. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    You keep hinting to a lastpass hack... I am just trying to make clear that what you describe has nothing to do with a lastpass hack... ;)
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Why? I have the password database stored on my own computer, plus of course on my external drives.
     