Discussion in 'other security issues & news' started by mood, Aug 25, 2022.
By Ryan Naraine @ryanaraine - August 25, 2022
Email from LastPass:
What a joke, so LastPass can't even secure its own systems, and it's supposed to keep our passwords safe?
The change of ownership caused me to dump it. They tripled the price and I was greatly concerned they would not maintain an acceptable level of security.
7th in a row now
"7" means no luck in China
I agree, this stuff is unacceptable, same with Twilio. And I would also like to have more information about how this breach was able to happen and what security tools and procedures were in place, it's time for full disclosure. EDIT: I've just read that LastPass was compromised via the Twilio hack, but that's still no excuse to me.
Absolutely. There is no excuse.
To be fair, this time it wasn't completely their fault, because it all started with Twilio's systems being hacked. But still, you would hope there was some kind of backup security system that was able to stop this attack at an earlier stage, without LastPass's source code being stolen.
I think I give LastPass some credit for stepping forward though. It is bolstering to the backbone to do that if user data wasn't swiped, know what I'm saying? Sometimes, companies aren't forthcoming about more serious hacks as they stand to lose customers.
Not to cringe away from my post about this over at MalwareTips but in general, a company involved with some kind of security should have taken extra precautions. Hopefully, they learned their lesson. Looking at you, Entrust.
I totally agree.
Sorry, but it is inexcusable for your source code to be someplace it can be stolen from. There is no reason for it to be on an internet-accessible device, or not locked down by source control, with encryption. Maybe, despite all of that, if you are a big enough target and are targeted by the right (or wrong) group they may get you anyway, but I bet they did not meet any of the standards I just listed.
They probably had to disclose it in any case. That said I suspect what will be done here is that the source code will be used to make counterfeit versions of the product that will be distributed to steal the user's passwords.
3 years in a row is kind of hard to swallow from my perspective. My life would be a disaster if my password manager was broken and all my access credentials (well over 100) were discovered. Never had any issues, but while LastPass has crossed my mind over the years, these kinds of threads leave me saying No Thanks. My .02
It was great (in my opinion) before it was sold. They also bought GoToMeeting and GoToAssist from Citrix and significantly raised the prices of those as well. We used to use all of this stuff. I wouldn't use any of them now. They seem to like to buy established products and profit from them by jacking up the prices while not maintaining the quality (also in my opinion, though that was our experience).
Yes, I completely agree with this.
Unless you do remote work.
And many companies did so during the pandemic.
That is a thing, but proper source control should still make it near impossible. In this case, when you're making a password manager you sell to the general public, you should be taking every possible precaution. These companies are absolutely a major target.
LastPass source code breach - do we still recommend password managers?
I wouldn't stop using password managers. One with autofill will verify the domain before doing so, making it less likely that you will enter your credentials into a fake site than it is for most end users. If for any reason someone gets your passwords, start resetting them immediately, starting with your email, as you will likely need it to verify the change on the other sites. Do this before the bad guys start doing the same.
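The domain check the post above refers to, as an added example: this is illustrative code written for this thread, not LastPass's or any other vendor's autofill logic. It assumes a constructed vault of two entries with made-up origins, a deliberately tiny stand-in for the Public Suffix List, and the rule that a credential is only offered on a page whose registrable domain matches the one it was saved on and whose scheme has not been downgraded to plain HTTP.

```javascript
// Added example (not LastPass code): how a password manager's autofill can
// decide whether a stored credential may be offered on the current page.
// The technique shown is strict origin matching on the registrable domain,
// which is what stops a phishing page on a lookalike host from getting a fill.

// Constructed sample vault. Origins, usernames and ids are made up.
const vault = [
  { id: 1, origin: "https://accounts.example.com", username: "alice" },
  { id: 2, origin: "https://bank.example.net", username: "alice@example.org" },
];

// Assumption for this example: a two-entry stand-in for the Public Suffix
// List. A real manager consults the full list so that "shop.co.uk" and
// "other.co.uk" are treated as different sites.
const PUBLIC_SUFFIXES = new Set(["co.uk", "com.au"]);

// Return the registrable domain ("example.com", "shop.co.uk") of a hostname,
// or null if the hostname is only a public suffix.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  const suffixLen = PUBLIC_SUFFIXES.has(labels.slice(-2).join(".")) ? 2 : 1;
  if (labels.length <= suffixLen) return null;
  return labels.slice(-(suffixLen + 1)).join(".");
}

// Decide whether `entry` may be filled into a form on `pageUrl`.
// A string reason is returned so callers can log why a fill was refused.
function fillDecision(entry, pageUrl) {
  let page;
  let saved;
  try {
    page = new URL(pageUrl);
    saved = new URL(entry.origin);
  } catch {
    return "deny:bad-url";
  }
  // Never fill a credential saved over HTTPS into a plaintext page: a network
  // attacker can inject a login form into any http:// response.
  if (saved.protocol === "https:" && page.protocol !== "https:") {
    return "deny:scheme-downgrade";
  }
  const pageDomain = registrableDomain(page.hostname);
  const savedDomain = registrableDomain(saved.hostname);
  if (!pageDomain || !savedDomain) return "deny:no-registrable-domain";
  // Compare whole registrable domains, never substrings: the hostname
  // "accounts.example.com.evil.test" contains "example.com", but its
  // registrable domain is "evil.test", so it must not receive the fill.
  if (pageDomain !== savedDomain) return "deny:domain-mismatch";
  return "allow";
}

// Ids of vault entries the manager would offer on the given page.
function candidatesFor(pageUrl) {
  return vault
    .filter((entry) => fillDecision(entry, pageUrl) === "allow")
    .map((entry) => entry.id);
}
```

Two design points worth noting: the example accepts any subdomain of the saved registrable domain (so a credential saved on accounts.example.com is offered on login.example.com), which is a convenience trade-off that some managers make and others do not, and it refuses to fill a credential saved over HTTPS into an http:// page at all rather than prompting. Whichever policy a manager picks, the comparison has to be on a parsed URL's host against a registrable domain, not on whether the page's address "contains" the site name.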
A very good explanation as to why there's no need to change password managers. While I don't use LastPass, if I did, I would keep using it.
I'm still using LastPass and not changing. I've been using it for many years, the Free Version. Thanks for the video @roger_m
Latest news is that LastPass now believes that the attack started from a LastPass developer's PC, see first link. So I wouldn't be surprised if this was some cookie-stealer malware that the hacker managed to install on this machine, perhaps via spear phishing, who knows. So it seems like they are now beefing up endpoint security controls. I actually opened a topic about cookie-stealing malware, go check it out on link 2.
LastPass source code breach - incident response report released
19 Sep 2022
"LastPass has now published an official follow-up report on the incident, based on what it has been able to figure out about the attack and the attackers in the aftermath of the intrusion.

We think that the LastPass article is worth reading even if you aren't a LastPass user, because we think it's a reminder that a good incident response report is as useful for what it admits you were unable to figure out as for what you were.

What we now know

The boldface sentences below provide an outline of what LastPass is saying: ..."
Yes, exactly what I already said. Endpoints should be secured way better against these types of threats; behavior blockers should be able to help against credential- and cookie-stealing malware. AVs are simply not good enough, that's the bottom line.