LastPass Says Source Code Stolen in Data Breach

Rasheed187 · Sep 20, 2022

Also make sure to read this article, most MFA methods that companies are currently using are a pretty much a joke.

Stolen Credentials can Lead to Serious Data Breaches

Single sign-on (SSO) credentials are considered “the keys to the kingdom” by cybersecurity professionals. Employees access many applications by logging in once with these credentials, and they’re the last thing an organization wants stolen or for sale on the dark web. If malicious actors obtain your organization’s SSO credentials, they could access your systems and data like a trusted insider, including payroll, contracts, intellectual property, and more. In short, a malicious actor can inflict significant damage upon an organization by obtaining its SSO credentials.
Click to expand...

Recent reports have revealed a close relationship between stolen credentials and successful cyber attacks. According to the 2022 Verizon Data Breach Investigations Report, stolen credentials are:

Responsible for nearly 50% of all cyber attacks.

The most common attack vector.

Up nearly 30% from 2017.

Click to expand...

https://www.bitsight.com/blog/analyzing-exposed-sso-credentials-of-public-companies

stapp · Dec 1, 2022

LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022.
The company added that, once in, the threat actors also managed to access customer data stored in the compromised storage service.
Click to expand...

https://www.bleepingcomputer.com/ne...hackers-accessed-customer-data-in-new-breach/

Krusty · Dec 1, 2022

Email from LastPass:

Dear valued customer,

In keeping with our commitment to transparency, we wanted to inform you of a security incident that our team is currently investigating.

We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass's Zero Knowledge architecture.

We are working diligently to understand the scope of the incident and identify what specific information has been accessed. As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around the setup and configuration of LastPass, which can be found here.

As is our practice, we will continue to provide updates as we learn more. Please visit the LastPass blog for the latest information related to the incident: https://blog.lastpass.com/2022/11/notice-of-recent-security-incident/.

We thank you for your patience while we work through our investigation.

Sincerely,
The Team at LastPass
Click to expand...

1PW · Dec 1, 2022

FWIW

Perhaps a coincidence, but LastPass released a v4.05.0,1289 update for at least the macOS app yesterday that does not yet seem to be documented. LastPass major browser extension versions appear to be unchanged so far.

HTH

Krusty · Dec 23, 2022

Another email from LastPass:

Dear LastPass Customer, 

We recently notified you that an unauthorized party was able to gain access to a third-party cloud-based storage service which is used by LastPass to store backups. Earlier today, we posted an update to our blog with important information about our ongoing investigation. This update includes details regarding our findings to date, recommended actions for our customers, as well as the actions we are currently taking.

We thank you for your patience and continued support of LastPass.

The Team at LastPass
Click to expand...

stapp · Dec 23, 2022

Krusty said: ↑

Another email from LastPass:
Click to expand...

Just been reading about that now.

https://thehackernews.com/2022/12/lastpass-admits-to-severe-data-breach.html

Hadron · Dec 23, 2022

Hackers have been very persistent with LastPass.
It's architecture, design and structure of LastPass make it a target for hackers.

LastPass: Hackers Stole Customer Vault Data in Cloud Storage Breach

The LastPass Blog | Notice of Recent Security Incident

Victek · Dec 23, 2022

Hadron said: ↑

The architecture, design and structure of LastPass make it a target for hackers.
Click to expand...

It seems to me that Lastpass is a target simply because it has people's passwords. What do architecture, design and structure have to do with it?

plat · Dec 23, 2022

Came across something interesting on my Twit feed--what one can expect following the theft of LastPass data. In short: phishing attempts!

https://twitter.com/snipeyhead/status/1606116796477513728

xxJackxx · Dec 23, 2022

plat said: ↑

Came across something interesting on my Twit feed--what one can expect following the theft of LastPass data. In short: phishing attempts!

https://twitter.com/snipeyhead/status/1606116796477513728
Click to expand...

I figured that from the beginning. It's the most productive thing they can do at this point. I know I've said it before but I'm glad I dumped them and had them delete my data. If only they would stop spamming me to try to get me to come back.

summerheat · Dec 23, 2022

A very informative article is this one by Wladimir Palant:https://palant.info/2022/12/23/lastpass-has-been-breached-what-now/

Victek · Dec 23, 2022

xxJackxx said: ↑

I know I've said it before but I'm glad I dumped them and had them delete my data.
Click to expand...

Do you use a different cloud service now or do you manage it locally?

Rasheed187 · Dec 24, 2022

stapp said: ↑

Just been reading about that now.

https://thehackernews.com/2022/12/lastpass-admits-to-severe-data-breach.html
Click to expand...

These guys can't even protect their own systems from getting hacked, what a joke. This would make me stop using cloud based password managers. BTW, the same happened with Okta which is supposed to protect other companies like Lastpass.

https://www.wilderssecurity.com/thr...digital-breach-by-lapsus.444787/#post-3122555

reasonablePrivacy · Dec 24, 2022

summerheat said: ↑

A very informative article is this one by Wladimir Palant:https://palant.info/2022/12/23/lastpass-has-been-breached-what-now/
Click to expand...

The first part is too alarmist for me. Baseline requirements for passwords are meant for general audience. Evidence shows that being too strict on password requirements for regular people backfired in many cases.
I don't think it is good idea to force all people accounts to paranoid, VIP level requirements. VIPs should follow advisories prepared for them. VIP, dissidents etc should have known better about their own password choices.

xxJackxx · Dec 24, 2022

Victek said: ↑

Do you use a different cloud service now or do you manage it locally?
Click to expand...

I use Sticky Password. You can do internet sync, LAN sync, or none at all.

roger_m · Dec 27, 2022

What to Do About the LastPass Breach
https://www.youtube.com/watch?v=8uZ3QcrPCWk

ProTruckDriver · Dec 27, 2022

roger_m said: ↑

What to Do About the LastPass Breach
https://www.youtube.com/watch?v=8uZ3QcrPCWk
Click to expand...

Thanks for the video. My routine includes:

Change the Master Password every 6 months with 20+ characters, A-Z, a-z, 0-9, Symbols.

Change ALL my financial website passwords every 3 months.

My other 100+ password websites: Put them in 4 groups. Every 3 months change the website passwords on one group. By the end of the year all passwords would be change.

I only use a password manager for passwords. I do not store credit card numbers or any other sensitive information on a password manager.

Use Two-Factor Authentication when possible.

I would do the above routine no matter what password manager I would use. It looks like a lot of work changing password all the time, but what else do I have to do. I'm retired, old and every day is a weekend for me.
So I believe I'm safe so far, I hope. Do I trust anything in the cyber world? Hell No!
Btw: ALL Password were changed when I learned of this LastPass breach.

roger_m · Dec 28, 2022

ProTruckDriver said: ↑

Thanks for the video. My routine includes:

Change the Master Password every 6 months with 20+ characters, A-Z, a-z, 0-9, Symbols.

Change ALL my financial website passwords every 3 months.

My other 100+ password websites: Put them in 4 groups. Every 3 months change the website passwords on one group. By the end of the year all passwords would be change.

Click to expand...

You don't really need to regularly change passwords.
https://www.youtube.com/watch?v=asDNQEqAGLY

1PW · Dec 29, 2022

Though frequent password changes may not be the necessity, once recommended, the existing LastPass master password might benefit from a strength test:

The Password Meter

Password Strength Test

Technically, both appear to use the same algorithm, but even though the UI is more colorful, the “Password Strength Test” seems to have the tested password transit the Internet.

HTH

summerheat · Dec 28, 2022

https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/

Right before the holiday season, LastPass published an update on their breach. As people have speculated, this timing was likely not coincidental but rather intentional to keep the news coverage low. Security professionals weren’t amused, this holiday season became a very busy time for them. LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face.

Their statement is also full of omissions, half-truths and outright lies. As I know that not everyone can see through all of it, I thought that I would pick out a bunch of sentences from this statement and give some context that LastPass didn’t want to mention.
Click to expand...

https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/#c000010r000001

In https://palant.info/2022/12/23/lastpass-has-been-breached-what-now/ I wrote: “If you are a regular “nobody”: access to your accounts is probably not worth the effort.”

I already have to correct this slightly however: check your iterations count. If it’s set to 5000, the effort of decrypting your data is much lower and you might get targeted after all. Note that a long password isn’t always a safe password, particularly if it is made up of dictionary words or something similarly predictable.

Also, the more time passes, the more likely it is even for those “unattractive” vaults to be decrypted. You should keep that in mind and at some point change the password at least for the valuable accounts (online banking, shopping websites). For most people there is no urgency, it’s just better to be safe than sorry.

The only other precaution I can think of is: expect phishing emails. They now know where you have your accounts. They might attempt to trick you into giving away your LastPass password, and they might do the same with the other services you use.
Click to expand...

XIII · Dec 29, 2022

https://blog.1password.com/not-in-a-million-years/

Rasheed187 · Dec 31, 2022

XIII said: ↑

https://blog.1password.com/not-in-a-million-years/
Click to expand...

Haven't read everything yet, but it sounds a bit like what is being used by Passkeys?

guest · Dec 30, 2022

Security experts blast LastPass for misleading users about stolen password vaults and data
By Ashwin - December 30, 2022

LastPass suffered two data breaches in a span of 3 months. The first hack occurred in August, while the 2nd one happened sometime later.

Martin's write-up explains what LastPass' statement had to say about the recent security incident. The situation could actually be a lot worse. Many security researchers have blasted the company for misleading its users about the stolen password vaults.
Click to expand...

Wladimir Palant, the creator of AdBlock Plus was among those who slammed the statement. He says in an article on his blog, that by releasing the update right before the holiday season, LastPass wanted to make sure the news flew under the radar. That's a sneaky move.

Palant called the statement as "full of omissions, half-truths and outright lies", and that the company had tried to draw focus to the 2 hacks as two separate incidents, to cover up the fact that they are related to each other. As a matter of fact, LastPass has not revealed when the 2nd attack took place, and Palant says that this could have happened in September itself. He also points out that the hackers could have collected all IPs associated with a user, website URLs which were unencrypted, to profile their activity.
Click to expand...

This claim has been criticized by Palant, and Jeffrey Goldberg at 1Password. They say that it may take a long time for hackers to guess the master password, only if LastPass had forced its 12-character minimum password requirement.

Jeremi Gosney, a Senior Engineer at Yahoo, called "LastPass's claim of "zero knowledge" is a bald-faced lie." He also says that users assume that their vault is stored in an encrypted database which is protected, but this is not the case, and that LastPass stores your vault as a plaintext file, and that only some of the fields are encrypted.
Click to expand...

If anything, these shenanigans have only made it worse, and it will lose the trust of your users. I don't think that LastPass can recover from this mishap, and it's time to ditch it for your sanity, and the security of your accounts.
Click to expand...

Asterixpl · Dec 30, 2022

I do not trust password managers who use the cloud to store files. Mine has always been KeePass where I always have the master password database file on a flash drive.

plat · Dec 30, 2022

I posted this elsewhere last nite cuz it just seemed, I dunno, flaky maybe? Not believable? Outrageous? Et Cetera?

It's the search result using Duck Duck Go in Firefox (uBO takes out the sponsored junk).

Guess their work is cut out for them to catch up with this hyperbole. Neat word...hyperbole.

Log in or Sign up

LastPass Says Source Code Stolen in Data Breach

Rasheed187 Registered Member

stapp Global Moderator

Krusty Registered Member

1PW Registered Member

Krusty Registered Member

stapp Global Moderator

Hadron Registered Member

Victek Registered Member

plat Registered Member

xxJackxx Registered Member

summerheat Registered Member

Victek Registered Member

Rasheed187 Registered Member

reasonablePrivacy Registered Member

xxJackxx Registered Member

roger_m Registered Member

ProTruckDriver Registered Member

roger_m Registered Member

1PW Registered Member

summerheat Registered Member

XIII Registered Member

Rasheed187 Registered Member

guest Guest

Asterixpl Registered Member

plat Registered Member

Log in or Sign up

LastPass Says Source Code Stolen in Data Breach

Rasheed187 Registered Member

stapp Global Moderator

Krusty Registered Member

1PW Registered Member

Krusty Registered Member

stapp Global Moderator

Hadron Registered Member

Victek Registered Member

plat Registered Member

xxJackxx Registered Member

summerheat Registered Member

Victek Registered Member

Rasheed187 Registered Member

reasonablePrivacy Registered Member

xxJackxx Registered Member

roger_m Registered Member

ProTruckDriver Registered Member

roger_m Registered Member

1PW Registered Member

summerheat Registered Member

XIII Registered Member

Rasheed187 Registered Member

guest Guest

Asterixpl Registered Member

plat Registered Member

Useful Searches