LastPass Says Source Code Stolen in Data Breach

Rasheed187 · Jan 5, 2023

Now LastPass is being sued by someone who claims his crypto account got hacked because of this breach. Which would mean that hackers cracked the master password.

LastPass data breach led to $53K in Bitcoin stolen, lawsuit alleges

It alleges that the data breach of LastPass has resulted in the theft of around $53,000 worth of Bitcoin. The plaintiff claimed he began accruing BTC in July 2022 and updated his master password to more than 12 characters using a password generator, as recommended by the LastPass “best practices.” This was done to enable the storage of private keys in the seemingly secure LastPass customer vault.
Click to expand...

https://cointelegraph.com/news/lastpass-data-breach-led-to-53k-in-bitcoin-stolen-lawsuit-alleges

xxJackxx · Jan 5, 2023

Rasheed187 said: ↑

Now LastPass is being sued by someone who claims his crypto account got hacked because of this breach. Which would mean that hackers cracked the master password.

https://cointelegraph.com/news/lastpass-data-breach-led-to-53k-in-bitcoin-stolen-lawsuit-alleges
Click to expand...

I think I posted this in another thread but worth a read in my opinion.
LastPass accused of lying in security breach announcements (betanews.com)

Rasheed187 · Jan 7, 2023

xxJackxx said: ↑

I think I posted this in another thread but worth a read in my opinion.
LastPass accused of lying in security breach announcements (betanews.com)
Click to expand...

BTW, about the lawsuit against Lastpass involving the stolen bitcoins, I assume it's always the user who needs to make sure he/she is using 2FA. I mean, I assume 2FA can't be bypassed just because someone cracked your password database.

pegas · Jan 7, 2023

Rasheed187 said: ↑

I assume 2FA can't be bypassed just because someone cracked your password database.
Click to expand...

JFI, 2FA sum up including how it can be bypassed https://us.norton.com/blog/privacy/what-is-2fa

Rasheed187 · Jan 7, 2023

pegas said: ↑

JFI, 2FA sum up including how it can be bypassed https://us.norton.com/blog/privacy/what-is-2fa
Click to expand...

Yes, I know that it can be bypassed by for example phishing, but this is still the users mistake. So it will be an interesting lawsuit.

pegas · Jan 7, 2023

Rasheed187 said: ↑

Yes, I know that it can be bypassed by for example phishing, but this is still the users mistake. So it will be an interesting lawsuit.
Click to expand...

Right. I don't understand campaigns for strong passwords when 2FA is more important.

xxJackxx · Jan 7, 2023

pegas said: ↑

Right. I don't understand campaigns for strong passwords when 2FA is more important.
Click to expand...

I don't feel one is any more important than the other. And they both come up short. Everything does.

guest · Jan 12, 2023

LastPass breach exposes how US breach notification laws can leave consumers in the lurch
By lias Groll @EliasGroll | Cyberscoop - November 11, 2023

On Thursday, Dec. 22., as Americans prepared for the holidays and braced for massive winter storms, the password manager LastPass announced to its 33 million customers that it suffered a major security breach.
Click to expand...

But even those paying attention to emails or tech news may not have grasped the full scope of the breach, which exposed encrypted password vaults and put millions of individuals and organizations at risk of having their most sensitive data exposed to criminal hackers.

Based on the public notification from LastPass, the potential implications of the incident were anything but clear. Security experts immediately criticized LastPass’s announcement as misleading and difficult to understand.
The company’s announcement seemed to imply that it would be difficult for the attacker to decrypt stolen passwords, but that would very much depend on a given user’s master password.
Click to expand...

When major data breaches occur, companies in the U.S. are typically required under state law to report it and notify users (though this depends on the details of the breach), but that breach notification regime, experts say, has become so convoluted that consumers are often left in the lurch.
Click to expand...

guest · Jan 24, 2023

LastPass owner GoTo says hackers stole customers’ backups
By Carly Page @carlypage_ - January 24, 2023

LastPass’ parent company GoTo — formerly LogMeIn — has confirmed that cybercriminals stole customers’ encrypted backups during a recent breach of its systems.
Click to expand...

The breach was first confirmed by LastPass on November 30. At the time, LastPass chief executive Karim Toubba said an “unauthorized party” had gained access to some customers’ information stored in a third-party cloud service shared by LastPass and GoTo. The attackers used information stolen from an earlier breach of LastPass systems in August to further compromise the companies’ shared cloud data. GoTo, which bought LastPass in 2015, said at the time that it was investigating the incident.

Now, almost two months later, GoTo said in an updated statement that the cyberattack impacted several of its products, including: business communications tool Central; online meetings service Join.me; hosted VPN service Hamachi, and its Remotely Anywhere remote access tool.
Click to expand...

GoTo said the intruders exfiltrated customers’ encrypted backups from these services — as well as the company’s encryption key for securing the data.

“The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information,” said GoTo CEO Paddy Srinivasan. “In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”
Despite the delay, GoTo provided no remediation guidance or advice for affected customers.
Click to expand...

Rasheed187 · Jan 25, 2023

mood said: ↑

LastPass owner GoTo says hackers stole customers’ backups
By Carly Page @carlypage_ - January 24, 2023
Click to expand...

I'm surprised that nobody responded to this. This is another major blow to LastPass and GoTo's credibility. I do wonder how hackers got access to the third party cloud storage. I suppose this stuff is secured via 2FA, so it was either a phishing attack where employees were tricked to going to a fake website, or hackers planted a cookie stealer on employee PC's.

ProTruckDriver · Jan 25, 2023

Rasheed187 said: ↑

I'm surprised that nobody responded to this. This is another major blow to LastPass and GoTo's credibility.
Click to expand...

Hey, another day, another adventure in the cyber world. I believe everything in the cyber world is hackable to some point.

xxJackxx · Jan 25, 2023

Rasheed187 said: ↑

I'm surprised that nobody responded to this.
Click to expand...

I didn't bother because I already assumed that was the case. I'm glad a cancelled them and deleted my data a long time ago. I hope they weren't storing an undisclosed copy of it somewhere.

waking · Jan 25, 2023

GoTo admits: Customer cloud backups stolen together with decryption key

25 Jan 2023

https://nakedsecurity.sophos.com/2023/01/25/goto-admits-customer-cloud-backups-stolen-together-with-decryption-key/

"What to do?

...

So, we suggest:

Change all passwords in your company that relate to the services listed above.

...

Reset any app-based 2FA code sequences that you are using on your accounts.

...

Re-generate new backup codes,

...

Consider switching to app-based 2FA codes if you can,

..."

Hadron · Jan 26, 2023

They reckon some people are still using LastPass.

xxJackxx · Jan 26, 2023

Hadron said: ↑

They reckon some people are still using LastPass.
Click to expand...

People will still need to change all of that stuff anyway. But if anyone is intending to continue with them after this...

Hadron · Jan 26, 2023

LastPass Scandal Goes Nuclear, Parent Company Services Breached by Danny Chadwick | January 25, 2023
If you've been following the LastPass data breach scandal over the past few months, you could be forgiven for thinking it couldn't get any worse. Every few weeks, the company comes out with grim news about the extent of the hack. Now, its parent company, GoTo, has revealed that it too was a victim.
Click to expand...

GoTo Says Hackers Stole Encrypted LastPass Backups And Keys by Michael Crider | January 27, 2023
The latest breach in November was already pretty bad - turns out it was much worse.
Click to expand...

ProTruckDriver · Jan 31, 2023

Membership for LastPass must be dropping. I keep getting the nag screen every few days now to upgrade to the paid version. I've got them only a few times in 4 or 5 years. This last data breach must of done them in.

guest · Feb 10, 2023

If You Use LastPass, You Need to Change All of Your Passwords ASAP
By Shaun - February 10, 2023

Are you a LastPass user? This popular password manager was the target of a major data breach last December, which means many people’s passwords and personal data were exposed to nefarious entities.

According to LastPass CEO, Karim Toubba, there was a security incident in August that led to unauthorized parties stealing customer data in December. However, this is not a unique event for LastPass since it’s been having security incidents since 2011.
What kind of data was exposed? According to Toubba, hackers got their hands on unencrypted data such as LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses.
Click to expand...

There was also vault data stolen, containing both unencrypted and encrypted information such as usernames and passwords for all visited sites.

Let’s pause for a second here. This is a password manager. They’re holding the keys to your kingdom, so to speak. Anyone sensible would think that they’d do well what they’re supposed to do, that is, storing your passwords securely.
Click to expand...

What to do about it
If you’re a LastPass user, the first thing that comes to mind is switching to another service. However, the most pressing issue is to immediately change your passwords on any site you have visited. You have to assume there’s somebody out there with all your data, and possibly a lot of ideas on how to use it.

A “fun” fact about this security breach and LastPass is that, even though you may think your encrypted info is safe, it indirectly isn’t. This is because LastPass doesn’t encrypt your visited URLs, so hackers can see where you logged in, and whether you have login information saved. This paves the way for many social engineering tactics.
Click to expand...

xxJackxx · Feb 10, 2023

mood said: ↑

If You Use LastPass, You Need to Change All of Your Passwords ASAP
Click to expand...

That is what I would do. Immediately after closing my account and deleting my data from their servers. Except I already did that 2 years ago.

Malcontent · Feb 27, 2023

In the process, the unknown threat actor was able to steal valid credentials from a senior DevOps engineer and access the contents of a LastPass data vault. Among other things, the vault gave access to a shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.
Click to expand...

LastPass says employee’s home computer was hacked and corporate vault taken

XIII · Feb 28, 2023

https://www.bleepingcomputer.com/ne...-to-steal-password-vault-data-in-2022-breach/

Rasheed187 · Feb 28, 2023

Malcontent said: ↑

LastPass says employee’s home computer was hacked and corporate vault taken
Click to expand...

And that's why I keep saying that it doesn't hurt to use extra protection tools in addition to your AV. An anti-logger would have stopped this attack, and I'm guessing that the AV, which was probably Win Defender, was bypassed. Sure, most of us would probably not be targeted, but there are plenty of people who will be. So that's why I always criticized the ''AV + not being click happy is all you need'' mantra.

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
Click to expand...

xxJackxx · Feb 28, 2023

Rasheed187 said: ↑

So that's why I always criticized the ''AV + not being click happy is all you need'' mantra.
Click to expand...

Not good enough for someone that is an employee of a password manager developer and has a home PC with company data. If they are working from home they should have had a company owned PC that was used only for their job. And a personal home PC that was only used for personal use. The company PC should utilize a VPN. Another inexcusable fail by this company. They need to shut it down or sell the product to someone that takes it seriously. Under current ownership they shouldn't have any users left.

Krusty · Mar 1, 2023

Latest email from LastPass:

Dear LastPass Customer, 

We are writing today to update you on our recent security incident disclosed on December 22. We have now completed an exhaustive investigation and have not seen any threat actor activity since October 26.

Earlier today, we posted an update to our blog with new findings and important information, including what happened and the actions we have taken, what data was accessed, what we have done to secure LastPass, actions we are recommending customers take to protect themselves or their businesses, and what you can expect from us going forward.

Given the volume of information we are sharing in the blog post, and to better assist our customers with their own incident-response efforts, we have prepared a Security Bulletin specifically for our Free, Premium, and Families consumer users to help guide you through a review of important LastPass settings designed to help secure your account by confirm best practices are being followed.  

Please review the Security Bulletin and make any necessary changes to your account.

In sharing these additional details today and in our approach going forward, we are determined to do right by our customers and communicate more effectively. We thank you for your patience and continued support of LastPass.

The Team at LastPass
Click to expand...

hawki · Mar 3, 2023

"LastPass Employee Could've Prevented Hack With a Software Update

The hacker exploited a vulnerability in the Plex Media Server software that was patched in May 2020. 'The version that addressed this exploit was roughly 75 versions ago,' Plex says...

This week, LastPass revealed the hacker pulled off the breach by installing malware on an employee’s home computer, enabling them to capture keystrokes on the machine. But one lingering question was how the malware was delivered.

At the time, LastPass said only that the hacker exploited 'a vulnerable third-party media software package,' without naming the vendor or the exact flaw.

...the hacker targeted the Plex Media Server software to load the malware on the LastPass employee's home computer. But interestingly, the exploited flaw was nothing new. According to Plex, the vulnerability is nearly three years old and was patched long ago..."

https://www.pcmag.com/news/lastpass-employee-couldve-prevented-hack-with-a-software-update

Log in or Sign up

LastPass Says Source Code Stolen in Data Breach

Rasheed187 Registered Member

xxJackxx Registered Member

Rasheed187 Registered Member

pegas Registered Member

Rasheed187 Registered Member

pegas Registered Member

xxJackxx Registered Member

guest Guest

guest Guest

Rasheed187 Registered Member

ProTruckDriver Registered Member

xxJackxx Registered Member

waking Registered Member

Hadron Registered Member

xxJackxx Registered Member

Hadron Registered Member

ProTruckDriver Registered Member

guest Guest

xxJackxx Registered Member

Malcontent Registered Member

XIII Registered Member

Rasheed187 Registered Member

xxJackxx Registered Member

Krusty Registered Member

hawki Registered Member

Log in or Sign up

LastPass Says Source Code Stolen in Data Breach

Rasheed187 Registered Member

xxJackxx Registered Member

Rasheed187 Registered Member

pegas Registered Member

Rasheed187 Registered Member

pegas Registered Member

xxJackxx Registered Member

guest Guest

guest Guest

Rasheed187 Registered Member

ProTruckDriver Registered Member

xxJackxx Registered Member

waking Registered Member

Hadron Registered Member

xxJackxx Registered Member

Hadron Registered Member

ProTruckDriver Registered Member

guest Guest

xxJackxx Registered Member

Malcontent Registered Member

XIII Registered Member

Rasheed187 Registered Member

xxJackxx Registered Member

Krusty Registered Member

hawki Registered Member

Useful Searches