LastPass says no passwords were compromised following breach scare

MrGuvernment


https://www.theverge.com/2021/12/28/22857485/lastpass-compromised-breach-scare

LastPass says there’s no evidence of a data breach following users’ reports that they were notified of unauthorized login attempts, as reported by AppleInsider. The password manager maintains that it was never compromised, and users’ accounts haven’t been accessed by bad actors.

Nikolett Bacso-Albaum, the senior director of LogMeIn Global PR initially told The Verge that the alerts users received were related “to fairly common bot-related activity,” involving malicious attempts to log in to LastPass accounts using email addresses and passwords that bad actors sourced from past breaches of third-party services (i.e. not LastPass).

“It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party,” Bacso-Albaum said. “We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”

However, late Tuesday night LastPass vice president of product management Dan DeMichele released a statement to The Verge with a more detailed explanation that says at least some of the alerts were “likely triggered in error,” due to an issue that LastPass has now resolved.

As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts.
We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third party as a result of this credential stuffing, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.
However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.
Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).
We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.

 
Putting your passwords on someone's website doesn't seem like the best idea, and this is 100% why I use an offline manager.
Depends on how well they encrypt it and how the decryption is handled. If done well, you can have it so that they never know what the passwords are, never decrypt them on their servers. In that case even if someone steals the encrypted store, it is probably safe.
 
Putting your passwords on someone's website doesn't seem like the best idea, and this is 100% why I use an offline manager.
Most of these services only store your encrypted file (RoboForm does); you access your encrypted passwords locally via a master password. They only provide cloud storage so you can log in on other devices like mobiles etc. Offline managers are meh if you want to sync unless you use your PC as a hub/server to handle your updated passwords.
 
Putting your passwords on someone's website doesn't seem like the best idea, and this is 100% why I use an offline manager.
But on the other side, far less chance of them installing or going to some questionable website that gets your system infected and keylogs all your crap......

But, the other side, they are also likely a bigger target. For the avg. user, online services, when properly configured with 2MFA, are more secure than an offline option.
 
Just dumb users. There was no hack. Probably used the same password on every site or got their computer compromised downloading torrents.

LastPass is super secure. They never even store your passwords in plaintext, it is encrypted and decrypted on the fly via your master password. Meaning even if some hackers broke into the data center and stole all the servers, they would get nothing.

And, AFAIK, no users' accounts were even compromised. They just got an email that said someone was trying (unsuccessfully) to get into their account. Probably cause they had weak security (crappy reused password, no 2FA, etc.). Nothing to see here.
 
While this is good to see that their security model prevented any major compromise, I would still think this yet another reason to move away from proprietary password managers. Those who are looking for a cloud-based approach similar to LastPass, check out BitWarden ( https://bitwarden.com/ ) - it uses a similar zero knowledge encryption design but offers both open source clients and servers. Users who just need basic features can use the client with the officially hosted server for free, or pay a pittance (like $10/year!) for Premium to support development and hosting of the official server; business contracts are also available. Those who wish to self-host the server can do so as well, if they have the desire and hardware to do so. Alternately, if you don't want a cloud-based password manager at all, then I'd check out the KeePass ( https://keepass.info/ ) ecosystem. Here it's up to you to maintain a .kdbx database file where you wish it (sync it, copy it etc...) and you can connect to it with any number of clients depending on your platform (i.e. the original KeePass dot info client and KeePassXC are popular options for desktop, where KeePassDX is a full featured Android client etc. ), all FOSS of course. There are also other FOSS password managers out there, but I've found that the BitWarden and KeePass ecosystems are some of the most full featured and well vetted to date.
 

hack proof, requires location access ;)
 
Recently moved my LastPass account to using a hardware key (yubi). Given the number of devices a user needs to access accounts nowadays, something that can't be easily synced between all devices just isn't that worthwhile. I've used KeePass before and while it worked great when my computer was my primary access point, there's no way I would use it now.
 
Seems they had a security breach in August 2022 and just figured out that user data was compromised. Of course they say if you followed their safety and security measures while making your unique password for their website your data should be safe.

Just some snippets. Read the article as it has the original disclosure at the bottom of the page.

Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms, please see here.


According to the article, it would take millions of years for a thief to guess your password using generally available technology. Of course a nefarious individual armed with 8 RTX 4090s could crack an 8 character password in just 48 minutes. Luckily they are pretty much unobtainium right now. :)
 
Recently moved my LastPass account to using a hardware key (yubi). Given the number of devices a user needs to access accounts nowadays, something that can't be easily synced between all devices just isn't that worthwhile. I've used KeePass before and while it worked great when my computer was my primary access point, there's no way I would use it now.

Put your .kdbx on a Google Drive folder and you can access it from any device and sync changes. There is a mobile version of KeePass I can use on my phone and also a Linux client I use in addition to Windows.
 
Just dumb users. There was no hack. Probably used the same password on every site or got their computer compromised downloading torrents.

LastPass is super secure. They never even store your passwords in plaintext, it is encrypted and decrypted on the fly via your master password. Meaning even if some hackers broke into the data center and stole all the servers, they would get nothing.

And, AFAIK, no users' accounts were even compromised. They just got an email that said someone was trying (unsuccessfully) to get into their account. Probably cause they had weak security (crappy reused password, no 2FA, etc.). Nothing to see here.
No, they investigated and it was found that encrypted password stores, and unencrypted website and email address data were stolen. "Vaults" which were not secured sufficiently may be susceptible to brute-force attacks, so it is a significant breach (for some people). Because email and web addresses were also stolen, spear-phishing may also be a major concern for some.

That said, I would still trust LastPass, but they are not my primary password store, and what I have on there is slowly becoming outdated.
 
Yep, they have had multiple breaches. That is why I pulled my passwords from them. I use Bitwarden currently which so far has not been compromised. But, I may find another place/way to keep them.
 
No, they investigated and it was found that encrypted password stores, and unencrypted website and email address data were stolen. "Vaults" which were not secured sufficiently may be susceptible to brute-force attacks, so it is a significant breach (for some people). Because email and web addresses were also stolen, spear-phishing may also be a major concern for some.

That said, I would still trust LastPass, but they are not my primary password store, and what I have on there is slowly becoming outdated.
They still got a copy of the encrypted data that holds all the passwords, cards, etc. If someone has enough time on their hands, that data can eventually be broken into. That is still a major concern for many.
 
They still got a copy of the encrypted data that holds all the passwords, cards, etc. If someone has enough time on their hands, that data can eventually be broken into. That is still a major concern for many.
I mean yes and no. While technically, theoretically, you can brute force anything encrypted with enough time in reality sufficiently strong keys can keep that from happening ever. Remember that every bit you add doubles the amount of time it takes on average to crack something. It quickly adds up to completely unrealistic numbers.

Like suppose you had a computer that could brute force the entirety of 128-bit AES keys in 1ms. That would mean it was totally worthless security, you could crack any message instantaneously. Ok, well how long would it take you to brute force an AES-256 encrypted key? The immediate answer might seem like 2ms but no, actually it would be 2^128ms or about 10,790,283,070,806,014,188,970,529,154 years. As a reference the universe has been around for 13,700,000,000 years. The universe would die a heat death, or implode, or whatever is going to happen septillions of years before you'd brute force even one key.

So, the same shit applies when you are talking brute forcing passwords. When they get long, they are impossible to brute force. If you assume that you can do, say a billion a second which is what you might be able to test on powerful hardware with a weak hash then sure, short passwords are easy work. Something that was 8 characters, even using uppercase, lowercase and number, would be done in an hour or less. But each letter/digit you add ups that big time. Go to 9, now it is a few days, 10 is several months. By the time you are to 16 it is tens of billions of years. Thus a decent length passphrase is not getting brute forced. Even if the person trying keeps drastically increasing their computer power, and keeps at it for a long time, you will be dead and gone in 100 years or less, at which point it doesn't matter if they've cracked your passwords.

Also, it is going to be slower with something like a database like this because it is a strong algorithm, and they run it thousands of times in a row. So, each test is much slower than something like a simple "run single hash, check it against database". LastPass does 100,000 rounds with their PBKDF2 which roughly means that you have to do 100,000x as much work per password tested, and thus things would run at 0.001% of the speed of a raw SHA-256 hash.

If you have a short password as your master password, ya it is a concern still. But if your password is decent then no it just really isn't something that is going to happen in your lifetime.
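The arithmetic in the post above, worked through as an added example (not code from the thread or from LastPass): each extra character multiplies the search space by the alphabet size, and a PBKDF2 iteration count divides the attacker's guess rate. The 1e9 raw hashes/s baseline, the 100,000 PBKDF2 rounds and the 1 ms AES-128 sweep are the post's own assumptions, not measured figures.

```python
"""Brute-force cost estimate for a password-manager master password.

Added example for this thread. Inputs are assumptions taken from the post:
1e9 raw hashes/s against a weak single-round hash, 100,000 PBKDF2 rounds,
and a thought-experiment machine that sweeps all of AES-128 in 1 ms.
"""
from dataclasses import dataclass

SECONDS_PER_YEAR = 365 * 24 * 3600      # 365-day year, as the post used
AGE_OF_UNIVERSE_YEARS = 13_700_000_000  # figure quoted in the post


@dataclass(frozen=True)
class Attacker:
    raw_hashes_per_second: float  # throughput for a single unsalted hash
    kdf_iterations: int = 1       # PBKDF2 rounds the defender configured

    @property
    def guesses_per_second(self) -> float:
        # One password guess costs one full KDF run: kdf_iterations hash calls.
        return self.raw_hashes_per_second / self.kdf_iterations


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def expected_years(space: int, attacker: Attacker) -> float:
    """Average time to hit the right guess: half the space, on average."""
    seconds = (space / 2) / attacker.guesses_per_second
    return seconds / SECONDS_PER_YEAR


def key_bits_years(bits: int, aes128_sweep_seconds: float = 1e-3) -> float:
    """Post's thought experiment scaled to a `bits`-bit key.

    A machine sweeps all 2^128 AES-128 keys in `aes128_sweep_seconds`;
    every additional key bit doubles the work.
    """
    sweeps = 2 ** (bits - 128)
    return sweeps * aes128_sweep_seconds / SECONDS_PER_YEAR


def strength_table(alphabet_size: int, lengths, attacker: Attacker) -> dict:
    """Map password length -> expected crack time in years."""
    return {n: expected_years(search_space(alphabet_size, n), attacker)
            for n in lengths}


if __name__ == "__main__":
    # Upper + lower + digits = 26 + 26 + 10 = 62 symbols, as in the post.
    weak = Attacker(raw_hashes_per_second=1e9)
    slow = Attacker(raw_hashes_per_second=1e9, kdf_iterations=100_000)
    lengths = (8, 9, 10, 12, 16)
    for n, yrs in strength_table(62, lengths, weak).items():
        print(f"len {n:2d}, raw hash : {yrs:12.3g} years")
    for n, yrs in strength_table(62, lengths, slow).items():
        print(f"len {n:2d}, PBKDF2   : {yrs:12.3g} years")
    aes256 = key_bits_years(256)
    print(f"AES-256 on the 1 ms AES-128 machine: {aes256:.4g} years, "
          f"{aes256 / AGE_OF_UNIVERSE_YEARS:.3g} universe lifetimes")
```

The exact figures come out somewhat larger than the post's rough ones (an 8-character 62-symbol password at 1e9 guesses/s averages about 30 hours, not under an hour); the shape is the point: roughly 62x per added character and 100,000x for the KDF.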
 
I mean yes and no. While technically, theoretically, you can brute force anything encrypted with enough time in reality sufficiently strong keys can keep that from happening ever. Remember that every bit you add doubles the amount of time it takes on average to crack something. It quickly adds up to completely unrealistic numbers.

Like suppose you had a computer that could brute force the entirety of 128-bit AES keys in 1ms. That would mean it was totally worthless security, you could crack any message instantaneously. Ok, well how long would it take you to brute force an AES-256 encrypted key? The immediate answer might seem like 2ms but no, actually it would be 2^128ms or about 10,790,283,070,806,014,188,970,529,154 years. As a reference the universe has been around for 13,700,000,000 years. The universe would die a heat death, or implode, or whatever is going to happen septillions of years before you'd brute force even one key.

So, the same shit applies when you are talking brute forcing passwords. When they get long, they are impossible to brute force. If you assume that you can do, say a billion a second which is what you might be able to test on powerful hardware with a weak hash then sure, short passwords are easy work. Something that was 8 characters, even using uppercase, lowercase and number, would be done in an hour or less. But each letter/digit you add ups that big time. Go to 9, now it is a few days, 10 is several months. By the time you are to 16 it is tens of billions of years. Thus a decent length passphrase is not getting brute forced. Even if the person trying keeps drastically increasing their computer power, and keeps at it for a long time, you will be dead and gone in 100 years or less, at which point it doesn't matter if they've cracked your passwords.

Also, it is going to be slower with something like a database like this because it is a strong algorithm, and they run it thousands of times in a row. So, each test is much slower than something like a simple "run single hash, check it against database". LastPass does 100,000 rounds with their PBKDF2 which roughly means that you have to do 100,000x as much work per password tested, and thus things would run at 0.001% of the speed of a raw SHA-256 hash.

If you have a short password as your master password, ya it is a concern still. But if your password is decent then no it just really isn't something that is going to happen in your lifetime.
I agree to a point. The other point is, their system got hacked. Would you trust them again after multiple times of this happening? Me, No. Their reputation is now ruined because of this. I don't expect LastPass to be around much longer.
 
I agree to a point. The other point is, their system got hacked. Would you trust them again after multiple times of this happening? Me, No. Their reputation is now ruined because of this. I don't expect LastPass to be around much longer.
True, but that wasn't what we were discussing, it was if someone can crack your vault with enough time and the answer to that is "no they really can't if your password is good".

As for them getting hacked, you always want to do your own risk calculation but keep in mind that if you want to be careful about having the standard of "Only places that haven't been hacked," because really what there are is "only places that haven't been hacked YET". There's no such thing as perfect security. The real question is when someone does get hacked, how well do they deal with it and how well shielded is their stuff to keep the hack from doing any damage.
 
True, but that wasn't what we were discussing, it was if someone can crack your vault with enough time and the answer to that is "no they really can't if your password is good".

As for them getting hacked, you always want to do your own risk calculation but keep in mind that if you want to be careful about having the standard of "Only places that haven't been hacked," because really what there are is "only places that haven't been hacked YET". There's no such thing as perfect security. The real question is when someone does get hacked, how well do they deal with it and how well shielded is their stuff to keep the hack from doing any damage.
Yep. Which is why I'll continue to use LastPass after this.
 
Yep. Which is why I'll continue to use LastPass after this.
As someone who's been in IT for gosh, 25 years, and deals with security for one of the largest government contracted organizations in the world, I can tell you, that isn't smart.
 
Keep in mind, this is information they have which is not encrypted.

The "threat actor" now has copies of:

  • Customer Names
  • Company Names
  • Email Address
  • Billing Address
  • Telephone Numbers
  • IP addresses (from where customers accessed the service)
  • Website URLs saved in LastPass vaults (LastPass doesn't encrypt the website URLs)
  • Encrypted vaults
So, the threat actor (and anyone else the info is shared with on the dark web) now knows, for example:

  • My name
  • Home address
  • E-mail address
  • Phone numbers
  • All the websites for which I have saved passwords
  • My home, work, etc. IP addresses
 
As someone who's been in IT for gosh, 25 years, and deals with security for one of the largest government contracted organizations in the world, I can tell you, that isn't smart.
Nice, me too, and I work in the industry, Silicon Valley side.
 
hack proof, requires location access ;)
One of the big historical mistakes: telling people not to write passwords down on a piece of paper (which can make sense in some enterprise contexts, but it is an excellent way to help people not always reuse the same password for fear of forgetting them).
 
Put your .kdbx on a Google Drive folder and you can access it from any device and sync changes. There is a mobile version of KeePass I can use on my phone and also a Linux client I use in addition to Windows.
Yeah, this story (or the potential for this to happen) is 100% why I chose KeePass and stored the file offline when I started using a password manager.
 
I agree to a point. The other point is, their system got hacked. Would you trust them again after multiple times of this happening? Me, No. Their reputation is now ruined because of this. I don't expect LastPass to be around much longer.
They will, they won't go anywhere, just as SolarWinds is still around, just like Okta is still around after massive breaches, cause the reality is most people do not hear about these issues, or simply do not care...

If people cared about companies getting breached, most of the top companies would be out of business. Azure has had some major security issues exposing actual customer data...they are still around..
 
I switched to bitwarden a while ago before the first breach, but this one reminded me to login to lastpass and delete my account.
 
I switched to bitwarden a while ago before the first breach, but this one reminded me to login to lastpass and delete my account.
I did as well and deleted my account after one of the previous updates about this breach. The paranoid person in me still wants to change most of my passwords now despite the fact that I'm pretty sure no one would ever actually brute force my master password to that vault. I might start working on that slowly.
 
I should note, recently I'd been targeted by several spear-phishing emails. They've stopped since I reported them all as phishing.

Don't be dumb, won't get dumb. I haven't had any of my credit cards stolen or bank accounts hijacked, and none of my online accounts have been hacked in 25-odd years. 🤷‍♂️
 
They will, they won't go anywhere, just as SolarWinds is still around, just like Okta is still around after massive breaches, cause the reality is most people do not hear about these issues, or simply do not care...

If people cared about companies getting breached, most of the top companies would be out of business. Azure has had some major security issues exposing actual customer data...they are still around..
Those do not hold people's passwords, cards, and important data like that. There is a difference.
 
I should note, recently I'd been targeted by several spear-phishing emails. They've stopped since I reported them all as phishing.

Don't be dumb, won't get dumb. I haven't had any of my credit cards stolen or bank accounts hijacked, and none of my online accounts have been hacked in 25-odd years. 🤷‍♂️
I've had credit cards be used before they even arrived in the mail. It's not just phishing that can get you hit. I've never had an online account taken, though.
 
They say all that and more in the blog post I linked just a few posts up...

This is just an update from the august incident, btw, not a new, separate breach.
 
Those do not hold people's passwords, cards, and important data like that. There is a difference.
Azure leaks held confidential customer data - just as dangerous. Okta is a 2MFA provider...SolarWinds gave direct access into companies' infra, including government agencies.....just as critical and dangerous if in the wrong hands.
 
Azure leaks held confidential customer data - just as dangerous. Okta is a 2MFA provider...SolarWinds gave direct access into companies' infra, including government agencies.....just as critical and dangerous if in the wrong hands.
Like all other companies that get hacked. Still not a company that holds the regular users' passwords, credit cards, and so on. Companies have things in place to handle all that, the consumer does not. I had to deal with the SolarWinds issue; it wasn't a big issue for us as we disconnected the link from them when that happened till we knew for sure we weren't compromised.

What I can't understand is that some here act like it's not a big deal, when it's a much bigger deal than most breaches.
 
What I can't understand is that some here act like it's not a big deal, when it's a much bigger deal than most breaches.
Whether consciously or not I think it's a coping mechanism. Wouldn't be a pleasant feeling having vaults obtained by those eager to gain access to accounts, particularly since URLs weren't encrypted, so they'd be likely prioritized according to high value sites.

Someone on another site cited stats that 69-85% of hashed passwords in past (general) leaks have been cracked via brute force/rainbow tables/etc. Not a very encouraging figure for the strength of password the average user might use for the master password.

One could always change every password pre-emptively but should a leaked vault be compromised it'd still likely contain sensitive info that otherwise wouldn't be desirable to out there.
 