• LastPass has been hacked, again.

    #2502547

    https://blog.lastpass.com/2022/11/notice-of-recent-security-incident/

    Notice of Recent Security Incident
    Update as of Wednesday, November 30, 2022

    To All LastPass Customers,

    In keeping with our commitment to transparency, I wanted to inform you of a security incident that our team is currently investigating.

    We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.

    We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

    We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around setup and configuration of LastPass, which can be found here. ..

    LastPass suffers another data breach, says customer data was stolen

    • #2502781

      Charming. Not.

      Human, who sports only naturally-occurring DNA ~ oneironaut ~ broadcaster

    • #2502849

      time for this again…

      LastPass

      Windows - commercial by definition and now function...
      3 users thanked author for this post.
    • #2503162

      More discussion on issue:
      https://www.pcmag.com/opinions/lastpass-didnt-expose-your-passwords

      At least the vendor is being transparent.

      Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

    • #2503174

      I for one much prefer localised encryption password managers that are also portable. One very strong password reveals a multitude of others locally that wins over ANY browser orientated password manager.
      Looking at all the fixes for browsers in recent times is enough to warrant my decision…I’m happy with that YMMV

      Windows - commercial by definition and now function...
      2 users thanked author for this post.
      • #2538237

        I agree! I have been using a great app for a few years now – Strongbox. My db is encrypted and stored locally (there are a few storage choices). Now of course, if you keep your db in cloud storage, that can be hacked. But the pw db is encrypted, with very strong encryption, and only I have the password. It’s not written down anywhere except my head. And no, I won’t ever forget it, Lord willing! Plus I control the file – it’s not being controlled by the pw vendor. It works very well for me.

    • #2510898

      Susan Bradley Patch Lady/Prudent patcher

      2 users thanked author for this post.
      • #2510909

        From LastPass blog :

        …To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

        The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client…

        2 users thanked author for this post.
    • #2510934

      For every lock, there’s some sneaky foot-scraping cracker that can make a key for it. Eventually.

      I just don’t know, folks…maybe I’m like that old fisherman in Maine who didn’t “believe in all them fancy frills and gimm-ocks…!”, but for me, a unusual word or term, translated into an incredibly obscure language, salted with symbols and squirrel noises, then written down in a small book hidden away in some location known to only one other person you’ve known for 40 years seems to do fine by me.

      (If I’m feeling particularly fine that day, I might write that down in Southern Akson Thai or some other Abugida-like tongue/script to drive anyone who DOES find it insane trying to decode it.)

      YMMV.

      Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
      --
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

      1 user thanked author for this post.
    • #2510936


      is this all about chit-chat?,
      or is there some editorial comment,
      if you please?

      * _ ... _ *
      • #2510945

        is this all about chit-chat?, or is there some editorial comment, if you please?

        Just my conversational tone of writing while explaining my approach to security in a security forum, when there’s a security issue regarding password security being discussed.

        I was an English/Lit major, and I tend to write like it. Some publishers have actually thought well of it. 🙂

        Happy Holidays!

        Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
        --
        "The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

    • #2512697

      Not in a million years: It can take far less to crack a LastPass password

      LastPass, a competitor, recently announced that password hashes were included in an August 2022 breach of their cloud storage. Their notice claimed that if users had followed default settings, “it would take millions of years to guess your master password using generally-available password-cracking technology.” That claim is highly misleading…

      If 1Password were to suffer a similar breach, the attacker would not be able to crack your combination of account password and Secret Key even if they put every computer on Earth to work on the cracking and ran them for zillions of times the age of the universe…

      Perhaps the “millions of years” claim is based on poor assumptions about guessing speed. As it happens we have estimated through a cracking competition that the cost of cracking passwords hashed with 100,000 rounds of PBKDF2-H256 is around six US dollars for every 2^32 guesses. (The difference between our 100,000 rounds of PBKDF2 and LastPass’s 100,100 rounds is so small that we can ignore it.) Because of how powers of 2 work, the cost of making 2^33 guesses would be 12 dollars, the cost of making 2^34 guesses would be 24 dollars. Ten billion guesses would cost about 100USD…

      Given that the attacker is starting with the most likely human-created passwords first, that $100 worth of effort is likely to get results unless the password was machine generated…

      1 user thanked author for this post.
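The cost arithmetic in the quoted 1Password post is worth making concrete, because it is the whole case for (a) a machine-generated master password and (b) a high PBKDF2 iteration count. The following is an added example written for this thread; it is not code from 1Password, LastPass or anyone in the discussion. It takes the quoted anchor point (about 6 USD per 2^32 guesses at 100,000 rounds) and scales it linearly with the iteration count, which is how PBKDF2 work grows. The 10^9-entry wordlist size, the 94-character alphabet and the 600,000-round figure are assumptions chosen for illustration, not values from the thread.

```python
"""Cost model for guessing a PBKDF2-protected master password (illustrative)."""
import math

# Reference point quoted in the thread from 1Password's cracking competition:
# roughly 6 USD buys 2**32 guesses against 100,000 rounds of PBKDF2-HMAC-SHA256.
REFERENCE_ROUNDS = 100_000
REFERENCE_GUESSES = 2 ** 32
REFERENCE_COST_USD = 6.0


def cost_per_guess_usd(rounds: int) -> float:
    """PBKDF2 work is linear in the iteration count, so the per-guess price
    scales with rounds / REFERENCE_ROUNDS."""
    return (REFERENCE_COST_USD / REFERENCE_GUESSES) * (rounds / REFERENCE_ROUNDS)


def cost_for_guesses_usd(guesses: float, rounds: int) -> float:
    """Estimated price of making `guesses` attempts at the given iteration count."""
    return guesses * cost_per_guess_usd(rounds)


def expected_cost_to_crack_usd(entropy_bits: float, rounds: int) -> float:
    """Expected price to recover a uniformly random secret of `entropy_bits` bits:
    on average half of the 2**entropy_bits candidates must be tried."""
    return cost_for_guesses_usd(2.0 ** (entropy_bits - 1), rounds)


def guesses_for_budget(budget_usd: float, rounds: int) -> float:
    """How many attempts a given budget buys at the given iteration count."""
    return budget_usd / cost_per_guess_usd(rounds)


def random_password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly from alphabet_size**length possibilities."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    rounds = 100_100  # iteration count LastPass cites in the thread
    for bits in (32, 33, 34):
        print(f"2^{bits} guesses at {rounds:,} rounds: "
              f"${cost_for_guesses_usd(2 ** bits, rounds):,.2f}")
    # A human-chosen password is attacked most-likely-candidates first;
    # a 10**9-entry wordlist is a constructed, illustrative size.
    print(f"10^9 wordlist candidates: ${cost_for_guesses_usd(1e9, rounds):,.2f}")
    # A machine-generated 20-character password over 94 printable ASCII characters.
    bits = random_password_entropy_bits(94, 20)
    print(f"random 20-char password ({bits:.0f} bits): "
          f"${expected_cost_to_crack_usd(bits, rounds):.3g}")
    # A 128-bit secret that is not derivable from the stolen data (1Password's
    # Secret Key is the thread's example) multiplies the search space by 2**128.
    print(f"same password plus 128-bit secret: "
          f"${expected_cost_to_crack_usd(bits + 128, rounds):.3g}")
    # Raising the iteration count raises every attacker's bill proportionally.
    print(f"2^32 guesses at 600,000 rounds: "
          f"${cost_for_guesses_usd(2 ** 32, 600_000):,.2f}")
```

Two things fall out of the model that the prose only hints at: the iteration count is a linear dial (six times the rounds, six times the bill), while password entropy is an exponential one (each extra random bit doubles the bill). A dictionary-sized search stays cheap at any plausible iteration count, which is why the cited post treats human-chosen master passwords as the real exposure.
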
    • #2512895

      What’s in a PR statement: LastPass breach explained

      Right before the holiday season, LastPass published an update on their breach. As people have speculated, this timing was likely not coincidental but rather intentional to keep the news coverage low. Security professionals weren’t amused, this holiday season became a very busy time for them. LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face.

      Their statement is also full of omissions, half-truths and outright lies

      5 users thanked author for this post.
    • #2515290

      LastPass Faces Class Action Lawsuit for Lack of Security
      Date published 6th January 2023:

      A class action lawsuit has been filed in the U.S. District Court in Massachusetts, accusing LastPass of failure to secure sensitive customer data and seeking monetary relief for losses caused by recent data breaches.
      LastPass is a widely used password manager, password generator, and secure vault app, offering over 30 million users and 85,000 firms an easy way to create, store, manage, and use their secrets….

      Windows - commercial by definition and now function...
      2 users thanked author for this post.
      • #2515312

        Nothing like shutting the gate after the cows are out.

        On permanent hiatus {with backup and coffee}
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
        offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
        online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
    • #2519664

      I’m a LastPass user and am thinking about changing to alternative password “safes.” LastPass competitors’ websites (e.g. Bit Warden, Dashline, 1Password) all have featured instructions on how to export LastPass data into their product. What reason do we have to believe that those products are any more safe than LastPass?

    • #2519717

      Discussion of Lastpass, followed by mentions of 1Password, & Bitwarden:
      https://infosec.exchange/@epixoip/109585049354200263


      Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

    • #2520365

      What reason do we have to believe that those products are any more safe than LastPass?

      You don’t have any reason to believe any cloud service is secure.
      It isn’t.
      Believe only on the data stored on your devices.

      1 user thanked author for this post.
    • #2521275

      Gibson has a good discussion at https://www.grc.com/securitynow.htm

      and a PS script by Rob Woodruff that can demonstrate some of the problem. https://www.grc.com/miscfiles/LastPassVault.zip

      ๐Ÿป

      Just because you don't know where you are going doesn't mean any road will get you there.
      1 user thanked author for this post.
    • #2527859

      GoTo says hackers stole customers’ backups and encryption key

      GoTo (formerly LogMeIn) is warning customers that threat actors who breached its development environment in November 2022 stole encrypted backups containing customer information and an encryption key for a portion of that data…

      According to a GoTo security incident notification a reader shared with BleepingComputer, the attack affected backups relating to the Central and Pro product tiers stored in a third-party cloud storage facility.

      “Our investigation to date has determined that a threat actor exfiltrated encrypted backups related to Central and Pro from a third-party cloud storage facility,” reads the notice to customers.

      “In addition, we have evidence that a threat actor also exfiltrated an encryption key for a portion of the encrypted data. However, as part of our security protocols, we salt and hash Central and Pro account passwords. This provides an additional layer of security within the encrypted backups.” – GoTo
      The information present in the exfiltrated backups includes the following:

      Central and Pro account usernames
      Central and Pro account passwords (salted and hashed)
      Deployment and provisioning information
      One-to-Many scripts (Central only)
      Multi-factor authentication information
      Licensing and purchasing data like emails, phone numbers, billing address, and last four digits of credit card numbers…

      1 user thanked author for this post.
    • #2527928

      From GoTo’s website: https://www.goto.com/blog/our-response-to-a-recent-security-incident#

      Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere

      We are contacting affected customers directly to provide additional information and recommend actionable steps for them to take to further secure their accounts. Even though all account passwords were salted and hashed in accordance with best practices, out of an abundance of caution, we will also reset the passwords of affected users and/or reauthorize MFA settings where applicable.


      Win 11 home - 24H2
      Attitude is a choice...Choose wisely

    • #2528446

      Even though all account passwords were salted and hashed

      From what I understand this is practically impossible to crack. Am I wrong?

      Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
      --
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

    • #2528447

      You donโ€™t have any reason to believe any cloud service is secure. It isnโ€™t.

      “The Cloud”: Your stuff on someone else’s computer.

      (Who said that?)

      Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
      --
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

      1 user thanked author for this post.
    • #2528472

      Even though all account passwords were salted and hashed

      From what I understand this is practically impossible to crack. Am I wrong?

      Nothing is impossible to crack.

      https://www.tunnelsup.com/getting-started-cracking-password-hashes/
      https://hashcat.net/wiki/doku.php?id=hashcat…
      https://medium.com/meco-engineering/a-beginners-guide-on-cracking-password-hashes-c7212e199eb2..
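
The exchange above turns on what "salted and hashed" actually buys a defender. The following is an added example for this thread, not code from GoTo, LastPass or any poster, showing the pattern a service is expected to use: a random per-record salt, an iterated hash (PBKDF2-HMAC-SHA256 here), a self-describing record that stores its own parameters, and a constant-time comparison. The 600,000-round target is the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256 and is an assumption of this example; the thread does not state GoTo's parameters, and the 100,100 figure used for the "legacy" record is the LastPass count quoted earlier in the thread.

```python
"""Salted, iterated password hashing with stored parameters (illustrative)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed target iteration count (OWASP 2023 recommendation for PBKDF2-HMAC-SHA256).
TARGET_ROUNDS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2-sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, rounds: int = TARGET_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$rounds$salt$digest.

    A fresh random salt per record means two accounts with the same password get
    unrelated digests, so a table precomputed for one salt is useless against any
    other record, and an attacker cannot test one guess against every account at
    once. Storing the round count lets the service raise it later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=32)
    return "$".join([SCHEME, str(rounds), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and rounds; compare in constant time."""
    scheme, rounds, salt_b64, digest_b64 = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme: {scheme}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(rounds), dklen=len(expected))
    # compare_digest does not leak how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_rounds: int = TARGET_ROUNDS) -> bool:
    """True when a record was made with fewer rounds than the current target.
    Call right after a successful verify_password() and re-store the result of
    hash_password(), since the plaintext is only available at login time."""
    return int(record.split("$")[1]) < min_rounds


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    pw = "correct horse battery staple"
    alice = hash_password(pw)
    bob = hash_password(pw)
    print("same password, different records:", alice != bob)
    print("verify correct password:", verify_password(pw, alice))
    print("verify wrong password:", verify_password("Tr0ub4dor&3", alice))
    legacy = hash_password(pw, rounds=100_100)
    print("legacy record needs rehash:", needs_rehash(legacy))
```

What the salt does not do is make a guessable password safe: an attacker holding the record still runs candidates through the same PBKDF2 with the stored salt, one account at a time, at a per-guess cost set by the round count. Salting removes the shortcuts (precomputed tables, cracking many accounts with one hash computation); the iteration count and the password's unpredictability decide the rest.
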

    • #2537775

      LastPass says employee’s home computer was hacked and corporate vault taken

      Already smarting from a breach that stole customer vaults, LastPass has more bad news

      Already smarting from a breach that put partially encrypted login data into a threat actor’s hands, LastPass on Monday said that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers.

      Although an initial intrusion into LastPass ended on August 12, officials with the leading password manager said the threat actor “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity” from August 12 to August 26. In the process, the unknown threat actor was able to steal valid credentials from a senior DevOps engineer and access the contents of a LastPass data vault. Among other things, the vault gave access to a shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.

      Another bombshell drops

      “This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”..

      1 user thanked author for this post.
    • #2537776

      Another bombshell drops “This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”..

      This is really very bad news Alex I hope you can bring more input to this matter.

      * _ ... _ *
    • #2539162

      WHAT ACTIONS SHOULD YOU TAKE TO PROTECT YOURSELF OR YOUR BUSINESS?

      To better assist our customers with their own incident-response efforts, we have prepared two Security Bulletins – one for our Free, Premium, and Families consumer users, and one tailored for our Business and Teams users. Each Security Bulletin includes information designed to help our customers secure their LastPass account and respond to these security incidents in a way that we believe meets their own personal needs or their organization’s security profile and environment.

      Security Bulletin: Recommended Actions for LastPass Free, Premium, and Families This bulletin guides our Free, Premium, and Families customers through a review of important LastPass settings designed to help secure their accounts by confirming best practices are being followed.

      Security Bulletin: Recommended Actions for LastPass Business This bulletin guides administrators for our Business and Teams customers through a risk assessment of LastPass account configurations and third-party integrations. It also includes information that is relevant to both non-federated and federated customers.

      If you have any questions regarding the recommended actions, please contact technical support or your customer success team, both of whom are ready to help.

      Security Incident Update and Recommended Actions
      March 1, 2023 | By Karim Toubba (CEO, LastPass)

      5 users thanked author for this post.