• LastPass has been hacked, again.

    #2502547

    https://blog.lastpass.com/2022/11/notice-of-recent-security-incident/

    Notice of Recent Security Incident
    Update as of Wednesday, November 30, 2022

    To All LastPass Customers,

    In keeping with our commitment to transparency, I wanted to inform you of a security incident that our team is currently investigating.

    We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.

    We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

    We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around setup and configuration of LastPass, which can be found here…

    LastPass suffers another data breach, says customer data was stolen

    • #2502781

      Charming. Not.

    • #2502849

      time for this again…

      LastPass

      WaaS = Windows as a Syphon...suckers!

      3 users thanked author for this post.
    • #2503162

      More discussion on issue:
      https://www.pcmag.com/opinions/lastpass-didnt-expose-your-passwords

      At least the vendor is being transparent.

    • #2503174

      I for one much prefer localised encryption password managers that are also portable. One very strong password reveals a multitude of others locally that wins over ANY browser orientated password manager.
      Looking at all the fixes for browsers in recent times is enough to warrant my decision…I’m happy with that YMMV

      WaaS = Windows as a Syphon...suckers!

      1 user thanked author for this post.
    • #2510898

      Susan Bradley Patch Lady

      2 users thanked author for this post.
      • #2510909

        From LastPass blog :

        …To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

        The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client…

        2 users thanked author for this post.
    • #2510934

      For every lock, there’s some sneaky foot-scraping cracker that can make a key for it. Eventually.

      I just don’t know, folks…maybe I’m like that old fisherman in Maine who didn’t “believe in all them fancy frills and gimm-ocks…!”, but for me, an unusual word or term, translated into an incredibly obscure language, salted with symbols and squirrel noises, then written down in a small book hidden away in some location known to only one other person you’ve known for 40 years seems to do fine by me.

      (If I’m feeling particularly fine that day, I might write that down in Southern Akson Thai or some other Abugida-like tongue/script to drive anyone who DOES find it insane trying to decode it.)

      YMMV.

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
      --
      "...all the people, all the time..."Peter Ustinov ad-lib in "Logan's Run"

      1 user thanked author for this post.
    • #2510936

      is this all about chit-chat?,
      or is there some editorial comment,
      if you please?

      * _ the metaverse is poisonous _ *
      • #2510945

        is this all about chit-chat?, or is there some editorial comment, if you please?

        Just my conversational tone of writing while explaining my approach to security in a security forum, when there’s a security issue regarding password security being discussed.

        I was an English/Lit major, and I tend to write like it. Some publishers have actually thought well of it. 🙂

        Happy Holidays!

        Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
        --
        "...all the people, all the time..."Peter Ustinov ad-lib in "Logan's Run"

    • #2512697

      Not in a million years: It can take far less to crack a LastPass password

      LastPass, a competitor, recently announced that password hashes were included in an August 2022 breach of their cloud storage. Their notice claimed that if users had followed default settings, “it would take millions of years to guess your master password using generally-available password-cracking technology.” That claim is highly misleading…

      If 1Password were to suffer a similar breach, the attacker would not be able to crack your combination of account password and Secret Key even if they put every computer on Earth to work on the cracking and ran them for zillions of times the age of the universe…

      Perhaps the “millions of years” claim is based on poor assumptions about guessing speed. As it happens we have estimated through a cracking competition that the cost of cracking passwords hashed with 100,000 rounds of PBKDF2-H256 is around six US dollars for every 2^32 guesses. (The difference between our 100,000 rounds of PBKDF2 and LastPass’s 100,100 rounds is so small that we can ignore it.) Because of how powers of 2 work, the cost of making 2^33 guesses would be 12 dollars, the cost of making 2^34 guesses would be 24 dollars. Ten billion guesses would cost about 100USD…

      Given that the attacker is starting with the most likely human-created passwords first, that $100 worth of effort is likely to get results unless the password was machine generated…

      1 user thanked author for this post.
    • #2512895

      What’s in a PR statement: LastPass breach explained

      Right before the holiday season, LastPass published an update on their breach. As people have speculated, this timing was likely not coincidental but rather intentional to keep the news coverage low. Security professionals weren’t amused, this holiday season became a very busy time for them. LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face.

      Their statement is also full of omissions, half-truths and outright lies

      5 users thanked author for this post.
    • #2515290

      LastPass Faces Class Action Lawsuit for Lack of Security
      Date published 6th January 2023:

      A class action lawsuit has been filed in the U.S. District Court in Massachusetts, accusing LastPass of failure to secure sensitive customer data and seeking monetary relief for losses caused by recent data breaches.
      LastPass is a widely used password manager, password generator, and secure vault app, offering over 30 million users and 85,000 firms an easy way to create, store, manage, and use their secrets….

      WaaS = Windows as a Syphon...suckers!

      2 users thanked author for this post.
      • #2515312

        Nothing like shutting the gate after the cows are out.

        Carpe Diem {with backup and coffee}
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
        offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.674 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
        online▸ Win11Pro 22H2.22621.1105 x64 i5-9400 RAM16GB HDD Firefox110.0b5 MicrosoftDefender
    • #2519664

      I’m a LastPass user and am thinking about changing to alternative password “safes.”  LastPass competitors’ websites (e.g. Bit Warden, Dashline, 1Password) all have featured instructions on how to export LastPass data into their product.  What reason do we have to believe that those products are any more safe than LastPass?

    • #2519717

      Discussion of Lastpass, followed by mentions of 1Password, & Bitwarden:
      https://infosec.exchange/@epixoip/109585049354200263

    • #2520365

      What reason do we have to believe that those products are any more safe than LastPass?

      You don’t have any reason to believe any cloud service is secure.
      It isn’t.
      Believe only on the data stored on your devices.

      1 user thanked author for this post.
    • #2521275

      Gibson has a good discussion at https://www.grc.com/securitynow.htm

      and a PS script by Rob Woodruff that can demonstrate some of the problem. https://www.grc.com/miscfiles/LastPassVault.zip

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
      1 user thanked author for this post.
    • #2527859

      GoTo says hackers stole customers’ backups and encryption key

      GoTo (formerly LogMeIn) is warning customers that threat actors who breached its development environment in November 2022 stole encrypted backups containing customer information and an encryption key for a portion of that data…

      According to a GoTo’s security incident notification a reader shared with BleepingComputer, the attack affected backups relating to the Central and Pro product tiers stored in a third-party cloud storage facility.

      “Our investigation to date has determined that a threat actor exfiltrated encrypted backups related to Central and Pro from a third-party cloud storage facility,” reads the notice to customers.

      “In addition, we have evidence that a threat actor also exfiltrated an encryption key for a portion of the encrypted data. However, as part of our security protocols, we salt and hash Central and Pro account passwords. This provides an additional layer of security within the encrypted backups.” – GoTo

      The information present in the exfiltrated backups includes the following:

      Central and Pro account usernames
      Central and Pro account passwords (salted and hashed)
      Deployment and provisioning information
      One-to-Many scripts (Central only)
      Multi-factor authentication information
      Licensing and purchasing data like emails, phone numbers, billing address, and last four digits of credit card numbers…

      1 user thanked author for this post.
    • #2527928

      From GoTo’s website: https://www.goto.com/blog/our-response-to-a-recent-security-incident#

      Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere

      We are contacting affected customers directly to provide additional information and recommend actionable steps for them to take to further secure their accounts. Even though all account passwords were salted and hashed in accordance with best practices, out of an abundance of caution, we will also reset the passwords of affected users and/or reauthorize MFA settings where applicable.

      Win 10 home - 22H2
      Attitude is a choice...Choose wisely

    • #2528446

      Even though all account passwords were salted and hashed

      From what I understand this is practically impossible to crack. Am I wrong?

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
      --
      "...all the people, all the time..."Peter Ustinov ad-lib in "Logan's Run"

    • #2528447

      You don’t have any reason to believe any cloud service is secure. It isn’t.

      “The Cloud”: Your stuff on someone else’s computer.

      (Who said that?)

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
      --
      "...all the people, all the time..."Peter Ustinov ad-lib in "Logan's Run"

      1 user thanked author for this post.
    • #2528472

      Even though all account passwords were salted and hashed

      From what I understand this is practically impossible to crack. Am I wrong?

      Nothing is impossible to crack.

      https://www.tunnelsup.com/getting-started-cracking-password-hashes/
      https://hashcat.net/wiki/doku.php?id=hashcat
      https://medium.com/meco-engineering/a-beginners-guide-on-cracking-password-hashes-c7212e199eb2..
