
Thread: Lastpass Security Breach

  1. #1
    Super Moderator Jonj1611's Avatar
    Join Date
    Jun 2008
    Posts
    5,723
    Thanks
    1,763
    Thanked
    997 times in 764 posts

    Lastpass Security Breach

    For those that may be interested, I received this by email. I no longer use Lastpass and deleted it a while ago, but for those that still use it:

    We are writing to inform you that we recently detected some unusual activity within portions of the LastPass development environment. We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.

    In response, we immediately initiated an investigation, deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.

    Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We will continue to update our customers with the transparency they deserve.

    We have set up a blog post dedicated to providing more information on this incident: https://blog.lastpass.com/2022/08/no...rity-incident/

    We thank you for your patience as we work expeditiously to complete our investigation and regret any concerns this may have caused you.
    Jon

  2. Received thanks from:

    AGTDenton (25-08-2022),g8ina (29-08-2022),Saracen999 (26-08-2022)

  3. #2
    Senior Member AGTDenton's Avatar
    Join Date
    Jun 2009
    Location
    Bracknell
    Posts
    2,709
    Thanks
    993
    Thanked
    833 times in 546 posts
    • AGTDenton's system
      • Motherboard:
      • MSI MEG X570S ACE MAX
      • CPU:
      • AMD 5950x
      • Memory:
      • 32GB Corsair something or the other
      • Storage:
      • 1x 512GB nvme, 1x 2TB nvme, 2x 8TB HDD
      • Graphics card(s):
      • ASUS 3080 Ti TuF
      • PSU:
      • Corsair RM850x
      • Case:
      • Fractal Design Torrent White
      • Operating System:
      • 11 Pro x64
      • Internet:
      • Fibre

    Re: Lastpass Security Breach

    Everyone I've spoken to regarding password managers has been fearful of something like this.

    I'm now quite invested in Bitwarden.
    I got fed up of my encrypted but manual Excel method as it became less convenient and more chaotic over time.

    I wonder whether I should have a rethink

  4. #3
    Super Moderator Jonj1611's Avatar

    Re: Lastpass Security Breach

    I changed to Bitwarden after another thread we had on here a while ago.
    Jon

  5. #4
    Senior Member
    Join Date
    Jun 2008
    Posts
    1,495
    Thanks
    2
    Thanked
    143 times in 119 posts
    • BobF64's system
      • Motherboard:
      • Asus P8Z77-V Pro
      • CPU:
      • Intel Core i7-3770K
      • Memory:
      • 16GB Corsair XMS3 PC3-12800
      • Storage:
      • Multiple HDD and SSD drives
      • Graphics card(s):
      • ASUS DUAL-GTX1060-06G
      • PSU:
      • 750W Silverstone Strider Gold Evolution
      • Case:
      • Silverstone Fortress FT02
      • Operating System:
      • Windows 10 x64 Pro
      • Monitor(s):
      • HP ZR24w

    Re: Lastpass Security Breach

    Quote Originally Posted by AGTDenton View Post
    I wonder whether I should have a rethink
    Fairly sure Bitwarden cannot have the same issue as Lastpass just had, assuming all their code is open source.

    Can't breach and try to steal things you voluntarily publish for all to see.

  6. #5
    Headless Chicken Terbinator's Avatar
    Join Date
    Apr 2009
    Posts
    7,670
    Thanks
    1,210
    Thanked
    727 times in 595 posts
    • Terbinator's system
      • Motherboard:
      • ASRock H61M
      • CPU:
      • Intel Xeon 1230-V3
      • Memory:
      • Geil Evo Corsa 2133/8GB
      • Storage:
      • M4 128GB, 2TB WD Red
      • Graphics card(s):
      • Gigabyte GTX Titan
      • PSU:
      • Corsair AX760i
      • Case:
      • Coolermaster 130
      • Operating System:
      • Windows 8.1 Pro
      • Monitor(s):
      • Dell Ultrasharp U2711H
      • Internet:
      • Virgin Media 60Mb.

    Re: Lastpass Security Breach

    Kalniel: "Nice review Tarinder - would it be possible to get a picture of the case when the components are installed (with the side off obviously)?"
    CAT-THE-FIFTH: "The Antec 300 is a case which has an understated and clean appearance which many people like. Not everyone is into e-peen looking computers which look like a cross between the imagination of a hyperactive 10 year old and a Frog."
    TKPeters: "Off to AVForum better Deal - £20+Vat for Free Shipping @ Scan"
    for all intents it seems to be the same card minus some gays name on it and a shielded cover ? with OEM added to it - GoNz0.

  7. Received thanks from:

    Jonj1611 (26-08-2022)

  8. #6
    Editable... jimbouk's Avatar
    Join Date
    Aug 2005
    Location
    Bristol
    Posts
    3,071
    Thanks
    321
    Thanked
    278 times in 226 posts
    • jimbouk's system
      • Motherboard:
      • Asrock B450M-HDV R4.0
      • CPU:
      • AMD Ryzen 5 3600
      • Memory:
      • Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4 3200 MHz C16
      • Storage:
      • Sabrent Rocket Q 1TB NVMe PCIe M.2 2280
      • Graphics card(s):
      • Sapphire Pulse RX 580 8GB
      • PSU:
      • Seasonic Core Gold GC-650
      • Case:
      • Lian-Li PC-V1100 ATX
      • Operating System:
      • Windows 10 Pro
      • Monitor(s):
      • AOC CU34G2/BK 34" Widescreen
      • Internet:
      • EE FTC

    Re: Lastpass Security Breach

    It only takes one weak link if you don't have everything tied down to the nth degree. I also moved from Lastpass to Bitwarden based on the discussions. I guess the risk for Bitwarden is someone gets a dump of the cloud-stored vaults and can attempt to crack them offline. You'd hope people who are investing in a password manager would take reasonable precautions to not re-use their master password elsewhere and have something reasonably long...

  9. #7
    Headless Chicken Terbinator's Avatar

    Re: Lastpass Security Breach

    I don't know too much about CySec but we've had Twitter, Plex and LastPass all get done over or come out and say they were breached recently in the past two weeks.

    Has a further shift to remote/hybrid opened things up, do we think? Compromises have always happened of course, and you'd imagine CySec people are 'on it' - the other people on their home networks though...

  10. #8
    Senior Member AGTDenton's Avatar

    Re: Lastpass Security Breach

    Quote Originally Posted by BobF64 View Post
    Fairly sure Bitwarden can not have the same issue as Lastpass just had, assuming all their code is open source.
    Yeah that's one of the reasons I chose it. The only way someone's getting in is if I gave the login to somebody or left it logged in somewhere. So it becomes user error.

  11. #9
    RIP Peterb ik9000's Avatar
    Join Date
    Nov 2009
    Posts
    7,704
    Thanks
    1,840
    Thanked
    1,434 times in 1,057 posts
    • ik9000's system
      • Motherboard:
      • Asus P7H55-M/USB3
      • CPU:
      • i7-870, Prolimatech Megahalems, 2x Akasa Apache 120mm
      • Memory:
      • 4x4GB Corsair Vengeance 2133 11-11-11-27
      • Storage:
      • 2x256GB Samsung 840-Pro, 1TB Seagate 7200.12, 1TB Seagate ES.2
      • Graphics card(s):
      • Gigabyte GTX 460 1GB SuperOverClocked
      • PSU:
      • NZXT Hale 90 750w
      • Case:
      • BitFenix Survivor + Bitfenix spectre LED fans, LG BluRay R/W optical drive
      • Operating System:
      • Windows 7 Professional
      • Monitor(s):
      • Dell U2414h, U2311h 1920x1080
      • Internet:
      • 200Mb/s Fibre and 4G wifi

    Re: Lastpass Security Breach

    Isn't the old saying "never put all your eggs in one basket", and the modern mantra "a diversified portfolio strengthens resilience"? Granted, remembering passwords is a pain, but I've always been wary of having a single place dealing with everything.

  12. #10
    Senior Member
    • BobF64's system

    Re: Lastpass Security Breach

    Quote Originally Posted by AGTDenton View Post
    Yeah that's one of the reasons I chose it. The only way someone's getting in is if I gave the login to somebody or left it logged in somewhere. So it becomes user error.
    Open source is a two-edged sword.

    On one side, people can read how it works and identify problems, on the other side, people can read it and see how it works.

  13. Received thanks from:

    AGTDenton (26-08-2022)

  14. #11
    Senior Member
    Join Date
    Aug 2016
    Posts
    3,908
    Thanks
    939
    Thanked
    979 times in 724 posts

    Re: Lastpass Security Breach

    Quote Originally Posted by BobF64 View Post
    Open source is a two edged sword.

    On one side, people can read how it works and identify problems, on the other side, people can read it and see how it works.
    Add to the open source case ... "people (with the time and skillset) can read it and at least be confident that the company itself or even just a rogue programmer(s) don't have hidden back doors embedded".

    I never really got into Lastpass. I used an ancient password manager for some years (probably too long) and was trying Lastpass out when the goalposts moved, so promptly dumped the testing. I did move to an alternative but not one that stores stuff only - it's solely local (which has risks of its own). And on top of that, my more sensitive data (of which there's not that much these days, post-retirement) is only on air-gapped machines. And the most sensitive (to me at least) isn't in digital form at all. That bit might get stolen (if thieves can, first, physically break in and second, find it). And third, give enough of a .... damn, about it to bother. But it sure won't get hacked.

    I do agree with avoiding the "eggs in one basket" principle but, of course, doing so adds to complexity and hassle, which in its own right adds a degree of risk, just a different risk.
    A lesson learned from PeterB about dignity in adversity, so Peter, In Memoriam, "Onwards and Upwards".

  15. #12
    Senior Member Giraffe's Avatar
    Join Date
    Feb 2007
    Location
    near Northampton
    Posts
    850
    Thanks
    34
    Thanked
    42 times in 36 posts
    • Giraffe's system
      • Motherboard:
      • Gigabyte GA-Z97-D3H
      • CPU:
      • Intel Core i5 5675C, S 1150, Broadwell, Quad Core, 3.1GHz, 3.6GHz Turbo
      • Memory:
      • Crucial Ballistix DDR3 1600, 4GB
      • Storage:
      • 512GB Samsung SSD, 850 Pro, SATA 3
      • Graphics card(s):
      • Integrated
      • PSU:
      • Seasonic S12G 450W 80+ Gold
      • Case:
      • Antec P100
      • Operating System:
      • Windows 7 Pro, 32-bit
      • Monitor(s):
      • Dell U2415, 24", 16:10
      • Internet:
      • TP-Link modem-router; 3mbps sync.

    Re: Lastpass Security Breach

    I've never liked the idea of passwords etc. being 'somewhere else' - my computer is a small target and the p/w servers are big ones.
    For me, a piece of paper would be OK (although onerous and prone to beer errors) so a local manager that's blocked by the firewall seems better.
    PeterC

    Political lubricant:

    Rocket WMD45

  16. #13
    Senior Member

    Re: Lastpass Security Breach

    Quote Originally Posted by Giraffe View Post
    I've never liked the idea of passwords etc. being 'somewhere else' - my computer is a small target and the p/w servers are big ones.
    For me, a piece of paper would be OK (although onerous and prone to beer errors) so a local manager that's blocked by the firewall seems better.
    Agreed. There's an element of risk either way, pretty much whatever we do. I think the risk of password servers is massively higher than my single little IP and router (etc) getting hacked, which in turn is massively higher than an opportunistic burglar firstly breaking in, then finding my password stash, then breaking the encryption that still uses. Nothing anyone is finding here justifies the effort of targeting me physically by professional burglars, because there's nothing here worth that. So doing my own thing is a risk but, in my opinion, a smaller one than risking some online password store being targeted and hacked. That said, the online version does have a convenience element that my home-brew solution doesn't. I'm just not bothered at all by missing out on that, but it could be important to some people and justify the greater risk.

  17. #14
    Senior Member watercooled's Avatar
    Join Date
    Jan 2009
    Posts
    11,478
    Thanks
    1,541
    Thanked
    1,029 times in 872 posts

    Re: Lastpass Security Breach

    It's worth stressing that, when a password manager is developed thoughtfully (and this is important, including good database design, password complexity requirements, and password key derivation functions to prevent brute-forcing, etc.), a breach really isn't the end of the world. Even gaining access to a user database (which they apparently didn't on this occasion) does not give an attacker access to credentials in any usable form. In fact any online password manager worth considering will have considered the possibility of a database breach and prepared for it. FWIW when I researched LastPass AGES ago they seemed to be doing things by and large properly, but I've not followed them in a long time, so what I say doesn't specifically relate to them...

    Of course it varies by service and configuration, but the 'no-knowledge' services where even the service provider can't help you if you forget/lose your login credentials carry a low risk even in the event of a database breach. It's easy to see news of 'breaches' or 'hacks' and assume this translates into breaking into databases too, but that's not really the case. Access control and actual encryption are two different things. Remember, encryption is intended to prevent an attacker viewing data in plaintext when they have access to the ciphertext. Where such a database is accessed, it would still be good practice to change passwords, but using a password manager in itself helps with this. It's drastically better than having to remember every site you used that same rubbish password on because some breach leaked plaintext passwords and your email address!

    You have to weigh up the options. Not using a password manager means, for most people, they will be using or reusing bad passwords and changing infrequently if ever. Or having post-it notes stuck to their office computer or something. These alternatives all carry their own risks. The amount of accounts and credentials people have to juggle nowadays just makes a decent password manager a sensible choice for most IMO. Even if that niggling thought of eggs-one-basket means you keep the more critical credentials separate, and maintain good password hygiene with those independently. Oh, and use 2FA where possible, *and* backups for said 2FA!!!

    There are also self-hosted or offline-only alternatives, with their own pros and cons. Lack of convenience and having to ensure syncing across the numerous devices people use nowadays can present a challenge. And if the database is stored locally as a file, you have to weigh the possibility of that leaving your system through various means, whether malicious or inadvertent. But the convenience factor is important - a security measure is only useful if it actually gets used!

    Regarding the Plex hack, it seems (through speaking to a friend about it) they were actually storing passwords sensibly, not in plaintext, and with salt/pepper. And they are forcing password changes as a precaution. I'm not sure which hashing function they are using, but if it's a good one, it would be extremely labour-intensive to brute-force even fairly rubbish passwords, and the salting means rainbow tables and simplistic bulk attacks are no use.

    My concern with this sort of incident is rather than encouraging improved security practices, it pushes people to inferior alternatives.
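    The post above makes three points that are easier to see in code than in prose: a slow key derivation function makes every guess expensive, a per-user salt defeats rainbow tables and bulk attacks, and a "no-knowledge" design keeps the vault key on the client so the server only ever holds something it can verify a login against, not something it can decrypt with. The following is an added illustration, not code from any product mentioned in the thread; the iteration count, the pepper value and the way the vault key and login hash are split are all constructed for the example and are not any service's documented scheme.

```python
import hashlib
import hmac
import os

# Constructed parameters for this illustration (not a real service's settings).
PBKDF2_ITERATIONS = 100_000            # the "slow" in slow hashing: cost per guess
SALT_BYTES = 16                        # per-user random salt stored next to the hash
PEPPER = b"example-pepper-kept-outside-the-database"  # hypothetical secret, never in the DB


def derive_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256. Each call costs `iterations` HMACs,
    which is what makes offline brute-forcing of a leaked table labour-intensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def hash_password(password: str) -> dict:
    """What a sensibly built service stores for a login password: salt + iterations + peppered hash."""
    salt = os.urandom(SALT_BYTES)
    digest = derive_key(password, salt)
    # Pepper: an HMAC under a secret that lives in the application, not the database,
    # so a database-only dump cannot even be used to verify guesses.
    peppered = hmac.new(PEPPER, digest, hashlib.sha256).digest()
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": peppered.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = derive_key(password, salt, record["iterations"])
    peppered = hmac.new(PEPPER, digest, hashlib.sha256).digest()
    return hmac.compare_digest(peppered, bytes.fromhex(record["hash"]))


def salts_defeat_precomputation(password: str) -> bool:
    """Two users with the same password get different stored hashes, so a precomputed
    (rainbow) table keyed on the password alone matches neither of them."""
    a = hash_password(password)
    b = hash_password(password)
    return a["hash"] != b["hash"] and verify_password(password, a) and verify_password(password, b)


def client_side_keys(master_password: str, email: str) -> tuple:
    """'No-knowledge' split (constructed illustration): the vault key is derived on the
    client and never sent; a second one-way step produces the value used to log in.
    The server can check auth_hash but cannot turn it back into vault_key."""
    vault_key = derive_key(master_password, email.strip().lower().encode("utf-8"))
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, dklen=32)
    return vault_key, auth_hash


def demo() -> bool:
    """Constructed sample: one user record, a correct and a wrong guess, and the key split."""
    record = hash_password("correct horse battery staple")
    ok = verify_password("correct horse battery staple", record)
    bad = verify_password("correct horse battery stapl", record)
    vault_key, auth_hash = client_side_keys("Tr0ub4dor&3", "alice@example.test")
    return ok and not bad and vault_key != auth_hash


if __name__ == "__main__":
    print("demo passed" if demo() else "demo failed")
```

    The point for the thread is the last function: with this kind of split, a dump of the login table gives an attacker per-user salts and one-way hashes, each of which costs a full PBKDF2 run to test a single guess; neither the vault key nor the plaintext vault is in that table at all.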
