
Thread: LastPass Security Breach... Again.

  1. #17
    Super Moderator Jonj1611's Avatar

    Re: LastPass Security Breach... Again.

    Glad I deleted my LastPass account now.
    Jon

  2. #18
    Senior Member AGTDenton's Avatar
    • AGTDenton's system
      • Motherboard:
      • MSI MEG X570S ACE MAX
      • CPU:
      • AMD 5950x
      • Memory:
      • 32GB Corsair something or the other
      • Storage:
      • 1x 512GB nvme, 1x 2TB nvme, 2x 8TB HDD
      • Graphics card(s):
      • ASUS 3080 Ti TuF
      • PSU:
      • Corsair RM850x
      • Case:
      • Fractal Design Torrent White
      • Operating System:
      • 11 Pro x64
      • Internet:
      • Fibre

    Re: LastPass Security Breach... Again.

    Quote Originally Posted by Saracen999 View Post
    I tend to operate rather the other way round. If I sign up somewhere new, it's nearly always a sacrificial goat account, i.e. intended for one-off, or the very short-term, with an email address that, one way or another, is disposable. I don't much bother with password security because there's nothing there at risk, and little or no trail back to me. TBH, it takes a specific purpose to get me to bother even doing that, these days.

    Only if I found myself going back repeatedly, over a period of time beyond the minimal, would I bother with a "real" sign up, and anything resembling actual password security. That's happened, I think, once in the last couple of years. Other than here, I don't really either have many fingers in online pies, or the inclination to do so.

    That sounds like a better way to do it.

    Most of mine are on technical sites like Seven/Eight/Ten/ElevenForums, Windows Central etc.
    Sadly I'll use it a few times a year based on certain projects.
    But I have never provided real names, contact details or DoB, and finally use randomly generated passwords.

    When I absolutely know I won't be back I use 10 minute mail addresses. But that's rare.

    Quote Originally Posted by Output View Post
    And in the latest update, it has been revealed that password vaults were obtained.


    (Emphasis not mine.)

    As the website URLs are said to be unencrypted, I'd imagine that gives more of an idea to the attacker of potential targets to go for.

    https://9to5mac.com/2022/12/22/lastp...ults-obtained/

    Who on earth would sign off on that design for a password manager?
    Sounds to me like it has never been fit for purpose and they don't know how their own software works.

    Something I didn't know was that LogMeIn spun LastPass off into its own company in 2021. It does appear they aren't even a parent company and they now have nothing to do with it.

  3. #19
    Senior Member

    Re: LastPass Security Breach... Again.

    I guess it all eventually comes down to there being no such thing as 100% online security and the only way to keep things totally secure from hacking is to not put them on any computer in the first place, or at least, not one with an online connection. Yes, there are risks with that too, but not online ones. Some of my more sensitive data (prior to retirement) only EVER went onto PCs with no online connection, i.e. an air-gapped LAN. Yes, there was still a small risk, but only after someone had physically broken in, here. Can't be done from remote and certainly not from abroad. That right there narrows the risk surface hugely. It unfortunately also reduces the convenience factor and I guess that, right there, is the trade-off: security v convenience.
    A lesson learned from PeterB about dignity in adversity, so Peter, In Memoriam, "Onwards and Upwards".

  4. #20
    HEXUS.Squirrel Output's Avatar
    • Output's system
      • Motherboard:
      • Gigabyte AORUS Master X570
      • CPU:
      • AMD Ryzen 9 3950X
      • Memory:
      • 32GB (2x16GB) DDR4 Kingston Fury Renegade @ 3600MHz CL16
      • Storage:
      • Sandisk Ultra 3D 2TB
      • Graphics card(s):
      • Sapphire Nitro+ RX 7800 XT
      • PSU:
      • EVGA SuperNOVA 750 G3
      • Case:
      • bequiet Dark Base Pro 900 Rev.2
      • Operating System:
      • Windows 10 Pro x64

    Re: LastPass Security Breach... Again.

    Further bad news for LastPass, as the breach extends to an employee's home computer, gaining access to a vault that only a handful have access to.

    Apparently a Plex vulnerability was used.

    https://arstechnica.com/information-...rporate-vault/


  6. #21
    Senior Member AGTDenton's Avatar

    Re: LastPass Security Breach... Again.

    Talk about slapdash security procedures.
    Most would be fired for that.

    Even though LastPass have split from GoTo/LogMeIn - The Hamachi setup still has the cheek to advertise LastPass during install...

  7. #22
    Senior Member

    Re: LastPass Security Breach... Again.

    Quote Originally Posted by Output View Post
    Further bad news for LastPass, as the breach extends to an employee's home computer, gaining access to a vault that only a handful have access to.

    Apparently a Plex vulnerability was used.

    https://arstechnica.com/information-...rporate-vault/

    If I understood what happened correctly, then it's arguably as embarrassing for Plex as it is for LastPass. LastPass, however (in my view) don't get off just because the vulnerability was in Plex. Oh, no. For this kind of issue, where OUR security is on the line, why in the name of both Heaven and Hell, and the equivalents in any/all other belief systems, did a senior dev have this stuff at home???

    If it wasn't authorised, fire the dev. If it was, fire the moron that authorised it.


    BUT .... we ALL have a responsibility too.

    We need to know, and IMHO, mostly we do, that there is no such thing as 100% security in ANYTHING you put online. Nor, for that matter, on a computer even if offline, though arguably the threat surface is much smaller. But then, the skills of the person setting up and monitoring security (that would be me, thee and all other users, dear reader) may not (and probably doesn't) have the skills of someone setting up such stuff professionally because, hopefully, they trained for it and do it for a living. I can wire up basic electrics, fix many car problems and/or solder plumbing pipes and get water-tight joints (usually) but am I an electrician, auto-mechanic or plumber? Hell, no. Same for computer security.

    PERSONALLY, my view is that by putting anything in a password manager online, it opens up risks you don't have if self-hosted. So I self-host. That said, I'm then relying on my own abilities to keep it secure, hence a decent non-ISP router, good quality firewall and having locked it down as thoroughly as I can. Combine that with the principle of "threat actors" having to find my particular grain of rice in all the paddy fields in Asia, and I think it's pretty secure. I then backup the heck out of everything and hope it's all enough. If it proves not to be, I know who to fire .... me. Maybe I'm relying too much on being a truly unnoticeable rice-grain in the wider scheme of things. All I can say is I've done all I can, including the more sensitive stuff (which is still pretty boring, and of zero interest to state-level actors and minimal interest to financially oriented ones) to ensure it's protected. Anyone that does successfully hack my systems here is probably gonna be a smidge disappointed with access to my digitised music and video backups, and a collection of downloaded PDF files, the vast bulk of which are either Acts of Parliament, various published government reports, enquiry outcomes and computer hardware/software manuals. I'd almost pay to see the expression on a hacker's face at the "payload" they find if they get into my stuff. Anything that, to me, is sensitive, is on that air-gapped network and anyone breaking in to get that, assuming they can crack the file encryption, is going to be similarly disappointed.

    Nothing, at all, is 100% secure, short of not actually doing anything either online, or even on a computer. If you do either (or both) there's a risk. Always has been, always will be. So it comes down to security versus both cost and convenience. My evaluation is I'll refrain from doing a lot of things in the first place (like almost all online banking) or social media accounts, and keeping everything else I can locally not online, with password management emphatically being included in that. However .... it is a personal judgement and YMMV.
    A lesson learned from PeterB about dignity in adversity, so Peter, In Memoriam, "Onwards and Upwards".

  8. #23
    HEXUS.Squirrel Output's Avatar

    Re: LastPass Security Breach... Again.

    Quote Originally Posted by AGTDenton View Post
    Talk about slapdash security procedures.
    Most would be fired for that.

    Even though LastPass have split from GoTo/LogMeIn - The Hamachi setup still has the cheek to advertise LastPass during install...

    Are they really separate though? Having a shared development environment that means they're also a part of the same breaches suggests otherwise.

    https://www.bleepingcomputer.com/new...ncryption-key/

    Quote Originally Posted by Saracen999 View Post
    If I understood what happened correctly, then it's arguably as embarrassing for Plex as it is for LastPass. LastPass, however (in my view) don't get off just because the vulnerability was in Plex. Oh, no. For this kind of issue, where OUR security is on the line, why in the name of both Heaven and Hell, and the equivalents in any/all other belief systems, did a senior dev have this stuff at home???

    If it wasn't authorised, fire the dev. If it was, fire the moron that authorised it.

    True, it does seem very odd that they had it at home. Even if they were doing remote working, you'd expect it to still be VPN'd into work machines with the stuff stored there, rather than any of the storage being actually at home.


    Quote Originally Posted by Saracen999 View Post
    BUT .... we ALL have a responsibility too.

    We need to know, and IMHO, mostly we do, that there is no such thing as 100% security in ANYTHING you put online. Nor, for that matter, on a computer even if offline, though arguably the threat surface is much smaller. But then, the skills of the person setting up and monitoring security (that would be me, thee and all other users, dear reader) may not (and probably doesn't) have the skills of someone setting up such stuff professionally because, hopefully, they trained for it and do it for a living. I can wire up basic electrics, fix many car problems and/or solder plumbing pipes and get water-tight joints (usually) but am I an electrician, auto-mechanic or plumber? Hell, no. Same for computer security.

    PERSONALLY, my view is that by putting anything in a password manager online, it opens up risks you don't have if self-hosted. So I self-host. That said, I'm then relying on my own abilities to keep it secure, hence a decent non-ISP router, good quality firewall and having locked it down as thoroughly as I can. Combine that with the principle of "threat actors" having to find my particular grain of rice in all the paddy fields in Asia, and I think it's pretty secure. I then backup the heck out of everything and hope it's all enough. If it proves not to be, I know who to fire .... me. Maybe I'm relying too much on being a truly unnoticeable rice-grain in the wider scheme of things. All I can say is I've done all I can, including the more sensitive stuff (which is still pretty boring, and of zero interest to state-level actors and minimal interest to financially oriented ones) to ensure it's protected. Anyone that does successfully hack my systems here is probably gonna be a smidge disappointed with access to my digitised music and video backups, and a collection of downloaded PDF files, the vast bulk of which are either Acts of Parliament, various published government reports, enquiry outcomes and computer hardware/software manuals. I'd almost pay to see the expression on a hacker's face at the "payload" they find if they get into my stuff. Anything that, to me, is sensitive, is on that air-gapped network and anyone breaking in to get that, assuming they can crack the file encryption, is going to be similarly disappointed.

    Nothing, at all, is 100% secure, short of not actually doing anything either online, or even on a computer. If you do either (or both) there's a risk. Always has been, always will be. So it comes down to security versus both cost and convenience. My evaluation is I'll refrain from doing a lot of things in the first place (like almost all online banking) or social media accounts, and keeping everything else I can locally not online, with password management emphatically being included in that. However .... it is a personal judgement and YMMV.

    I absolutely agree that nothing is 100% secure, especially if you take into account the human factor which can have either a positive or negative effect on security which can vary due to numerous factors all the time, even for the same person.

    All we can do is do what we each feel is the right decision for us personally.

    It doesn't stop the annoyance (or frustration etc. if you're a victim) of hearing about possible mistakes that you would have hoped would have been avoidable factors due to X, Y or Z reasons.

    One thing is for sure though, whoever it was that breached them was certainly thorough in their targeting (even if that targeting is not exactly surprising due to what their service does).

  9. #24
    Senior Member AGTDenton's Avatar

    Re: LastPass Security Breach... Again.

    Quote Originally Posted by Output View Post
    Are they really separate though? Having a shared development environment that means they're also a part of the same breaches suggests otherwise.

    https://www.bleepingcomputer.com/new...ncryption-key/

    According to this blog post in Dec 2021 that's what they intended. I'm fairly certain I have read somewhere that they are separating from LogMeIn's services/servers at some point as well as moving offices. So I think it's just a slow transition into the new company.

    Quote Originally Posted by LastPass.com
    Today, we’re excited to announce our intent to establish LastPass as an independent company.
    https://blog.lastpass.com/2021/12/la...Project-Entity

  10. #25
    Grumpy and VERY old :( g8ina's Avatar
    • g8ina's system
      • Motherboard:
      • ASRock Z75 Pro3
      • CPU:
      • Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz 3.40 GHz
      • Memory:
      • 16GB Corsair 1600MHz DDR3.
      • Storage:
      • 250GB SSD system, 250GB SSD Data + 2TB data, + 8TB NAS
      • Graphics card(s):
      • XFX Radeon HD 6870
      • Case:
      • Coolermaster Elite 430
      • Operating System:
      • Win10
      • Monitor(s):
      • Iiyama 22"
      • Internet:
      • Virgin 100MB unlimited

    Re: LastPass Security Breach... Again.

    Just deleted my LP account, I've gone to Bitwarden. Thanks to Jon for the info.
    Cheers, David
