Thread: LastPass Security Breach... Again.

  1. #1
    HEXUS.Squirrel Output's Avatar

    LastPass Security Breach... Again.

    Apparently this time involves customer information, and was accomplished using data obtained in the August breach.

    Seriously, an online service focused entirely on passwords is a huge target and I just don't understand why anyone would use them or any like them.

    https://www.pcmag.com/news/lastpass-...ta-is-affected

  3. #2
    Super Moderator Jonj1611's Avatar

    Re: LastPass Security Breach... Again.

    I gave up with Lastpass at the last security breach, deleted my account with them and now I use Bitwarden
    Jon

  5. #3
    Senior Member

    Re: LastPass Security Breach... Again.

    Quote Originally Posted by Output View Post
    .... an online service focused entirely on passwords is a huge target and I just don't understand why anyone would use them or any like them.

    ...
    I kinda do. To be clear, personally, I would not use an online service for anything like this. But I think I get why people would, or at least, might.

    First, Lastpass have (or had) a very good name.

    Second, it makes using the passwords among multiple devices somewhat simpler than an entirely locally stored version.

    Third, do it locally, yourself, and it's harder to keep multiple devices sync'd with changes/updates/additions.

    Fourth, some people might not take password security seriously, depending on what they use passwords for.

    Finally, we're a fairly tech-literate bunch here, but a lot of the public really aren't. I'm pretty sure I could find more than a few friends and family that would glaze over pretty quickly if I mentioned "online security breaches", and respond with "Huh?".

    But most of the above are fairly quickly becoming unsustainable, given the way the modern way of life, at least in techy societies, is changing. I mean, who doesn't, to one extent or another, use online banking these days? I didn't want to, and I mean really, really didn't want to. I still don't want to, but for reasons I'm not going into, have no choice. I do, however, take it very cautiously, with baby steps, and do not have it enabled on all bank accounts (or banks). In fact, it is explicitly locked on some, and will require my personal attendance, in a branch, with specific forms of ID including passport, to re-enable even being able to register. That much, I have in writing, from the bank. The limited accounts on which it is enabled are effectively service accounts, with no credit facility (or option to enable one without in-person proof of ID), and very limited access to funds.

    Also, my password manager is local-only and while it is possible to set up remote access, I have not only not enabled that, but have it blocked. And my banking information isn't in it anyway. On those rare occasions I actually use online banking, it's done from a machine that does nothing else, from a browser used for nothing else, that can be formatted/restored from a clean image file very easily (and periodically is), using a SIM for 2FA not kept in any phone by default, and I still don't keep that banking data/password in a password manager.

    So, from that degree of ..... antipathy, that sort of near-paranoia, about online banking I think my reluctance and the level of personal inconvenience I'm willing to put up with to avoid it when at all possible, is pretty clear. But it does mean I have a clear view of the seductiveness of solving what is without a shadow of a doubt a huge 'modern-life' problem - password management.

    I use a password manager as a convenience tool for things that, by and large, don't really much matter and not ever for anything banking related. I've also been using encryption, for example on sensitive emails, back to the days several decades ago where I had to play a bit fast and loose with US export controls even to get retail licences of PGP out of the USA to the UK.

    But I'm of an age, and at a stage in life, where I can step back, decline to take part in lots of aspects of modern life that, were I younger, busier and with modern needs (like job hunting, employment, needing credit, etc) I probably wouldn't be able to, without huge inconvenience.

    But I sure can see how the seductiveness of ease of use, of sheer convenience of online password services, would appeal and especially to the less technical that don't see reports of so many breaches.

    TL / DR = Busy lives, sheer convenience, lacking in tech/security savvy. Or some blend of those. Or, just don't care.
    A lesson learned from PeterB about dignity in adversity, so Peter, In Memoriam, "Onwards and Upwards".

  7. #4
    HEXUS.Squirrel Output's Avatar

    Re: LastPass Security Breach... Again.

    Some very good points there.

    I guess I can easily forget about all of those being possibilities for other people.

    It's also easy to forget that we were all clueless about things at the start.

  8. #5
    Senior Member

    Re: LastPass Security Breach... Again.

    Quote Originally Posted by Output View Post
    Some very good points there.

    I guess I can easily forget about all of those being possibilities for other people.

    It's also easy to forget that we were all clueless about things at the start.
    Yup. Look at me, I've been at it since the late '60s and I'm still about 50% clueless.

  9. #6
    The Irish Drunk! neonplanet40's Avatar

    Re: LastPass Security Breach... Again.

    Quote Originally Posted by Jonj1611 View Post
    I gave up with Lastpass at the last security breach, deleted my account with them and now I use Bitwarden
    Same, and I'm very reliant on it.....

  10. #7
    Senior Member

    Re: LastPass Security Breach... Again.

    I'd been using my stone-age password manager until shortly before that breach, and having looked around for a while, settled on Lastpass, downloaded, installed and tested resulting in pretty much deciding on it then .... security breach. And the shenanigans that went on around that, together with some 'suspicions' about some products/companies in the field which resulted in, yup, complete re-think, open source (which has its risks and disadvantages too), and a completely locally implemented and stored choice. So far, zero regrets. Zero costs, too.

  11. #8
    Senior Member AGTDenton's Avatar

    Re: LastPass Security Breach... Again.

    I hope whatever LastPass is written in is not the same as LogmeIn and whatever the hackers have learnt about Lastpass couldn't translate over.

  12. #9
    Senior Member

    Re: LastPass Security Breach... Again.

    Quote Originally Posted by Output View Post
    Apparently this time involves customer information, and was accomplished using data obtained in the August breach.

    Seriously, an online service focused entirely on passwords is a huge target and I just don't understand why anyone would use them or any like them.

    https://www.pcmag.com/news/lastpass-...ta-is-affected
    The bolded is the obvious thing, isn't it?

    No matter how amateur someone's own password management might or might not be, most of us are small enough that big criminal organisations or nation states are not going to get involved. Yes, so some of that rightly might be criticized as "security by obscurity" just because most of us are too obscure to be worth bothering with, but in this case that is actually not such a bad approach to security.

  13. #10
    HEXUS.Squirrel Output's Avatar

    Re: LastPass Security Breach... Again.

    Quote Originally Posted by kompukare View Post
    The bolded is the obvious thing, isn't it?

    No matter how amateur someone's own password management might or might not be, most of us are small enough that big criminal organisations or nation states are not going to get involved. Yes, so some of that rightly might be criticized as "security by obscurity" just because most of us are too obscure to be worth bothering with, but in this case that is actually not such a bad approach to security.
    Exactly my point.

    Most people are less of a target individually than they are as a part of a group.

    The bigger the group, the bigger the target.

    It certainly doesn't mean that it will necessarily be avoided, particularly as we all know that there is no such thing as 100% secure, but it can still lessen the risk in comparison.

  14. #11
    root Member DanceswithUnix's Avatar

    Re: LastPass Security Breach... Again.

    Quote Originally Posted by Saracen999 View Post
    On those rare occasions I actually use online banking, it's done from a machine that does nothing else, from a browser used for nothing else, that can be formatted/restored from a clean image file very easily (and periodically is), using a SIM for 2FA not kept in any phone by default, and I still don't keep that banking data/password in a password manager.
    I think the smart phone banking apps are actually pretty good for this.

    If I fire up online banking on my PC using the password (something I know) then I have to get my phone out (something I have) as an authenticator and offer my fingerprint to their app (something I am) so for that case it is actually using 3 factor authentication. The weak spot here is if I lose my phone, then the banking app is just 2FA being the phone and the fingerprint. But still, it seems decent security at my end and really fast & easy to use, and I will pretty quickly notice if I am missing my phone (or a finger).

  15. #12
    root Member DanceswithUnix's Avatar

    Re: LastPass Security Breach... Again.

    Quote Originally Posted by kompukare View Post
    No matter how amateur someone's own password management might or might not be, most of us are small enough that big criminal organisations or nation states are not going to get involved. Yes, so some of that rightly might be criticized as "security by obscurity" just because most of us are too obscure to be worth bothering with, but in this case that is actually not such a bad approach to security.
    Isn't really that obscure though.

    The Internet is a flood of constant attacks, so it isn't you they are attacking; you are just part of the huge crowd of "everybody". If someone gets into your system, then they can just include a module to go read every file in your PC and see if it looks like a plaintext password file.

  16. #13
    Super Moderator Jonj1611's Avatar

    Re: LastPass Security Breach... Again.

    Don't know what I would do without a password manager, particularly as I use it when out as well as at home. Just looking at the vault shows I have 1530 logins! A lot of them will be throwaway accounts for like when you need something but have to join just to do something or another.

    But still over a thousand passwords, all different, all alphanumeric, all at least 8 characters long. Certainly not something I would like to take up the challenge to remember.
    Jon

  17. #14
    Senior Member AGTDenton's Avatar

    Re: LastPass Security Breach... Again.

    Quote Originally Posted by Jonj1611 View Post
    Don't know what I would do without a password manager, particularly as I use it when out as well as at home. Just looking at the vault shows I have 1530 logins! A lot of them will be throwaway accounts for like when you need something but have to join just to do something or another.

    But still over a thousand passwords, all different, all alphanumeric, all at least 8 characters long. Certainly not something I would like to take up the challenge to remember.
    Yes I would crumble now, have slowly transitioned to using Bitwarden's password generator for a lot of logins since being notified by "Have i been pwned" a little too often.
    The problem here is like you say, you sign up to loads of sites/services you use once or twice but over time they eventually get hacked or your data sold.

    It's not practical to always delete your account, you never really know when your last time using a service will be and half the time it's a catalogue of instructions to remove your account. Some ask you to do it in writing....

  18. #15
    Senior Member

    Re: LastPass Security Breach... Again.

    Quote Originally Posted by AGTDenton View Post
    Yes I would crumble now, have slowly transitioned to using Bitwarden's password generator for a lot of logins since being notified by "Have i been pwned" a little too often.
    The problem here is like you say, you sign up to loads of sites/services you use once or twice but over time they eventually get hacked or your data sold.

    It's not practical to always delete your account, you never really know when your last time using a service will be and half the time it's a catalogue of instructions to remove your account. Some ask you to do it in writing....
    I tend to operate rather the other way round. If I sign up somewhere new, it's nearly always a sacrificial goat account. i.e. intended for one-off, or the very short-term, with an email address that, one way or another, is disposable. I don't much bother with password security because there's nothing there at risk, and little or no trail back to me. TBH, it takes a specific purpose to get me to bother even doing that, these days.

    Only if I found myself going back repeatedly, over a period of time beyond the minimal, would I bother with a "real" sign up, and anything resembling actual password security. That's happened, I think, once in the last couple of years. Other than here, I don't really either have many fingers in online pies, or the inclination to do so.

  19. #16
    HEXUS.Squirrel Output's Avatar

    Re: LastPass Security Breach... Again.

    And in the latest update, it has been revealed that password vaults were obtained.

    “The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms, please see here.”

    While user password vaults are still protected by their master passwords, the hacker may try brute force, phishing, or social engineering attacks. So be careful out there if you’ve been a LastPass customer.
    (Emphasis not mine.)

    As the website URLs are said to be unencrypted, I'd imagine that gives more of an idea to the attacker of potential targets to go for.

    https://9to5mac.com/2022/12/22/lastp...ults-obtained/
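
Added example, not part of any post in this thread and not LastPass code: a triage script a vault owner could run over their own export to see what the unencrypted URL field alone gives away and which logins to rotate first. The CSV column names, the keyword tiers and every sample value are assumptions constructed for the illustration.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample export; column names and all values are made up.
SAMPLE_EXPORT = """\
url,username,name
https://online.examplebank.test/login,alice,Bank
https://mail.example.test/inbox,alice@example.test,Mail
https://forum.example.test/ucp.php,alice_throwaway,Forum
https://shop.example.test/account?token=abc123,alice@example.test,Shop
https://admin:hunter2@nas.example.test/,admin,NAS
https://mail.example.test/settings,alice@example.test,Mail settings
not a url,bob,Broken entry
"""

# Hypothetical priority tiers (an assumption of this example); lower = sooner.
TIERS = (
    (1, "email, can reset other accounts", ("mail",)),
    (2, "financial", ("bank", "pay")),
)


def attacker_view(export_text):
    """Return what is readable without the master password: the URL field.

    Usernames and passwords are ignored on purpose, because the quoted
    statement says those fields are encrypted in the backup.
    """
    view = []
    for row in csv.DictReader(io.StringIO(export_text)):
        parts = urlsplit(row["url"].strip())
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # not a usable URL, nothing to classify
        extras = []
        if parts.username or parts.password:
            extras.append("credentials in URL")
        if parts.query:
            extras.append("query string")
        view.append({"host": parts.hostname, "extras": extras})
    return view


def rotation_plan(export_text):
    """Group entries by host and order them by how urgently to rotate."""
    hosts = {}
    for entry in attacker_view(export_text):
        hosts.setdefault(entry["host"], set()).update(entry["extras"])
    plan = []
    for host, extras in hosts.items():
        if extras:
            # The plaintext URL itself may hold a secret or token.
            tier = 0
            reason = "plaintext URL carries extra data: " + ", ".join(sorted(extras))
        else:
            tier, reason = 3, "other"
            for number, label, words in TIERS:
                if any(word in host for word in words):
                    tier, reason = number, label
                    break
        plan.append((tier, host, reason))
    return sorted(plan)


if __name__ == "__main__":
    for tier, host, reason in rotation_plan(SAMPLE_EXPORT):
        print(tier, host, reason)
```

Entries whose stored URL embeds credentials or a query string sort first because that data sits in the unencrypted part of the record, whatever the strength of the master password.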
