48 votes

Experts link LastPass security breach to a string of crypto heists

28 comments

  1. [20]
    ChthonicSun

    I'm so glad I jumped ship from this garbage fire years ago, it seems like ever since GoTo acquired them the entire service just completely shat the bed. It really feels like I dodged a bullet.

    16 votes
    1. [12]
      slothywaffle

      We use LastPass at work. Is there something better I should suggest on Monday?

      4 votes
      1. spit-evil-olive-tips

        Bitwarden is what I use, and would recommend.

        this thread has additional recommendations.

        13 votes
      2. [7]
        ChthonicSun

        For a company? I don't know if I'm qualified to answer that, but for personal use I'd recommend either Bitwarden or Keepass. I'd say Keepass should be more secure since it's stored locally, but that means you'd have to set up some form of syncing infrastructure to share passwords between devices.

        6 votes
        1. not_a_whale

          TLDR: Bitwarden is working just fine for the group of small companies we manage with it. Considerably better than LastPass did.

          I did the vetting for my company for password managers early this year to move our small business, and that of our clients, away from Lastpass. We did end up settling on Bitwarden for company use with the addition of Duo in order to allow MFA recovery if required. It should be noted we were also looking for a platform that would allow a good reseller relationship and Bitwarden won in that game too. Bitwarden is one of the few that does allow for self hosting if you opt for it. Management is simple and effective. The entire team has latched onto it and we're all pretty evangelical about it now compared to other products.

          The largest selling points for us were independent 3rd-party pen testing and yearly security auditing. Also they have provided decent support for us and seem like a good group of human beings.

          Self hosting: https://bitwarden.com/help/self-host-an-organization/
          Duo relationship: https://bitwarden.com/help/saml-duo/
          Company Admin Policy control: https://bitwarden.com/help/policies/

          Runners up that did not make the cut were 1Password and Keeper.

          I want to make a statement that support contracts and security credentials are much more important than self hosting for small businesses like us. Doing a lot of work on our own does not leave us much time for client facing work to improve our business relationships. If we can trust a platform to help us get our money's worth for security we're going to take that option. Bitwarden hit the right balance and we are proud to be clients thus far.

          3 votes
        2. [5]
          babypuncher

          but that means you'd have to set up some form of syncing infrastructure to share passwords between devices.

          This part is easy if you're already using something like Dropbox or iCloud Drive.

          1. [4]
            ChthonicSun

            Yeah, but it sort of defeats the purpose of locally storing your password database. Something like Syncthing would be better in that case, but it also has its drawbacks.

            1. [3]
              babypuncher

              I don't think so. The problem with services like LastPass is that they handle both storage and encryption, meaning only one entity needs to be sufficiently compromised in order to expose your secrets.

              If you put your keepass database on dropbox, dropbox can be compromised and the bad actor will still be stuck with a heavily encrypted database they can't realistically do anything with.

              1. [2]
                ChthonicSun

                To my knowledge all the encryption and decryption is client side, they only store your data, so it shouldn't really matter.

                1. babypuncher

                  This was supposedly the case with LastPass as well.

                  The problem is that if the one company you're trusting with all this is sufficiently compromised and an attacker gains access to their source code repository, they might be able to sneak code in unnoticed that subtly breaks the encryption.

      3. babypuncher

        A good old fashioned keepass database.

        It's impossible to fully trust any cloud solution that manages both the storage and encryption of your secrets. If this could happen to LastPass, then I don't see why it can't also happen to Keeper, Bitwarden, etc...

        With keepass, you separate these concerns. Keepass encrypts your database file, and you store it with your cloud storage provider of choice, or stick to local storage if you're extra worried.

        2 votes
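An added illustration of the separation babypuncher describes here and a few replies up (storage in one place, encryption done locally with a key the provider never sees). This is example code written for this page, not KeePass's format or any project's code; it uses PBKDF2 from the standard library and an HMAC-SHA256 counter-mode keystream as a stand-in for a real cipher such as AES-GCM, purely so it runs with no third-party packages. The vault records, master passphrase and iteration count are constructed values.

```python
import hashlib
import hmac
import json
import os

# Constructed example vault: the kind of records a local password database holds.
# Made-up values, not real credentials.
SAMPLE_VAULT = [
    {"title": "Example Bank", "url": "https://bank.example",
     "user": "alice", "password": "correct horse battery staple"},
    {"title": "Example Mail", "url": "https://mail.example",
     "user": "alice@example", "password": "Tr0ub4dor&3"},
]

# PBKDF2-HMAC-SHA256 rounds (constructed choice): the cost anyone who steals the
# blob must pay for every master-password guess they try.
KDF_ITERATIONS = 300_000


def derive_keys(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS):
    """Stretch the master password into an encryption key and a separate MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in PRF keystream (a real vault would use AES-GCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(records, master_password: str) -> bytes:
    """Serialise and encrypt every field (title, URL, username, password) before anything leaves the device."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(records).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = KDF_ITERATIONS.to_bytes(4, "big") + salt + nonce  # stored in the clear, as vault headers are
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return header + ciphertext + tag


def decrypt_vault(blob: bytes, master_password: str):
    """Return the records, or None when the password is wrong or the blob was tampered with in storage."""
    iterations = int.from_bytes(blob[:4], "big")
    salt, nonce = blob[4:20], blob[20:36]
    ciphertext, tag = blob[36:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    expected = hmac.new(mac_key, blob[:36] + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def storage_provider_sees_plaintext(blob: bytes, records) -> bool:
    """What the sync provider holds: True if any field value is readable in the blob it stores."""
    return any(value.encode() in blob for rec in records for value in rec.values())


if __name__ == "__main__":
    blob = encrypt_vault(SAMPLE_VAULT, "a long master passphrase")
    print("provider can read a field:", storage_provider_sees_plaintext(blob, SAMPLE_VAULT))
    print("wrong password yields:", decrypt_vault(blob, "guess"))
```

The point of `storage_provider_sees_plaintext` is the one made in the comment: whoever compromises the storage side gets a salt, a nonce, an iteration count and opaque bytes, and the only lever left is guessing the master password at the KDF's cost per guess. The MAC check is what stops a compromised provider from silently altering the database before it syncs back.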
      4. FriedGoldfish

        Passwordstate has worked decently well for us

      5. triadderall_triangle

        CHANGE. NOW!! Seriously, you are not safe with this product. Saved you millions of dollars just now, no joke. Bitwarden is perfectly fine to replace this and they are actually trustworthy. Just about anyone is better than these assholes.

    2. [7]
      nothis

      Aside from specific, individual concerns about LastPass… how is it a good idea to trust a single company with all your passwords? It always seemed weird to me. I have like 3 passwords I type regularly and a few more which are cached by my browser/phone. Including work stuff. I could barely imagine a scenario where a password manager saved me significant amounts of time let alone make my stuff more secure.

      Always told people that it makes me nervous to hand all that trust to a single company and the response is usually something about their encryption strength. Which is not the issue, really.

      1 vote
      1. [5]
        Greg

        For me, a password manager is much more for the dozens to hundreds I don’t type regularly than the two or three I do. The alternative would be widely reusing something that’d still be memorable even after months, and that seems far worse from a security perspective.

        If your emphasis was on the company being the problem then I understand more - locally stored Keepass is the answer there - but a password manager in general seems invaluable to me. Passkeys might be a reprieve here, but it’s early days both in terms of adoption and battle testing.

        5 votes
        1. [4]
          Sodliddesu

          Use a cypher. Make your password "I fucking hate having to remember passwords for (x) 13@$" where x is whatever website you're on, then shorten that down to "IfhhtrpfX13@$"

          Then you've got a unique password for every site that doesn't share the same first letter of its name and you should meet most complexity requirements.

          1. [3]
            flalwess

            The danger is that as soon as "IfhhtrpfTwitter13@$" is leaked it is a simple task to extrapolate "IfhhtrpfFacebook13@$" and "IfhhtrpfGoogle13@$"

            2 votes
            1. R3qn65

              A simple task, but not one likely to actually be undertaken - my guess is that when people exploit password lists, it's typically a bot doing it.

              1 vote
            2. Sodliddesu

              I mean just use the first letter of the website so it's IfhhtrpfT13@$. The attacker would have to figure out which letter is the adjustable one.
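The objection flalwess raises to the site-name scheme, and how the one-letter variant changes it, can be checked with the kind of "similar passwords" audit a password manager runs over a vault. The code below is an added example written for this page (not from any manager's code base); the three sample vaults are constructed, the scheme-based ones follow the exact strings from the thread and the "generated" ones are made up to look like manager output. It measures how much of one password is already known to someone holding another password from the same vault: the longest common prefix plus suffix, which is exactly the fixed part of a per-site template.

```python
from itertools import combinations

# Constructed sample vaults (not real credentials). The first follows the
# site-name scheme from the thread, the second its one-letter variant, the
# third holds generated passwords of the kind a manager produces.
SITE_NAME_SCHEME = {
    "twitter.example": "IfhhtrpfTwitter13@$",
    "facebook.example": "IfhhtrpfFacebook13@$",
    "google.example": "IfhhtrpfGoogle13@$",
}
ONE_LETTER_SCHEME = {
    "twitter.example": "IfhhtrpfT13@$",
    "facebook.example": "IfhhtrpfF13@$",
    "google.example": "IfhhtrpfG13@$",
}
GENERATED = {
    "twitter.example": "q7Lm!vX2pR9sWz4K",
    "facebook.example": "Hn3$eT8uYb5cGd1Q",
    "google.example": "Zk6%wP0aFx2rJm9N",
}


def shared_template(a: str, b: str) -> tuple:
    """Longest common prefix and suffix of two passwords: the part that stays fixed across sites."""
    shorter = min(len(a), len(b))
    prefix = 0
    while prefix < shorter and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    # stop before the suffix would overlap the prefix on the shorter string
    while suffix < shorter - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return a[:prefix], a[len(a) - suffix:]


def fixed_fraction(a: str, b: str) -> float:
    """Share of the shorter password that someone holding the other one already knows."""
    prefix, suffix = shared_template(a, b)
    return (len(prefix) + len(suffix)) / min(len(a), len(b))


def audit_related_passwords(vault: dict, threshold: float = 0.5) -> list:
    """Flag site pairs whose fixed part exceeds the threshold, the way a manager's
    'similar passwords' report does. Returns (site_a, site_b, fraction) tuples."""
    findings = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(vault.items(), 2):
        fraction = fixed_fraction(pw_a, pw_b)
        if fraction >= threshold:
            findings.append((site_a, site_b, round(fraction, 2)))
    return findings


if __name__ == "__main__":
    for name, vault in [("site-name scheme", SITE_NAME_SCHEME),
                        ("one-letter scheme", ONE_LETTER_SCHEME),
                        ("generated", GENERATED)]:
        print(name, audit_related_passwords(vault))
```

Run on the thread's own strings, the full-site-name variant reports about two thirds of each password as fixed, and the one-letter variant, because it is shorter with the same fixed prefix and suffix, reports over 90 percent; the generated set reports nothing. That is the quantitative form of the objection: shortening the variable part makes the template more predictable, not less, and the defender-side fix is the unrelated per-site passwords the audit passes.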

      2. ChthonicSun

        how is it a good idea to trust a single company with all your passwords?
        ...
        the response is usually something about their encryption strength.

        It's a matter of convenience over trust, you're never 100% safe even doing it yourself, but ideally if a company's database gets breached the passwords should be encrypted and hashed, which means they're useless to the attackers.

        Even so you can self-host your own password manager instead or just use something like Keepass and store it all locally.

        I could barely imagine a scenario where a password manager saved me significant amounts of time let alone make my stuff more secure.

        If you do the correct thing, which is to have a unique password for all your accounts, then it's super handy because you only need to remember the manager's password, plus it autofills and auto generates safe and unique passwords for you.

        2 votes
  2. Amun
    Jess Weatherbed

    More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user

    Security experts are claiming that some of the LastPass password vaults stolen during a security breach near the end of 2022 have now been cracked open following a string of six-figure cryptocurrency heists.

    Taylor Monahan, lead product manager at crypto wallet company MetaMask and one of the key researchers investigating the attacks, concluded that the common thread connecting the victims was that they’d previously used LastPass to store their “seed phrase” — a private digital key that’s required to access cryptocurrency investments.

    Password management service LastPass suffered two known security breaches in August and November last year, with hackers using information obtained during the first breach to access shared cloud storage containing customer encryption keys for vault backups during the latter incident.

    Researcher Nick Bax, director of analytics at crypto wallet recovery company Unciphered, also reviewed the theft data and agreed:

    “I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”

    9 votes
  3. [3]
    triadderall_triangle

    How transparent was LastPass that any portion of users' vaults were unencrypted? It doesn't seem like they communicated that crucial fact at all, and for the purpose of commercial expediency. It's pretty shocking and abusive to have that going on and not at least make that clear to current and would-be users, like the moment that was the case.

    4 votes
    1. [2]
      not_a_whale

      They did not and they lost a lot of business as a result of it. Those weeks during the initial announcements for the leaks were rough for us as admins because they kept giving incomplete information and revising it 3 days later without clarification. My company pulled a few hundred user accounts away from them as a result of their inability to properly communicate on this matter. Well that and after we had flipped those accounts to Bitwarden we realized how much extra work LastPass's garbage software was actually causing us. It does not always pay to go with the industry standard.

      2 votes
      1. triadderall_triangle

        It literally seems fraudulent. It's not like they call themselves Lastpass + unencrypted notes? Like WTF?

        1 vote
  4. [4]
    arch

    This is alarming. I did use LastPass a long time ago, but never had crypto. I take it this means I should change all of my sensitive passwords ASAP, from banking to credit cards, retirement accounts to PayPal. I honestly can't remember if I did change them all after migrating to BitWarden, and I can't remember if I used the same account password, but I do remember that I never stored that password in my vault.

    Am I being overly cautious in all of this, or under-cautious? I can't imagine the stress and ruin that would come from someone draining all of my financial accounts.

    3 votes
    1. triadderall_triangle

      You basically need to do exactly that: start at the top (or rank by importance and proceed that way). Go to each entry, follow the URL if you have one for the login page, click "forgot password?", follow the instructions to change the password, and make sure you set up 2FA if it's available in the settings (if it's important, it usually offers it).

      4 votes
    2. CaptainAM

      I think unless your master password is literally in a leaked pw database you should probably be fine.

      My take on this is that vaults with weak master passwords have just been guessed by matching the email address from those databases.

      Regardless it's still safest to change all important passwords and enable 2FA where possible!

      3 votes
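CaptainAM's take, that vaults fell where the master password was already sitting in a leaked password database, is something a vault owner can check against their own vault. The code below is an added self-audit example written for this page, not from LastPass, Bitwarden or any project: it builds a vault header the way a stolen backup would present it (salt, KDF iteration count, and a PBKDF2-derived value that stands in for the vault key) and reports whether a constructed breach list reaches it and how much KDF work that took. The breach list, passphrases and iteration counts are all constructed; real breach corpora run to hundreds of millions of entries.

```python
import hashlib
import hmac
import os

# Constructed stand-in for "a leaked pw database". Not a real corpus.
BREACHED_PASSWORDS = ["123456", "password", "qwerty", "letmein",
                      "Summer2023!", "iloveyou", "dragon"]


def make_vault_header(master_password: str, iterations: int = 100_000) -> dict:
    """What a stolen vault backup hands over: a salt, the KDF cost, and a value
    derived from the master password. Here that value is a PBKDF2 verifier; in a
    real vault it is the key that unlocks the encrypted blob, which is why a
    correct guess is recognisable offline."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def offline_exposure(header: dict, breached: list) -> dict:
    """Self-audit of one's own vault: does a replay of a breach list reach the
    master password, and how many KDF iterations does reaching it cost? The two
    things the vault owner controls are visible in the result: whether the
    password is on such a list at all, and the per-guess cost set by the
    iteration count."""
    for rank, candidate in enumerate(breached, start=1):
        derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                      header["salt"], header["iterations"])
        if hmac.compare_digest(derived, header["verifier"]):
            return {"recovered": True, "guesses": rank,
                    "kdf_work": rank * header["iterations"]}
    return {"recovered": False, "guesses": len(breached),
            "kdf_work": len(breached) * header["iterations"]}


if __name__ == "__main__":
    # Constructed passphrases: one on the list, one a random multi-word phrase.
    weak = make_vault_header("letmein", iterations=20_000)
    strong = make_vault_header("orbit-cactus-violin-ledger-42", iterations=20_000)
    print("weak:", offline_exposure(weak, BREACHED_PASSWORDS))
    print("strong:", offline_exposure(strong, BREACHED_PASSWORDS))
```

The `kdf_work` figure is the practical reading of the comment: a list replay against a master password that is on the list succeeds after a handful of guesses regardless of how high the iteration count is, whereas a passphrase that appears in no corpus forces the attacker into the full guess space, where the iteration count multiplies every attempt. Raising iterations therefore helps the strong password and does nothing for the weak one, which is why "change everything" is the advice when the master password might be in a leak.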
    3. not_a_whale

      Lastpass leaked a lot more than the vault. By the time the analysis was winding down the unencrypted data fields and number of secret key types leaked is enough to cause concern. See one of their last blog posts here.

      https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/

      The recommendation for all LP users is to change everything. My company opted to migrate all data to Bitwarden, and then change everything.