LastPass hacked for the second time this year, customer data stolen by hacker


If you use LastPass as a secure password-managing service, things might not be as secure as you think. Earlier this year, in August, the password keeper disclosed that it had been breached, with an unknown hacker having gained access to LastPass' source code and proprietary data. At the time, the company stressed that despite this, customers were unaffected by the hack and that their data was safe. Now LastPass has to announce that it has been hacked for a second time this year, and that in this incident customer data has indeed been accessed and stolen.

According to an internal investigation, that same hacker used the data obtained in August (cloud storage access and dual storage container decryption keys) to get hold of a backup of LastPass customer data. This means that the individual was able to access billing addresses, telephone numbers, IP addresses, and email addresses saved to users' accounts. That isn't the end of the breach, though, because the hacker also copied a backup of vault data, which contains the most sensitive information: usernames, passwords, and saved form-field data. LastPass claims that no credit card data was accessed, as the service does not store complete credit card numbers and information.

While information like email addresses and telephone numbers was not encrypted, the password vaults were, with 256-bit AES encryption, requiring a special key in the form of the user's master password to access. So despite having this information, LastPass claims it would be incredibly difficult for the hacker to actually obtain the data from a customer vault. That being said, there is the potential for someone to either brute-force the master password or eventually decrypt the data.
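Added example (not from the article or from LastPass) showing what the encrypted-vault claim rests on: the vault key is stretched from the master password with a KDF, a stored check value lets anyone holding the backup test guesses offline, and the cost of that search scales with master-password entropy times KDF iterations. The iteration count, salt and attacker rate below are assumptions for illustration.

```python
import hashlib
import hmac
import math
import os
import string

SALT = os.urandom(16)  # constructed per-user salt; in practice stored beside the vault

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit AES key with PBKDF2-HMAC-SHA256.
    The iteration count is an assumption for this example, not LastPass's setting."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def key_check(key: bytes) -> bytes:
    """Verifier stored with the vault so a client can tell a wrong password from a
    corrupt vault. Whoever holds a backup can use it the same way, which is why
    a stolen vault's security reduces to offline guessing cost."""
    return hmac.new(key, b"vault-key-check", "sha256").digest()

def unlocks(master_password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Exactly the work a client (or an attacker with the backup) does per candidate."""
    candidate = derive_vault_key(master_password, salt, iterations)
    return hmac.compare_digest(key_check(candidate), stored)

def keyspace_bits(password: str) -> float:
    """Conservative entropy estimate: log2(pool of character classes used) * length."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password): pool += 26
    if any(c in string.ascii_uppercase for c in password): pool += 26
    if any(c in string.digits for c in password): pool += 10
    if any(c in string.punctuation for c in password): pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0

def expected_years_to_crack(password: str, iterations: int, hmac_per_sec: float) -> float:
    """Expected years to hit the master password by exhaustive search when the
    attacker evaluates `hmac_per_sec` HMAC-SHA256 calls per second: each guess
    costs `iterations` calls and on average half the keyspace is searched."""
    guesses = 2 ** (keyspace_bits(password) - 1)
    return guesses * iterations / hmac_per_sec / (365 * 24 * 3600)

if __name__ == "__main__":
    it = 100_100  # assumed KDF iteration count
    stored = key_check(derive_vault_key("correct horse battery staple", SALT, it))
    print(unlocks("correct horse battery staple", SALT, it, stored))  # True
    print(unlocks("Correct horse battery staple", SALT, it, stored))  # False
    for pw in ("Summer22!", "correct horse battery staple"):
        print(pw, round(keyspace_bits(pw)), "bits,",
              f"{expected_years_to_crack(pw, it, 1e10):.3g} years at 1e10 HMAC/s")
```

Raising the iteration count multiplies the attacker's cost linearly; adding characters to the master password multiplies it exponentially, which is why the advice after a vault theft centres on the latter.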

The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.

With all this in mind, LastPass says that there isn't a need to take action at this time, unless your master password was not as secure as recommended. This is just the latest in a string of hacks that the password-managing service has suffered over the past few years, with incidents taking place in 2015, 2017, and 2019, all resulting in customer data being accessed by hackers.

Source

SylverReZ

Dat one with the Rez
Member
GBAtemp Patron
Joined
Sep 13, 2022
Messages
7,173
Trophies
3
Location
The Wired
Website
m4x1mumrez87.neocities.org
XP
22,019
Country
United Kingdom

impeeza

¡Kabito!
Member
Joined
Apr 5, 2011
Messages
6,361
Trophies
3
Age
46
Location
At my chair.
XP
18,717
Country
Colombia
Our CISO "security" policy obligates us to use a cloud "password manager". I received an admonishment for not using it and instead using a local password manager with 4096-bit encryption. A few weeks later all my coworkers had to change all their passwords because the "super high secure cloud password manager" got hacked and all secrets were stolen...

First rule of security: if a bad guy has physical access to your data, it isn't your data anymore.
 

SylverReZ

Dat one with the Rez
Member
GBAtemp Patron
Joined
Sep 13, 2022
Messages
7,173
Trophies
3
Location
The Wired
Website
m4x1mumrez87.neocities.org
XP
22,019
Country
United Kingdom
I put my database on a USB stick so I can use it on my laptop as well, guess it does that too

Tech tip: Never store your passwords on your device. Someone could remotely access your PC and steal your passwords.
 

Ryab

Well-Known Member
Member
Joined
Aug 9, 2017
Messages
3,239
Trophies
1
XP
4,476
Country
United States

I considered using them a long time ago. Let's just say I'm happy I went with Bitwarden instead.
 

pustal

Yeah! This is happenin'!
Member
Joined
Jul 19, 2011
Messages
1,560
Trophies
2
Location
Emerald Coast
Website
web.archive.org
XP
6,214
Country
Portugal
Here are a few nice alternative password managers:

[images: brain-lateral.png, pencil-paper.jpg, attachment 343983]

Methods #2 and #3 suffer from basically the same problem as LastPass: a single point of failure. Better alternative: use passphrases adapted to the login instead of a password. Also make sure you have two-factor authentication enabled as much as possible.
 

randy_w

Well-Known Member
Member
Joined
Feb 27, 2021
Messages
709
Trophies
0
Age
34
XP
1,373
Country
United States
Glad I ditched LastPass several years ago when they decided to limit the number of devices you can sign into unless you upgrade to a paid plan. Switched to Bitwarden and couldn't be happier.
 