LastPass hacked for the second time this year, customer data stolen by hacker


If you use LastPass as a secure password-managing service, things might not be as secure as you think. Earlier this year in August, the password keeper disclosed that it had been breached, with an unknown hacker having gained access to LastPass' source code and proprietary data. At the time, the company stressed that despite this, customers were unaffected by the hack, and that their data was safe. Now LastPass is having to announce that it has been hacked for a second time this year, and that in this incident, customer data has indeed been accessed and stolen.

According to an internal investigation, that same hacker used the data (cloud storage access and dual storage container decryption keys) from August in order to get hold of a backup of LastPass customer data. This means that the individual was able to access billing addresses, telephone numbers, IP addresses, and email addresses saved to users' accounts. That isn't the end of the breach, though, because the hacker also copied a backup of vault data, which contains the most sensitive info: usernames, passwords, and saved form-field data. LastPass claims that no credit card data was accessed, as the service does not store complete credit card numbers and information.

While information like email addresses and telephone numbers was not encrypted, the password vaults were, with 256-bit AES encryption, requiring a special key in the form of a user's master password to access. So despite the hacker having this information, LastPass claims that this would make it incredibly difficult for them to actually obtain the data from the customer vault. That being said, there is the potential for someone to either brute force the master password, or eventually decrypt the data.

The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.

With all this in mind, LastPass says that there isn't a need to take action at this time, unless your master password was not as secure as recommended. This is just the latest in a string of numerous hacks that the password managing service has suffered over the past few years, with incidents taking place in 2015, 2017, and 2019, all resulting in customer data being accessed by hackers.
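The brute-force caveat above, worked as an added example (not from the article or from LastPass): once a vault backup is copied, its protection reduces to master-password entropy multiplied by the cost of the key-derivation step. PBKDF2-HMAC-SHA256, the iteration counts, the guessing rate and the sample passwords are all assumptions chosen for illustration; the article names none of them.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit AES key.
    PBKDF2-HMAC-SHA256 is an assumption; the article does not name the KDF."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def expected_offline_years(entropy_bits: float, iterations: int,
                           kdf_iterations_per_second: float) -> float:
    """Average search time: half the keyspace, each guess costing `iterations`."""
    guesses_per_second = kdf_iterations_per_second / iterations
    return (2 ** entropy_bits / 2) / guesses_per_second / SECONDS_PER_YEAR

# Constructed sample master passwords, described by how they were generated.
SAMPLES = [
    ("8 random lowercase letters", random_password_bits(8, 26)),
    ("5 random Diceware words", random_password_bits(5, 7776)),
    ("16 random printable ASCII", random_password_bits(16, 94)),
]
ASSUMED_RATE = 1e10  # assumed PBKDF2 iterations/second available to a guesser

def report(iteration_counts=(5_000, 100_000, 600_000)):
    """Return (description, bits, iterations, years) rows for every combination."""
    return [(name, bits, n, expected_offline_years(bits, n, ASSUMED_RATE))
            for name, bits in SAMPLES for n in iteration_counts]

if __name__ == "__main__":
    key = derive_vault_key("constructed example passphrase", b"constructed-salt", 100_000)
    print(f"derived key: {len(key) * 8} bits")
    for name, bits, n, years in report():
        print(f"{name:28s} {bits:5.1f} bits  {n:>7,} iterations  {years:.3g} years")
```

Raising the iteration count only scales the cost linearly, while each extra bit of master-password entropy doubles it, which is why the advice hinges on the master password itself.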

 

64bitmodels

single point of failure.
true, but it's very unlikely someone's gonna be able to break into your house and steal all the passwords on a sheet of paper.... it's even more secure with the third method, since USB sticks are very easy to hide (and you can just set a password/code on your PC to prevent anyone from seeing that txt file)

also, there's method #1, yknow. Just remember your damn passwords, they're your livelihood.
 

Jayro

Or just don't and use an external device to keep all of your passwords on, much more secure than keeping all of it stored on your device.
I keep mine in my locked Samsung Notes app. Each note is locked and encrypted with my biometrics.
 

SylverReZ

I don't use LastPass; I've been using Dashlane instead, and I've never heard of it being breached.
Still, I don't trust any online password manager for that purpose, I would recommend using it for burner or unused accounts.
 

kisamesama

Or just don't and use an external device to keep all of your passwords on, much more secure than keeping all of it stored on your device.
What happens if the external device gets lost, stolen or damaged? I used to store my passwords locally on my phone, but the phone got a problem and I had to factory reset.
 

SylverReZ

What happens if the external device gets lost, stolen or damaged? I used to store my passwords locally on my phone, but the phone got a problem and I had to factory reset.
Having many backup devices always comes in handy.
 

SylverReZ

any suggestion how to store the passwords and easily backup on several devices?
Note any passwords for what accounts you mostly use on your device, make sure to encrypt them so that nobody sees it. Use something like a note pad, phone, tablet or any device to keep said information in the event of an emergency.
 

KitChan

Maybe storing your passwords outside your home or other secure place that you have exclusive physical access to was never a good idea.

Note any passwords for what accounts you mostly use on your device, make sure to encrypt them so that nobody sees it. Use something like a note pad, phone, tablet or any device to keep said information in the event of an emergency.
I would recommend an encrypted USB drive as unlike a smartphone, it can't get hacked while it's disconnected and unlike a notepad, people going through your belongings can't read it.
 

RAHelllord

any suggestion how to store the passwords and easily backup on several devices?
KeePass2 that someone previously linked, it's a highly encrypted container that's just a regular file, and you can copy it anywhere. There are also clients to use that container on pretty much any device under the sun, so if you want you can use and read it on Android, Windows, Linux, iOS, and macOS.
 

EpikJimmer

I just write all my passwords on a txt file but I feel like I should be writing them on actual paper instead since THAT can't be possibly hacked.
Like, yeah, I memorized most of them, but for websites I don't use anymore / stay logged in at all times until I get a new device, I wrote them down (or typed them down idk)
 

tech3475

I just write all my passwords on a txt file but I feel like I should be writing them on actual paper instead since THAT can't be possibly hacked.
Like, yeah, I memorized most of them, but for websites I don't use anymore / stay logged in at all times until I get a new device, I wrote them down (or typed them down idk)

Houses can be burgled, computers can be hacked, brains can be stupid.

Tl;dr we’re screwed.
 

tpax

Using a password manager like LastPass is far more secure than storing it in your brain, paper, browser or anywhere else, considering you have a solid master password and 2FA. Even if the database has been stolen.

I use Bitwarden, self-hosted, and all my passwords are randomly generated. That wouldn't be possible if I would have been using my brain to remember all passwords.
 

RAHelllord

Using a password manager like LastPass is far more secure than storing it in your brain, paper, browser or anywhere else, considering you have a solid master password and 2FA. Even if the database has been stolen.

I use Bitwarden, self-hosted, and all my passwords are randomly generated. That wouldn't be possible if I would have been using my brain to remember all passwords.
The important distinction here is "self-hosted" which LastPass is not.
 

console

I have never used any password manager since the year 2001, from Windows ME, Windows XP, Windows 7 to now.

I stored my passwords in my brain memory cells to save them. Hackers would never steal my passwords.

When people get older, like in their 50s, 60s and later, they must write them on paper and then put it in a locked safe with important documents and money. That's all.
 
