LastPass Breach Is Worse Than They Want You To Believe
- Published: 29 Sep 2024
- In December 2022, LastPass experienced a security breach. The breach compromised the personal data of millions of users, including names, email addresses, and encrypted passwords. Fortunately, the attackers did not gain access to the master passwords of any LastPass customers. Join the Technado team as they explain everything you need to know about the LastPass breach.
Reference Article:
- Notice of Recent Security Incident (The LastPass Blog)
blog.lastpass....
- LastPass users: Your info and password vault data are now in hackers’ hands
arstechnica.co...
- Yikes! Hackers Had Access to LastPass Users' Password Vaults
gizmodo.com/ha...
- What’s in a PR statement: LastPass breach explained
palant.info/20...
Buy Technado swag and submit listener mail at: www.technado.com/
Technado is a weekly tech podcast where Don Pezet, Peter VanRysdam, and Daniel Lowrie cover a whirlwind of tech from interviews with industry experts and up-and-coming companies to commentary on the week's news in the world of security, vendor certifications, networking, and just about anything IT related. New episodes are released every Thursday!
#lastpassbreach #lastpass #lastpassbreachexplained
Lastpass needs to go out of business. They chose to not responsibly handle the data they had been trusted with. I hope they have legal consequences for it. Again, they chose to not be responsible with customers' data.
They've been suspect since 2018. I honestly can't even trust people who recommend it. It comes off as out of touch to me.
Not that this would be consistent with how they have behaved so far, but hopefully they act responsibly and give ample notice such that they don't lock people out unexpectedly. I can't imagine everyone has multiple backups or local copies of their vaults or is familiar with how to use the offline login mode.
This should be absolutely prosecuted. How is this not a complete violation and gross negligence? I should have dumped them after they were bought.
I agree this should be prosecuted because it is a major violation of safety. But this event also revealed that bad practices are way older than the buy. Low iteration counts, never informing the users that standard recommendations have increased and they should strengthen their master password. All we discover today is that they provided bad security from day one while pretending they were always at a higher level than they actually were. The PR stunt didn't start just now. Only its discovery is recent.
The engineers over there must've had the dream job. I'd love to completely ignore every RFC and widescale update like TLS for the last five years. Like... what did they even do other than buy more storage space and hire more UI/UX folks? It sounds like the CTO should've grown a pair, as even a pair was more hashing iterations per user at launch...
@christianbarnay2499 iteration counts are a moving target, there were definitely times that they were meeting expectations.
But there is no excuse for them to not keep their minimum count current with best practices and proactively forcing adoption of those by users over time (at least client side whenever they re-authenticate). They absolutely failed to be good stewards of securing their customers' vault data.
They should. These vaults these days are stored in Amazon S3, or other, but are all U.S. Lastpass HQ is in the U.S. so the laws could do it.
Bitwarden is no different. I guess being 'offshore' would be 'more secure' as laws permitting (and raise potentially other issues....) or technically and physically not possible? I dunno. But it's easier to 'just change password managers and forget' :P
Accountability these days means "absolutely nothing" when it comes to online. In the real world, we would understand that. It's not even like Lastpass would 'run'. They already publicly showed it was breached and accepted the consequences.
Just a couple of quick points... 1) The username field *is* encrypted. So that's something, but still not great, and your comments about phishing still very much apply.
2) Lastpass have confirmed (to customers who send in a support request) that the data was stolen on Sept 22, 2022. This was all customer vaults.
Hope that helps!
One of the reports I can run as admin is login activity, the report includes url and username to the site a user logs onto. If username info is encrypted, how can this info be in the report? Lastpass has that data stored somewhere that is not encrypted.
But what are the dates on the stolen backups?
The stolen vault data was backups, which could have been from months or years ago depending on how they handle them. It could have been anything from the day before to all their regular backups across all time.
I have been a long time user of Lastpass and this has me worried. Not all my passwords are strong, some are weak for useless sites I don't really care about. But with the stolen vault and unencrypted data, does this mean the hacker could easily figure out my Master Key when they brute force into the sites with weak passwords? And then with the Master Key unlock everything else.
So odd they only encrypt the password and notes fields; this also means your credit card and bank account details are not encrypted either.
Man Bitwarden must be getting slammed with business right now. Who's guessing hackers are already targeting them next?
I have contacted lastpass and asked them to cancel my subscription, but they are refusing to reply.
You got my subscription after watching this. Bad news is that I have 1,177 passwords in Lastpass! Ouch. I am moving back to RoboForm for now and also bought a YubiKey 5 hardware security key and am going through my high value logins changing every password and setting up either hardware key or TOTP as 2FA security.
Oh.
So I need to go elsewhere for a password manager.
Changed the passwords for my most important accounts but changed those using lastpass; not sure if I should've now. Hadn't given a thought to the authenticator maybe being a bit iffy.
So after watching this (and reading and watching other stuff before I got here), go with a different password manager and change all passwords. Was hoping to avoid all that but seems like, nope!
3:07 Anyone taking LastPass seriously has absolutely given them a pass since the big issues they had since 2018. Bitwarden or KeePass is the absolute way to go.
I bet the entire encryption was for Phase 2 of the project. The infamous never happening Phase 2 because funds ran out.
I deleted my lastpass account and switched to bitwarden a month ago due to this. So I can not go back and check the advanced settings you mentioned. However I did look for reset in the exported data and I found 3 and one was a bank that I use. Thankfully it had expired and no longer works. The other 2 are not important. Also I spent several days trying to change all my passwords that were in the vault. Starting with all the banks that I use. I had over 300 passwords. I found some sites that make it very difficult to change passwords. Also I like that bitwarden has more features and it's cheaper. Also I could never get yubico to work with lastpass and it works just fine with bitwarden.
What about the "Master Password Reminder" is that encrypted?
What about 2FA on the LastPass vault? Duo, Yubikey, etc… does this impact the ability to brute force the vault? I haven’t seen anything on this topic.
I don’t think the 2FA gives any extra protection if the hackers have your vault and the LastPass source. The 2FA only applies when you open your vault in the app.
Probably time to find another password manager? Yes, I am moving to Bitwarden!
Partial encryption removes zero knowledge and zero trust.
Wouldn't trust anybody but myself to secure my passwords! This is just another case of convenience and laziness over real security! Plus you don't need to sign up to everything you see!
My iterations were only at 5000
Your audio sucks I have to crank it way up and the guy on the right, I still can't understand...
I am not a LastPass customer. I have a CCNA. I do let third-party companies have my personal data like passwords.
Don't want to get hacked? Don't let companies keep your passwords, or a third party.
You're just asking to be hacked, same as clouds. I do not use clouds as I will never give permission for someone else to hold my personal data.
Suffer, you blokes, for being sucked into the lies of LastPass.
If your information is accessible to the internet it is not safe.
I use an unhackable password locker called a pad and pen.
You want my passwords? You have to enter my property physically. You do that without authorisation to enter the property, you leave in a body bag.
There is software used to hack passwords. It has been around longer than Windows.
I cannot believe how uneducated you lot are on software and security.
It's almost criminal.
Writing down your passwords on sticky notes doesn't seem so bad now.
Literally my answer when someone tried to convince me using Lastpass lmao 🤣
Bro...I hear you !
It's not me being lazy to clean. It's password entropy.
😆 it could be when you lose it.
I ran my 12-character random LastPass master password which had 100100 iterations on my RTX4090 using one of the better open source password crackers and it cracked my LastPass password at the 63 hour mark. Complex master passwords are useless if the password vault gets stolen.
Which password cracker did you use?
Cool story, bro
I also moved to 1Password after this last fiasco. The great thing about 1Password is that they make you generate a second key that's random on top of your master password. This second key works with your master password so it's strong by default. You don't have to enter in this secondary key every time, you just keep it somewhere safe for when you need to rebuild your local copy.
I still use their old "offline" version and manage distribution of the vault myself. I just can't get past how big and juicy a target a password company is. I've been programming about 30 years now, and if there's one thing I'm certain of, it's that people screw up. If it's got to be somebody, I'd rather it be me. :D
How secure is secure? Extra features are good, but I usually find they just "get in the way".
When you quickly want to do something, and you're blocked... When you do it again, it becomes more irritating every time, to the extent you turn it "off". My Master Password is enough... as long as I don't lose it..
As a strict "my own" use, the first thing I did with Lastpass when I set it up years ago was to "disable" One-Time Password and Recovery key..
I handle my own security.. and yeah, I limit myself to (1 way in, 1 way out). But I like that better. I may be on the element of disaster.... 😆 but I'll deal with that when and if it comes.
My data has already been compromised, I started getting unauthorized ACH from my bank over the past weekend.
I too used to be a lastpass user but the way they have handled letting the public know about this was very poor.
I agree. When they said customer info was safe, I gave them the benefit of the doubt. Since it has come out otherwise, I exported my vault to Bitwarden, and deleted my lastpass, even though my master password was 21 characters (capitals, lower case, numbers, and symbols).
We are in process of getting pricing for one of our mid-size business clients, glad I got caught up on what all is going on through this video. The PR stunt was very shady on LastPass' part with the holidays.
Not that I want to give them the benefit of the doubt, but the delay from announcement to report was similar to their past breaches (approx 6 weeks I think) and doesn't seem specifically timed.
Their lack of transparency with the user impact details is terrible though.
Since the breach I've been getting phished on my gmail and live accounts pretty damn hard. Hundreds of emails a day. I'm done with LastPass.
I didn't realise there was an easy way to move data from one password manager to another. I've just spent 3 full days manually transferring accounts (and changing passwords) over from Lastpass to Bitwarden lol
I've been a Lastpass user for near a decade and spent most of that time as a premium user. Really happy with Bitwarden though; they seem to offer more features even with the free version.
Yeah, I've used LastPass for years. Moved on to another. Export was easy as was the Import. Emptied out my LastPass vault, and have almost finished changing the 80 or so passwords I had stored in LastPass. Most important to least. Pain in the butt but I needed to change a bunch of my passwords as they haven't been changed in a while.
I've been happy since moving from Lastpass to Bitwarden a few years ago when Last Pass wanted to charge to access my passwords from a mobile device. Bitwarden's free edition does everything I need it to do, and I can use it on both PC and mobile. The only drawback is that there is an extra step or two to fill in name and PW fields that Lastpass didn't have to do. I think I was able to transfer passwords from LP to BW easily... I have thousands of accounts, I wasn't going to even attempt doing one at a time.
A txt file on your desktop and note in your phone is 100x more secure than hosting your passwords on likely several servers across the globe where vulnerabilities aren't patched in real time since they can't just take the site down for a day to update after it's found out. They just keep it all up vulnerable and hope for a quick fix.
@Brad I'd try encrypting it if it's really important however otherwise if someone has access you've got bigger problems than people accessing your niche game site log-in.
I switched to Bitwarden as well. Easy Pezy. And updated all my passwords. Pain in butt.
Silver lining in all these … I moved to Brave browser too. No more chrome or Edge for me.
"unless you live under a rock" or dgaf and never used password storage apps. never even heard of last pass and gave up on password apps back in the ICQ days...breaches and general security issues such as this one continues to prove that choice correct.
Wait...PEOPLE PUT THEIR PASSWORDS IN SOFTWARE THAT IS NETWORK AWARE?!? AND ACTUALLY INTENTIONALLY PUT THEIR PASSWORDS ON OTHER PEOPLES' COMPUTERS?!?!? What did you _think_ was going to happen??
Awesome video. Thanks for breaking this down. I'm off to move this evening - Pour a glass of wine and start in.
"The real story here is how these guys are living millions of years." I nearly choked on my tea with laughter. Lots of other funny comments by all you guys as well. Thank you guys for being entertaining and funny enough to take the edge off this horrible story. Most entertaining IT show -- hands down. The rest bore me to tears. One of em even thinks loudly slurping coffee while appearing to be on a sugar high is entertaining.
A breach in a "security" program should put them out of business. Why should anyone use LastPass now?
New company name is LostPass.
Hey @ITProTV, I don't know if you guys ever read comments but if you do... REGARDING REGENERATING OTP keys, here's another 'gotcha' you ALSO need to consider. As I've been going through the process of changing all my PWs and OTP secret keys, I've discovered ANOTHER vector for attacking your accts... Emergency Backup Codes, Acct Recovery Codes, and Application Specific Passwords (I save these values in the "Notes" field of my PW manager... so they're potentially compromised too). So in regards to this... when you enable OTP, most sites will give you a list of emergency 1-time use backup codes. Generally if you regenerate your master OTP seed key, this also has the effect of invalidating all previous Emergency Backup Codes. But this isn't always the case with "Acct Recovery Codes"! It depends on the service! ProtonMail is a good example of this.... Gmail is a good example of this... they issue OTP Backup Codes & Acct Recovery Codes separately. Bitwarden is also a good example of this!! When you disable & then re-enable OTP in Bitwarden, IT DOES NOT INVALIDATE the already created "Acct Recovery Code". The ONLY WAY to get a new Recovery Code from Bitwarden is to physically use the code by going through the actual recovery process! Just deactivating & reactivating OTP will not change the existing Recovery Code value. (See: bitwarden.com/help/two-step-recovery-code/ ). And don't forget to re-generate your App Specific PWs if you're using 3rd party clients like Thunderbird or you have an old Xbox 360 that doesn't understand modern 2FA.
Was a last pass user for 8 years, but no more. This was a complete mishandle on their part and lack of protecting their customers. I guess free accounts come with costs (probably the only reason why passwords were encrypted and not usernames and URLs, selling your data). Using Bitwarden now. Currently using their cloud service but potentially going to host my own personal instance.
Lastpass reported that the number of iterations is 100,100. But older accounts show only 5,000 and some report theirs defaulting to 1. The iterations don't change even after changing the master password. That needs to manually be changed.
@ITProTV great discussion. One thing that I have not seen mentioned in the comments or covered in the discussion is the LastPass feature which is enabled by default "Revert Master Password". This allows you to revert changes to your master password that were made in the last 30 days. I wonder if this data was also stolen ?
Considering the price of $51 CAD/year lastpass now charges I expected better security and total encryption of my vault.
Have now removed auto renew and will be going to bitwarden and will gladly pay the $10US/year for the extra features even if they offer a free version. In the end I'm still a winner.
SMH, FML and I'm SOL with last pass. And every other abbreviation the kids use. Horrible company ethics being shown by them. I'm out. Appreciate you sharing what to do and the alternate options.
Just for more information on this topic - I just checked my email and found the 2018 email from Lastpass regarding the changes they made at that time. Below is the email text they sent me. So they did change the iteration count automatically on my account. Apparently many haven't researched this because it is widely misreported. I still have the emails.
"Recent Upgrade
We are notifying you of a routine security upgrade we recently made to all LastPass accounts. Specifically, we increased the default PBKDF2 iterations to 100,100. PBKDF2 is used to protect your master password in the unlikely event of a brute-force attack. We periodically make security upgrades, such as increasing PBKDF2 iterations, to ensure we're providing the best security for users.
The update happened automatically upon login to your LastPass account. Because the upgrade requires a re-encryption of the vault, LastPass records the event as a password change in your account history, as seen below, though no master password changes have been made. Note that you will be required to log-in again on other devices where you use LastPass.
Time of Change 2018-12-28 12:10:08"
But I agree, it is time to move on, the new owners of Lastpass have mismanaged the company and caused it to be unsuccessful in its core business.
I recall that message, and took the opportunity to pick an even higher value for myself. But it definitely didn't get applied universally as they claimed. Which is a huge fail on their part, no matter the reason.
I have seen second hand reports (not unlike this person) of people with much lower iteration values, and personally know someone that checked and theirs was only at 500.
Iteration count is something the attackers will certainly have in the clear and can target those master passwords with the least protection.
Famous last words of people that pretend to know, but really don’t:
“I was under the impression…”.
DONT BE! Ensure you truly know it!
Is it safe to move from LastPass to other companies? I mean since LastPass learned their lesson the hard way and made some changes to make their product more secure. I feel if I move to a new password manager company then they might get the same breach and won't be ready for it... idk I would like to get some thoughts on this from others. Thanks
I've been using 1password for some years. You can import p/w from Last Pass but as the chaps say here, you should change them.
I imagine other systems will do the same
Hi, great show and I feel I have a much better understanding of the whole situation 👍 One question, I am not really sure about how the number of iterations and the length of the master password influence each other. My LastPass password is a total mix of letters, numbers and special characters and 15 characters long. Everywhere you look they'd say that my vault should be pretty secure, however as a long time LastPass user of course I also have those 5,000 iterations. Should my vault still be pretty safe (for now) thanks to the 15 character long master password or is it also weakened too much because of the only 5,000 iterations? Thanks!
@Jo Blow you didn't answer his question
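As an added example (not code from the video, from any commenter, or from LastPass), here is the arithmetic behind the question above: how a master password's length and character set and the PBKDF2 iteration count add up into attacker work, covering the 15-chars-at-5,000 case as well as the 5,000, 500 and 1-iteration counts other commenters report. PBKDF2-HMAC-SHA256 with the account e-mail as salt is assumed for the derivation itself; the attacker hash rate in the demo is a constructed figure for comparison only.

```python
"""Work-factor arithmetic for a PBKDF2-protected password vault.

Added example, not code from the video or from LastPass. It models how the
master password (length, character set) and the PBKDF2 iteration count combine
into the cost of an offline guessing attack on a stolen vault blob, so the
question "15 random characters at 5,000 iterations vs. 12 at 100,100?" gets a
number instead of a feeling. Assumption (for illustration only): the vault key
is PBKDF2-HMAC-SHA256 over the master password with the account e-mail as salt.
"""
import hashlib
import math
import time

SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key.

    Every extra iteration is one more HMAC-SHA256 the legitimate client pays
    once per unlock and the attacker pays once per guess, so the iteration
    count is a linear multiplier on attack cost; the salt only prevents
    precomputation shared across accounts. Salt choice is an assumption here.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.strip().lower().encode(),
        iterations, dklen=32)


def password_space_bits(length: int, charset_size: int) -> float:
    """log2 of the guess space for a *uniformly random* password.

    A human-chosen 15-character password has far fewer bits than this; the
    figure is an upper bound that only a generated password actually reaches.
    """
    return length * math.log2(charset_size)


def effective_work_bits(length: int, charset_size: int, iterations: int) -> float:
    """Total attacker work, in bits: guesses x PBKDF2 iterations per guess."""
    return password_space_bits(length, charset_size) + math.log2(iterations)


def expected_crack_years(work_bits: float, hmac_per_second: float) -> float:
    """Expected time to hit the key at an aggregate HMAC rate.

    On average half the space is searched before the hit, hence the -1.
    """
    return 2 ** (work_bits - 1) / hmac_per_second / SECONDS_PER_YEAR


def iterations_to_match(ref_length: int, ref_charset: int, ref_iterations: int,
                        length: int, charset_size: int) -> int:
    """Iterations a (shorter) password needs to cost the attacker as much as
    the reference configuration. Each missing 94-set character is ~6.55 bits,
    i.e. 94x more iterations to compensate."""
    deficit = (effective_work_bits(ref_length, ref_charset, ref_iterations)
               - password_space_bits(length, charset_size))
    return math.ceil(2 ** deficit)


def unlock_latency_seconds(iterations: int) -> float:
    """Client-side cost of one derivation on this machine: the price a
    defender pays for raising the count."""
    start = time.perf_counter()
    derive_vault_key("measure-only", "latency@example.invalid", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    PRINTABLE = 94  # upper, lower, digits, symbols
    cases = {
        "15 chars, 5,000 iterations": (15, PRINTABLE, 5_000),
        "12 chars, 100,100 iterations": (12, PRINTABLE, 100_100),
        "12 chars, 1 iteration": (12, PRINTABLE, 1),
    }
    rate = 1e10  # constructed attacker HMAC/s for comparison only, not a measurement
    for label, (n, cs, it) in cases.items():
        bits = effective_work_bits(n, cs, it)
        print(f"{label:30s} {bits:6.1f} bits, "
              f"~{expected_crack_years(bits, rate):.3g} years at {rate:.0e} HMAC/s")
    print("12-char password needs", iterations_to_match(15, PRINTABLE, 5_000, 12, PRINTABLE),
          "iterations to match 15 chars at 5,000")
    print(f"one unlock at 100,100 iterations: {unlock_latency_seconds(100_100) * 1000:.1f} ms")
```

The comparison only holds for generated passwords; for a human-chosen one, treat the iteration count as the part of the work factor the user cannot weaken by habit.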
I am a little confused about a couple of your side comments. You mention the source code has been stolen allowing the attackers to use brute force against the vault and it would allow them to spoof the site. All good so far. Then one of you mentioned moving to bitwarden, which is open source. Surely open source gives hackers the same advantage as stolen source code. Do I misunderstand open source?
Does OnePassword encrypt everything on their platform? I switched to them after the LastPass breach but never considered that only certain things can be encrypted.
Synology has a similar solution now; anyone using it and care to share their opinion about it. Thanks.
To correct some misinformation here… while it is true Site URLs for your LastPass entries are stored by LastPass in the clear, other data elements for LastPass entries are encrypted in the vault, such as Usernames, passwords, site/item names, notes, and other fields.
They wanted to put out the late December revelation in the holiday news 'noise'. That's sneaky political nonsense for sure. I'm slowly moving to Bitwarden. Not good, LastPass.
People like to reassure themselves by saying it would take millions of years to crack a password. Maybe for one computer. What if you have millions of computers working on it for a year? Hmmmm....
I did enjoy this video, but why in the world would you increase your exposure by using such a service? Then you go to another one, after this one was violated. The only thing good about the other one is that it was like Last Pass, not violated yet.
All my passwords are long, use symbols and numbers, and are encrypted on two different encrypted drives. My passwords are secured by myself, and not dependent on an outside source that can fail me without them even being at fault. So why would any of you, technology savvy, outsource one of your first lines of defense to being hacked?
A data breach wasn't the thought in the front of my mind when I initially made the decision to never ever use ANY online password manager service, such as LastPass. My thoughts were along the lines of catastrophic data loss, like what happened with ma.gnolia, or discontinuance of services, as has happened with so many other online services. Because I don't want to end up high & dry without my passwords, because some fool company doesn't know what they are doing, I have stuck with KeePass for all this time, and I feel that I made the right decision, many times over, for many reasons, including security. KeePass really does keep your ass safe. (as long as you make it a habit to keep your data properly and securely backed up)
Yep, just switched from using Chrome and Firefox to store all my passwords (for as long as I can remember) to KeePassXC for added security. After all this online hacking stuff, an offline password manager is the way to go. I set up Syncthing and Google Drive to sync my .kdbx file across my PC, phone and tablet with no issues whatsoever, and the advantages KeePassXC has over browsers are simply amazing to me.
Wow! I just tried to remove my credit card information from their website, and found it to be not possible. I will cancel their service as soon as I have recovered all my data and set up another password manager.
And I found that the iteration count (I have been a paid subscriber since 2016, and a free user for a few years before that) was set to 5000.
Why trust lastpass....a password manager that paid advertisement to a lot of youtubers......basically they are after ad profit . ....not service quality
If you get phished the first time you are unlucky, but if you get it the second time, shame on you!
My lastpass master password is 63 characters of all-charset gibberish. How long is that taking to brute force? Oh and I changed it anyways in response to this.
After listening to Security Now. I did the javascript thing to pull my vault down on an old LastPass account I don't use. I put a fake Google entry in it. Then I de-obfuscated anything hex with some python.... Nowhere in there appears to be the username field. All other fields are gibberish that start with "!", presumably from the CBC encryption right? So I'm not sure it is accurate to say the attacker has all our usernames. Am I missing something? I've only found URLs and domains that were plain text. I'd rather have the whole thing encrypted like in Bitwarden, but still...
When i was in a financial company we would install a separate line for their business-only computer. They could not connect any other computer to that router and that router only connected to our site. We knew if that was violated and we fired people for that. That was years ago. WTF, Lastpass.
One of my lastpass accounts was set to 10,000 iterations😔😔😭😭😭😭😭😭
Yeah, but there's code in there that was injected about two years ago that requires you to go online and log into, you know, your remote cloud, and if you can't do that (in other words, if they don't have the IP address from what you normally logged into), that past master password gets locked out, and you have to call in, and then you have to give them information that only you would know. And a lot of that information, especially like a two-factor back to email, is not going to be available, because hopefully you've changed your email passwords, so that now anyone trying to do a reset or to gain knowledge from that to give it to LastPass... At the very least, whatever you use for a password reset on 2FA, change that, and save your LastPass account for at least a year, so this way if someone tries to break in using the old IP address, they have no idea where you were. What is the IP address of the last device that you logged into? You have to at least know that, and if you don't know that, it's like 30 questions to answer, and even with all the data that they have, they don't have enough information to then social engineer. They've also recorded you whenever you called in for any type of support help, and they're going to match the voice, do stuff like that. I know they do.
Ummm, about that @4:46 "I have a master password and LastPass never sees it": how come then that I, being super admin in our enterprise account, can delete a user and have their vault contents transferred over to another account (unencrypted, obviously)?
I finally have had enough and completely closed my LastPass account and deleted all data. I had moved on some time ago after the last breach but had left the vault there just in case. I had already changed many of my passwords in the meantime. I knew deep down after LastPass had been purchased that it would likely go downhill.
I have been using LP for years. I cannot log in to my account because every time I log in they stop me and send me an email saying somebody using my password has been stopped. It's me.
The bottom line...the breach does not directly give the hackers access to your passwords.
did this video have sponsored content from Bitwarden or 1Password as it seemed like it suddenly came in from the side?
All we have to do is Switch to a better competitor and they won't have a business.
LastPass - we don't know who Last has access to your Passwords...
It's scary how misinterpreted some of the presenters of this show are; using anything less than 12 characters is ridiculous, especially with the low iteration counts last pass used.
There are a lot of channels trying to get my attention and time. You just got mine!
We use Keeper Security for our password vault. They are pretty hardened and encrypt each record on top of the vault.
They should have testified before the government! This is BSSS!
I think I already know the answer - which is ah crap, my vault is still susceptible.
If I use a 2FA h/w key during logon with my master p/w, is my vault still susceptible or is it protected?
They won't be able to access the vault even if they guess your master pass, which if it's unique and strong would be near impossible anyways (I guess those are 2 big iffs though). Seems like what you need to worry about more is them now trying to brute force any important accounts they now know you have. So again if those passwords are each unique and strong, and you're using MFA then you're OK. In the end people should be following the basic recommended security practices. Which is why you have a password manager in the first place. So if you were doing that then I'm not worried.
The guy in the middle could totally play freddy krueger
PBKEDF2 = that's just in pig latin
I know one last pass account set to 500 and another at 10,000 iterations. Shame on them for not bumping up the early users. We have left LP and will never look back.
I know this is dubious logic at best, but you have to assume LP will learn from this mistake. Other services will potentially have their own flaws that are yet to be exploited?
So you're _still_ using LastPass?
Sorry, but the one guy’s comment that everyone who doesn’t have a 24 character password is dumb is just super ignorant himself. When you have to re-enter your password many times per day, and/or enter the password on a mobile device or mobile app, that is a HUGE pain!!! And that is NOT counting typos. Dumb. Yes, longer passwords increase entropy but convenience is a consideration.
Just came across you guys....ahhh..breath of fresh air. When I go to my Bro's house it's ESPN on 24/7 at his house. Y'all are the nerd equivalent of ESPN.
Just switched to Bitwarden quick import. Now to change all passwords and I'm good hopefully. But you still are affected. I think I already have some phishing emails on my inbox lol, didn't know that lastpass was the cause of that lol.. Anyone knows how to remedy this other than creating new mail?
Last year I lost my Master Password for my LastPass account. I could not retrieve it! Tried many times! Then on Jan 3rd 2023 I was dinged on my credit card for this year! They provide NO WAY to unsubscribe or reverse the charge of $36! The only way for me to get out of this situation was to ask my credit card company for a refund. I am DONE with LastPass!
The most insane fact to me is that they held end user data in essentially plaintext. I've worked as an engineer for monopoly-level enterprise software companies, and even our monthly transactional log access for a dying B2B product with *no* end-user data was more protected and hashed than this.
Like, this could be a super softball interview question for any SWE I've interviewed (and there were tons of bad ones)... "Should you hash end-user data in your SoR for a B2C service?" It's not even a fucking question... JFC.
Guys, did you realize that despite the fact that the current key derivation happens 100100 times, you can set whatever number there? Even going back to 1?
I dumped these guys for BitWarden a couple of years ago. I was annoyed. I had to frequently uninstall/reinstall the program because I couldn't access my vault. To me, that says poor coding and poor coding allows breaches. BitWarden is absolutely awesome and no more near heart attacks. I am not at all surprised that this happened. I'm only surprised that it took this long.
My iterations were set to 5000!!! I've been a LastPass Premium user since it was $12 per year. I've already stopped using them but that's too late now. LastPass should really tell us more information.
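Added example (not from the video or any commenter) showing why the iteration counts quoted in these comments matter: PBKDF2 is linear in its iteration count, so a vault at 500 or 5000 iterations costs an offline guesser proportionally less work per candidate than one at the 100100 default. The salt, sample password and the 100000 floor are this example's assumptions.

```python
import hashlib
import time

# Iteration counts quoted in the comments (1, 500, 5000, 10000) next to the
# 100100 default mentioned above; the 100000 floor is this example's assumption.
SAMPLE_COUNTS = [1, 500, 5000, 10000, 100100]
MIN_ITERATIONS = 100000


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output, parameterised by iteration count."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def relative_guess_cost(iterations: int, baseline: int = 100100) -> float:
    """Work per password guess relative to a baseline count.

    PBKDF2 runs its HMAC once per iteration, so a vault protected with 500
    iterations costs a guesser 500/100100 of the work per candidate compared
    with one derived at 100100 iterations.
    """
    return iterations / baseline


def is_weak_iteration_count(iterations: int, minimum: int = MIN_ITERATIONS) -> bool:
    """Flag a vault whose stored iteration count falls below the assumed floor."""
    return iterations < minimum


def time_derivation(iterations: int) -> float:
    """Wall-clock seconds for one derivation over constructed sample inputs."""
    start = time.perf_counter()
    derive_vault_key("correct horse battery staple", b"constructed-salt-value", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for count in SAMPLE_COUNTS:
        print(
            f"{count:>7} iterations: {time_derivation(count):.4f}s per guess, "
            f"{relative_guess_cost(count):.5f}x baseline work, "
            f"{'WEAK' if is_weak_iteration_count(count) else 'ok'}"
        )
```

Timings vary by machine, but the ratio between rows tracks the iteration count, which is the point an old 500-iteration setting makes against its owner.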
I’ve always felt incredibly uncomfortable with any password service saving my passwords to their servers.
I bought a lifetime license from 1Password ages ago and I haven’t upgraded to their newer (online) client. I manage distribution of my fully encrypted vault myself to at least try to avoid the problem that comes with creating a stockpile of millions of users passwords together.
I also don’t enable the browser plugins. Yes, it’s kind of a pain, but I don’t end up with urls being associated with my credentials.
I also have two vaults. One that I’m willing to use other online storage services to share my passwords across my numerous devices. But then there is the serious stuff. That vault never gets backed up online. I have it on external storage which I only access directly from there. I don’t copy it to my local drive. 1Password makes it pretty easy to point to different locations for your vaults so I don’t find it too onerous.
When it comes to password security, a bit of paranoia seems warranted.
I also have a hard and fast rule to never click links in emails. If there is an offer, for example, I always go out to that company’s website directly.
I’ve seen too many people have major issues over the years and it’s left me more than a little paranoid. Hehe …
I get that the Notes field is encrypted, but what about other fields in the records? For example, if you "Add Payment Card", you get prompted to enter "Name on Card", "Type", "Number", "Security Code", etc, etc. Are they all considered Notes? LastPass had lots of different types of items and it's really unclear which fields in these other records were encrypted.
I use LastPass and never knew this 😢
They want to blame customers and 2 of their employees were duped.
What kind of security company is this?
@Itprotv... What about LastPass customers who have strong 12-character passwords and two-factor authentication for the master password? Do those customers with this type of setup need to reset everything and leave LastPass as well????
Do we have insights on whether LastPass Authenticator is affected too? How is it protected, and should we update all 2FA enrolments?
They got breached twice through the same social engineering channel. I know people say there's no point shutting the barn door after the horse has bolted, but not getting management to have a serious talk with their employees is just stupid.
Great video to inform me of what actually happened, thank you. So pissed it's a paid service and they have screwed us with this breach. Question is, what is even stopping this from happening on Bitwarden or any other one if I move there?
LastPass claims over 33 million users. Some of those passwords are definitely on freely available word lists.
Got bought by a VC and went bad right after that. Seems to be a pattern when these companies sell out.
There is a Git script that someone made available long before this happened that you can use to try to write a program to brute-force decrypt a vault. I used the Git script without a password on my vault to see that the password card's Notes column was encrypted. They were not very good about telling us what was encrypted.
Not sure why y'all even use services like LastPass. That's just as bad.
So do they have access to user's hashed passwords? This makes them subject to a birthday hack.
According to LastPass's press release, usernames are encrypted. Is that not correct?