LastPass Breach Is Worse Than They Want You To Believe

  • Published: 29 Sep 2024
  • In December 2022, LastPass experienced a security breach. The breach compromised the personal data of millions of users, including names, email addresses, and encrypted passwords. Fortunately, the attackers did not gain access to the master passwords of any LastPass customers. Join the Technado team as they explain everything you need to know about the LastPass breach.
    Reference Article:
    - Notice of Recent Security Incident (The LastPass Blog)
    blog.lastpass....
    - LastPass users: Your info and password vault data are now in hackers’ hands
    arstechnica.co...
    - Yikes! Hackers Had Access to LastPass Users' Password Vaults
    gizmodo.com/ha...
    - What’s in a PR statement: LastPass breach explained
    palant.info/20...
    Buy Technado swag and submit listener mail at: www.technado.com/
    Technado is a weekly tech podcast where Don Pezet, Peter VanRysdam, and Daniel Lowrie cover a whirlwind of tech from interviews with industry experts and up-and-coming companies to commentary on the week's news in the world of security, vendor certifications, networking, and just about anything IT related. New episodes are released every Thursday!
    #lastpassbreach #lastpass #lastpassbreachexplained

Comments • 179

  • @jamesm1845 1 year ago +47

    Lastpass needs to go out of business. They chose to not responsibly handle the data they had been trusted with. I hope they have legal consequences for it. Again, they chose to not be responsible with customers' data.

    • @hammerheadcorvette4 1 year ago +2

      They've been suspect since 2018. I honestly can't even trust people who recommend it. It comes off as out of touch to me.

    • @vctrsigma 1 year ago

      Not that this would be consistent with how they have behaved so far, but hopefully they act responsibly and give ample notice such that they don't lock people out unexpectedly. I can't imagine everyone has multiple backups or local copies of their vaults or is familiar with how to use the offline login mode.

  • @chaotic_coder 1 year ago +26

    This should be absolutely prosecuted. How is this not a complete violation and gross negligence? I should have dumped them after they were bought.

    • @christianbarnay2499 1 year ago +1

      I agree this should be prosecuted because it is a major violation of safety. But this event also revealed that bad practices are way older than the buy. Low iteration counts, never informing the users that standard recommendations have increased and they should strengthen their master password. All we discover today is that they provided bad security from day one while pretending they were always at a higher level than they actually were. The PR stunt didn't start just now. That's only its discovery that is recent.

    • @requiemforameme1 1 year ago +1

      The engineers over there must've had the dream job. I'd love to completely ignore every RFC and widescale update like TLS for the last five years. Like... what did they even do other than buy more storage space and hire more UI/UX folks? It sounds like the CTO should've grown a pair, as even a pair was more hashing iterations per user at launch...

    • @vctrsigma 1 year ago

      @christianbarnay2499 iteration counts are a moving target; there were definitely times that they were meeting expectations.
      But there is no excuse for them not to keep their minimum count current with best practices and proactively force adoption of those by users over time (at least client side whenever they re-authenticate). They absolutely failed to be good stewards of securing their customers' vault data.

    • @Tech-geeky 1 year ago

      They should. These vaults these days are stored in Amazon S3, or other, but are all U.S. Lastpass HQ is in the U.S., so the laws could do it.
      Bitwarden is no different. I guess being 'offshore' would be 'more secure' as laws permit (and raise potentially other issues....) or technically and physically not possible? I dunno. But it's easier to 'just change password managers and forget' :P
      Accountability these days means "absolutely nothing" when it comes to online. In the real world, we would understand that. It's not even like Lastpass would 'run'. They already publicly showed it was breached and accepted the consequences.

  • @starbuk138 1 year ago +22

    Just a couple of quick points... 1) The username field *is* encrypted. So that's something, but still not great, and your comments about phishing still very much apply.
    2) Lastpass have confirmed (to customers who send in a support request) that the data was stolen on Sept 22, 2022. This was all customer vaults.
    Hope that helps!

    • @joen0411 1 year ago +5

      One of the reports I can run as admin is login activity, the report includes url and username to the site a user logs onto. If username info is encrypted, how can this info be in the report? Lastpass has that data stored somewhere that is not encrypted.

    • @An.Individual 1 year ago

      But what are the dates on the stolen backups?

    • @vctrsigma 1 year ago

      The stolen vault data was backups, which could have been from months or years ago depending on how they handle them. It could have been anything from the day before to all their regular backups across all time.

  • @jimcyip 1 year ago +2

    I have been a long time user of Lastpass and this has me worried. Not all my passwords are strong, some are weak for useless sites I don't really care about. But with the stolen vault and unencrypted data, does this mean the hacker could easily figure out my Master Key when they brute force into the sites with weak passwords? And then with the Master Key unlock everything else.

  • @RussMichaels 1 year ago +1

    So odd they only encrypt the password and notes fields; this also means your credit card and bank account details are not encrypted either.

  • @jmd1980 1 year ago

    Man Bitwarden must be getting slammed with business right now. Who's guessing hackers are already targeting them next?

  • @RussMichaels 1 year ago

    I have contacted Lastpass and asked them to cancel my subscription, but they are refusing to reply.

  • @remektekmedia6641 1 year ago

    You got my subscription after watching this. Bad news is that I have 1,177 passwords in Lastpass! Ouch. I am moving back to RoboForm for now and also bought a YubiKey 5 hardware security key, and I am going through my high value logins changing every password and setting up either a hardware key or TOTP as 2FA security.

  • @llook 1 year ago

    Oh.
    So I need to go elsewhere for a password manager.
    Changed the passwords for my most important accounts but changed those using lastpass; not sure if I should've now. Hadn't given a thought to the authenticator maybe being a bit iffy.
    So after watching this (and reading and watching other stuff before I got here), go with a different password manager and change all passwords. Was hoping to avoid all that but seems like, nope!

  • @hammerheadcorvette4 1 year ago

    3:07 Anyone taking LastPass seriously has absolutely given them a pass since the big issues they had since 2018. Bitwarden or KeePass is the absolute way to go.

  • @Sonex1542 1 year ago

    I bet the entire encryption was for Phase 2 of the project. The infamous never happening Phase 2 because funds ran out.

  • @fredseekingbibleturth 1 year ago

    I deleted my Lastpass account and switched to Bitwarden a month ago due to this. So I cannot go back and check the advanced settings you mentioned. However, I did look for "reset" in the exported data and I found 3, and one was a bank that I use. Thankfully it had expired and no longer works. The other 2 are not important. Also, I spent several days trying to change all my passwords that were in the vault, starting with all the banks that I use. I had over 300 passwords. I found some sites that make it very difficult to change passwords. Also, I like that Bitwarden has more features and it's cheaper. Also, I could never get Yubico to work with Lastpass and it works just fine with Bitwarden.

  • @PnPModular 1 year ago

    What about the "Master Password Reminder"? Is that encrypted?

  • @davethompson3226 1 year ago

    What about 2FA on the LastPass vault? Duo, Yubikey, etc… does this impact the ability to brute force the vault? I haven’t seen anything on this topic.

    • @ericfielding2540 1 year ago

      I don’t think the 2FA gives any extra protection if the hackers have your vault and the LastPass source. The 2FA only applies when you open your vault in the app.

  • @markarca6360 1 year ago

    Probably time to find another password manager? Yes, I am moving to Bitwarden!

  • @BeSeeP 1 year ago

    Partial encryption removes zero knowledge and zero trust.

  • @timmyjohns222 1 year ago

    Wouldn't trust anybody but myself to secure my passwords! This is just another case of convenience and laziness over real security! Plus you don't need to sign up to everything you see!

  • @sameersmerchant 1 year ago

    My iterations were only at 5000

  • @nealoglesby1059 1 year ago

    Your audio sucks. I have to crank it way up, and the guy on the right I still can't understand...

  • @ossiedunstan4419 1 year ago

    I am not a LastPass customer. Have a CCNA; I do let third party companies have my personal data like passwords.
    Don't want to get hacked? Don't let companies keep your passwords, or a third party.
    You're just asking to be hacked, same as clouds. I do not use clouds as I will never give permission for someone else to hold my personal data.
    Suffer to you blokes for being sucked in by the lies of LastPass.
    If your information is accessible to the internet it is not safe.
    I use an unhackable password locker called a pad and pen.
    You want my passwords? You have to enter my property physically; you do that with authorisation to enter the property, you leave in a body bag.
    There is software used to hack passwords. They have been around longer than Windows.
    I cannot believe how uneducated you lot are on software and security.
    It's almost criminal.

  • @johnscott6072 1 year ago +53

    Writing down your passwords on sticky notes doesn't seem so bad now.

    • @75jvs 1 year ago +7

      Literally my answer when someone tried to convince me to use Lastpass lmao 🤣

    • @ryankitching5936 1 year ago +2

      Bro...I hear you !

    • @requiemforameme1 1 year ago +2

      It's not me being lazy to clean. It's password entropy.

    • @Tech-geeky 1 year ago

      😆 It could be when you lose it.

  • @anorax001 1 year ago +9

    I ran my 12-character random LastPass master password which had 100100 iterations on my RTX4090 using one of the better open source password crackers and it cracked my LastPass password at the 63 hour mark. Complex master passwords are useless if the password vault gets stolen.

  • @p_louis 1 year ago +14

    I also moved to 1Password after this last fiasco. The great thing about 1Password is that they make you generate a second key that's random on top of your master password. This second key works with your master password so it's strong by default. You don't have to enter in this secondary key every time, you just keep it somewhere safe for when you need to rebuild your local copy.

    • @mikemcaulay9507 1 year ago +1

      I still use their old "offline" version and manage distribution of the vault myself. I just can't get past how big and juicy a target a password company is. I've been programming about 30 years now, and if there's one thing I'm certain of: people screw up. If it's got to be somebody, I'd rather it be me. :D

    • @Tech-geeky 1 year ago

      How secure is secure? Extra features are good, but I usually find they just "get in the way".
      When you quickly want to do something and you're blocked... When you do it again, it becomes more irritating every time, to the extent you turn it "off". My Master Password is enough... as long as I don't lose it..
      As a strict "my own" use, the first thing I did with Lastpass when I set it up years ago was to "disable" One-Time Password and Recovery key..
      I handle my own security.. and ya, I limit myself to (1 way in, 1 way out). But I like that better. I may be on the element of disaster.... 😆 but I'll deal with that when and if it comes.

  • @msromike123 1 year ago +4

    My data has already been compromised, I started getting unauthorized ACH from my bank over the past weekend.

  • @ppporch 1 year ago +20

    I too used to be a lastpass user but the way they have handled letting the public know about this was very poor.

    • @UToobSteak 1 year ago +5

      I agree. When they said customer info was safe, I gave them the benefit of the doubt. Since it has come out otherwise, I exported my vault to Bitwarden and deleted my Lastpass, even though my master password was 21 characters (capitals, lower case, numbers, and symbols).

  • @DCxALBRECHT 1 year ago +20

    We are in process of getting pricing for one of our mid-size business clients, glad I got caught up on what all is going on through this video. The PR stunt was very shady on LastPass' part with the holidays.

    • @vctrsigma 1 year ago +1

      Not that I want to give them the benefit of the doubt, but the delay from announcement to report was similar to their past breaches (approx 6 weeks I think) and doesn't seem specifically timed.
      Their lack of transparency with the user impact details is terrible though.

  • @alwayzurboy 1 year ago +5

    Since the breach I've been getting phished on my Gmail and Live accounts pretty damn hard. Hundreds of emails a day. I'm done with LastPass.

  • @AndySomething 1 year ago +27

    I didn't realise there was an easy way to move data from one password manager to another. I've just spent 3 full days manually transferring accounts (and changing passwords) over from Lastpass to Bitwarden lol
    I've been a Lastpass user for near a decade and spent most of that time as a premium user. Really happy with Bitwarden though; they seem to offer more features even with the free version.

    • @InquisiitorWH44K 1 year ago +3

      Yeah, I've used LastPass for years. Moved on to another. Export was easy as was the Import. Emptied out my LastPass vault, and have almost finished changing the 80 or so passwords I had stored in LastPass. Most important to least. Pain in the butt but I needed to change a bunch of my passwords as they haven't been changed in a while.

    • @glennhanna244 1 year ago +3

      I've been happy since moving from Lastpass to Bitwarden a few years ago when Last Pass wanted to charge to access my passwords from a mobile device. Bitwarden's free edition does everything I need it to do, and I can use it on both PC and mobile. The only drawback is that there is an extra step or two to fill in name and PW fields that Lastpass didn't have to do. I think I was able to transfer passwords from LP to BW easily... I have thousands of accounts; I wasn't going to even attempt doing one at a time.

    • @Bradiant 1 year ago +3

      A txt file on your desktop and a note in your phone is 100x more secure than hosting your passwords on likely several servers across the globe where vulnerabilities aren't patched in real time, since they can't just take the site down for a day to update after it's found out. They just keep it all up vulnerable and hope for a quick fix.

    • @theepicduck6922 1 year ago

      @Brad I'd try encrypting it if it's really important however otherwise if someone has access you've got bigger problems than people accessing your niche game site log-in.

  • @MiteshSura 1 year ago +1

    I switched to Bitwarden as well. Easy peasy. And updated all my passwords. Pain in the butt.
    Silver lining in all these … I moved to Brave browser too. No more Chrome or Edge for me.

  • @Joe-Dead 1 year ago +2

    "unless you live under a rock" or dgaf and never used password storage apps. Never even heard of Last Pass and gave up on password apps back in the ICQ days... breaches and general security issues such as this one continue to prove that choice correct.

  • @Laszlo34 1 year ago +1

    Wait...PEOPLE PUT THEIR PASSWORDS IN SOFTWARE THAT IS NETWORK AWARE?!? AND ACTUALLY INTENTIONALLY PUT THEIR PASSWORDS ON OTHER PEOPLES' COMPUTERS?!?!? What did you _think_ was going to happen??

  • @patthompson1253 1 year ago +1

    Awesome video. Thanks for breaking this down. I'm off to move this evening - Pour a glass of wine and start in.

  • @artistryartistry7239 1 year ago +5

    "The real story here is how these guys are living millions of years." I nearly choked on my tea with laughter. Lots of other funny comments by all you guys as well. Thank you guys for being entertaining and funny enough to take the edge off this horrible story. Most entertaining IT show -- hands down. The rest bore me to tears. One of em even thinks loudly slurping coffee while appearing to be on a sugar high is entertaining.

  • @gwine9087 1 year ago +2

    A breach in a "security" program should put them out of business. Why should anyone use LastPass now?

  • @An.Individual 1 year ago +3

    New company name is LostPass.

  • @EricS-uf9mv 1 year ago +4

    Hey @ITProTV, I don't know if you guys ever read comments but if you do... REGARDING REGENERATING OTP keys, here's another 'gotcha' you ALSO need to consider. As I've been going through the process of changing all my PWs and OTP secret keys, I've discovered ANOTHER vector for attacking your accts... Emergency Backup Codes, Acct Recovery Codes, and Application Specific Passwords (I save these values in the "Notes" field of my PW manager... so they're potentially compromised too). So in regards to this... when you enable OTP, most sites will give you a list of emergency 1-time use backup codes. Generally, if you regenerate your master OTP seed key, this also has the effect of invalidating all previous Emergency Backup Codes. But this isn't always the case with "Acct Recovery Codes"! It depends on the service! ProtonMail is a good example of this.... Gmail is a good example of this... they issue OTP Backup Codes & Acct Recovery Codes separately. Bitwarden is also a good example of this!! When you disable & then re-enable OTP in Bitwarden, IT DOES NOT INVALIDATE the already created "Acct Recovery Code". The ONLY WAY to get a new Recovery Code from Bitwarden is to physically use the code by going through the actual recovery process! Just deactivating & reactivating OTP will not change the existing Recovery Code value. (See: bitwarden.com/help/two-step-recovery-code/ ). And don't forget to re-generate your App Specific PWs if you're using 3rd party clients like Thunderbird or you have an old Xbox 360 that doesn't understand modern 2FA.

  • @aaronsatterwhite8721 1 year ago +3

    Was a Last Pass user for 8 years, but no more. This was a complete mishandle on their part and a lack of protecting their customers. I guess free accounts come with costs (probably the only reason why passwords were encrypted and not usernames and URLs: selling your data). Using Bitwarden now. Currently using their cloud service but potentially going to host my own personal instance.

  • @Bob-uz4ov 1 year ago +3

    Lastpass reported that the number of iterations is 100,100. But older accounts show only 5,000 and some report theirs defaulting to 1. The iterations don't change even after changing the master password. That needs to manually be changed.

  • @ShaunRust 1 year ago +2

    @ITProTV great discussion. One thing that I have not seen mentioned in the comments or covered in the discussion is the LastPass feature which is enabled by default, "Revert Master Password". This allows you to revert changes to your master password that were made in the last 30 days. I wonder if this data was also stolen?

  • @joeyhornyak8349 1 year ago +1

    Considering the price of $51cdn /year lastpass now charges I expected better security and total encryption of my vault.
    Have now removed auto renew and will be going to bitwarden and will gladly pay the $10US/year for the extra features even if they offer a free version. In the end I'm still a winner.

  • @mikereese15 1 year ago +3

    SMH, FML and I'm SOL with last pass. And every other abbreviation the kids use. Horrible company ethics being shown by them. I'm out. Appreciate you sharing what to do and the alternate options.

  • @alanb76 1 year ago +5

    Just for more information on this topic - I just checked my email and found the 2018 email from Lastpass regarding the changes they made at that time. Below is the email text they sent me. So they did change the iteration count automatically on my account. Apparently many haven't researched this because it is widely misreported. I still have the emails.
    "Recent Upgrade
    We are notifying you of a routine security upgrade we recently made to all LastPass accounts. Specifically, we increased the default PBKDF2 iterations to 100,100. PBKDF2 is used to protect your master password in the unlikely event of a brute-force attack. We periodically make security upgrades, such as increasing PBKDF2 iterations, to ensure we're providing the best security for users.
    The update happened automatically upon login to your LastPass account. Because the upgrade requires a re-encryption of the vault, LastPass records the event as a password change in your account history, as seen below, though no master password changes have been made. Note that you will be required to log-in again on other devices where you use LastPass.
    Time of Change 2018-12-28 12:10:08"
    But I agree, it is time to move on; the new owners of Lastpass have mismanaged the company and caused it to be unsuccessful in its core business.

    • @vctrsigma 1 year ago

      I recall that message, and took the opportunity to pick an even higher value for myself. But it definitely didn't get applied universally as they claimed. Which is a huge fail on their part, no matter the reason.
      I have seen second hand reports (not unlike this person) of people with much lower iteration values, and personally know someone that checked and theirs was only at 500.
      Iteration count is something the attackers will certainly have in the clear and can target those master passwords with the least protection.

  • @pepeshopping 1 year ago +2

    Famous last words of people that pretend to know, but really don’t:
    “I was under the impression…”.
    DON'T BE! Ensure you truly know it!

  • @tha9110 1 year ago +2

    Is it safe to move from LastPass to other companies? I mean, since LastPass learned their lesson the hard way and made some changes to make their product more secure. I feel if I move to a new password manager company then they might get the same breach and won't be ready for it... idk, I would like to get some thoughts on this from others. Thanks

    • @christopherlawley1842 1 year ago

      I've been using 1password for some years. You can import p/w from Last Pass but as the chaps say here, you should change them.
      I imagine other systems will do the same

  • @Largo-cy3rg 1 year ago +5

    Hi, great show and I feel I have a much better understanding of the whole situation 👍 One question: I am not really sure about how the number of iterations and the length of the master password influence each other. My LastPass password is a total mix of letters, numbers and special characters and 15 characters long. Everywhere you look they'd say that my vault should be pretty secure; however, as a long time LastPass user of course I also have those 5.000 iterations. Should my vault still be pretty safe (for now) thanks to the 15 characters long master password, or is it also weakened too much because of the only 5.000 iterations? Thanks!

    • @fearless6947 1 year ago

      @Jo Blow you didn't answer his question
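Picking up the question above about how iteration count and master-password length trade off, here is an added example (written for this page, not code from the video, the Technado team or any password-manager vendor) that puts numbers on both knobs. It assumes PBKDF2-HMAC-SHA256 as the derivation, a uniformly random master password, and an attacker rate of 1e9 HMAC operations per second; the 5,000 and 100,100 iteration counts are the ones the commenters report, everything else is an assumption for illustration.

```python
"""Added example: how PBKDF2 iteration count and master-password length combine
to set the cost of an offline guess attack on a stolen vault backup.  Every
throughput figure below is an assumption, not a measurement of any real tool."""
import hashlib
import math
import os
import time

# Alphabet sizes for the character classes a commenter describes ("letters,
# numbers and special characters").  These are standard printable-ASCII counts.
CHARSETS = {
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+symbols": 94,   # printable ASCII minus space
}


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """One PBKDF2-HMAC-SHA256 derivation, the kind of step a vault unlock runs.
    Assumption: 32-byte output; salt choice and surrounding construction are
    illustrative, not a claim about any specific product's key schedule."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               iterations, dklen=32)


def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Measure the wall-clock cost of a single derivation at this iteration
    count on the local CPU.  This is the price the legitimate user pays per
    unlock, and it scales linearly with the iteration count."""
    salt = os.urandom(16)   # constructed sample salt
    best = float("inf")
    for _ in range(trials):
        t0 = time.perf_counter()
        derive_vault_key("calibration-password", salt, iterations)
        best = min(best, time.perf_counter() - t0)
    return best


def expected_years(alphabet_size: int, length: int, iterations: int,
                   hashes_per_second: float) -> float:
    """Expected time to find a uniformly random password, assuming half the
    keyspace must be tried on average and that `hashes_per_second` counts
    single HMAC-SHA256 operations (so iterations divide throughput linearly).
    `hashes_per_second` is an assumed figure supplied by the caller."""
    guesses = (alphabet_size ** length) / 2
    return guesses * iterations / hashes_per_second / (365.25 * 24 * 3600)


def iteration_equivalent_chars(iterations_low: int, iterations_high: int,
                               alphabet_size: int) -> float:
    """How many extra password characters give the same cost multiplier as
    raising the iteration count from iterations_low to iterations_high:
    log base alphabet_size of the iteration ratio."""
    return math.log(iterations_high / iterations_low, alphabet_size)


if __name__ == "__main__":
    # Assumed attacker throughput: 1e9 HMAC-SHA256 operations per second.
    RATE = 1e9
    print(f"{'charset':<28}{'len':>4}{'bits':>7}{'5,000 it':>14}{'100,100 it':>14}")
    for name, size in CHARSETS.items():
        for length in (8, 12, 15):
            low = expected_years(size, length, 5_000, RATE)
            high = expected_years(size, length, 100_100, RATE)
            print(f"{name:<28}{length:>4}{password_bits(size, length):>7.1f}"
                  f"{low:>14.3g}{high:>14.3g}")
    print(f"\n5,000 -> 100,100 iterations is worth about "
          f"{iteration_equivalent_chars(5_000, 100_100, 94):.2f} extra characters "
          "from a 94-symbol alphabet.")
    for it in (5_000, 100_100):
        print(f"one unlock at {it:>7,} iterations: "
              f"{seconds_per_guess(it) * 1000:.1f} ms on this CPU")
```

The table makes the trade-off concrete: raising iterations 20x adds the equivalent of about two thirds of one character, while each extra character from a 94-symbol alphabet multiplies the cost by 94, so length dominates and the iteration count is a linear, not exponential, defence.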

  • @alanleea1644 1 year ago +1

    I am a little confused about a couple of your side comments. You mention the source code has been stolen allowing the attackers to use brute force against the vault and it would allow them to spoof the site. All good so far. Then one of you mentioned moving to bitwarden, which is open source. Surely open source gives hackers the same advantage as stolen source code. Do I misunderstand open source?

  • @haiderandazola6772 1 year ago +1

    Does OnePassword encrypt everything on their platform? I switched to them after the LastPass breach but never considered that only certain things can be encrypted.

  • @abieSilva 1 year ago +1

    Synology has a similar solution now; anyone using it and care to share their opinion about it? Thanks.

  • @markentwistle2158 1 year ago +2

    To correct some misinformation here… while it is true Site URLs for your LastPass entries are stored by LastPass in the clear, other data elements for LastPass entries are encrypted in the vault, such as Usernames, passwords, site/item names, notes, and other fields.

  • @cjc363636 1 year ago

    They wanted to put out the late December revelation in the holiday news 'noise'. That's sneaky political nonsense for sure. I'm slowly moving to Bitwarden. Not good, LastPass.

  • @reefhound9902 1 year ago

    People like to reassure themselves by saying it would take millions of years to crack a password. Maybe for one computer. What if you have millions of computers working on it for a year? Hmmmm....

  • @lesliesavage9229 1 year ago

    I did enjoy this video, but why in the world would you increase your exposure by using such a service? Then you go to another one, after this one was violated. The only thing good about the other one is that it was like Last Pass, not violated yet.
    All my passwords are long, use symbols and numbers, and are encrypted on two different encrypted drives. My passwords are secured by myself, and not dependent on an outside source that can fail me without them even being at fault. So why would any of you, technology savvy, outsource one of your first lines of defense to being hacked?

  • @app103 1 year ago +2

    A data breach wasn't the thought in the front of my mind when I initially made the decision to never ever use ANY online password manager service, such as LastPass. My thoughts were along the lines of catastrophic data loss, like what happened with ma.gnolia, or discontinuance of services, as has happened with so many other online services. Because I don't want to end up high & dry without my passwords, because some fool company doesn't know what they are doing, I have stuck with KeePass for all this time, and I feel that I made the right decision, many times over, for many reasons, including security. KeePass really does keep your ass safe. (as long as you make it a habit to keep your data properly and securely backed up)

    • @Super-360 1 year ago

      Yep, just switched from using Chrome and Firefox to store all my passwords for as long as I can remember to KeePassXC for added security. After all this online hacking stuff, an offline password manager is the way to go. I set up Syncthing and Google Drive to sync my kdbx file across my PC to phone and tablet, no issues whatsoever, and the advantages KeePassXC has over browsers are simply amazing to me.

  • @JosephGetchel 1 year ago

    Wow! I just tried to remove my credit card information from their website, and found it to be not possible. I will cancel their service as soon as I have recovered all my data and set up another password manager.
    And I found that the iteration count (I have been a paid subscriber since 2016, and a free user for a few years before that) was set to 5000.

  • @arkvsi8142 1 year ago

    Why trust Lastpass... a password manager that paid for advertisement to a lot of YouTubers... basically they are after ad profit, not service quality.

  • @BayuAH 1 year ago +1

    If you get phished the first time you are unlucky, but if you get it the second time, shame on you!

  • @createcoms 1 year ago

    My lastpass master password is 63 characters of all-charset gibberish. How long is that taking to brute force? Oh and I changed it anyways in response to this.

  • @EmbeddedSorcery 1 year ago +1

    After listening to Security Now. I did the javascript thing to pull my vault down on an old LastPass account I don't use. I put a fake Google entry in it. Then I de-obfuscated anything hex with some python.... Nowhere in there appears to be the username field. All other fields are gibberish that start with "!", presumably from the CBC encryption right? So I'm not sure it is accurate to say the attacker has all our usernames. Am I missing something? I've only found URLs and domains that were plain text. I'd rather have the whole thing encrypted like in Bitwarden, but still...

  • @charlesrichardson8635 1 year ago

    When I was in a financial company we would install a separate line for their business-only computer. They could not connect any other computer to that router, and that router only connected to our site. We knew if that was violated and we fired people for that. That was years ago. WTF, Lastpass.

  • @cokezero1 1 year ago

    One of my lastpass accounts was set to 10,000 iterations😔😔😭😭😭😭😭😭

  • @DanLoFat 1 year ago

    Yeah, but there's code in there that was injected about two years ago that requires you to go online and log into your, you know, your remote cloud, and if you can't do that, in other words if they don't have the IP address from what you normally logged into, that past master password gets locked out, and you have to call in and then you have to give them information that only you would know, and a lot of that information, especially like a two-factor back to email, is not going to be available because hopefully you've changed your email passwords, so that now anyone trying to do a reset or to gain knowledge from that to give it to LastPass... At the very least, whatever you use for a password reset on 2FA, change that, and save your LastPass account for at least a year, so this way if someone tries to break in using the old IP address, they have no idea where you were, what the IP address of the last device that you logged into was; you have to at least know that, and if you don't know that it's going to be, it's like 30 questions to answer, and even with all the data that they have they don't have enough information to then social engineer. They've also recorded you whenever you called in for any type of support help, and they're going to match the voice, do stuff like that, I know they do.

  • @tomaski.
    @tomaski. Год назад

Ummm, about that @4:46 "I have a master password and LastPass never sees it": how come, then, that I, being super admin in our enterprise account, can delete a user and have their vault contents transferred over to another account (unencrypted, obviously)?

  • @CF542
    @CF542 Год назад +1

I finally have had enough and completely closed my LastPass account and deleted all data. I had moved on some time ago after the last breach but had left the vault there just in case. I had already changed many of my passwords in the meantime. I knew deep down after LastPass had been purchased that it would likely go downhill.

  • @tincanboat
    @tincanboat Год назад

I have been using LP for years. I cannot log in to my account because every time I log in they stop me and send me an email saying somebody using my password has been stopped; it's me.

  • @TheBigBlueMarble
    @TheBigBlueMarble Год назад +1

    The bottom line...the breach does not directly give the hackers access to your passwords.

  • @DannyNilsson
    @DannyNilsson Год назад

    did this video have sponsored content from Bitwarden or 1Password as it seemed like it suddenly came in from the side?

  • @theluckyman74
    @theluckyman74 Год назад

    All we have to do is Switch to a better competitor and they won't have a business.

  • @HiltonT69
    @HiltonT69 Год назад +1

    LastPass - we don't know who Last has access to your Passwords...

  • @aaron6841
    @aaron6841 Год назад +1

It's scary how some of the presenters of this show have misinterpreted this. Using anything less than 12 characters is ridiculous, especially with the low iteration counts LastPass used.

  • @ScottPlude
    @ScottPlude Год назад

    There are a lot of channels trying to get my attention and time. You just got mine!

  • @rjc4370
    @rjc4370 Год назад +1

    We use Keeper Security for our password vault. They are pretty hardened and encrypt each record on top of the vault.

  • @jpthsd
    @jpthsd Год назад

They should have been made to testify before the government! This is BSSS!

  • @rb3n01t88
    @rb3n01t88 Год назад

    I think I already know the answer - which is ah crap, my vault is still susceptible.
    If I use a 2FA h/w key during logon with my master p/w, is my vault still susceptible or is it protected?

    • @jmd1980
      @jmd1980 Год назад

      They won't be able to access the vault even if they guess your master pass, which if it's unique and strong would be near impossible anyways (I guess those are 2 big iffs though). Seems like what you need to worry about more is them now trying to brute force any important accounts they now know you have. So again if those passwords are each unique and strong, and you're using MFA then you're OK. In the end people should be following the basic recommended security practices. Which is why you have a password manager in the first place. So if you were doing that then I'm not worried.

  • @MarkRushow
    @MarkRushow Год назад

    The guy in the middle could totally play freddy krueger

  • @fpgaguy
    @fpgaguy Год назад

PBKDF2 = that's just in pig latin

  • @JimEdds
    @JimEdds Год назад

    I know one last pass account set to 500 and another at 10,000 iterations. Shame on them for not bumping up the early users. We have left LP and will never look back.

  • @OwenPrescott
    @OwenPrescott Год назад

    I know this is dubious logic at best, but you have to assume LP will learn from this mistake. Other services will potentially have their own flaws that are yet to be exploited?

  • @BrazenNL
    @BrazenNL Год назад

    So you're _still_ using LastPass?

  • @robi8020
    @robi8020 Год назад

    Sorry, but the one guy’s comment that everyone who doesn’t have a 24 character password is dumb is just super ignorant himself. When you have to re-enter your password many times per day, and/or enter the password on a mobile device or mobile app, that is a HUGE pain!!! And that is NOT counting typos. Dumb. Yes, longer passwords increase entropy but convenience is a consideration.

  • @Joemama-km9np
    @Joemama-km9np Год назад

    Just came across you guys....ahhh..breath of fresh air. When I go to my Bro's house it's ESPN on 24/7 at his house. Ya'll the nerd equivalent of ESPN.

  • @serifpersia
    @serifpersia Год назад

Just switched to Bitwarden, quick import. Now to change all passwords and I'm good, hopefully. But you are still affected. I think I already have some phishing emails in my inbox lol, didn't know that LastPass was the cause of that lol.. Anyone know how to remedy this other than creating a new mail?

  • @stevefreier2156
    @stevefreier2156 Год назад

    Last year I lost my Master Password for my LastPass account. I could not retrieve it! Tried many times! Then on Jan 3rd 2023 I was dinged on my credit card for this year! They provide NO WAY to unsubscribe or reverse the charge of $36! The only way for me to get out of this situation was to ask my credit card company for a refund. I am DONE with LastPass!

  • @requiemforameme1
    @requiemforameme1 Год назад

    The most insane fact to me is that they held end user data in essentially plaintext. I've worked as an engineer for monopoly-level enterprise software companies, and even our monthly transactional log access for a dying B2B product with *no* end-user data was more protected and hashed than this.
    Like, this could be a super softball interview question for any SWE I've interviewed (and there were tons of bad ones)... "Should you hash end-user data in your SoR for a B2C service?" It's not even a fucking question... JFC.

  • @coresec8239
    @coresec8239 Год назад

Guys, did you realize that, despite the fact that the current key derivation happens 100100 times, you can set whatever number there? Even going back to 1?

  • @kattz753
    @kattz753 Год назад

    I dumped these guys for BitWarden a couple of years ago. I was annoyed. I had to frequently uninstall/reinstall the program because I couldn't access my vault. To me, that says poor coding and poor coding allows breaches. BitWarden is absolutely awesome and no more near heart attacks. I am not at all surprised that this happened. I'm only surprised that it took this long.

  • @glen4cindy
    @glen4cindy Год назад

My iteration count was set to 5000!!! I've been a LastPass Premium user since it was $12 per year. I've already stopped using them, but that's too late now. LastPass should really tell us more information.

  • @mikemcaulay9507
    @mikemcaulay9507 Год назад

    I’ve always felt incredibly uncomfortable with any password service saving my passwords to their servers.
    I bought a lifetime license from 1Password ages ago and I haven’t upgraded to their newer (online) client. I manage distribution of my fully encrypted vault myself to at least try to avoid the problem that comes with creating a stockpile of millions of users passwords together.
    I also don’t enable the browser plugins. Yes, it’s kind of a pain, but I don’t end up with urls being associated with my credentials.
    I also have two vaults. One that I’m willing to use other online storage services to share my passwords across my numerous devices. But then there is the serious stuff. That vault never gets backed up online. I have it on external storage which I only access directly from there. I don’t copy it to my local drive. 1Password makes it pretty easy to point to different locations for your vaults so I don’t find it too onerous.
    When it comes to password security, a bit of paranoia seems warranted.
    I also have a hard and fast rule to never click links in emails. If there is an offer, for example, I always go out to that company’s website directly.
    I’ve seen too many people have major issues over the years and it’s left me more than a little paranoid. Hehe …

  • @mapryan
    @mapryan Год назад

    I get that the Notes field is encrypted, but what about other fields in the records? For example, if you "Add Payment Card", you get prompted to enter "Name on Card", "Type", "Number", "Security Code", etc, etc. Are they all considered Notes? Lastpass had lots of different types of items and it's really unclear which fields in these other records were encrypted

  • @VybzKartelClassics
    @VybzKartelClassics Год назад +1

    I use Lasspass and never knew this 😢

  • @robiseppi
    @robiseppi Год назад

    They want to blame customers and 2 of their employees were duped.
    What kind of security company is this?

  • @Lcvds
    @Lcvds Год назад

@Itprotv... What about LastPass customers who have strong 12-character passwords and two-factor authentication for the master password? Do those customers with this type of setup need to reset everything and leave LastPass as well????

  • @StephanWissel
    @StephanWissel Год назад

    Do we have insights if Lastpass Authenticator is affected too? How is it protected and should we update all 2FA enrolments

  • @BobfromSydney
    @BobfromSydney Год назад

They got breached twice through the same social engineering channel. I know people say there's no point shutting the barn door after the horse has bolted, but not getting management to have a serious talk with their employees is just stupid.

  • @Kozi03
    @Kozi03 Год назад

    Great video to inform me of what actually happened, thank you. So pissed it's a paid service and have screwed us with this breach. Question is what is even stopping this happening on BitWarden or any other one if I move there?

  • @thedosiusdreamtwister1546
    @thedosiusdreamtwister1546 Год назад

    Lastpass claims over 33 million users. Some of those passwords are definitely on freely available word lists.

  • @OldePhart
    @OldePhart Год назад

    Got bought by a VC and went bad right after that. Seems to be a pattern when these companies sell out.

  • @MikeBZarlof
    @MikeBZarlof Год назад

There is a GitHub script that someone made available long before this happened that you can use to try to write a program to brute-force decrypt a vault. I used the script without a password on my vault to see that the password card's Notes column was encrypted. They were not very good about telling us what was encrypted.
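Several comments above report old accounts left at 500, 5000 or 10,000 PBKDF2 iterations instead of the current 100100, and the comment just above mentions a script for brute-force decrypting a vault. The block below is an added example, not the script being referred to and not LastPass's code: it reproduces the key-derivation scheme as publicly described (PBKDF2-HMAC-SHA256 over the master password, salted with the lowercased account email, 32-byte key; the login hash is one further PBKDF2 round salted with the master password), runs an offline dictionary attack against a constructed stolen login hash, and puts numbers on what a weak iteration count buys the attacker. The scheme details, the email, the wordlist and the "stolen" hash are all assumptions or constructed inputs; the legacy single-iteration path of the real client is deliberately not reproduced, and the 600,000 floor is the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import time

KEY_LEN = 32
OWASP_PBKDF2_SHA256_MIN = 600_000  # OWASP (2023) floor for PBKDF2-HMAC-SHA256


def vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Vault encryption key: PBKDF2-HMAC-SHA256(password, salt=lowercased email).
    Assumed layout from public descriptions of the LastPass scheme; the legacy
    single-iteration special case of the real client is not reproduced."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), iterations, KEY_LEN)


def login_hash(master_password: str, email: str, iterations: int) -> bytes:
    """Value sent to the server at login: one more PBKDF2 round over the vault key,
    salted with the master password (assumed, as above)."""
    key = vault_key(master_password, email, iterations)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode("utf-8"), 1, KEY_LEN)


def dictionary_attack(target: bytes, email: str, iterations: int, candidates):
    """Offline guessing: recompute the hash for each candidate and compare.
    The iteration count is the only thing making each guess expensive; the
    salt (the email) is known to whoever holds the stolen data."""
    tried = 0
    for guess in candidates:
        tried += 1
        if hmac.compare_digest(login_hash(guess, email, iterations), target):
            return guess, tried
    return None, tried


def speedup_from_weak_setting(weak_iterations: int, strong_iterations: int) -> float:
    """How many more guesses per second a weak iteration count gives the attacker
    compared with the strong one, for the same hardware."""
    return strong_iterations / weak_iterations


def meets_owasp_minimum(iterations: int) -> bool:
    return iterations >= OWASP_PBKDF2_SHA256_MIN


def guesses_per_second(email: str, iterations: int, seconds: float = 0.5) -> float:
    """Rough single-core rate on this machine; a GPU cracking rig is orders of
    magnitude faster, so treat this as a lower bound on the attacker."""
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        login_hash("benchmark-guess", email, iterations)
        n += 1
    return n / (time.perf_counter() - t0)


# Constructed scenario: an old account left at 5000 iterations, and a stolen
# login hash for a master password that appears on common wordlists.
EMAIL = "user@example.com"
WEAK_ITERATIONS = 5000
WORDLIST = ["password", "letmein", "Summer2022!", "hunter2", "Tr0ub4dor&3"]
STOLEN_HASH = login_hash("Summer2022!", EMAIL, WEAK_ITERATIONS)

if __name__ == "__main__":
    found, tried = dictionary_attack(STOLEN_HASH, EMAIL, WEAK_ITERATIONS, WORDLIST)
    print(f"recovered {found!r} after {tried} guesses")
    for its in (1, 500, 5000, 100100, OWASP_PBKDF2_SHA256_MIN):
        rate = guesses_per_second(EMAIL, its, 0.3)
        print(f"{its:>7} iterations: ~{rate:,.0f} guesses/s, OWASP ok: {meets_owasp_minimum(its)}")
```

The takeaway for the commenters stuck at 500 or 5000 iterations: relative to 100100 the attacker gets a 200x or 20x throughput gain for free, and even 100100 sits well under the 600,000 floor current guidance sets for this KDF. A vault key can be verified the same way as the login hash here (decrypt one field and check it parses), so there is no need for the attacker to have the login hash specifically; what matters is that the master password is not on any wordlist and the iteration count is high.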

  • @ericdraven7857
    @ericdraven7857 Год назад

Not sure why y'all even use services like LastPass. That's just as bad.

  • @nealoglesby1059
    @nealoglesby1059 Год назад

    So do they have access to user's hashed passwords? This makes them subject to a birthday hack.

  • @stancartmankenny
    @stancartmankenny Год назад

    According to lastpass's press release, usernames are encrypted. Is that not correct?