Lastpass hacked - again

[maflynn]

Past user of Lastpass, but dropped them a while ago for a variety of reasons.
LastPass was hacked -- again
Notice of Recent Security Incident

Personally I use bitwarden and have been pleased by them, but if you're a Lasspass user, I would think long and hard about remaining with them given the numerous times they've been hacked. This time they're saying that user accounts were not compromised - at least you have that going for you

 

[Raz0rEdge]

They had a lax developer environment that was exploited. As the article states, no user data was compromised since most smart companies employ the means of least restrictions. That is, the developer environment doesn't interact directly with the production environment.

So what was accessible is the LastPass code and so on, but not customer data.

I've been a long time LastPass user and will stay.

 

[maflynn]

So what was accessible is the LastPass code and so on, but not customer data.

As I said that's a good thing.

They had a lax developer environment that was exploited.

I'd say the lax attitude extended far beyond a development environment - their track record is rather poor.
2015 Password Manager LastPass Hacked, Exposing Encrypted Master Passwords
2017 LastPass warns users to exercise caution while it fixes 'major' vulnerability
2019 Google Warns LastPass Users Were Exposed To ‘Last Password’ Credential Leak
2021 LastPass users warned their master passwords are compromised
2022 Notice of Recent Security Incident (what I posted above)

 

[Lifeisabeach]

LastPass, one of the leading password managers, said that hackers obtained a wealth of personal information belonging to its customers as well as encrypted and cryptographically hashed passwords and other data stored in customer vaults.

The revelation, posted on Thursday, represents a dramatic update to a breach LastPass disclosed in August.

Oops?

LastPass users: Your info and password vault data are now in hackers’ hands

Password manager says breach it disclosed in August was much worse than thought.

arstechnica.com

 

[Rod]

I have been a long time fan/user of Enpass because my user data is not stored on their servers. The app stores my user data on the device and syncs via iCloud backup (in my case) or OneDrive. The only drawback is that I cant login to Enpass on a different device and access my passwords. To do that I would need to download the app onto that device then sync it via iCloud.
To me that is a strength rather than an inconvenience. It effectively means I would need to pass iCloud 2FA and have the master password for Enpass known only to me.

 

[Lifeisabeach]

I have been a long time fan/user of Enpass because my user data is not stored on their servers. The app stores my user data on the device and syncs via iCloud backup (in my case) or OneDrive. The only drawback is that I cant login to Enpass on a different device and access my passwords. To do that I would need to download the app onto that device then sync it via iCloud.
To me that is a strength rather than an inconvenience. It effectively means I would need to pass iCloud 2FA and have the master password for Enpass known only to me.

Yeah, I still use 1Password 7 with a standalone license and sync over iCloud. I absolutely refuse to use 3rd party cloud hosting and this disaster with LastPass is exactly why. There aren't many cloud services I trust as much as I do iCloud. I believe Enpass is at the top of my list to switch to if/when 1Password 7 stops working for me.

I read a comment that Lastpass was bought out by a private equity firm, so this whole thing comes as no surprise. One thing I've observed over the years is that went private equity/venture capitalists seize companies like these, they nickel and dime everything, with things like security being a complete afterthought. They buy up these companies, not out of the goodness of their hearts, but to make a big return on their investment. That's why soooo many long-time 1P users were outraged when AgileBits took on venture capital. And to date, they've done nothing but validate the concerns.

 

[maflynn]

That is, the developer environment doesn't interact directly with the production environment.

So what was accessible is the LastPass code and so on, but not customer data.

SOOOOOO
it looks like customer data was impacted

LastPass users: Your info and vault data is now in hackers’ hands

Password manager says breach it disclosed in August was much worse than thought.

Notice of Recent Security Incident

LastPass' track record is so poor that it would be incredibly foolish to keep using them They've swept these issues under the rug and downplayed the impact.

 

[Lifeisabeach]

For any LastPass users reading this thread, in light of the new revelations, you will have to assume you are compromised. Change your password for LastPass now, and change AT THE MINIMUM the passwords for banking and anything else critical that you have stored in LastPass. Really, you should change everything. If you have credit cards and other banking information stored, assume they are compromised. All of it. This is legit. It's the real deal. The hackers HAVE your database and just changing the password will have zero effect on what they have in their hands. If they are able to crack the encryption, then they have it all. You need to render the entire contents of your old database worthless by changing EVERYTHING stored in it!

 

[Rod]

What an enormous PITA for users that must be. I have enough trouble keeping up with the suggested password updates from the regular Security Audit in Enpass. There are always some "weak" or compromised updates from Watchtower but thankfully very few duplicates.

 

[Lifeisabeach]

LastPass was hacked again. Again.

LastPass says employee’s home computer was hacked and corporate vault taken

Already smarting from a breach that stole customer vaults, LastPass has more bad news.

arstechnica.com

This... this just blows my mind. This is so incredibly bad.

 

[IWT]

LastPass was hacked again. Again.

LastPass says employee’s home computer was hacked and corporate vault taken

Already smarting from a breach that stole customer vaults, LastPass has more bad news.

arstechnica.com

This... this just blows my mind. This is so incredibly bad.

That's appallingly bad, given that following the last "hack", all users were told to change their master PW AND ALL of their PWs within their Vault. Gosh, I feel so sorry for those who have this app.

Ian

 

[Slydude]

When this thread popped up yesterday I initially thought someone had reacted to the initial thread. Then I read LB's post. This doesn't give users a lot of confidence.