Another LastPass Security Incident


We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

Not sure if this has already been posted?
 

*recent example*

A water company targeted by hackers says the bank details of customers could have been accessed and potentially leaked on the dark web.
South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, said it had started informing customers involved.
The firm serves more than 1.7 million people, but has not revealed how many of those are affected.

Our personal information is now on so many computers, and being stolen from unusual places, that KeePass or Bitwarden self-hosting is not going to stop hackers getting personal information. At least LastPass is being honest at the first opportunity (can the same guarantee be given for others?), and it's easier to change online passwords than it is your home address, phone number and national insurance number from the data leaks.

And considering the vast majority of the internet uses OpenSSL for encrypted links, nothing is going to protect us from the ongoing SSL exploits that started with Heartbleed, even if you manually enter your passwords from memory.
 
Having tried most of them, the answer is usually no, I end up going back to lastpass...



I've not tried it yet, but pCloud Pass is a new one that has just been released and is still under development. They are a massive Swiss cloud storage service that has been around for about 10 years.
 
So all the password data has been accessed, but it's still encrypted. So it's just a case of brute forcing and catching out the weak ones then?

I had to read it a couple of times, but that's pretty much how I read it, and they say if you were using a 12-digit password then it wouldn't be easy.

Time to move elsewhere it seems, my master password (random symbols and 15+ words) and other passwords are fairly solid but I feel a need to cycle through and change everything on the back of this 2nd incident.

Any password manager is going to be a target, and I wonder if they will be so open if they get hacked?

Just an FYI if you didn't know, Bitwarden premium can generate your 2FA codes.

It is annoying having to piddle about with a separate authenticator.
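The posts above raise the question of what "still encrypted, so just a case of brute forcing the weak ones" actually means once the vault blob is in an attacker's hands. The following is an added example, not LastPass code and not from any poster in this thread. It uses a simplified, assumed scheme (PBKDF2-HMAC-SHA256 with the account email as salt and an assumed 100,100 iterations; a SHA-256 of the derived key standing in for whatever in the stolen blob lets a guess be confirmed) to show an offline dictionary attack recovering a weak master password, and to put numbers on a 12-digit password versus a long random passphrase. The email, wordlist and the 1e6 guesses/s cracking rig are constructed or hypothetical.

```python
"""Offline guessing against a stolen, still-encrypted vault.

Added example (not LastPass code, not from any poster in this thread).
The scheme is a simplified stand-in for how cloud password managers commonly
derive a vault key from the master password; every parameter below is an
assumption for illustration:
    vault_key = PBKDF2-HMAC-SHA256(master_password, salt=email, iterations=N)
    verifier  = SHA256(vault_key)    # something the attacker can check a guess against
The point: once the encrypted blob (plus the unencrypted email used as salt)
is on the attacker's disk, every guess is tested locally, with no lockout.
"""
import hashlib
import math
import time

ITERATIONS = 100_100   # assumed default; older accounts on real products may use far fewer


def derive_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Vault key from the master password; the email acts as a per-user salt (assumed scheme)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def verifier(vault_key: bytes) -> bytes:
    """Stand-in for whatever in the stolen blob lets a guess be confirmed offline."""
    return hashlib.sha256(vault_key).digest()


def dictionary_attack(email, stolen_verifier, candidates, iterations=ITERATIONS, budget=None):
    """Try candidate master passwords; return the hit, or None if none hit (or budget exhausted)."""
    for tried, guess in enumerate(candidates, 1):
        if budget is not None and tried > budget:
            return None
        if verifier(derive_key(guess, email, iterations)) == stolen_verifier:
            return guess
    return None


def guesses_per_second(iterations=ITERATIONS, samples=10) -> float:
    """Measure this machine's single-core guess rate at the given iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"bench{i}", "bench@example.com", iterations)
    return samples / (time.perf_counter() - start)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Search-space size in bits for uniformly random choices from an alphabet."""
    return length * math.log2(alphabet_size)


def expected_seconds(space_bits: float, rate: float) -> float:
    """Average time to a hit: half the space searched at the given guess rate."""
    return (2 ** space_bits) / 2 / rate


if __name__ == "__main__":
    email = "victim@example.com"              # constructed sample account
    # Constructed: what the attacker holds after stealing the blob and the plaintext email
    stolen = verifier(derive_key("Password1", email))
    # Constructed wordlist; real attacks use leaked-password corpora plus mangling rules
    wordlist = ["123456", "letmein", "qwerty123", "Password1", "Summer2022!"]
    print("weak master password recovered:", dictionary_attack(email, stolen, wordlist))

    rate = guesses_per_second()
    print(f"this CPU core: {rate:.1f} guesses/s at {ITERATIONS} iterations")
    scenarios = {
        "12 digits": entropy_bits(10, 12),
        "12 mixed chars (95 printable)": entropy_bits(95, 12),
        "15 random words from a 7776-word list": entropy_bits(7776, 15),
    }
    for label, bits in scenarios.items():
        for who, r in (("1 CPU core", rate), ("hypothetical 1e6 guesses/s rig", 1e6)):
            years = expected_seconds(bits, r) / (365 * 24 * 3600)
            print(f"{label:40s} {bits:6.1f} bits  {who:32s} ~{years:.3g} years")
```

Two things the numbers make concrete. A salt only stops precomputation across users; it does not need to be secret, but here the attacker has it anyway because the email was in the unencrypted part of the theft, so the guessing starts immediately. And 12 digits is only about 40 bits: at the hypothetical 1e6 guesses/s it falls in days, whereas a passphrase of 15 random dictionary words (~190 bits) is out of reach at any rate, which is why the iteration count matters for the first case and barely at all for the second.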
 
Anyone defending LastPass needs to reread the article and extent of the breach.

Personal Data and URLs were taken in an unencrypted form. This makes weaponising the breach so much easier and more potent.

The update also states the source code and other data stolen would have allowed further exploitation and access to, and decryption of, cloud data.

It's generally accepted that data gets stolen, and as long as you used a strong master password the encrypted data lost isn't likely to be decrypted. Getting unencrypted data taken which can be used in phishing and other attacks to decrypt the encrypted data is shocking.

Data loss aside, there is a privacy question to ask: LastPass states they had a Zero Knowledge environment. They don't. (They have a readable list of all your services saved in their vault.)




Would moving to a different area and a different water company suddenly make the customer data safe (and will the new company be as transparent)? And if the company had been open source, would that have stopped the hackers, when it's been proven beyond doubt via the ongoing exploits of OpenSSL that open source code doesn't do jack **** for security?

All password managers are a target, and all password managers store the data in the cloud unless you self-host, so now, as the Bitwarden user base grows, it will become a higher-value target for hackers and open source code exploits.

In my opinion. :)
 
What's OpenSSL got to do with anything?

WTF! :eek:

OpenSSL is a widely used cryptographic and secure communication software library. OpenSSL is available on all Operating Systems (OS). Exploitation of this vulnerability could allow a malicious actor to gain remote code execution rights on the host running OpenSSL and perform unauthorised actions.

Another WTF! moment. :D

A utility provider supplies you a utility, and whilst they should be keeping your data safe, that isn't their primary business.

That was just an example of how easy it is for hackers to get personal information that is of high value and hard to change. You have no control over all the computers that hold your personal information (apart from GDPR, which doesn't tell you what companies are holding your details), but you do have some control over a password manager by changing your passwords in a timely manner when a company like LastPass informs users at the first legal opportunity.
 
Certainly isn't about OpenSSL, which we all know about.

So you think LastPass URLs not being encrypted is worse than the OpenSSL Heartbleed exploit that stole millions of our passwords that we will never know about, as there were no logs?

I think data and passwords being stolen has everything to do with data and passwords being stolen; not sure why you're trying to differentiate, or why you would even think it was shilling?
 
What. Are. You. Talking. About!?

Encrypted URL?!??

I'm out. You don't read, nor comprehend.

We are all annoyed, me old mate; this is just general discussion, not Speakers' Corner. :)

I use KeePassXC

I admire your ability to use that interface; even my uncle dislikes it, and he's a man who misses Ceefax. :D

I use Mozilla Sync. Never had an issue. It just works.

Shhhhhhhhhhh!, don't tempt fate.

120-odd sites updated. About a third of the way through.

Closed some accounts where the option was obvious.

I'm down to about my last 40 or so; it's a complete pain that some websites make it so long-winded.
 
I've just had a look at KeePassXC for the first time in years and I have to say it looks a bit more polished than I remember it (unless I'm confusing it with older KeePass), but my god, the user interface is still confusing for an idiot like me.

I find it intimidating that I might **** up the database.
 
So how does KeePassXC work on iOS? It's not that cross-platform, unlike something such as Bitwarden.

Unless I'm missing something blatantly obvious about KeePassXC (because I am an idiot), it seems easier and far less convoluted to me to just use the Firefox function that allows you to import/export passwords to a CSV file, encrypt the file yourself and use a separate authenticator?

But unless you self-host those files on a home server (then you might as well use Bitwarden self-hosted), you're still stuck in the same situation of having to use a cloud server for those encrypted files and keys. So if you're going to use a cloud server, then you might as well either use Firefox Sync (as mrk said he's been using for years in this thread) or just stick with a fully fledged password manager like LastPass, Bitwarden or whatever.

In my opinion, if any of that made sense. :)
 
OK! How do I apologise to all the people I've mocked for years for using KeePassXC? It's growing on me. :D

Since I've been playing with it via the browser interface, it's making more sense to me that you can leave most of the settings on default. It also has built-in 2FA that you can use via the browser interface, which I didn't realise before, though I've not tried that part of it yet.

Not sure about syncing. I see people on Reddit are using the Mega free encrypted cloud service; I'm not sure how I feel about that, as the owner of Mega has never had a good reputation, using USB sticks is a faff, and you certainly would never email the database to yourself. :p
 
It's certainly more convoluted, fugly and doesn't really seem practical between multiple devices. Being fickle, I might hate it again in 10 minutes and go back to mocking people. :P
 
I see from online comments that apparently no company offering a password manager can truly offer a Zero Knowledge model, as apart from account and billing administration they are tied by know-your-customer laws; not sure if that's an American thing or not?

And apparently LastPass has always been open about not encrypting certain parts of the field information, such as URLs; not that that helps any of us if we start being flooded with phishing emails.
 