"Security Incident" At Lastpass, Lastpass hacked, customer info leaked August 2022

Posted 1st Dec 2022 (Posted 9 h, 42 m ago)

Just had this in an email, not sure if this is widely known or not, however I used to use Lastpass, so thought worth sharing, this is the second time it has happened

Dear valued customer,

In keeping with our commitment to transparency, we wanted to inform you of a security incident that our team is currently investigating.

We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass's Zero Knowledge architecture.

We are working diligently to understand the scope of the incident and identify what specific information has been accessed. As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around the setup and configuration of LastPass, which can be found here.

As is our practice, we will continue to provide updates as we learn more. Please visit the LastPass blog for the latest information related to the incident: blog.lastpass.com/202…nt/.

We thank you for your patience while we work through our investigation.

Misc

New Comment

Groups

Services & Contracts

40 Comments

sorted by

9 h, 26 m ago
For the last few years, I have gone through all the online accounts I have ever made (all tracked in a text file) and deleted every one that I am not using. Took a lot of effort, and still a work in progress.

Hacking / data leaks are a part of life now and the only way to reduce the impact is to minimise our online footprint. So if a retailer forces me to create an online account, I abandon the shopping cart (unless it is a phone + pens + bidet deal ). I just don't see any alternative given how dependent we all are on technology now.
8 h, 56 m ago
Use throwaway addresses and single use payment cards if available
9 h, 26 m ago
Jesus.... I've been using this and I've absolutely loved it but now I'm really worried...
5 h, 18 m ago
Move to bitwardan, export out off lastpass
9 h, 21 m ago
This is the fundamental reason I don't use these services - just seems to me that keeping all your passwords in one place makes them a huge hacker target. IT progresses so quickly, that what is considered AAA secure today probably won't be in 18 months time, and I've never been convinced that a lot of these companies have the resources to keep up.
8 h, 48 m ago
What a lot recommend is to use a password manager with a "salt" (if I remember the word correctly). So generate the first part of the password for site A - example: R2&$YU4W and site B - example: 7*#pVw2!

Then add on something that you commit to memory but have not saved anywhere - example: Archer

So password for site A = R2&$YU4WArcher
Password for site B = 7*#pVw2!Archer

If password manager is breached, the generated part may be compromised, but the salt you use would not be.

The majority of attackers would use credentials to brute force. But attempting to brute force with only the generated portion of the password would not work.

There is always a balancing act between security and convenience. Of course in an ideal world you'd use a unique password on every site and commit to memory without storing it anywhere. However, a password manager is markedly better than reusing the same passwords which most do. It's just important to find a reliable, trustworthy, secure solution - not Lastpass.
9 h, 28 m ago
I'd recommend Bitwarden. I moved when last pass started to propose the increased fees for premium users a few years ago, been really pleased with it tbh.
8 h, 57 m ago
Same here. Lastpass is awful and that pushed me to switch. Bitwarden is far better in terms of features, UX, and cost. No reason to use Lastpass over it
9 h, 25 m ago
I immediately switched to bitwarden when they got taken over by LogMeIn Inc. Lucky i did.
9 h, 36 m ago
I use this but not got an email, not yet anyway.
9 h, 22 m ago
I use Google password. Free and they know all my stuff anyhow. (edited)
8 h, 28 m ago
With Google there's another troubling concern, should you get banned or blocked for any reason across any of the vast services they offer, you are absolutely in the mud. That's more worrying than if they have your data IMO

Can't have all your eggs in one place n that (edited)
7 h, 23 m ago
I take the Micky out of my 75 year old dad having passwords written down on scraps of paper scattered all over the house. Maybe this is an improvement over LastPass.
9 h, 10 m ago
Explains the reason why it's called LastPass.
9 h, 14 m ago
Not good, even considering encryption supposedly keeping passwords safe, a concern that this has happened, and I'd still be worried if I used LastPass.

I've used safeincloud for years, and although I sync my passwords via Google drive as an encrypted file, the passwords don't sync with their own servers, just stored within the app on the device, and works well for me. But how safe is that......? So far so good, until it isn't I guess?

I do worry about how safe all these managers are, even when I save my passwords through Google I think about what 'could happen' and ask myself is this really safe?
9 h, 13 m ago
Never keep your passes in stupid cloud. Easy as that.

If you need, use only local app if you need to.
Author
9 h, 8 m ago
The only reason I used it was when I had a huawei phone without access to Google. Used it to ore fill passwords, worked well tbf
7 h, 33 m ago
LastPass has been hacked once before, only a fool would have still continued with them. You've only yourself to blame. Writing your passwords in a paper notepad would have been safer than LastPass! (edited)
9 h, 37 m ago
Not again!! That’s twice in about 3 months is t it!!!
Author
9 h, 35 m ago
Think so yeah. Not great
9 h, 14 m ago
This is happening way too often now. These companies need to start paying compensation to the affected users
8 h, 42 m ago
Might be a stupid question but what’s the difference between using Apple/Google to automatically remember passwords and sites like this?
8 h, 25 m ago
Not much. You're just placing trust in Google over Apple. And their security implementation of the services. I'd trust Google security over LastPass and Apple but I'd place even higher trust in something open and transparent like Bitwarden
4 h, 25 m ago
I was cringing when seeing ppl putting their password into last pass, my concern is more about the trust on that company itself, but assuming they can secure it from hacker. Now the hacker itself managed to break in,... really no point in paying the premium.
3 h, 23 m ago
Nevermind. I need to make a trip to sillicon valley and start developing password implants. It can only be breached by two things, death and a coroner. (edited)
3 h, 9 m ago
Why use a cloud password service. Its ticking time bomb. Use keepapss, its stored on your own system !
2 h, 36 m ago
Yeah, I have been using it for years. I have it backed up 4 times (I lost a load of passwords once by not backing the USB drive up) but all the devices I own at home, if house was ever burgled and they took all 4 hard drives/USB's I'd be stuffed, I doubt they would be able to crack it but I wouldn't have my passwords. Still don't trust cloud stuff though.
2 h, 7 m ago
I too refuse to use cloud based password management services (I have a Dashlane account, but I never use it). It is hard work keeping all the passwords in my head - as I have to remember the entire families worth of account details too! However when I forget I simply run the password recovery tool found on most sites I need to access. The only time this has let me down is with my FingBox. I forgot the password and it has rendered the physical box useless. I did try to reach out to Fing and explain the problem and they did make me jump through lots of hoops (sending photos of the invoice, the serial number, the box it came in!). Still they refused to reset it So it sits collecting dust as a reminder not to forget passwords!