Lastpass compromised

cyberguypr Senior Member, Mod Posts: 6,886
Sad that I had to hear about this from Reddit. Not even on Lastpass.com's main page.

https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.

Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
An email is also being sent to all users regarding this security incident. We will also be prompting all users to change their master passwords. You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites.

Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.

Security and privacy are our top concerns here at LastPass. Over the years, we have been and continue to be dedicated to transparency and proactive measures to protect our users. In addition to the above steps, we’re working with the authorities and security forensic experts.
We apologize for the extra steps of verifying your account and updating your master password, but ultimately believe this will provide you better protection. Thank you for your understanding and support.

Joe Siegrist
& the LastPass Team

Comments

  • philz1982 Member Posts: 978
    It seems like it's one a day lately and the new trend, although a bit early to call it a trend, is the attacking of the "security" companies.
  • techfiend Member Posts: 1,481
    Kind of ironic, but they are the biggest targets. Wonder if I should switch to KeePass or try LastPass's multifactor authentication. Does anyone have experience with any of their options? Toopher and Transakt seem the most reasonable.
    2018 AWS Solutions Architect - Associate (Apr) 2017 VCAP6-DCV Deploy (Oct) 2016 Storage+ (Jan)
    2015 Start WGU (Feb) Net+ (Feb) Sec+ (Mar) Project+ (Apr) Other WGU (Jun) CCENT (Jul) CCNA (Aug) CCNA Security (Aug) MCP 2012 (Sep) MCSA 2012 (Oct) Linux+ (Nov) Capstone/BS (Nov) VCP6-DCV (Dec) ITILF (Dec)
  • renacido Member Posts: 387
    Used to be an unspoken rule that security companies are off limits. But after Kaspersky was targeted it became clear that the gentlemen's code is a thing of the past.
  • renacido Member Posts: 387
    And btw if your password keeper doesn't use multifactor you're just putting all your gold in one big pot.

    I use Password Safe with a yubikey for 2-factor fyi.
  • stryder144 Senior Member Posts: 1,663
    I actually found out about it when they emailed me today. Fastest security breach email I've ever encountered. Interesting.
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia

    Connect With Me || My Blog Site || Follow Me
  • dave0212 Member Posts: 287
    I received an email this morning as well.

    I use 2 factor and a ridiculously long password, the added control of email verification is nice but could be inconvenient.

    Will be checking if my clients who use the enterprise edition have been notified as well
    This week I have achieved unprecedented levels of unverifiable productivity


    Working on
    Learning Python and OSCP
  • SaSkiller OSWP, GPEN, GWAPT, GCIH Member Posts: 337
    What kills me is that for some time Reddit and others were singing the praises of KP and LP, as well as this or that VPN or encryption system. They forget the basic rule: everything can be hacked. I have no expectation that my data, that my information, is ever safe. I do what I can reasonably do to protect myself, but you will never hear me say that product "a" is what everyone should use.
    OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
  • echo_time_cat Member Posts: 74
    ...I was kinda wondering when this would happen. Everyone eventually gets hacked, it's the response that separates the wheat from chaff so to speak.
  • Priston Member Posts: 999
    I still don't even understand the appeal of lastpass and the other stuff like it.
    A.A.S. in Networking Technologies
    A+, Network+, CCNA
  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Member Posts: 5,735
    @Priston: The ability to use EXTREMELY long passwords that you don't have to regularly type in. Also, if you have many accounts and passwords it's hard to manage them, which keeps you from using long and random passwords.

    LastPass is saying they have had a breach, but that doesn't necessarily equate to intruders getting keys or credentials. That being said, it's still good to go through and change any sensitive accounts as well as your master password.
    Currently working on: Linux and Python
  • Priston Member Posts: 999
    If you want multiple things to be secure, you don't put it all in one place. Also, if security isn't that big of a deal, do you really need a different password for everything?

    Personally, if something is really important to me I don't mind typing 20-40 characters.
    A.A.S. in Networking Technologies
    A+, Network+, CCNA
  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Member Posts: 5,735
    I'm not sure where you read that security is not a big deal for me. Sigh...
    Currently working on: Linux and Python
  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Member Posts: 5,735
    echo_time_cat wrote: »
    ...I was kinda wondering when this would happen. Everyone eventually gets hacked, it's the response that separates the wheat from chaff so to speak.

    Yup. It's foolish to tear a company apart. Breaches are everywhere and it's only a matter of time for everyone. Like you said, it's about how you respond and treat your customers.
    Currently working on: Linux and Python
  • Priston Member Posts: 999
    I just don't understand how software like lastpass is any different than using the same password for everything.
    A.A.S. in Networking Technologies
    A+, Network+, CCNA
  • renacido Member Posts: 387
    As a hacker I'd rather have to crack a 20 char strong password than try to defeat modern 2-FA any day of the week.
  • YFZblu Member Posts: 1,462
    renacido wrote: »
    Used to be an unspoken rule that security companies are off limits. But after Kaspersky was targeted it became clear that the gentlemen's code is a thing of the past.

    ...what about RSA in 2011? Bit9 in 2013? I'm sure there have been others. I never got the feeling anybody was off limits. IMO, the only thing to be careful of from an attacker's point-of-view is ticking off one's own government.
  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Member Posts: 5,735
    YFZblu wrote: »
    ...what about RSA in 2011? Bit9 in 2013? I'm sure there have been others. I never got the feeling anybody was off limits. IMO, the only thing to be careful of from an attacker's point-of-view is ticking off one's own government.

    Yup, you gotta know...
    You've got to know when to hold 'em
    Know when to fold 'em
    Know when to walk away
    And know when to run

    http://www.azlyrics.com/lyrics/kennyrogers/thegambler.html
    Currently working on: Linux and Python
  • renacido Member Posts: 387
    Priston wrote: »
    I just don't understand how software like lastpass is any different than using the same password for everything.

    If your security policy requires 20-character passwords and doesn't allow the use of password vaults like LP, you'll have at least 50% of your accounts using passwords such as:

    companyname2015
    companyname(last 4 of SSN)

    or they'll be in any dictionary list even the lamest script kiddie has easy access to.

    On the other hand, a user putting all of their passwords in a vault protected by one strong password protected with PBKDF2-SHA256 requires significant time, effort, processing power, and skill to crack. Now add 2-FA and it pretty much requires insider collusion.
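The notice quoted at the top of the thread (per-user server salt plus 100,000 rounds of server-side PBKDF2-SHA256 on top of the client-side rounds) and renacido's point above about the cost of cracking a PBKDF2-protected master password are easier to reason about with a model you can run. The block below is an added example written for this page; it is not LastPass's code and not code from any poster. It assumes a client-side iteration count of 5,000 (the notice does not state it), and the function names (client_derive, server_enroll, server_verify, offline_crack, demo), the sample account, the wordlist and the detail of deriving the auth hash from the vault key are all illustrative choices, not a description of LastPass's real implementation.

```python
import hashlib
import hmac
import os
import time

# Iteration counts. The notice gives 100,000 server-side rounds; it does not give the
# client-side count, so 5,000 is an assumption used only for illustration.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_derive(master_password, email, rounds=CLIENT_ROUNDS):
    """Client side (illustrative model, not LastPass's code).

    The vault key is derived from the master password salted with the account e-mail.
    The authentication hash sent to the server is derived FROM the vault key, so the
    server only ever receives the auth hash and never the key that decrypts the vault.
    """
    pw = master_password.encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, email.lower().encode(), rounds, 32)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1, 32)
    return vault_key, auth_hash


def server_enroll(auth_hash, rounds=SERVER_ROUNDS, salt=None):
    """Server side: strengthen the received auth hash with a random per-user salt.

    The (salt, stored) pair is what the notice says was taken, alongside the e-mail.
    """
    if salt is None:
        salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds, 32)
    return salt, stored


def server_verify(auth_hash, salt, stored, rounds=SERVER_ROUNDS):
    """Constant-time comparison of a freshly strengthened auth hash against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds, 32)
    return hmac.compare_digest(candidate, stored)


def offline_crack(email, salt, stored, candidates,
                  client_rounds=CLIENT_ROUNDS, server_rounds=SERVER_ROUNDS):
    """Offline attack using exactly the leaked fields: e-mail, per-user salt, stored hash.

    Every guess costs the client-side rounds PLUS the server-side rounds, and the
    per-user salt means the work cannot be shared across accounts (no precomputed tables).
    Returns (matching guess or None, guesses tried, seconds per guess).
    """
    start = time.perf_counter()
    tried = 0
    for guess in candidates:
        tried += 1
        _, auth_hash = client_derive(guess, email, client_rounds)
        if server_verify(auth_hash, salt, stored, server_rounds):
            return guess, tried, (time.perf_counter() - start) / tried
    return None, tried, (time.perf_counter() - start) / max(tried, 1)


def demo(client_rounds=CLIENT_ROUNDS, server_rounds=SERVER_ROUNDS):
    """Enrol two constructed accounts and attack both with a constructed wordlist."""
    email = "alice@example.com"                      # constructed sample account
    weak_master = "companyname2015"                  # the kind of password renacido describes
    strong_master = "J7!qv#Lm2^zR9sTb&4wX"           # 20 random characters, not in the wordlist
    wordlist = ["password", "letmein", "companyname2014", "companyname2015", "Tr0ub4dor&3"]

    results = {}
    for label, master in (("weak", weak_master), ("strong", strong_master)):
        _, auth_hash = client_derive(master, email, client_rounds)
        salt, stored = server_enroll(auth_hash, server_rounds)
        found, tried, per_guess = offline_crack(email, salt, stored, wordlist,
                                                client_rounds, server_rounds)
        results[label] = {
            "cracked": found,
            "guesses": tried,
            "seconds_per_guess": per_guess,
            # Single-core rate this hashing allows. Real attackers use GPUs and many cores,
            # but the weak password falls at any rate, while the strong one is never found
            # because it never appears among the guesses.
            "guesses_per_day_one_core": int(86400 / per_guess) if per_guess else None,
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

With the default counts, demo() takes well under a second on a laptop and reports a single-core rate in the low thousands of guesses per day; multiply that by the GPU and core counts a real attacker has and it is still a wordlist attack, which is why the weak master password in the sample falls and the 20-character random one does not. The per-user salt is what stops one precomputed table from being reused against every account in the dump, which is the point behind the question of how useful the stolen salts and hashes actually are.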
  • tpatt100 Member Posts: 2,991
    The integration into your browser is why I liked it, I am good at creating and storing passwords in a password manager but LP's browser plug in was pretty good.
  • techfiend Member Posts: 1,481
    Browser integration sold me. Time to enable multifactor, transakt or toopher?
    2018 AWS Solutions Architect - Associate (Apr) 2017 VCAP6-DCV Deploy (Oct) 2016 Storage+ (Jan)
    2015 Start WGU (Feb) Net+ (Feb) Sec+ (Mar) Project+ (Apr) Other WGU (Jun) CCENT (Jul) CCNA (Aug) CCNA Security (Aug) MCP 2012 (Sep) MCSA 2012 (Oct) Linux+ (Nov) Capstone/BS (Nov) VCP6-DCV (Dec) ITILF (Dec)
  • discount81 Member Posts: 213
    I don't want to say it's impossible, but Lastpass wasn't really hacked, not properly.

    For starters, your data is always encrypted on your side; if you lose your master pass, LastPass can't help you.

    It would be like someone getting my SSH public key: big deal, they stole it, but it helps them do absolutely nothing as I still have the private key.
    Also, having 2FA on your account with an obscure password, it basically is impossible to hack.

    As for why I use it: because I have 500+ different accounts. Before LastPass I used the same 3 or 4 passwords for each site; whenever I went to the site I had to try and remember which one it was, and sometimes got locked out or had to email the forgotten password link.

    Now I have a unique 30 character password for any site that allows it and I only need to remember 1 complex password.
    http://www.darvilleit.com - a blog I write about IT and technology.
  • Chivalry1 Member Posts: 569
    For this very reason you should change your password for your most sensitive sites. At least once a year if not twice a year. Random different password for each site. Personally I am in favor of password managers such as LastPass. I actually recommend this product to many customers and friends. Much better than storing the password in your browser cache like many are doing these days.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
  • SephStorm Member Posts: 1,732
    Question, why is any data stored on LP servers?

    Why do they have hashes? Shouldn't they be stored locally and maybe exportable in case the user wants to back up to local media? The risk associated with this compromise could be much less if they had employed a local policy.
  • beads Senior Member Posts: 1,506
    The question at hand is how useful is the breach? Did the attacker get all the salts in a useful manner suitable for reverse hashing (cracking)? Can someone show evidence of this compromise being used in the wild against a real target or is this good bad guy PR?

    @Priston Frankly I have no idea how to explain it in a way that would be simple enough to understand for your satisfaction. It's long, next to impossible to defeat, and thus far no evidence to the contrary has been presented. Or at least none that I personally know of at this time.

    Security companies being breached? I believe F-Secure was breached and reported such years ago, but with less chest pounding than where Kaspersky is concerned. Eugene is a bit paranoid but even better at PR than his A/V solution. Yes, I can poke holes in all anti-virus solutions. They're all seriously flawed in one place or another.

    It's not as easy as the media makes it sound.

    -b/eads