NewbyUser (ESET Insiders), posted December 28, 2021 (edited for spelling)

Anyone using LastPass may want to change their master password or change password management services.
https://appleinsider.com/articles/21/12/28/lastpass-master-passwords-may-have-been-compromised
itman, posted December 28, 2021 (edited)

Saw that. Another article here: https://www.bleepingcomputer.com/news/security/lastpass-users-warned-their-master-passwords-are-compromised/

LastPass response (quoted from the article):

LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum told BleepingComputer that "LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services."

"It's important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure," Bacso-Albaum added.
NewbyUser (ESET Insiders, thread author), posted December 28, 2021

Along the same lines, don't use browsers for passwords:
https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-passwords-shouldnt-be-saved-in-browsers/
itman, posted December 28, 2021

Probably the best advice to LastPass users is the last paragraph of the bleepingcomputer.com article:

Quote: LastPass users are advised to enable multifactor authentication to protect their accounts even if their master password was compromised.
itman, posted December 28, 2021

24 minutes ago, NewbyUser said: Along the same lines, don't use browsers for passwords: https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-passwords-shouldnt-be-saved-in-browsers/

Of note (quoted from the article):

The malware targets the 'Login Data' file found on all Chromium-based web browsers and is an SQLite database where usernames and passwords are saved.
NewbyUser (ESET Insiders, thread author), posted December 29, 2021

3 hours ago, itman said: Of note: [...]

Firefox isn't immune either:

– Browsers targeted for attack
  – All Chromium-based browsers
  – All Gecko-based browsers
– Cryptocurrency wallet information
  – Seed file saved to the system

https://asec.ahnlab.com/en/29885/
itman, posted December 29, 2021

Latest situation update statement from LastPass per the previously posted bleepingcomputer.com link (quoted):

As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts. We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that users' LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.

However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved. These alerts were triggered due to LastPass's ongoing efforts to defend its customers from bad actors and credential stuffing attempts.

It is also important to reiterate that LastPass's zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user's Master Password(s). We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.
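The two LastPass statements quoted above (the first describing credential stuffing with leaked email/password pairs, the second admitting that some blocked-login alerts were "triggered in error") describe a detection problem a defender can make concrete. The following Go program is an added example written for this page; it is not LastPass code and not from any of the posters. It parses a small constructed authentication log, separates the credential-stuffing shape (many accounts, few failures each, short window) from plain brute force (one account, many failures), and lists the accounts where a failing source IP then logged in successfully, which is the population that needs a reset and MFA first. The log format, the IP addresses, the account names and the thresholds are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

type LoginEvent struct {
	When    time.Time
	Account string
	SrcIP   string
	Success bool
}

// sampleLog is constructed for this example; it is not output of any real service.
const sampleLog = `
2021-12-27T22:00:01Z login account=alice@example.test ip=198.51.100.7 result=fail
2021-12-27T22:00:02Z login account=bob@example.test ip=198.51.100.7 result=fail
2021-12-27T22:00:02Z login account=carol@example.test ip=198.51.100.9 result=fail
2021-12-27T22:00:04Z login account=erin@example.test ip=198.51.100.7 result=fail
2021-12-27T22:00:05Z login account=erin@example.test ip=198.51.100.7 result=ok
`

// parseLog reads lines shaped "<RFC3339> login account=<id> ip=<addr> result=<ok|fail>",
// skipping blank or malformed lines rather than aborting the whole batch.
func parseLog(text string) []LoginEvent {
	var events []LoginEvent
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) != 5 || f[1] != "login" {
			continue
		}
		when, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		kv := map[string]string{}
		for _, pair := range f[2:] {
			k, v, _ := strings.Cut(pair, "=")
			kv[k] = v
		}
		events = append(events, LoginEvent{When: when, Account: kv["account"], SrcIP: kv["ip"], Success: kv["result"] == "ok"})
	}
	return events
}

type Verdict struct {
	Kind           string // "credential-stuffing", "brute-force" or "normal"
	FailedAttempts int
	Accounts       int // distinct accounts with at least one failure
	Sources        int // distinct source IPs behind those failures
}

// classifyFailures encodes the shape LastPass describes: stuffing replays leaked
// email/password pairs, so many accounts each fail once or twice in a short window,
// whereas brute force is one account failing many times. Both thresholds are tuning
// assumptions, not any vendor's values; set minAccounts too low and ordinary typos
// produce exactly the kind of alert the thread says was "triggered in error".
func classifyFailures(events []LoginEvent, since time.Time, minAccounts, maxPerAccount int) Verdict {
	v := Verdict{Kind: "normal"}
	perAccount, sources, maxOnOne := map[string]int{}, map[string]bool{}, 0
	for _, ev := range events {
		if ev.Success || ev.When.Before(since) {
			continue
		}
		v.FailedAttempts++
		perAccount[ev.Account]++
		sources[ev.SrcIP] = true
		if perAccount[ev.Account] > maxOnOne {
			maxOnOne = perAccount[ev.Account]
		}
	}
	v.Accounts, v.Sources = len(perAccount), len(sources)
	switch {
	case maxOnOne > maxPerAccount:
		v.Kind = "brute-force"
	case v.Accounts >= minAccounts:
		v.Kind = "credential-stuffing"
	}
	return v
}

// succeededAfterFailure returns the accounts where a source IP failed and then logged in:
// the replayed pair was valid, so those users need a reset and MFA before anyone else.
func succeededAfterFailure(events []LoginEvent) map[string]bool {
	failedFrom, hit := map[string]bool{}, map[string]bool{}
	for _, ev := range events {
		key := ev.Account + "|" + ev.SrcIP
		if !ev.Success {
			failedFrom[key] = true
		} else if failedFrom[key] {
			hit[ev.Account] = true
		}
	}
	return hit
}

func main() {
	events := parseLog(sampleLog)
	v := classifyFailures(events, time.Date(2021, 12, 27, 21, 50, 0, 0, time.UTC), 4, 2)
	fmt.Printf("%s: %d failures across %d accounts from %d source IPs\n", v.Kind, v.FailedAttempts, v.Accounts, v.Sources)
	fmt.Println("accounts to reset first:", succeededAfterFailure(events))
}
```

The window start and the two thresholds are the whole game: a per-account alert fired on a single failure is what produces mistaken notices, while a population-level rule (many accounts failing once each from a small set of sources) is what actually distinguishes stuffing from a user mistyping.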
j_mo, posted December 30, 2021

Just my humble two cents here, but I don't understand why anyone would use this service. Some quick research will show they've been plagued by security incidents for years. They are owned by LogMeIn, a company that tolerates widespread scamming and data ransoming activity with their applications and does little to nothing about it. It is counterproductive to say the least to think the solution to keeping your passwords safe is to hand them over to a corporation, especially one that has shown it has difficulty keeping its servers secure. The whole model is wrong. People's sensitive data should not be concentrated in one location, ever. That's just asking for trouble, both from outside attacks and unscrupulous parties within.

Personally, I use SafeinCloud. I'm not trying to advertise for anyone (there are many other options; it's the setup, not the software maker, that's important) and I'm not some super network security or cryptography guru, but as I understand it, it encrypts your password database and uploads it to whatever cloud service you choose, including your own if you wish via WebDAV. Neither they nor the cloud provider can access your passwords. An attacker, even if they somehow acquired your master password, would have to hunt down your file in the sea of the internet or run across it by chance; there is no convenient company data center to attack. The one small convenience disadvantage is that you can't quickly install an extension on a browser you're using on a public or guest computer and get your passwords. This has never really been a big issue for me, and it is also a tradeoff for better security. The browser extensions are just pulling from the local database on the device and letting you autofill, as opposed to having to copy and paste from the main program. My app costs a little money for premium features like Windows Hello support; that's it.

No one should have to pay a monthly fee to someone just to secure their passwords. Do not let anyone convince you that is something that should be. You can even use completely free and open source programs like KeePass, where not only are you keeping your own passwords in a location you actually know, you or someone you trust can examine the source code yourself and know exactly what is being done with them.
peteyt (Most Valued Members), posted December 30, 2021

2 hours ago, j_mo said: Just my humble two cents here, but I don't understand why anyone would use this service. Some quick research will show they've been plagued by security incidents for years. They are owned by LogMeIn, a company that tolerates widespread scamming and data ransoming activity with their applications and does little to nothing about it. [...]

I knew LastPass has had a few security issues but wasn't aware of LogMeIn. I do find remote access programs often get a bad name as they are also used by scammers. When he was around, my grandad fell for one of these. They used the event viewer scam to show him errors and claim it was multiple viruses.
N-One, posted January 11, 2022

Would Bitwarden be any better?
NewbyUser (ESET Insiders, thread author), posted January 11, 2022

Short answer, yes. By a wide margin in my opinion; others would likely disagree.