
LastPass may have been Hacked


NewbyUser


Anyone using Lastpass may want to change their master password or change password management services.


https://appleinsider.com/articles/21/12/28/lastpass-master-passwords-may-have-been-compromised


Saw that. Another article here: https://www.bleepingcomputer.com/news/security/lastpass-users-warned-their-master-passwords-are-compromised/

LastPass response:

Quote

LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum told BleepingComputer that "LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services."

"It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure," Bacso-Albaum added.


24 minutes ago, NewbyUser said:

Of note:

Quote

The malware targets the 'Login Data' file found on all Chromium-based web browsers and is an SQLite database where usernames and passwords are saved.


3 hours ago, itman said:

Of note:

Firefox isn't immune either:

Browsers targeted for attack
– All Chromium-based browsers
– All Gecko-based browsers
Cryptocurrency wallet information
– Seed file saved to the system

https://asec.ahnlab.com/en/29885/


Latest situation update statement from LastPass per previously posted bleepingcomputer.com link:

As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts.

We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third party as a result of this credential stuffing, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.

However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.

Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.

These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass’s zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).

We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.

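Both LastPass statements above attribute the blocked logins to credential stuffing, and the second adds that some of the alert e-mails were sent in error. The following is an added example, not code from this thread or from LastPass, showing how a defender can tell credential stuffing (one source trying many different accounts, mostly failing) apart from brute force (one account, many attempts) and from a busy shared address (many accounts, mostly succeeding) in authentication logs, and why notifying only the accounts hit by a confirmed stuffing source, with a successful login from such a source treated as the priority alert, keeps the notifications meaningful. The log format, addresses, user names and thresholds are all constructed for the example.

```javascript
// Added example: credential-stuffing triage over constructed auth log lines.
// Not from the forum thread or from any vendor; format and values are assumptions.
const SAMPLE_LOG = `
2021-12-27T10:00:01Z login_failed  user=alice@example.com   ip=203.0.113.10
2021-12-27T10:00:02Z login_failed  user=bob@example.com     ip=203.0.113.10
2021-12-27T10:00:02Z login_failed  user=carol@example.com   ip=203.0.113.10
2021-12-27T10:00:03Z login_failed  user=dave@example.com    ip=203.0.113.10
2021-12-27T10:00:03Z login_failed  user=erin@example.com    ip=203.0.113.10
2021-12-27T10:00:04Z login_ok      user=frank@example.com   ip=203.0.113.10
2021-12-27T10:00:05Z login_failed  user=grace@example.com   ip=203.0.113.10
2021-12-27T10:01:00Z login_failed  user=heidi@example.com   ip=198.51.100.7
2021-12-27T10:01:01Z login_failed  user=heidi@example.com   ip=198.51.100.7
2021-12-27T10:01:02Z login_failed  user=heidi@example.com   ip=198.51.100.7
2021-12-27T10:01:03Z login_failed  user=heidi@example.com   ip=198.51.100.7
2021-12-27T10:01:04Z login_failed  user=heidi@example.com   ip=198.51.100.7
2021-12-27T10:02:00Z login_ok      user=ivan@example.com    ip=192.0.2.50
2021-12-27T10:02:01Z login_ok      user=judy@example.com    ip=192.0.2.50
2021-12-27T10:02:02Z login_failed  user=mallory@example.com ip=192.0.2.50
2021-12-27T10:02:03Z login_ok      user=niaj@example.com    ip=192.0.2.50
2021-12-27T10:02:04Z login_ok      user=olivia@example.com  ip=192.0.2.50
2021-12-27T10:02:05Z login_ok      user=peggy@example.com   ip=192.0.2.50
`;

const LINE_RE = /^(\S+)\s+(login_ok|login_failed)\s+user=(\S+)\s+ip=(\S+)$/;

// Parse the constructed format into {ts, ok, user, ip} events.
function parseAuthLog(text) {
  return text.split('\n').map(l => l.trim()).filter(Boolean).map(line => {
    const m = LINE_RE.exec(line);
    if (!m) throw new Error(`unparseable log line: ${line}`);
    return { ts: m[1], ok: m[2] === 'login_ok', user: m[3], ip: m[4] };
  });
}

// Per-source counters: attempts, failures and the set of distinct accounts tried.
function summarizeByIp(events) {
  const byIp = new Map();
  for (const e of events) {
    let s = byIp.get(e.ip);
    if (!s) { s = { ip: e.ip, attempts: 0, failures: 0, users: new Set() }; byIp.set(e.ip, s); }
    s.attempts += 1;
    if (!e.ok) s.failures += 1;
    s.users.add(e.user);
  }
  return byIp;
}

// Classify each source. Stuffing = high failure ratio across MANY accounts;
// brute force = high failure ratio against FEW accounts; everything else benign.
// The thresholds are tuning knobs chosen for this sample, not fixed rules.
function classifySources(events, { minAttempts = 5, minDistinctUsers = 5, minFailureRatio = 0.8 } = {}) {
  const verdicts = {};
  for (const s of summarizeByIp(events).values()) {
    const ratio = s.failures / s.attempts;
    let verdict = 'benign';
    if (s.attempts >= minAttempts && ratio >= minFailureRatio) {
      verdict = s.users.size >= minDistinctUsers ? 'credential_stuffing' : 'brute_force';
    }
    verdicts[s.ip] = { verdict, attempts: s.attempts, failures: s.failures, distinctUsers: s.users.size };
  }
  return verdicts;
}

// Accounts hit by a stuffing source: the users worth notifying. Alerting from
// this list, rather than on every blocked login, avoids spurious e-mails.
function targetedUsers(events, verdicts) {
  const hit = events.filter(e => verdicts[e.ip] && verdicts[e.ip].verdict === 'credential_stuffing');
  return [...new Set(hit.map(e => e.user))].sort();
}

// A SUCCESSFUL login from a stuffing source means a reused password worked:
// this is the high-priority alert (force a password change, review sessions).
function suspectedCompromises(events, verdicts) {
  const ok = events.filter(e => e.ok && verdicts[e.ip] && verdicts[e.ip].verdict === 'credential_stuffing');
  return [...new Set(ok.map(e => e.user))].sort();
}

const EVENTS = parseAuthLog(SAMPLE_LOG);
const VERDICTS = classifySources(EVENTS);
console.log(VERDICTS);
console.log('notify:', targetedUsers(EVENTS, VERDICTS));
console.log('suspected compromise:', suspectedCompromises(EVENTS, VERDICTS));
```

On the sample, 203.0.113.10 is classified as credential stuffing (seven accounts, six failures), 198.51.100.7 as brute force against a single account, and 192.0.2.50 as benign despite one failure, because a shared office address produces many users with mostly successes. Only frank@example.com, whose login succeeded from the stuffing source, is flagged as a suspected compromise.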

Just my humble two cents here, but I don't understand why anyone would use this service. Some quick research will show they've been plagued by security incidents for years. They are owned by LogMeIn, a company that tolerates widespread scamming and data ransoming activity with their applications and does little to nothing about it. It is counterproductive to say the least to think the solution to keeping your passwords safe is to hand them over to a corporation. Especially one that has shown it has difficulty keeping its servers secure. The whole model is wrong. People's sensitive data should not be concentrated in one location, ever. That's just asking for trouble, both from outside attacks and unscrupulous parties within.

Personally, I use SafeinCloud. I'm not trying to advertise for anyone (there are many other options, it's the setup not the software maker that's important) and I'm not some super network security or cryptography guru, but as I understand it, it encrypts your password database and uploads it to whatever cloud service you choose, including your own if you wish via WebDAV. Neither they nor the cloud provider can access your passwords. An attacker, even if they somehow acquired your master password, would have to hunt down your file in the sea of the internet or run across it by chance; there is no convenient company data center to attack. The one small convenience disadvantage is that you can't quickly install an extension on a browser you're using on a public or guest computer and get your passwords. This has never really been a big issue for me, and is also a tradeoff for better security. The browser extensions are just pulling from the local database on the device, and letting you autofill as opposed to having to copy and paste from the main program.

My app costs a little money for premium features like Windows Hello support, that's it. No one should have to pay a monthly fee to someone just to secure their passwords. Do not let anyone convince you that is something that should be. You can even use completely free and open source programs like KeePass, where not only are you keeping your own passwords in a location you actually know, you or someone you trust can examine the source code yourself and know exactly what is being done with them.


2 hours ago, j_mo said: [full post quoted above]

I knew LastPass has had a few security issues but wasn't aware of LogMeIn. I do find remote access programs often get a bad name as they are also used by scammers. When he was around, my grandad fell for one of these. They used the event viewer scam to show him errors and claim it was multiple viruses.
