Lastpass Says Hackers Accessed Customer Data In New Breach (bleepingcomputer.com)
AmiMoJo writes: LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022. The company added that, once in, the threat actors also managed to access customer data stored in the compromised storage service. "We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo," the company said. "We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers' information." Lastpass said it hired security firm Mandiant to investigate the incident and notified law enforcement of the attack. It also noted that customers' passwords have not been compromised and "remain safely encrypted due to LastPass's Zero Knowledge architecture."
Re: (Score:2)
More likely an encrypted volume. LastPass doesn't store password hashes.
They might be storing payment/billing data
Re: (Score:2)
> More likely an encrypted volume. LastPass doesn't store password hashes.
> They might be storing payment/billing data
So nothing important then. Just names and credit cards.
Re: (Score:2)
Nothing google doesn't already have. :P
Re: (Score:2)
> Nothing google doesn't already have. :P
At least we can pretty well know Google won't use our CC's.
Re: Data harvesting (Score:2)
Quantum computers aren't some panacea to crypto cracking. It really depends on the particular cryptography. And even when the tech matures, you're not going to carry around quantum computers in your pocket any time soon, if ever. It's going to be relegated to the cloud for some time to come, meaning somebody else is likely to be aware of what you're doing with those quantum computers. By the time the scenario you're dreaming up could even matter, the owners of these passwords will probably be dead. I think
Re: (Score:2)
You don't need a quantum computer in many cases. If the user chooses a poor password for their master key, a simple dictionary attack with off the shelf GPUs will suffice.
LastPass are not really telling the truth here.
Re:Data harvesting (Score:4, Informative)
Not with a sufficiently large salt/iterations of PBKDF2, which has been default encrypting behavior for ~20 years
Re: (Score:3)
Re: (Score:2)
That's where the Yubikey comes in handy. Shame that's only for the paid version.
Re: (Score:2)
1Password tries to mitigate this by having the user set aside a secondary key. This is used in addition to the user's passphrase to get access. It sounds cumbersome, but saving the key aside isn't difficult, and it acts like a client side keyfile, ensuring that if someone snarfed 1Password's database, brute forcing it is pretty much impossible, because every generated secondary key is 256 bits.
Re: (Score:2)
Hashes are one way. For a PW manager to be able to save passwords, it needs to be able to save the actual password, and not just a hash.
I wish LastPass and Keeper did what Codebook and 1Password do. Both, when one creates an account or sync repository, generate a random key. Once generated, it is up to the user to keep that key safe, and neither Codebook nor 1Password have that key stored. It is used in addition to the user's password to decrypt stored passwords.
Why is this such a good thing? If someone
They are toast (Score:2)
...this is their last pass.
Again? (Score:4, Insightful)
Re:Again? (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
VaultWarden is nice, but you can do pretty well with just KeePass compatible apps. If you use keyfiles, this ensures that whatever cloud repository the .kdbx file is on, it will remain secure, as if an attacker grabs the database, they don't just have to guess your password, but also what was in the keyfile.
Alternatively, Codebook is nice, as it offers a sync key.
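Several posts above (the PBKDF2 salt/iterations point, the 1Password secondary key, and the KeePass keyfile) describe the same idea: stretch the master password with a work factor, and mix in a random 256-bit value the provider never holds. The following is an added example written for this thread, not code from LastPass, 1Password or KeePass; the HMAC mixing step, the iteration count and the demo salt/secret-key values are assumptions for illustration, and the login verifier is a simplified version of the client-side/server-side split, not any product's actual scheme.

```python
# Added example (not code from LastPass, 1Password or KeePass): deriving a
# vault key from a master password, a per-user salt, a PBKDF2 work factor
# and an optional random 256-bit secret key, plus the one-way login
# verifier a zero-knowledge server can store without learning the key.
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo values; a real client stores a random per-user salt.
DEMO_SALT = b"constructed-demo-salt-0001"
DEMO_SECRET_KEY = bytes(range(32))      # stands in for a random 256-bit key
DEFAULT_ITERATIONS = 600_000            # assumed work factor, not a product default


def make_secret_key() -> bytes:
    """A fresh 256-bit secret key, generated on the client and never sent
    to the provider (the '1Password secret key' / KeePass keyfile idea)."""
    return secrets.token_bytes(32)


def derive_vault_key(password: str, salt: bytes, secret_key: Optional[bytes] = None,
                     iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 stretches the password: the salt defeats precomputed
    tables and the iteration count makes every guess expensive.  If a secret
    key is present it is mixed in with HMAC (assumed construction), so the
    result depends on a value that cannot be derived from the password."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    if secret_key is None:
        return stretched
    return hmac.new(secret_key, stretched, "sha256").digest()


def login_verifier(vault_key: bytes, password: str, iterations: int = 1) -> bytes:
    """What the server may store for authentication: one extra one-way step over
    the vault key, so a login can be checked without the server ever holding the
    key that decrypts the vault (simplified zero-knowledge split)."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, password.encode("utf-8"), iterations)


def unlock_ok(password: str, salt: bytes, secret_key: Optional[bytes],
              expected_key: bytes, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Client-side unlock check: both the password and the secret key must be
    right.  Constant-time compare avoids leaking which byte mismatched."""
    candidate = derive_vault_key(password, salt, secret_key, iterations)
    return hmac.compare_digest(candidate, expected_key)


def seconds_per_guess(iterations: int, salt: bytes = DEMO_SALT) -> float:
    """Cost of one derivation at the given work factor on this machine."""
    start = time.perf_counter()
    derive_vault_key("timing-probe", salt, None, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    pw = "correct horse battery staple"
    key = derive_vault_key(pw, DEMO_SALT, DEMO_SECRET_KEY)
    print("vault key:", key.hex())
    print("verifier :", login_verifier(key, pw).hex())
    print("right password but no secret key unlocks:", unlock_ok(pw, DEMO_SALT, None, key))
    for n in (10_000, 100_000, DEFAULT_ITERATIONS):
        print(f"{n:>8} iterations: {seconds_per_guess(n):.3f} s per guess")
```

Run as a script it shows that the correct password alone does not unlock a vault derived with a secret key, and how the per-guess cost grows with the iteration count.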
Re: (Score:2)
Re: (Score:3)
So they had a security breach a while back, but no customer data was exposed.
Now, months later, they're saying that customer data was exposed.
What are they going to say next? You can call it FUD, but if your entire business is keeping customer data secure and you didn't do that, you're a total failure who isn't deserving of my money. And then when you initially lie about that failure only to fess up later, you've done actual harm to customers that could have taken measures to protect themselves MONTHS AGO.
Re:Again? (Score:4, Insightful)
They're not saying customer data was exposed in August. They're saying that data gathered in August (like system configurations or employee info) was used to enable a new breach that did expose customer data. Unless you have evidence they're lying, it seems like they're being very forthcoming and upfront.
Re: (Score:2)
Oh so they didn't bother investigating what could be done with the data that was exposed, and said "this is fine" while the house burned around them.
That's so much better.
Re: (Score:2)
That's a pretty dumb statement. If there was a vulnerability they knew about, I'd guess they'd try to fix it. Sounds like they did an investigation.
Re: (Score:2)
It's FUD. They had a security breach and no customer data was exposed. What was exposed was then used to enable this breach, in which some customer data was exposed. You seem to think the 2 are one and the same when they are not. And more importantly, password data was not exposed in either breach, which is actually their entire business.
Re: (Score:2)
> Oh so they didn't bother investigating what could be done with the data that was exposed, and said "this is fine" while the house burned around them.
> That's so much better.
What's to say they won't use data from this breach to go even further in a third, because clearly LastPass isn't in the business of learning from past mistakes, and you seem fine with that.
Re: (Score:2)
Because they are a paid service they have your name, address, and billing info. And now so do the hackers.
Zero Knowledge architecture? (Score:2)
> remain safely encrypted due to LastPass's Zero Knowledge architecture
It just occurred to me, maybe I'm late to the party ... but if Lastpass has a zero knowledge architecture, could it be used as an encrypted chat system if e2e encrypted chats, like signal, are forced (due to regulation) to have a back door?
Will password managers like Lastpass or self hosted ones like Bit Warden or Vault be the next place for criminals to communicate (since that's the whole rational for wanting a back-door e2e encr
So could Slashdot posts. And no. (Score:4, Informative)
> could it be used as an encrypted chat
Yes, any communication tool and any cloud service CAN be used to pass encrypted messages. After all:
The cat ate the grapes. What does that mean? Nobody knows without the key.
And besides, 8911 54dd 25d25 eb7a 0fae e16.
It's trivially easy to send encrypted messages using any platform or protocol that posts / sends whatever you type / paste.
> Will password managers like Lastpass or or self hosted ones like Bit Warden or Vault be the next place for criminals to communicate
No. They are particularly ill-suited for that purpose.
They would be a poor choice both in terms of practical use and also security. They are a poor choice simply because it's not a messaging platform. There's no contact list or anything. There's no notification that you received a new "message", etc.
They are also particularly poor for security, because to either read or update the password (message), you need to have THE master key/password. You'd have to share the master password with whomever you're communicating with! That makes the entire idea mostly useless. That's like sending an email with a password protected zip file and saying "unzip this file using the password 'Kaboom'". Well that's pointless, because anyone who sees the message has the password.
Encrypted messaging apps such as Whatsapp and Signal don't have *A* key for the conversation, used to encrypt and decrypt it. They have a total of FOUR keys. When I send you a Whatsapp message, I use your public key. The essential thing to understand here is that the public key, which I use to encrypt the message, can NOT be used to decrypt it! That means I can send you an encrypted message, without including the decryption key in the message.
You send me your public encryption key, and keep your decryption key private. That's how Whatsapp provides secure messaging, while LastPass doesn't. Lastpass and other password managers are secure only for sending messages to yourself, where you don't have to communicate the master password to someone else.
Dumb idea in the first place. (Score:4, Insightful)
Using cloud-based password managers, while convenient, is an absolutely dumb idea in the first place. You hand over all your passwords to a single entity, creating a single point of failure. At the same time, there is no way for you to verify that there is no backdoor built into their zero-knowledge encryption scheme. Zero-knowledge only means that the encryption key is secured with a unique user key not known to the provider. It doesn't preclude the existence of another provider-specific encryption key to the same data set. It's the provider who builds the service and they can do absolutely everything they want without your knowledge.
Re: (Score:2)
Re: (Score:2)
Something like Yubi where it's a challenge response and the password is not stored on any server or any device where the private key can be directly read is the best.
Having the same password on 2 servers is not good, unless you don't care that they get your password, but having a central point of failure where if compromised a hacker now knows the sites you log into and all the passwords for you and for millions of other users is not good either. It's really a case of pick your poison.
Re: (Score:2)
As demonstrated many times, even with open source, security is hard. So who are these knowledgeable people rushing to audit everything? Certainly not their advocates.
Re: (Score:2)
No. It's not a dumb idea at all. It is just imperfect. It is still a huge improvement over the alternative people use otherwise - which is making memorable but weaker passwords and reusing the same password on multiple websites.
And the real solution is to not have passwords at all. Use Passkeys [apple.com] Or rather Security Keys [google.com]
Also, have the authentication undertaken through dedicated OAuth providers such as Apple or Google. There's no reason every website in the world needs to implement their own (bad)
Re: (Score:3)
1. What if I don't use Apple or Google? (I don't)
2. What if I don't want Google or any other big company to know what other services around the Internet I use? (they would if they did auth)
3. Passkeys are terrible if you're forced into scanning your face or unlocking your phone, like many authorities around the globe ask you to.
4. Again, single point of failure.
5. Most passkey schemes refuse to work on rooted phones due to security implications. (I use rooted devices myself).
Re: (Score:2)
I use a gmail account made specifically for my mobile phone. All other services go through a certain Switzerland-based, privacy-friendly email provider. The mobile email account is basically there just so that the system works and not used for anything else, ever.
Re: (Score:2)
No - it's dumb right from the beginning.
Using cloud you are losing control of your data. Zero knowledge just makes it more difficult to crack.
With encryption standards historically backdoored, side channel attacks on shared cloud hardware, and brute force cracking capabilities becoming stronger, you're handing over your data to not only 'authorities' who simply cannot be trusted to act legally, but to OTHER parties who may gain access to that data.
The only smart storage for sensitive information is offline storage.
Re: (Score:2)
If you're that paranoid you shouldn't have any passwords anyway because you shouldn't be using any online stuff. After all, the same 'authorities' could just break the encryption of whatever connections you have and steal your passwords that way.
Re: (Score:2)
Bingo.
As for me, if some government took the time to check out my browsing history and whatnot, they'd be bored to tears.
"Oh my god, this fuckin' dick is looking at goddamn belt sanders again? Jesus Christ just kill me now..."
Re: (Score:2)
> With encryption standards historically backdoored,
Good thing they used modern crypto that isn't backdoored.
> side channel attacks on shared cloud hardware,
Side channel attacks on cloud hardware aren't a concern, seeing as all the crypto is client-side, and the server doesn't get the keys to decrypt the data - that's what zero knowledge means. If there's a concern, then it would have to be about malicious code running on the client.
> and brute force cracking capabilities becoming stronger you're handing over y
Re: (Score:3)
Depends on what I am wanting to secure. If someone is going to do a side channel attack on my PC at home which has a decent tier of LUKS, BitLocker + TPM, or FileVault, then I'm screwed from the get-go.
The perfect is the enemy of the good in this case. There are many ways to keep passwords secure:
1: Use a cloud provider like Dropbox, use something like KeePass, KeePassXC, Strongbox, or some app that works with the .kdbx format, have all the endpoints (phones, PCs) all use a keyfile which isn't stored on
Re: (Score:2)
1. Trusting Apple with every last ducking detail of your life (wallet, health, geolocation, etc.)
2. Trusting anyone with your biometric data.
Single point of failure. No oversight.
Apple (all companies) will keep your data private, except they will share it with any of their trusted partners or authorized law enforcement. Please note the contradiction. Resulting in practice, that anything that moves over the internet is de-facto public domain information because it's so widely shared with "trusted
Re: (Score:2)
I don't want my entire existence tied to Apple, Google, Amazon, Meta, or whatnot. I've seen people in a world of hurt because they lost access to their Facebook account, and had all their stuff authenticate using it. Stories abound about people getting locked out from Apple, Google, etc... and with thousands of dollars spent on apps and other items, having that is expensive.
Best thing are MFA mechanisms. Ask for the username, ask for a password, ask for what 2FA token to use... and this option should at
Re: (Score:3)
I think it's fine as long as you control the software. For example, Keepass allows you to keep a copy of the database (fully encrypted) in cloud storage.
You can be sure the key isn't shared or backdoored. You have a local copy. You don't have to give the cloud provider your real details, or you can run your own "cloud".
Single Point of Failure Unavoidable (Score:5, Insightful)
> You hand over all your passwords to a single entity, creating a single point of failure.
It's inevitable that your password storage will have a single point of failure. Even if you have enough technical know-how to set up your own secure, encrypted repository, that's still a single point of failure, and if you never tell anyone your passwords your own brain becomes that single point of failure.
So really the question is whether you trust a provider like LastPass more than yourself to securely manage your password data. There I would compare it to banks. There is a good reason why most of us trust banks to look after our money and we don't keep it all stuffed under our mattresses or even in a home safe.
Re: (Score:2)
Re: (Score:2)
FDIC does not protect against being hacked, it protects against the bank becoming insolvent. The bank probably has other, independent, insurance against being hacked or robbed, but it isn't the FDIC.
Re: (Score:2)
Re: (Score:2)
> Banks are FDIC insured
Fair enough, but there is a limit on government insurance. I don't know what it is for the US but here in Canada it is $100k. So let's consider very rich people. Do you think they keep huge amounts of money stuffed in their mattress instead of in the bank even if only a fraction of it is insured by the government? I doubt it, so you can't really argue that government insurance is the primary reason why people keep money in banks.
> Second banks interface with the real world. You need to pay and get paid.
That is an additional function of banks but, if you fundamentally did not trus
Re: (Score:2)
Re: Single Point of Failure Unavoidable (Score:2)
Re: (Score:2)
Backups of what? Your brain? Did you even read the post you responded to?
Re: (Score:2)
You can backup from cloud providers too.
More than one way to fail (Score:3)
A single point of failure means that only one thing has to fail before there is a problem. It does not mean that there is only one way for that one thing to fail.
Re: (Score:2)
Re: (Score:2)
Cloud st-whore-age has never really been all that "safe", no matter who is providing what.
Always wrap (encrypt) your shit before sticking it in some online hole run by an internet byte pimp.
Re: (Score:2)
> sticking it in some online hole run by an internet byte pimp.
I just found my new online persona...Internet Byte Pimp!
Re: (Score:2)
Re: (Score:2)
You're right - there's none. The sync requirement forces you into the cloud.
However, a thing to consider is that you should never have one online password manager account for your entire family. If need be, every single user should have their own, private account with cross-account shared passwords in very few, limited cases.
Re: (Score:2)
"It doesn't preclude the existence of another provider-specific encryption key to the same data set."
More simply, they can see every page output they send you and every input you send them, if they want. So it would be trivial to simply skim off all that data while it's in transit.
Re: (Score:2)
You're now 100% dependent on them.
Re: (Score:2)
> Using cloud-based password managers, while convenient, is an absolutely dumb idea in the first place. You hand over all your passwords to a single entity, creating a single point of failure.
I simply don't see any alternative for sharing passwords between (1) laptop, (2) phone, (3) wife's laptop, (4) wife's phone. I view this kind of sharing as table-stakes.
Re:Dumb idea in the first place. (Score:4, Interesting)
Keepass. Open source, encrypted on your end. Use a free or home made cloud server for storage, so that if it gets hacked they don't get your billing details.
Re: (Score:2)
Eh, that's the same thing, it just requires you to maintain a server. No one has yet got a password from Lastpass despite all the doomsayers.
Re: (Score:2)
The people who hacked Lastpass probably have your billing details though. Name, address, maybe CC number and other data needed to authorize recurring payments. Your email address too.
You can create an anonymous MEGA account and use that to store your encrypted Keepass file. Use a throwaway @mailinator.com email address.
Re: (Score:2)
Possibly, though if they were storing it correctly they wouldn't have most payment data on the same systems, not to mention most customers don't even have payment data with them. The vast majority of people are still probably better off using an established cloud service than rolling their own, with the exception of a few people that are already maintaining servers.
Re: (Score:2)
"You hand over all your passwords to a single entity, creating a single point of failure."
Exactly, and that's why I won't use a web-based password manager.
Services like LastPass are super-juicy targets for bad actors. If you know anything about the internet then you know it's inevitable that they'd be compromised sooner or later.
This is old news (Score:3)
Re: (Score:2)
Oh, then everything must be fine then.
A company whose sole business offering is protecting customer data leaked customer data. And then they didn't bother telling their customers that their data was leaked, instead offering weak shit platitudes instead of being honest. But hey, they all took security training after they completely failed in their mission, so I'm supposed to trust them now?
Fuck that.
Re: (Score:2)
Private Equity Buys -- Quality goes down (Score:3, Insightful)
Between horrible interface changes, buggy plugins and apps, then creating high subscription charges on the assumption they could milk the client base too lazy to move, all they did was motivate a ton of customers to finally migrate to better platforms and piss over the very users who likely got them enterprise contracts.
Not at all surprised this happened again to LastPass, the new owners have to figure out a way to make money after leveraging it.
Local Beats Cloud Password Management (Score:2)
Re: (Score:2)
I would... (Score:1)
Did URLs get stolen? (Score:2)
At least when I left LastPass the account URLs were being sent in the clear, not TNO encrypted. Metadata leaks are a huge problem.
https://hackernoon.com/psa-las... [hackernoon.com]
ZK has a specific meaning in crypto, and it's also sketchy that they're misusing the term.
It's just too enticing a target. (Score:2)
How Ironic, LastPass's Zero Knowledge architecture (Score:2)
Cancelled? (Score:2)
Lastpass hired Mandiant to investigate (WTF) (Score:1)
“We have this category that Equifax calls unhandled malware, [with] which traditional security approaches haven’t been very helpful. Putting in FireEye has really helped us detect this unhandled malware [cnmeonline.com], then gives us the capability to take action to stay secure.”