Lastpass Says Hackers Accessed Customer Data In New Breach (bleepingcomputer.com)

AmiMoJo writes: LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022. The company added that, once in, the threat actors also managed to access customer data stored in the compromised storage service. "We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo," the company said. "We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers' information." Lastpass said it hired security firm Mandiant to investigate the incident and notified law enforcement of the attack. It also noted that customers' passwords have not been compromised and "remain safely encrypted due to LastPass's Zero Knowledge architecture."
  • ...this is their last pass.

  • Again? (Score:4, Insightful)

    by Murdoch5 ( 1563847 ) on Thursday December 01, 2022 @11:25AM (#63093916) Homepage
    How many times does Last Pass have to drop the ball? At this point, they've crashed into the ball factory! Anyone who is still using Last Pass should get off the service ASAP!
    • Re:Again? (Score:4, Informative)

      by Thantik ( 1207112 ) on Thursday December 01, 2022 @11:31AM (#63093934)
      Sounds like FUD to me. No service, when provided enough attack area and malicious actors will ever be able to get security 100% right, but their core offering is to keep passwords safe, which despite this - they have done. Maybe sound the bull horns when someone has their passwords compromised. Until then, another day, another vulnerability. Yawn.
      • Okay, but you can get products like BitWarden and host yourself, which prevents these massive attack vectors, or at least brings everything in house, which is important.
        • VaultWarden is nice, but you can do pretty well with just KeePass compatible apps. If you use keyfiles, this ensures that whatever cloud repository the .kdbx file is on, it will remain secure, as if an attacker grabs the database, they not only have to guess your password, but also what was in the keyfile.

          Alternatively, Codebook is nice, as it offers a sync key.

          • Absolutely, there are many ways to do this safely in house, or at least with enough oversight that you manage it yourself. With all attacks, hacks, etc... LastPass has faced, it's really set itself out to not be trusted, even if no passwords have ever been lifted.
      • So they had a security breach a while back, but no customer data was exposed.

        Now, months later, they're saying that customer data was exposed.

        What are they going to say next? You can call it FUD, but if your entire business is keeping customer data secure and you didn't do that, you're a total failure who isn't deserving of my money. And then when you initially lie about that failure only to fess up later, you've done actual harm to customers that could have taken measures to protect themselves MONTHS AGO.

        • Re:Again? (Score:4, Insightful)

          by suutar ( 1860506 ) on Thursday December 01, 2022 @01:58PM (#63094438)

          They're not saying customer data was exposed in August. They're saying that data gathered in August (like system configurations or employee info) was used to enable a new breach that did expose customer data. Unless you have evidence they're lying, it seems like they're being very forthcoming and upfront.

          • Oh so they didn't bother investigating what could be done with the data that was exposed, and said "this is fine" while the house burned around them.

            That's so much better.

            • by Ksevio ( 865461 )

              That's a pretty dumb statement. If there was a vulnerability they knew about, I'd guess they'd try to fix it. Sounds like they did an investigation.

        • by dirk ( 87083 )

          It's FUD. They had a security breach and no customer data was exposed. What was exposed was then used to enable this breach, in which some customer data was exposed. You seem to think the 2 are one and the same when they are not. And more importantly, password data was not exposed in either breach, which is actually their entire business.

          • Oh so they didn't bother investigating what could be done with the data that was exposed, and said "this is fine" while the house burned around them.

            That's so much better.

            What's to say they won't use data from this breach to go even further in a third, because clearly LastPass isn't in the business of learning from past mistakes, and you seem fine with that.

      • by AmiMoJo ( 196126 )

        Because they are a paid service they have your name, address, and billing info. And now so do the hackers.

  • > remain safely encrypted due to LastPass's Zero Knowledge architecture

    It just occurred to me, maybe I'm late to the party ... but, if Lastpass has a zero knowledge architecture, could it be used as an encrypted chat system if e2e encrypted chats, like Signal, are forced (due to regulation) to have a back door?

    Will password managers like Lastpass or self-hosted ones like Bit Warden or Vault be the next place for criminals to communicate (since that's the whole rationale for wanting a back-door e2e encr

    • by raymorris ( 2726007 ) on Thursday December 01, 2022 @11:54AM (#63094010) Journal

      > could it be used as an encrypted chat

      Yes, any communication tool and any cloud service CAN be used to pass encrypted messages. After all:

      The cat ate the grapes. What does that mean? Nobody knows without the key.

      And besides, 8911 54dd 25d25 eb7a 0fae e16.

      It's trivially easy to send encrypted messages using any platform or protocol that posts / sends whatever you type / paste.

      > Will password managers like Lastpass or self-hosted ones like Bit Warden or Vault be the next place for criminals to communicate

      No. They are particularly ill-suited for that purpose.
      They would be a poor choice both in terms of practical use and also security. They are a poor choice simply because it's not a messaging platform. There's no contact list or anything. There's no notification that you received a new "message", etc.

      They are also particularly poor for security, because to either read or update the password (message), you need to have THE master key/password. You'd have to share the master password with whomever you're communicating with! That makes the entire idea mostly useless. That's like sending an email with a password protected zip file and saying "unzip this file using the password 'Kaboom'". Well that's pointless, because anyone who sees the message has the password.

      Encrypted messaging apps such as Whatsapp and Signal don't have *A* key for the conversation, used to encrypt and decrypt it. They have a total of FOUR keys. When I send you a Whatsapp message, I use your public key. The essential thing to understand here is that the public key, which I use to encrypt the message, can NOT be used to decrypt it! That means I can send you an encrypted message, without including the decryption key in the message.

      You send me your public encryption key, and keep your decryption key private. That's how Whatsapp provides secure messaging, while LastPass doesn't. Lastpass and other password managers are secure only for sending messages to yourself, where you don't have to communicate the master password to someone else.

  • by devslash0 ( 4203435 ) on Thursday December 01, 2022 @11:31AM (#63093930)

    Using cloud-based password managers, while convenient, is an absolutely dumb idea in the first place. You hand over all your passwords to a single entity, creating a single point of failure. At the same time, there is no way for you to verify that there is no backdoor built into their zero-knowledge encryption scheme. Zero-knowledge only means that the encryption key is secured with a unique user key not known to the provider. It doesn't preclude the existence of another provider-specific encryption key to the same data set. It's the provider who builds the service and they can do absolutely everything they want without your knowledge.

    • Cloud managers have their place and there are open source alternatives such as Bitwarden if you want to audit the code for backdoors. It's better to have people use a cloud password manager than use the same password on all their sites. It is always a balance between usability and security. Nothing is perfect and if someone truly wants to get into your stuff they will find a way; the best you can do is slow them down (multiple security professionals have stated this to me).
      • Something like Yubi, where it's a challenge response and the password is not stored on any server or any device where the private key can be directly read, is the best.

        Having the same password on 2 servers is not good, unless you don't care that they get your password, but having a central point of failure where, if compromised, a hacker now knows the sites you log into and all the passwords for you and for millions of other users is not good either. It's really a case of pick your poison.

      • As demonstrated many times, even with open source, security is hard. So who are these knowledgeable people rushing to audit everything? Certainly not their advocates.

    • by mysidia ( 191772 )

      No. It's not a dumb idea at all. It is just imperfect. It is still a huge improvement over the alternative people use otherwise, which is making memorable but weaker passwords and reusing the same password on multiple websites.

      And the real solution is to not have passwords at all. Use Passkeys [apple.com], or rather Security Keys [google.com].

      Also, have the authentication undertaken through dedicated OAuth providers such as Apple or Google. There's no reason every website in the world needs to implement their own (bad)

      • 1. What if I don't use Apple or Google? (I don't)
        2. What if I don't want Google or any other big company to know what other services around the Internet I use? (they would if they did auth)
        3. Passkeys are terrible if you're forced into scanning your face or unlocking your phone, like many authorities around the globe ask you to.
        4. Again, single point of failure.
        5. Most passkey schemes refuse to work on rooted phones due to security implications. (I use rooted devices myself).

      • No - it's dumb right from the beginning.

        Using cloud you are losing control of your data. Zero knowledge just makes it more difficult to crack.

        With encryption standards historically backdoored, side channel attacks on shared cloud hardware, and brute force cracking capabilities becoming stronger, you're handing over your data to not only 'authorities' who simply cannot be trusted to act legally, but to OTHER parties who may gain access to that data.

        The only smart storage for sensitive information is offline storage.

        • by bws111 ( 1216812 )

          If you're that paranoid you shouldn't have any passwords anyway because you shouldn't be using any online stuff. After all, the same 'authorities' could just break the encryption of whatever connections you have and steal your passwords that way.

          • Bingo.

            As for me, if some government took the time to check out my browsing history and whatnot, they'd be bored to tears.

            "Oh my god, this fuckin' dick is looking at goddamn belt sanders again? Jesus Christ just kill me now..."

        • by mysidia ( 191772 )

          > With encryption standards historically backdoored,

          Good thing they used modern crypto that isn't backdoored.

          > side channel attacks on shared cloud hardware,

          Side channel attacks on cloud hardware aren't a concern, seeing as all the Crypto is client-side, and the server doesn't get the keys to decrypt the data - that's what zero knowledge means. If there's a concern, then it would have to be about malicious code running on the client.

          > and brute force cracking capabilities becoming stronger your handing over y

        • Depends on what I am wanting to secure. If someone is going to do a side channel attack on my PC at home which has a decent tier of LUKS, BitLocker + TPM, or FileVault, then I'm screwed from the get-go.

          The perfect is the enemy of the good in this case. There are many ways to keep passwords secure:

          1: Use a cloud provider like Dropbox, use something like KeePass, KeePassxc, Strongbox, or some app that works with the .kdbx format, have all the endpoints (phones, PCs), all use a keyfile which isn't stored on

      • Double Dumb:
        1. Trusting Apple with every last ducking detail of your life. (wallet, health, geolocation, etc.)
        2. Trusting anyone with your biometric data.

        Single point of failure. No oversight.
        Apple (all companies) will keep your data private, except they will share it with any of their trusted partners or authorized law enforcement. Please note the contradiction. Resulting in practice, that anything that moves over the internet is de-facto public domain information because it's so widely shared with "trusted
      • I don't want my entire existence tied to Apple, Google, Amazon, Meta, or whatnot. I've seen people in a world of hurt because they lost access to their Facebook account, and had all their stuff authenticate using it. Stories abound about people getting locked out from Apple, Google, etc... and with thousands of dollars spent on apps and other items, having that is expensive.

        Best thing are MFA mechanisms. Ask for the username, ask for a password, ask for what 2FA token to use... and this option should at

    • by AmiMoJo ( 196126 )

      I think it's fine as long as you control the software. For example, Keepass allows you to keep a copy of the database (fully encrypted) in cloud storage.

      You can be sure the key isn't shared or backdoored. You have a local copy. You don't have to give the cloud provider your real details, or you can run your own "cloud".

    • by Roger W Moore ( 538166 ) on Thursday December 01, 2022 @12:15PM (#63094116) Journal

      > You hand over all your passwords to a single entity, creating a single point of failure.

      It's inevitable that your password storage will have a single point of failure. Even if you have enough technical know-how to setup your own secure, encrypted repository that's still a single point of failure and if you never tell anyone your passwords your own brain becomes that single point of failure.

      So really the question is whether you trust a provider like LastPass more than yourself to securely manage your password data. There I would compare it to banks. There is a good reason why most of us trust banks to look after our money and we don't keep it all stuffed under our mattresses or even in a home safe.

      • Not sure that is a good analogy for two reasons. Banks are FDIC insured; if they get hacked, your money is still there. Your mattress is not, and if you read your insurance policy, cash is not insured or, if it is, only a tiny amount. Second, banks interface with the real world. You need to pay and get paid. Banks facilitate this. Passwords on the other hand can easily be handled locally. You don't send someone your password.
        • by bws111 ( 1216812 )

          FDIC does not protect against being hacked, it protects against the bank becoming insolvent. The bank probably has other, independent, insurance against being hacked or robbed, but it isn't the FDIC.

          • If the hack causes the bank to go insolvent, yes, FDIC would backstop. But that would be a major hack. In most small cases, like I had where they cashed a check they should not have, the bank will use insurance as you suggest. But still it demonstrates yet again the analogy is not good. There is no insurance on a password manager. If they get hacked, where say your bank account password is stolen, the password manager company is not going to make you whole. And likely neither is the bank since it was an auth
        • > Banks are FDIC insured

          Fair enough, but there is a limit on government insurance. I don't know what it is for the US but here in Canada it is $100k. So let's consider very rich people. Do you think they keep huge amounts of money stuffed in their mattress instead of in the bank even if only a fraction of it is insured by the government? I doubt it, so you can't really argue that government insurance is the primary reason why people keep money in banks.

          > Second banks interface with the real world. You need to pay and get paid.

          That is an additional function of banks but, if you fundamentally did not trus

          • This is easy. You spread it around. It is per account type if I remember right and per account holder. So husband has one, wife has one, husband and wife have one. So in the US, 250K per account x 3 in above gets you 750, per bank. Then you spread it out among say 10 banks and now you are talking 7.5M insured and making decent interest now. And funny story, a woman I know knew a very very very rich man in the 1940's in her childhood. He was a cattle ranch owner that did not trust banks. He would bury his mo
        • by bws111 ( 1216812 )

          Backups of what? Your brain? Did you even read the post you responded to?

        • by Ksevio ( 865461 )

          You can backup from cloud providers too.

        • How does a backup prevent someone from accessing your passwords?

          A single point of failure means that only one thing has to fail before there is a problem. It does not mean that there is only one way for that one thing to fail.
          • I'll clarify what I meant by that. I was addressing the idea that you could lose access to your passwords by using software/cloud storage. So what I was proposing is that if you keep a local backup of your password file, then you mitigate the risk of losing all your passwords. I'm not suggesting that backups prevent someone from compromising your passwords in the cloud.
    • Cloud st-whore-age has never really been all that "safe", no matter who is providing what.

      Always wrap (encrypt) your shit before sticking it in some online hole run by an internet byte pimp.

      • > sticking it in some online hole run by an internet byte pimp.

        I just found my new online persona...Internet Byte Pimp!

      • This is literally what LastPass does. The client software hashes your password a bunch of times to generate the encryption key, then it hashes it again to derive the login token that it sends to LastPass. So LastPass can't view your passwords; all they see is the hash of your key.
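The two-stage derivation the comment above describes, as an added example (not LastPass's own code or parameters): the client stretches the master password into a vault key that never leaves the device, then hashes that key once more to get the login token, and the server stores only a salted hash of that token. The iteration counts, the use of the e-mail address as salt, and the server-side record layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for illustration; the real product's counts and salts
# are not stated on the page and are not claimed here.
VAULT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side, step 1: stretch the master password into the vault key.
    This key encrypts the vault locally and is never transmitted."""
    salt = email.strip().lower().encode()  # assumed: account e-mail as salt
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, VAULT_ITERATIONS)


def derive_login_token(vault_key: bytes, master_password: str) -> bytes:
    """Client side, step 2: hash the vault key once more to get the login token.
    Only this value is sent to the server; being a one-way function of the
    vault key, it does not let the server (or anyone capturing it) recover it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def client_credentials(master_password: str, email: str) -> tuple[bytes, bytes]:
    """What the client computes at login: (vault_key kept locally, login_token sent)."""
    vault_key = derive_vault_key(master_password, email)
    return vault_key, derive_login_token(vault_key, master_password)


class Server:
    """What the provider stores: a salted, stretched hash of the login token.
    Neither the token itself nor the vault key is ever on the server."""

    def __init__(self) -> None:
        self.records: dict[str, tuple[bytes, bytes]] = {}

    def register(self, email: str, login_token: bytes) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", login_token, salt, SERVER_ITERATIONS)
        self.records[email] = (salt, digest)

    def verify(self, email: str, login_token: bytes) -> bool:
        if email not in self.records:
            return False
        salt, digest = self.records[email]
        candidate = hashlib.pbkdf2_hmac("sha256", login_token, salt, SERVER_ITERATIONS)
        # Constant-time comparison so the check itself leaks nothing about the digest.
        return hmac.compare_digest(candidate, digest)


def dump_contains_vault_key(server: Server, email: str, vault_key: bytes) -> bool:
    """Model of a breach: does a copy of the server's record hold the vault key?
    It holds only the salt and the hash of the login token, so the answer is no."""
    salt, digest = server.records[email]
    return vault_key in salt + digest


if __name__ == "__main__":
    vault_key, token = client_credentials("correct horse battery", "alice@example.com")
    server = Server()
    server.register("alice@example.com", token)
    print("login ok:", server.verify("alice@example.com", token))
    print("vault key in server dump:", dump_contains_vault_key(server, "alice@example.com", vault_key))
```

The caveat the thread's other posters raise still applies: a stolen record lets an attacker test master-password guesses offline at the cost of the full PBKDF2 work per guess, so the iteration count and the strength of the master password are what the design rests on.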
    • "It doesn't preclude the existence of another provider-specific encryption key to the same data set."

      More simply, they can see every page output they send you and every input you send them, if they want. So it would be trivial to simply skim off all that data while it's in transit.

    • ^^^ mod up.
      You're now 100% dependent on them.
    • by ljw1004 ( 764174 )

      > Using cloud-based passwords managers, while convenient, is an absolutely dumb idea in the first place. You hand over all your passwords to a single entity, creating a single point of failure.

      I simply don't see any alternative for sharing passwords between (1) laptop, (2) phone, (3) wife's laptop, (4) wife's phone. I view this kind of sharing as table-stakes.

      • by AmiMoJo ( 196126 ) on Thursday December 01, 2022 @02:58PM (#63094688) Homepage Journal

        Keepass. Open source, encrypted in your end. Use a free or home made cloud server for storage, so that if it gets hacked they don't get your billing details.

        • by Ksevio ( 865461 )

          Eh that's the same thing just requires you to maintain a server. No one has yet to get a password from Lastpass despite all the doomsayers

          • by AmiMoJo ( 196126 )

            The people who hacked Lastpass probably have your billing details though. Name, address, maybe CC number and other data needed to authorize recurring payments. Your email address too.

            You can create an anonymous MEGA account and use that to store your encrypted Keepass file. Use a throwaway @mailinator.com email address.

            • by Ksevio ( 865461 )

              Possibly, though if they were storing it correctly they wouldn't have most payment data on the same systems, not to mention most customers don't even have payment data with them. The vast majority of people are still probably better off using an established cloud service than rolling their own, with the exception of a few people that are already maintaining servers.

    • "You hand over all your passwords to a single entity, creating a single point of failure."

      Exactly, and that's why I won't use a web-based password manager.

      Services like LastPass are super-juicy targets for bad actors. If you know anything about the internet then you know it's inevitable that they'd be compromised sooner or later.

  • by wakeboarder ( 2695839 ) on Thursday December 01, 2022 @11:35AM (#63093938)
    Don't know why it's even showing up now, the incident was covered widely in Aug and Sept. I had a friend who worked for the company and they said that customer data could have been accessed and the hole has been fixed. They all had to take a security training again.
    • Oh, then everything must be fine then.

      A company whose sole business offering is protecting customer data, leaked customer data. And then they didn't bother telling their customers that their data was leaked, instead offering weak shit platitudes instead of being honest. But hey, they all took security training after they completely failed in their mission, so I'm supposed to trust them now?

      Fuck that.

    • by Pascoea ( 968200 )
      Unless I'm reading this incorrectly (100% possible) this is/was a NEW breach using intel they gathered in the Aug/Sept breach.
  • by blahbooboo2 ( 602610 ) on Thursday December 01, 2022 @11:40AM (#63093946)
    Sad story of the decline of once great and market leading password management system after private equity bought it.

    Between horrible interface changes, buggy plugins and apps, then creating high subscription charges on the assumption they could milk the client base too lazy to move, all they did was motivate a ton of customers to finally migrate to better platforms and piss over the very users who likely got them enterprise contracts.

    Not at all surprised this happened again to LastPass, the new owners have to figure out a way to make money after leveraging it.
    • I started using KeePass last year, it was challenging to configure and still have some stuff to do, but I feel much safer knowing the local db is truly local to me. I can sync it to my various devices at my will, and not fear the cloud.
  • I would comment on how silly you must be to use a password manager like last pass, but I can't remember my slashdot password.
  • At least when I left LastPass the account URLs were being sent in the clear, not TNO encrypted. Metadata leaks are a huge problem.

    https://hackernoon.com/psa-las... [hackernoon.com]

    ZK has a specific meaning in crypto, so it is also sketchy that they're misusing the term.

  • I could never trust an online service dedicated to passwords to protect my passwords.
  • They really need to rebrand their architecture - zero knowledge doesn't seem like something to brag about under the circumstances.
  • I wonder how much of my info they have retained for selling... I cancelled my service several years ago. I hope they deleted/scrubbed my account because I am not their customer anymore.
  • Is this the same Mandiant that FireEye bought in 2014? The same FireEye that provided security for Equifax?

    “We have this category that Equifax calls unhandled malware, [with] which traditional security approaches haven’t been very helpful. Putting in FireEye has really helped us detect this unhandled malware [cnmeonline.com], then gives us the capability to take action to stay secure.”
