Author Topic: LastPass hacked  (Read 9873 times)

xtabber

  • Supporting Member
  • Joined in 2007
  • Posts: 618
LastPass hacked
« on: June 15, 2015, 06:11 PM »
LastPass has issued a Security Notice saying that they have been hacked resulting in account owners personal information being compromised.

They claim that no password data was breached, but recommend that all users change their master password ASAP.


TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • Posts: 4,642
Re: LastPass hacked
« Reply #1 on: June 15, 2015, 06:35 PM »

"They claim ..." - I don't even know how to believe stuff like that anymore. Because if that data were breached? Instant bankruptcy? Lawsuits?

This is the "other shoe dropping" that's always bothered me:

1. Put all your passwords to your entire life into a service
2. Service gets hacked

Uh ...


Ath

  • Supporting Member
  • Joined in 2006
  • Posts: 3,612
Re: LastPass hacked
« Reply #2 on: June 16, 2015, 01:27 AM »
^+1 :(

That's exactly the reason I never used LastPass :tellme:

MilesAhead

  • Supporting Member
  • Joined in 2009
  • Posts: 7,736
Re: LastPass hacked
« Reply #3 on: June 16, 2015, 06:42 AM »
^+1 :(

That's exactly the reason I never used LastPass :tellme:

I used it for a while to make login for forums easier across browsers.  But now I just manage cookies.  I never put anything online that is sensitive unless I am forced to do so.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,646
Re: LastPass hacked
« Reply #4 on: June 16, 2015, 07:20 AM »
That's exactly the reason I never used LastPass

Same here. How ultimately is having one password that opens all accounts really different than using the same password for all accounts? The end result is the same if an attacker picks the right entry point.

MilesAhead

  • Supporting Member
  • Joined in 2009
  • Posts: 7,736
Re: LastPass hacked
« Reply #5 on: June 16, 2015, 07:51 AM »
That's exactly the reason I never used LastPass

Same here. How ultimately is having one password that opens all accounts really different than using the same password for all accounts? The end result is the same if an attacker picks the right entry point.

What I don't get is why are these dictionary attacks succeeding?  What happened to killing access to the account if there are 50 password entry attempts in a minute?

Shades

  • Member
  • Joined in 2006
  • Posts: 2,922
Re: LastPass hacked
« Reply #6 on: June 16, 2015, 09:22 AM »
Allowing one entry a minute is already a big boost in security and is easy to set up. If it takes much time, most attackers lose interest. Return rates on hacking accounts are financially much less viable this way.

Granted, this method isn't convenient for the end user when he/she doesn't remember the password. The ones that do remember aren't affected at all.

It might even get people that have trouble remembering to use phrases they can remember as a password, which would be an even bigger boost to their security. That is, if they aren't blocked from doing so by the stupid password systems used by companies that provide on-line services, that is. Ah well, there's hoping for you...
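MilesAhead (Reply #5) asks why a lockout after 50 attempts in a minute isn't stopping these attacks, and Shades (Reply #6) suggests allowing one attempt a minute. The following is an added example, not code from LastPass or from anyone in this thread, that shows both controls side by side: a sliding-window failure counter that locks the account, plus an optional minimum spacing between attempts. The 50-per-minute and one-per-minute figures are the ones the posters mention; the 15-minute lockout length and the account names are assumptions.

```python
"""Login throttling of the kind the thread asks about: stop checking passwords
for an account after a burst of failures, and optionally space attempts out.

Added illustration, not LastPass's code. The figures used below (50 failed
attempts per minute, one attempt per minute) are the ones the posters mention;
the 15-minute lockout length and the account names are assumptions.
"""
from collections import deque


class LoginThrottle:
    """Per-account failure counting over a sliding window, with lockout."""

    def __init__(self, max_failures=50, window_seconds=60.0,
                 lockout_seconds=900.0, min_interval=0.0):
        self.max_failures = max_failures        # failures tolerated inside the window
        self.window_seconds = window_seconds    # sliding window length in seconds
        self.lockout_seconds = lockout_seconds  # how long an account stays locked (assumed value)
        self.min_interval = min_interval        # seconds between attempts; 0 disables spacing
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> time the lock expires
        self._last_attempt = {}  # account -> time of the last attempt we let through

    def check(self, account, now):
        """Decide before touching the password store. Returns (allowed, reason)."""
        until = self._locked_until.get(account)
        if until is not None and now < until:
            return False, "locked"
        last = self._last_attempt.get(account)
        if self.min_interval and last is not None and now - last < self.min_interval:
            return False, "too_fast"
        return True, "ok"

    def record(self, account, now, success):
        """Report the outcome of an attempt that check() allowed."""
        self._last_attempt[account] = now
        if success:
            # A genuine login clears the failure history and any lock.
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return
        window = self._failures.setdefault(account, deque())
        while window and now - window[0] > self.window_seconds:
            window.popleft()                 # drop failures older than the window
        window.append(now)
        if len(window) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds


def simulate_burst(attempts, seconds, throttle):
    """Spread `attempts` wrong-password attempts evenly over `seconds` and return
    how many the throttle actually let through to password verification."""
    account = "alice@example.invalid"   # constructed account name
    checked = 0
    for i in range(attempts):
        now = i * seconds / attempts
        allowed, _ = throttle.check(account, now)
        if allowed:
            checked += 1
            throttle.record(account, now, success=False)
    return checked


if __name__ == "__main__":
    print("50/minute lockout:", simulate_burst(1000, 60, LoginThrottle()))
    print("one attempt per minute:", simulate_burst(1000, 60, LoginThrottle(min_interval=60)))
```

With the defaults, a burst of 1,000 guesses in a minute gets 50 of them checked before the account locks; with `min_interval=60`, only the first guess is checked. Blocked attempts deliberately do not update the last-attempt time, so a flood of rejected requests cannot keep the real owner locked out once the interval has passed.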

wraith808

  • Supporting Member
  • Joined in 2006
  • Posts: 11,186
Re: LastPass hacked
« Reply #7 on: June 16, 2015, 09:33 AM »
LastPass has issued a Security Notice saying that they have been hacked resulting in account owners personal information being compromised.

They claim that no password data was breached, but recommend that all users change their master password ASAP.

That linked statement says something different than your blurb, IMO.

Do I need to change my master password right now? LastPass user accounts are locked down. You can only access your account from a trusted IP address or device – otherwise, verification is requested. We are confident that you are safe on your LastPass account regardless. If you’ve used a weak, dictionary-based master password (eg: robert1, mustang, 123456799, password1!), or if you used your master password as the password for other websites you need to update it.

we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed.

Both of those directly contradict what's in your blurb.  At least... unless I'm missing something?

What they say was accessed:
The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

There's a lot more they'd have to compromise to use that.  Unless they can just guess from your reminder.

And I'm not really worried with two factor enabled.  Unless they can get my device, they aren't getting in by the front door.  So why change it?

It's always a balance between accessibility and security.  Because of the fact that I want my wife to be able to access my accounts if something happens to me, and want the ability to change my passwords without updating some monolithic list for her, this is a good enough compromise, IMO.
« Last Edit: June 16, 2015, 09:43 AM by wraith808 »

tomos

  • Charter Member
  • Joined in 2006
  • Posts: 11,959
Re: LastPass hacked
« Reply #8 on: June 16, 2015, 09:44 AM »
^ what their email said was:

We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised.

We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.
(my emphasis)
Tom

xtabber

  • Supporting Member
  • Joined in 2007
  • Posts: 618
Re: LastPass hacked
« Reply #9 on: June 16, 2015, 10:07 AM »
That linked statement says something different than your blurb, IMO.

Do I need to change my master password right now? LastPass user accounts are locked down. You can only access your account from a trusted IP address or device – otherwise, verification is requested. We are confident that you are safe on your LastPass account regardless. If you’ve used a weak, dictionary-based master password (eg: robert1, mustang, 123456799, password1!), or if you used your master password as the password for other websites you need to update it.

we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed.

Both of those directly contradict what's in your blurb.  At least... unless I'm missing something?

What they say was accessed:
The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

In my book, that qualifies as personal information.  Whether or not it is enough to crack your passwords, it can be a serious problem for many users who may not be as sophisticated as you are.  

And your first quote from the LP notice contains language explicitly telling anyone who has a weak master password or has used their master password on other sites that they need to change it.

Note also that LP does not say that no passwords were compromised, only that they have not found evidence of that and that they think their encryption methods are strong enough to prevent that from happening.  Of course, they also thought their security was strong enough to prevent a breach in the first place.
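The notice quoted above singles out "weak, dictionary-based" master passwords (robert1, mustang, 123456799, password1!) as the ones that need changing. The following is an added example, not LastPass code or anything posted in this thread, of the kind of screening a service or a user can run on a candidate master password before accepting it: it strips trivial decoration, undoes common character substitutions, looks the result up in a word list, and flags digit runs and sequences. COMMON_WORDS is a tiny constructed stand-in for a real leaked-password list, and the 12-character minimum is an assumed policy value.

```python
"""Screening a candidate master password for the weaknesses LastPass's notice
calls out: dictionary-based passwords with trivial decoration (robert1,
mustang, password1!) and digit sequences (123456799).

Added illustration, not LastPass's code. COMMON_WORDS is a tiny constructed
stand-in for a real leaked-password list, and the 12-character minimum is an
assumed policy value.
"""
import re

MIN_LENGTH = 12  # assumed policy minimum

# Constructed mini dictionary; a deployment would load a large breached-password list.
COMMON_WORDS = {
    "password", "mustang", "robert", "letmein", "qwerty", "welcome",
    "dragon", "monkey", "football", "iloveyou",
}

# Common character substitutions people use to dodge naive dictionary checks.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _candidates(pw):
    """Forms of the password a dictionary check should try: lowercased, with
    leading/trailing digits and symbols stripped, and with substitutions undone."""
    base = pw.lower()
    raw = {
        base,
        re.sub(r"[^a-z]+$", "", base),            # robert1 -> robert, password1! -> password
        re.sub(r"^[^a-z]+", "", base),
        re.sub(r"^[^a-z]+|[^a-z]+$", "", base),
    }
    return raw | {r.translate(LEET_MAP) for r in raw}   # p@ssw0rd -> password


def _is_sequential(pw, threshold=0.6):
    """True when most adjacent characters step by one code point (123456..., abcdef...)."""
    if len(pw) < 4:
        return False
    steps = sum(1 for a, b in zip(pw, pw[1:]) if ord(b) - ord(a) in (1, -1))
    return steps / (len(pw) - 1) >= threshold


def assess_master_password(pw):
    """Return the list of weaknesses found; an empty list means none of these checks fired."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.isdigit():
        reasons.append("digits only")
    if _is_sequential(pw):
        reasons.append("mostly sequential characters")
    if any(c in COMMON_WORDS for c in _candidates(pw)):
        reasons.append("dictionary word with trivial decoration")
    return reasons


if __name__ == "__main__":
    for sample in ("robert1", "mustang", "123456799", "password1!",
                   "P@ssw0rd2015!", "correct horse battery staple"):
        print(f"{sample!r}: {assess_master_password(sample) or 'no issue found'}")
```

All four of the notice's examples are flagged, as is a decorated variant such as `P@ssw0rd2015!` that passes a naive length check, while a multi-word phrase of the kind Shades recommends passes clean. The check that cannot be done locally is the other one the notice names, reuse of the master password on other sites; only the user knows that.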

Innuendo

  • Charter Member
  • Joined in 2005
  • Posts: 2,266
Re: LastPass hacked
« Reply #10 on: June 17, 2015, 12:38 PM »
The short reply to this problem is that everyone will most likely be fine and you should at the very least change your master password. Best practice recommends you change all your passwords.

Now, let's examine what happened and the statement issued by LastPass, shall we?

Very, very few cyber-attacks are witnessed and monitored first-hand by human eyes on the scene to watch what the hacker does as events unfold. Nearly all attacks are examined by a security team after the fact by analyzing server logs and a bunch of other forensic analysis techniques. These methods are not fool-proof. Some hackers are good enough to erase their tracks behind them either partially or completely.

LastPass's interpretation of events is most likely accurate, but there is a margin of error. Something could have been missed or something misinterpreted. We're all humans and we all make mistakes.

Now I'm sure that LastPass's security team analyzed everything to the best of their ability and made a comprehensive report of everything they know happened, everything they know didn't happen, everything that probably happened, and everything that probably didn't happen. However, the public does not get access to that report.

That report goes to the legal team who examines it and decides what needs to be legally disclosed and what doesn't need to necessarily be divulged as it may hurt the corporate image and they compose a detailed report of the facts. However, we don't get to see that report, either.

That report goes to the principals, executives, and the board of directors of LastPass for further scrutiny and for a verdict on what needs to be divulged to the public. Yeah....we don't get to see that one, either.

Finally, that report comes down off the mountain-top where it lands in the marketing department who puts their own special spin on things to minimize anything that might appear apocalyptic. :)  That's the announcement the public sees.

Everyone is free to analyze what has transpired and make their own decisions, but if I were a LastPass customer I'd be considering alternatives because this is not their first security breach. Even if nothing was compromised this time or the last, hackers' greatest asset is that they have time on their hands. Lots of it. Sooner or later if they are determined enough, they'll find their way in.

In security circles, there is an anecdote that is always said in jest that there are two different kinds of companies in the world: the ones that have been hacked by the Chinese and the ones that don't know they've been hacked by the Chinese. :)

Safeguard your data the best way you see fit is my advice. Only you can decide how important your data is.