LastPass hacked

MichaelB (Site Team, joined Jan 31, 2008, Chicagoland)
That's right, sorry to be the bearer of bad news. LastPass users need to change their master passwords right now. From their blog https://blog.lastpass.com/2015/06/lastpass-security-notice.html/

Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
From the media, with a bit more detail.
LastPass Hacked, Change Your Master Password Now
 
If you have 2nd factor authentication, that will help a lot. Also, make sure your LastPass account can only be accessed from the country of your residence and any you might be visiting in the future.

These two and more are offered in this article from LastPass:

https://blog.lastpass.com/2014/10/7-ways-to-make-your-lastpass-account-even-more-secure.html/

So you know you should be using strong passwords to protect your online accounts. And you ran the LastPass Security Challenge to help you keep improving your passwords. But did you know there are even more security features in LastPass that can help you better protect your account and the data you store in it? Check out these seven security features, and challenge yourself to enable at least one today:
 
I've always resisted using an online tool to store my passwords but finally succumbed and before this year's big travel vacation signed up to LastPass and am now a big user of it :facepalm:
 
I only want to use my LastPass local vault. Is there a way of preventing use of the cloud vault?
 
OMG! We've never been comfortable with storing critical/sensitive info online/cloud. It's bad enough exposure filing taxes electronically.
 
I use LastPass, but not for core banking or brokerage accounts. I haven't enabled two factor authentication yet but will probably do so now.

Coincidentally, over the past three weeks there have been attempts to log into my Facebook, brokerage, and one bank account - all three have notified me. It's time for me to rethink online security and account access. What concerns me most about two factor is if the mobile device I use is lost or stolen and then compromised it leads to a cascade of account hijacks.
 
OMG! We've never been comfortable with storing critical/sensitive info online/cloud. It's bad enough exposure filing taxes electronically.
+1 on both.
 
I don't think anything is really safe. You take as many preventive measures as you can and odds are you'll be safe.

I use Lastpass and although I'm not happy with the security breach (who would be?), I don't think it's that bad. This is why two factor authentication is enabled on all my accounts and I limit access as much as reasonably possible to the account.

MichaelB, I think that having your mobile device compromised is unlikely, especially if you have a strong passcode and it locks after a few attempts. Plus, with iPhones you can remote wipe your device.

Where security is concerned, it's good to be paranoid, but not too paranoid. My family thinks I'm a little nuts with the precautions I have in place, but doing so lets me feel secure having my data in the cloud. I think everyone should think through their security and have a plan for the most common breaches. Beyond that, I think it's important not to get too caught up in the hype.
 
I just changed my master password at lastpass.
I have the feature where I can disable my phone if it is lost.
I also use the fingerprint authentication for Lastpass and my phone.
 
I don't think anything is really safe. You take as many preventive measures as you can and odds are you'll be safe.

I use Lastpass and although I'm not happy with the security breach (who would be?), I don't think it's that bad. This is why two factor authentication is enabled on all my accounts and I limit access as much as reasonably possible to the account.

MichaelB, I think that having your mobile device compromised is unlikely, especially if you have a strong passcode and it locks after a few attempts. Plus, with iPhones you can remote wipe your device.

Where security is concerned, it's good to be paranoid, but not too paranoid. My family thinks I'm a little nuts with the precautions I have in place, but doing so lets me feel secure having my data in the cloud. I think everyone should think through their security and have a plan for the most common breaches. Beyond that, I think it's important not to get too caught up in the hype.

It's not that bad? Their whole premise is passwords and they failed at that.

I'm pretty happy to have my own system of passwords and double authentication where possible. It's going to be quite a while before I consider a password storage 'solution'.

Sent from my mobile device so please excuse grammatical errors. :)
 
It's not that bad? Their whole premise is passwords and they failed at that.

From The Lastpass blog:

In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

No encrypted data taken. As I said, no breach is good, but it's not that bad. And what if they did get the encrypted data? Then they'd have to somehow decrypt the data. And let's say they did that and tried accessing Fidelity. Oh, two factor authentication is enabled at Fidelity, so no access there.

It's important to have layers of security. This is why you should run through the various scenarios that can occur and make sure your critical data is safe.

Nothing is safe on the Internet and unless you can find a way to disconnect, then protect yourself as best as you can.

I'll add another example. My house was broken into a few years ago and afterwards I installed an unmonitored security system. Will this prevent someone from breaking into my house? Maybe, but if not, it's a great deterrent. Even if they break into the house, they won't stick around because of the noise, so how much they are able to take is minimized.

In real life or the Internet, you need to protect yourself as best as you can.
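The two posts above argue about what the leaked "server per user salts" and "authentication hashes" are worth to an attacker, and a later post quotes the LastPass FAQ saying the vault key is formed from the email and master password and never sent to the server. The following Python is an added example, not LastPass's code and not from any poster here: it models that layering (a client-side key from email and master password, a login hash derived from it, and a server-side hash strengthened with a per-user salt) and then runs the offline attack the leak enables. The round counts, the exact construction, the accounts, and the wordlist are assumptions made for the demo; LastPass's real parameters are not stated on this page.

```python
import hashlib
import hmac
import os

# Round counts are assumptions kept small so the demo runs in well under a second;
# a real deployment uses far more (the page does not state LastPass's parameters).
CLIENT_ROUNDS = 5000
SERVER_ROUNDS = 5000

# Constructed attacker wordlist for the demo.
WORDLIST = ["letmein", "qwerty", "Password1234", "correcthorse"]


def vault_key(email: str, master_password: str) -> bytes:
    """Client-side key: PBKDF2-SHA256 over the master password, salted with the
    (normalised) email. This is the key that decrypts the vault; per FAQ item 3
    quoted above it never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.strip().lower().encode(), CLIENT_ROUNDS, 32)


def login_hash(email: str, master_password: str) -> bytes:
    """What the client sends to log in: one further PBKDF2 iteration over the vault
    key, so the server sees a value derived from the key but not the key itself."""
    return hashlib.pbkdf2_hmac("sha256", vault_key(email, master_password),
                               master_password.encode(), 1, 32)


def server_store(client_hash: bytes, per_user_salt: bytes) -> bytes:
    """Server-side strengthening with a random per-user salt. The salt and this
    stored value stand in for the 'server per user salts' and 'authentication
    hashes' the notice says were taken."""
    return hashlib.pbkdf2_hmac("sha256", client_hash, per_user_salt, SERVER_ROUNDS, 32)


def offline_guess(email, per_user_salt, leaked_hash, candidates):
    """Attacker model: with email, salt and stored hash in hand, each candidate
    master password can be tested offline, untouched by any login-time control."""
    for guess in candidates:
        if hmac.compare_digest(server_store(login_hash(email, guess), per_user_salt), leaked_hash):
            return guess
    return None


def demo(email="alice@example.com", weak_mp="Password1234",
         strong_mp="glacier tundra 8 quartz muffin") -> dict:
    """Two constructed accounts: one with a wordlist password, one with a passphrase."""
    salt = os.urandom(16)
    weak_leak = server_store(login_hash(email, weak_mp), salt)
    strong_leak = server_store(login_hash(email, strong_mp), salt)
    weak_found = offline_guess(email, salt, weak_leak, WORDLIST)
    strong_found = offline_guess(email, salt, strong_leak, WORDLIST)
    # Recovering the master password also recovers the vault key, so an attacker who
    # later obtained the encrypted vault could open it without ever touching the server.
    vault_key_exposed = (weak_found is not None
                         and vault_key(email, weak_found) == vault_key(email, weak_mp))
    return {"weak_recovered": weak_found,
            "strong_recovered": strong_found,
            "weak_vault_key_exposed": vault_key_exposed}


if __name__ == "__main__":
    print(demo())
```

The point the demo makes concrete: the email verification for new devices and the 2FA prompt that LastPass added after the breach govern live logins, and do nothing to slow this offline loop. What slows it is the iteration count and the entropy of the master password, which is why the advice to change a guessable master password (and to keep 2FA on the accounts the vault protects, as the Fidelity example above notes) is the right response.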
 
I use LastPass, but not for core banking or brokerage accounts. I haven't enabled two factor authentication yet but will probably do so now.

Coincidentally, over the past three weeks there have been attempts to log into my Facebook, brokerage, and one bank account - all three have notified me. It's time for me to rethink online security and account access. What concerns me most about two factor is if the mobile device I use is lost or stolen and then compromised it leads to a cascade of account hijacks.

I have 2 factor authentication set up on all my accounts that support it. It really isn't too onerous as the second verification is only used from devices that you haven't registered. I also use an iPhone on which I have a strong passcode and use fingerprint access so the strong code isn't necessary most of the time. (It can also be wiped remotely).

I will change my LastPass master password this morning and keep on using LastPass.
 
Read Steve Gibson's analysis of LastPass security. [Assuming you are a geek with an extra hour or two in the day. :)]

https://www.grc.com/sn/sn-256.htm
(LastPass discussion starts about half way down.)

https://blog.lastpass.com/2010/07/lastpass-gets-green-light-from-security.html/

https://twit.tv/shows/security-now/episodes/257

Even if they got your encrypted LastPass, it would take a while to decrypt it, if they can at all. Presumably, you will have changed it before it is decrypted. Unless you choose something like 'Password1234' or 'qwerty' as your password. Even then it's hashed and mixed up more.

3. We never receive the key to decrypt that data.
The unique encryption key formed from the hashing of your email and MP is never sent to our servers. We never, for any reason, would ask you for your MP, so the key remains safely with you.
Not satisfied?
 
OMG! We've never been comfortable with storing critical/sensitive info online/cloud. It's bad enough exposure filing taxes electronically.

+1
Regarding taxes, I've always used the download option as well, for this very reason. I am uncomfortable with any cloud-based service.
 
Here's the problem with the cloud. All these services are big "hack me" signs to state-sponsored hackers. China only goes after the big targets.

Now big targets like Amazon and Google should have the best security people or the ability to hire them. But they're like the World Trade Center towers to cyber terrorists. Or less starkly, they're like Mount Everest and K2 for people who want big notches on their belts.

An individual can't lock down their systems as well as experts. But your home computers are like pebbles of sand in all the beaches in the world. Now hackers do have big net hacks like crypto locker and various malware which catch the careless but otherwise, the hackers don't see individuals.

When there are products like 1Password and KeePass, it's a wonder LastPass got anyone to pay on an ongoing basis. Yeah it's convenient but it's not that onerous to manually sync your encrypted password databases across your devices once every few weeks.

It'll be interesting to see how many customers they lose.
 
Use full device encryption on your devices. The FBI and other intelligence agencies are whining about Apple and Google enabling FDE by default, so if the govt can't easily crack it, you should be okay with losing it.

There are stories about people being victimized by cops who demand phones from people and they go through them. They leave their devices unlocked or actually unlock it for the cops when asked to unlock.

They can't go through your device without a warrant and unlike your vehicle, they can't use probable cause to look inside.
 
Here's the problem with the cloud. All these services are big "hack me" signs to state-sponsored hackers. China only goes after the big targets.

+1

Willie Sutton's famous quote comes to mind.
 
ALL sites should use this logon process currently underdevelopment:

https://www.grc.com/sqrl/sqrl.htm

In short:


  • The user can tap or click directly on the SQRL code to login,
    or launch their smartphone's SQRL app, and scan the QR code.
  • For verification, SQRL displays the domain name contained in the SQRL code.
  • After verifying the domain, the user permits the SQRL app to authenticate their identity.
  • Leaving the login information blank, the user clicks the “Log in” button... and is logged in.
I can't do this process justice, just check out the page and say, "Why the heck haven't we been doing this for years?"
 
I have 2 factor authentication set up on all my accounts that support it. It really isn't too onerous as the second verification is only used from devices that you haven't registered. I also use an iPhone on which I have a strong passcode and use fingerprint access so the strong code isn't necessary most of the time. (It can also be wiped remotely).

I will change my LastPass master password this morning and keep on using LastPass.
I'm a bit confused on 2FA. For Vanguard, for example, one can choose to just have a verification from a cell phone you own if an attempt is made to login from an unknown IP address. If you are using your home computer to login, no 2FA is required. Is this what you mean in the above (blue text)?

Then I wonder, suppose I'm in Europe and my phone is stolen or broken. Now what do I do if I need to confirm with the airlines using the hotel computer and I have 2FA with them? If I use Lastpass with 2FA and a generated password am I out of luck? I suppose this is only a remote possibility.

Regarding the password change suggested by Lastpass, I wonder why change if one has a strong password to begin with. I really like my password because it fits in a scheme I can easily remember for very important passwords -- and I'd have to break that scheme to change it this year.
 
I'm a bit confused on 2FA. For Vanguard, for example, one can choose to just have a verification from a cell phone you own if an attempt is made to login from an unknown IP address. If you are using your home computer to login, no 2FA is required. Is this what you mean in the above (blue text)?

Then I wonder, suppose I'm in Europe and my phone is stolen or broken. Now what do I do if I need to confirm with the airlines using the hotel computer and I have 2FA with them? If I use Lastpass with 2FA and a generated password am I out of luck? I suppose this is only a remote possibility.

Regarding the password change suggested by Lastpass, I wonder why change if one has a strong password to begin with. I really like my password because it fits in a scheme I can easily remember for very important passwords -- and I'd have to break that scheme to change it this year.

2FA is not done by IP address as it is easy to spoof IP addresses. Vanguard, I believe, leaves a cookie after the first time you authenticate, which is why if you use a different browser from the same PC you must 2FA again. (Same goes for major upgrades, or deleting all cookies.)

As for being on vacation and losing your cellphone then I approach that by having 2 personal devices with Lastpass installed and authenticated. My laptop and iPad. If I lose my phone then I can still log on from my iPad and laptop, and can change how I do the 2FA.
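The exchange above (2FA skipped on a registered device, required again from a new browser or after clearing cookies, and not decided by IP address) is the "trusted device" pattern. The Python below is an added example of that pattern; it is not Vanguard's or LastPass's implementation and not from any poster. The server key, token lifetime, token format and scenarios are assumptions for illustration. A token is issued only after a login has passed the second factor, and a later login skips the second factor only when it presents a valid, unexpired token for the same account; the client's IP address is deliberately not an input.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import List, Optional, Tuple

SERVER_KEY = os.urandom(32)      # hypothetical server-side secret; never placed in the cookie
TOKEN_TTL = 30 * 24 * 3600       # assumed lifetime of a trusted-device token, in seconds
SIG_LEN = hashlib.sha256().digest_size


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_device_token(account_id: str, now: Optional[float] = None) -> str:
    """Called once a login has completed the second factor. The browser stores the
    result as a cookie; a different browser, or one with cleared cookies, has none."""
    now = time.time() if now is None else now
    payload = json.dumps({"acct": account_id,
                          "dev": os.urandom(8).hex(),      # random device id per issuance
                          "exp": int(now + TOKEN_TTL)},
                         separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def needs_second_factor(account_id: str, cookie: Optional[str],
                        now: Optional[float] = None) -> bool:
    """Decide whether this login must complete 2FA. The source IP is not consulted:
    a valid token is honoured from any network and an invalid one is challenged
    from any network, which is what makes the scheme immune to IP spoofing."""
    now = time.time() if now is None else now
    if not cookie:
        return True                      # unknown browser: always challenge
    try:
        raw = base64.urlsafe_b64decode(cookie)
    except Exception:
        return True                      # not even well-formed
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    if not hmac.compare_digest(sig, _sign(payload)):
        return True                      # forged or tampered token
    data = json.loads(payload)
    if data["acct"] != account_id:
        return True                      # token was issued to a different account
    if data["exp"] < now:
        return True                      # trust has expired; re-register the device
    return False


def walkthrough() -> List[Tuple[str, bool]]:
    """Constructed scenarios; each entry is (description, needs_2fa)."""
    now = 1_700_000_000
    acct = "alice"
    steps = []
    steps.append(("first login from a new browser (no cookie)",
                  needs_second_factor(acct, None, now)))
    cookie = issue_device_token(acct, now)          # second factor passed; cookie set
    steps.append(("same browser, next day, from a different IP",
                  needs_second_factor(acct, cookie, now + 86400)))
    steps.append(("a different account presenting alice's cookie",
                  needs_second_factor("bob", cookie, now)))
    forged = cookie[:10] + ("A" if cookie[10] != "A" else "B") + cookie[11:]
    steps.append(("cookie altered by one character",
                  needs_second_factor(acct, forged, now)))
    steps.append(("cookie older than its lifetime",
                  needs_second_factor(acct, cookie, now + TOKEN_TTL + 1)))
    return steps


if __name__ == "__main__":
    for description, challenge in walkthrough():
        print(f"{description}: {'2FA required' if challenge else 'trusted device'}")
```

Binding the token to the account and signing it with a server-held key is what prevents a stolen or guessed cookie from being reused for someone else's login, and the expiry is what bounds the damage if a device is lost, which is the concern raised earlier in the thread.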
 
I changed my Lastpass password as a precaution, the email they sent me said I didn't need to change my password unless they contacted me and told me to.
 
+1
Regarding taxes, I've always used the download option as well, for this very reason. I am uncomfortable with any cloud-based service.

Not good enough, unfortunately, as your completed return is transmitted when you eFile.
 
It was expected, will happen again.

The really dangerous thing, is they truly cannot tell everything that happened, so they tell folks the happy story, that your data is safe.

I'll keep using a local encrypted password manager that I can copy and carry on a thumb drive within an encrypted file.

And I'll still be worried :(
 