LastPass hacked
Old 06-15-2015, 05:40 PM   #1
Moderator
Join Date: Jan 2008
Location: Rocky Inlets
Posts: 24,487
LastPass hacked

That's right, sorry to be the bearer of bad news. LastPass users need to change their master passwords right now. From their blog https://blog.lastpass.com/2015/06/la...y-notice.html/

Quote:
Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
From the media, with a bit more detail.
LastPass Hacked, Change Your Master Password Now
__________________
MichaelB is offline

Old 06-15-2015, 05:53 PM   #2
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,337
If you have 2nd factor authentication, that will help a lot. Also, make sure your LastPass account can only be accessed from the country of your residence and any you might be visiting in the future.

These two and more are offered in this article from LastPass:

https://blog.lastpass.com/2014/10/7-...e-secure.html/

Quote:
So you know you should be using strong passwords to protect your online accounts. And you ran the LastPass Security Challenge to help you keep improving your passwords. But did you know there are even more security features in LastPass that can help you better protect your account and the data you store in it? Check out these seven security features, and challenge yourself to enable at least one today:
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline
Old 06-15-2015, 10:27 PM   #3
Moderator
Join Date: Jul 2005
Location: Eee Bah Gum
Posts: 21,132
I've always resisted using an online tool to store my passwords but finally succumbed and, before this year's big travel vacation, signed up to LastPass and am now a big user of it.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Now it's adventure before dementia
Alan is offline
Old 06-15-2015, 10:56 PM   #4
Recycles dryer sheets
 
Join Date: Aug 2014
Location: Phoenix
Posts: 473
I only want to use my LastPass local vault. Is there a way of preventing use of the cloud vault?
__________________
Ian S is offline
Old 06-16-2015, 06:06 AM   #5
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 16,515
OMG! We've never been comfortable with storing critical/sensitive info online/cloud. It's bad enough exposure filing taxes electronically.
__________________
Well, I thought I was retired. But it seems that now I'm working as a travel agent instead!
audreyh1 is online now
Old 06-16-2015, 07:23 AM   #6
Moderator
Join Date: Jan 2008
Location: Rocky Inlets
Posts: 24,487
I use LastPass, but not for core banking or brokerage accounts. I haven't enabled two factor authentication yet but will probably do so now.

Coincidentally, over the past three weeks there have been attempts to log into my Facebook, brokerage, and one bank account - all three have notified me. It's time for me to rethink online security and account access. What concerns me most about two factor is if the mobile device I use is lost or stolen and then compromised it leads to a cascade of account hijacks.
__________________
MichaelB is offline
Old 06-16-2015, 08:28 AM   #7
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Jan 2008
Location: Chicagoland
Posts: 11,978
Quote:
Originally Posted by audreyh1 View Post
OMG! We've never been comfortable with storing critical/sensitive info online/cloud. It's bad enough exposure filing taxes electronically.
+1 on both.
__________________
No one agrees with other people's opinions; they merely agree with their own opinions -- expressed by somebody else. Sydney Tremayne
Retired Jun 2011 at age 57

Target AA: 60% equity funds / 35% bond funds / 5% cash
Target WR: Approx 2.5% Approx 20% SI (secure income, SS only)
Midpack is offline
Old 06-16-2015, 09:58 AM   #8
Full time employment: Posting here.
 
Join Date: Aug 2007
Posts: 894
I don't think anything is really safe. You take as many preventive measures as you can and odds are you'll be safe.

I use Lastpass and although I'm not happy with the security breach (who would be?), I don't think it's that bad. This is why two factor authentication is enabled on all my accounts and I limit access as much as reasonably possible to the account.

MichaelB, I think that having your mobile device compromised is unlikely, especially if you have a strong passcode and it locks after a few attempts. Plus, with iPhones you can remote wipe your device.

Where security is concerned, it's good to be paranoid, but not too paranoid. My family thinks I'm a little nuts with the precautions I have in place, but doing so lets me feel secure having my data in the cloud. I think everyone should think through their security and have a plan for the most common breaches. Beyond that, I think it's important not to get too caught up in the hype.
__________________
tulak is offline
Old 06-16-2015, 10:12 AM   #9
Moderator
Join Date: Sep 2005
Location: Charleston, SC
Posts: 13,456
I just changed my master password at lastpass.
I have the feature where I can disable my phone if it is lost.
I also use the fingerprint authentication for Lastpass and my phone.
__________________
“One day your life will flash before your eyes. Make sure it's worth watching.”
Gerard Arthur Way

Sarah in SC is offline
Old 06-16-2015, 10:17 AM   #10
Thinks s/he gets paid by the post
Join Date: May 2013
Posts: 1,977
Quote:
Originally Posted by kiki View Post
I don't think anything is really safe. You take as many preventive measures as you can and odds are you'll be safe.

I use Lastpass and although I'm not happy with the security breach (who would be?), I don't think it's that bad. This is why two factor authentication is enabled on all my accounts and I limit access as much as reasonably possible to the account.

MichaelB, I think that having your mobile device compromised is unlikely, especially if you have a strong passcode and it locks after a few attempts. Plus, with iPhones you can remote wipe your device.

Where security is concerned, it's good to be paranoid, but not too paranoid. My family thinks I'm a little nuts with the precautions I have in place, but doing so lets me feel secure having my data in the cloud. I think everyone should think through their security and have a plan for the most common breaches. Beyond that, I think it's important not to get too caught up in the hype.
It's not that bad? Their whole premise is passwords and they failed at that.

I'm pretty happy to have my own system of passwords and double authentication where possible. It's going to be quite a while before I consider a password storage 'solution'.

Sent from my mobile device so please excuse grammatical errors.
__________________
Founder and Head Lounger @ The Life of Leisure Institute
Retired in 2014 at the Ripe Age of 40.
ExFlyBoy5 is offline
Old 06-16-2015, 10:43 AM   #11
Full time employment: Posting here.
 
Join Date: Aug 2007
Posts: 894
Quote:
Originally Posted by FlyBoy5 View Post
It's not that bad? Their whole premise is passwords and they failed at that.
From The Lastpass blog:

Quote:
In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
No encrypted data taken. As I said, no breach is good, but it's not that bad. And what if they did get the encrypted data? Then they'd have to somehow decrypt the data. And let's say they did that and tried accessing Fidelity. Oh, two factor authentication is enabled at Fidelity, so no access there.

It's important to have layers of security. This is why you should run through the various scenarios that can occur and make sure your critical data is safe.

Nothing is safe on the Internet and unless you can find a way to disconnect, then protect yourself as best as you can.

I'll add another example. My house was broken into a few years ago and afterwards I installed an unmonitored security system. Will this prevent someone from breaking into my house? Maybe, but if not, it's a great deterrent. Even if they break into the house, they won't stick around because of the noise, so how much they are able to take is minimized.

In real life or the Internet, you need to protect yourself as best as you can.
__________________
Eat, Drink and Be Merry.
tulak is offline
Old 06-16-2015, 10:46 AM   #12
Moderator
Join Date: Jul 2005
Location: Eee Bah Gum
Posts: 21,132
Quote:
Originally Posted by MichaelB View Post
I use LastPass, but not for core banking or brokerage accounts. I haven't enabled two factor authentication yet but will probably do so now.

Coincidentally, over the past three weeks there have been attempts to log into my Facebook, brokerage, and one bank account - all three have notified me. It's time for me to rethink online security and account access. What concerns me most about two factor is if the mobile device I use is lost or stolen and then compromised it leads to a cascade of account hijacks.
I have 2 factor authentication set up on all my accounts that support it. It really isn't too onerous as the second verification is only used from devices that you haven't registered. I also use an iPhone on which I have a strong passcode and use fingerprint access so the strong code isn't necessary most of the time. (It can also be wiped remotely).

I will change my LastPass master password this morning and keep on using LastPass.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Now it's adventure before dementia
Alan is offline
Old 06-16-2015, 11:02 AM   #13
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,337
Read Steve Gibson's analysis of LastPass security. [Assuming you are a geek with an extra hour or two in the day. :-)]

https://www.grc.com/sn/sn-256.htm
(LastPass discussion starts about half way down.)

https://blog.lastpass.com/2010/07/la...security.html/

https://twit.tv/shows/security-now/episodes/257

Even if they got your encrypted LastPass, it would take a while to decrypt it if they can at all. Presumably, you will have changed it before it is decrypted. Unless you choose something like 'Password1234' or 'qwerty' as your password. Even then it's hashed and mixed up more.

Quote:
3. We never receive the key to decrypt that data.
The unique encryption key formed from the hashing of your email and MP is never sent to our servers. We never, for any reason, would ask you for your MP, so the key remains safely with you.
Not satisfied?
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline
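The quoted LastPass description (a vault key derived on the client from the e-mail address and master password, never sent to the server) and the breach notice earlier in the thread (per-user server salts and authentication hashes taken, vault data not) fit together in the following added illustration. It is not LastPass's code: the iteration counts, the choice of PBKDF2-HMAC-SHA256 for every step, and the shape of the server-side re-hash are assumptions for the demo. What it shows is why a leaked (email, server salt, stored hash) tuple is an offline guessing oracle against the master password, and therefore why a strong master password, changed after the incident, is the thing that matters.

```python
"""Added illustration of a client-side vault key plus a separate authentication
hash.  Iteration counts, hash choice and the server-side salting step are
assumed for the demo and are NOT LastPass's actual parameters."""
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000     # assumed client-side PBKDF2-HMAC-SHA256 iterations
SERVER_ROUNDS = 100_000   # assumed extra server-side iterations over the received hash


def vault_key(email: str, master_password: str) -> bytes:
    """Client side only: the key that encrypts the vault.  It never leaves the device;
    the e-mail address acts as the salt, so two users with the same MP get different keys."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.strip().lower().encode(), CLIENT_ROUNDS)


def auth_hash(email: str, master_password: str) -> bytes:
    """What the client sends at login: one further PBKDF2 round over the vault key.
    The server can check this value but cannot walk back from it to the vault key."""
    key = vault_key(email, master_password)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


def server_enroll(auth: bytes, server_salt: bytes = None):
    """Server side: do not store the received hash as-is; re-hash it with a
    per-user salt the client never sees.  Returns (salt, stored_hash)."""
    server_salt = server_salt or os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth, server_salt, SERVER_ROUNDS)
    return server_salt, stored


def server_verify(auth: bytes, server_salt: bytes, stored: bytes) -> bool:
    """Server side login check, constant-time comparison."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth, server_salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def offline_guess(email: str, server_salt: bytes, stored: bytes, wordlist):
    """What an attacker holding the leaked (email, per-user salt, stored hash)
    tuple can do: guess master passwords offline, with no rate limit.  Every guess
    costs CLIENT_ROUNDS + 1 + SERVER_ROUNDS PBKDF2 iterations, so a dictionary
    word falls quickly and a long random passphrase does not."""
    for guess in wordlist:
        if server_verify(auth_hash(email, guess), server_salt, stored):
            return guess
    return None


if __name__ == "__main__":
    email = "alice@example.com"                      # constructed sample account
    salt, stored = server_enroll(auth_hash(email, "Password1234"))
    # The leaked tuple is enough to recover a weak master password offline.
    print("cracked:", offline_guess(email, salt, stored, ["qwerty", "Password1234"]))
```

Note that the attacker in `offline_guess` never needs the vault: recovering the master password from the leaked hash is what then unlocks any vault copy obtained later, which is why the advisory asks for a new master password even though vault data was not reported taken.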
Old 06-16-2015, 11:23 AM   #14
Thinks s/he gets paid by the post
 
Join Date: Jan 2008
Posts: 1,495
Quote:
Originally Posted by audreyh1 View Post
OMG! We've never been comfortable with storing critical/sensitive info online/cloud. It's bad enough exposure filing taxes electronically.
+1
Regarding taxes, I've always used the download option as well, for this very reason. I am uncomfortable with any cloud-based service.
__________________
Options is offline
Old 06-16-2015, 12:19 PM   #15
Thinks s/he gets paid by the post
 
Join Date: May 2008
Posts: 3,423
Here's the problem with the cloud. All these services are big "hack me" signs to state sponsored hackers. China only goes after the big targets.

Now big targets like Amazon and Google should have the best security people or the ability to hire them. But they're like the World Trade Center towers to cyber terrorists. Or less starkly, they're like Mount Everest and K2 for people who want big notches on their belts.

An individual can't lock down their systems as well as experts. But your home computers are like pebbles of sand in all the beaches in the world. Now hackers do have big net hacks like crypto locker and various malware which catch the careless but otherwise, the hackers don't see individuals.

When there are products like 1Password and KeePass, it's a wonder LastPass got anyone to pay on an ongoing basis. Yeah it's convenient but it's not that onerous to manually sync your encrypted password databases across your devices once every few weeks.

It'll be interesting to see how many customers they lose.
__________________
explanade is online now
Old 06-16-2015, 12:25 PM   #16
Thinks s/he gets paid by the post
 
Join Date: May 2008
Posts: 3,423
Use full device encryption on your devices. The FBI and other intelligence agencies are whining about Apple and Google enabling FDE by default, so if the govt can't easily crack it, you should be okay with losing it.

There are stories about people being victimized by cops who demand phones from people and they go through them. They leave their devices unlocked or actually unlock it for the cops when asked to unlock.

They can't go through your device without a warrant and unlike your vehicle, they can't use probable cause to look inside.
__________________
explanade is online now
Old 06-16-2015, 12:52 PM   #17
Thinks s/he gets paid by the post
 
Join Date: Nov 2011
Posts: 2,370
Quote:
Originally Posted by explanade View Post
Here's the problem with the cloud. All these services are big "hack me" signs to state sponsored hackers. China only goes after the big targets.
+1

Willie Sutton's famous quote comes to mind.
__________________
GrayHare is online now
Old 06-16-2015, 01:58 PM   #18
Dryer sheet aficionado
 
Join Date: May 2015
Posts: 49
ALL sites should use this logon process currently under development:

https://www.grc.com/sqrl/sqrl.htm

In short:

  • The user can tap or click directly on the SQRL code to login,
    or launch their smartphone's SQRL app, and scan the QR code.
  • For verification, SQRL displays the domain name contained in the SQRL code.
  • After verifying the domain, the user permits the SQRL app to authenticate their identity.
  • Leaving the login information blank, the user clicks the “Log in” button... and is logged in.
I can't do this process justice, just check out the page and say, "Why the heck haven't we been doing this for years?"
__________________
alistair is offline
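The four steps quoted above are a login without a password: the phone holds one master key, derives a separate identity for every domain, shows the user the domain embedded in the code, and only then answers the server's challenge. The following added example (not SQRL's own code, nor GRC's) walks that flow end to end. Two things are simplified and labelled as such: SQRL proper derives an Ed25519 key pair per site and the server stores only the public key, but Python's standard library has no Ed25519, so this toy uses HMAC tags, which means the toy server also has to hold the per-site key; and apart from the `nut` nonce parameter the message layout is invented for the demo. The per-domain derivation, the domain check before answering, and one-time use of the nonce are the points it demonstrates.

```python
"""Added, simplified SQRL-style login.  Per-site identity is derived from a
master key and the domain; the app answers a challenge only for the domain the
user confirms.  HMAC tags stand in for SQRL's Ed25519 signatures (assumption),
so unlike real SQRL the toy server also holds the per-site key."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse


def site_key(master_key: bytes, domain: str) -> bytes:
    """Deterministic per-site secret: same master key + same domain -> same key,
    any other domain -> an unrelated key, so there is nothing to reuse across sites."""
    return hmac.new(master_key, b"key:" + domain.lower().encode(), hashlib.sha256).digest()


def site_id(master_key: bytes, domain: str) -> str:
    """Per-site user identifier, likewise unlinkable between sites."""
    return hmac.new(master_key, b"id:" + domain.lower().encode(), hashlib.sha256).hexdigest()


class Site:
    """Toy relying party (the web site's side)."""

    def __init__(self, domain: str):
        self.domain = domain
        self.keys = {}          # site_id -> per-site key (a public key in real SQRL)
        self.open_nuts = set()  # challenges issued and not yet consumed

    def login_code(self) -> str:
        """The code shown on the login page (rendered as a QR code in practice)."""
        nut = secrets.token_hex(16)
        self.open_nuts.add(nut)
        return f"sqrl://{self.domain}/?nut={nut}"

    def verify(self, sid: str, nut: str, tag: bytes) -> bool:
        if nut not in self.open_nuts:      # unknown, expired or already used: replay
            return False
        self.open_nuts.discard(nut)        # each challenge is answered at most once
        key = self.keys.get(sid)
        if key is None:
            return False
        expected = hmac.new(key, nut.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def enroll(master_key: bytes, site: Site) -> None:
    """Client-side first-time setup for one site: hand over the per-site identity."""
    site.keys[site_id(master_key, site.domain)] = site_key(master_key, site.domain)


def app_answer(master_key: bytes, code: str, domain_user_expects: str):
    """The phone app's side: parse the code, show the domain it carries, and
    answer only if the user confirms it is the site they meant to log in to.
    A look-alike domain therefore gets no answer at all."""
    parsed = urlparse(code)
    domain = (parsed.hostname or "").lower()
    nut = parse_qs(parsed.query).get("nut", [""])[0]
    if not nut or domain != domain_user_expects.lower():
        raise ValueError(f"refusing: code is for {domain!r}, not {domain_user_expects!r}")
    tag = hmac.new(site_key(master_key, domain), nut.encode(), hashlib.sha256).digest()
    return site_id(master_key, domain), nut, tag


def app_refuses(master_key: bytes, code: str, domain_user_expects: str) -> bool:
    """True if the app would decline to answer this code for the expected domain."""
    try:
        app_answer(master_key, code, domain_user_expects)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    master = bytes(range(32))                 # constructed master key for the demo
    site = Site("vanguard.com")
    enroll(master, site)
    sid, nut, tag = app_answer(master, site.login_code(), "vanguard.com")
    print("login ok:", site.verify(sid, nut, tag))
    print("phish refused:", app_refuses(master, Site("vanguard-login.example").login_code(), "vanguard.com"))
```

The login fields stay empty because nothing the user knows is typed into the page; the only secret is on the phone, and a breach of one site's user table yields identities that mean nothing anywhere else.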
Old 06-16-2015, 08:51 PM   #19
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: May 2006
Location: west coast, hi there!
Posts: 5,695
Quote:
Originally Posted by Alan View Post
I have 2 factor authentication set up on all my accounts that support it. It really isn't too onerous as the second verification is only used from devices that you haven't registered. I also use an iPhone on which I have a strong passcode and use fingerprint access so the strong code isn't necessary most of the time. (It can also be wiped remotely).

I will change my LastPass master password this morning and keep on using LastPass.
I'm a bit confused on 2FA. For Vanguard, for example, one can choose to just have a verification from a cell phone you own if an attempt is made to login from an unknown IP address. If you are using your home computer to login, no 2FA is required. Is this what you mean in the above (blue text)?

Then I wonder, suppose I'm in Europe and my phone is stolen or broken. Now what do I do if I need to confirm with the airlines using the hotel computer and I have 2FA with them? If I use Lastpass with 2FA and a generated password am I out of luck? I suppose this is only a remote possibility.

Regarding the password change suggested by Lastpass, I wonder why change if one has a strong password to begin with. I really like my password because it fits in a scheme I can easily remember for very important passwords -- and I'd have to break that scheme to change it this year.
__________________
Lsbcal is offline
Old 06-16-2015, 09:06 PM   #20
Moderator
Join Date: Jul 2005
Location: Eee Bah Gum
Posts: 21,132
Quote:
Originally Posted by Lsbcal View Post
I'm a bit confused on 2FA. For Vanguard, for example, one can choose to just have a verification from a cell phone you own if an attempt is made to login from an unknown IP address. If you are using your home computer to login, no 2FA is required. Is this what you mean in the above (blue text)?

Then I wonder, suppose I'm in Europe and my phone is stolen or broken. Now what do I do if I need to confirm with the airlines using the hotel computer and I have 2FA with them? If I use Lastpass with 2FA and a generated password am I out of luck? I suppose this is only a remote possibility.

Regarding the password change suggested by Lastpass, I wonder why change if one has a strong password to begin with. I really like my password because it fits in a scheme I can easily remember for very important passwords -- and I'd have to break that scheme to change it this year.
2FA is not done by IP address as it is easy to spoof IP addresses. Vanguard, I believe, leaves a cookie after the first time you authenticate, which is why if you use a different browser from the same PC you must 2FA again. (The same goes for major upgrades, or deleting all cookies.)

As for being on vacation and losing your cellphone then I approach that by having 2 personal devices with Lastpass installed and authenticated. My laptop and iPad. If I lose my phone then I can still log on from my iPad and laptop, and can change how I do the 2FA.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Now it's adventure before dementia
Alan is offline
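Alan's description of how the "remembered device" works (a cookie set after the first full login, not the IP address) and his answer to the lost-phone problem (keep other enrolled devices and be able to change the second factor) are shown in working form below. This is an added example, not Vanguard's or LastPass's implementation: the token layout, the 30-day lifetime and the revocation list are assumptions for the demo. The server signs the cookie with a key only it holds, so a stolen or forged cookie for another user, an expired one, or one for a device the user has since revoked does not let anyone skip the second factor.

```python
"""Added illustration of a signed 'trusted device' cookie that lets a browser
skip the second factor after one full login.  Layout, lifetime and revocation
are assumptions for the demo, not any real site's implementation."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(text: bytes) -> bytes:
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))


class TrustedDevices:
    """Server side.  The signing key never reaches the browser, so the client
    can present the cookie but cannot mint or alter one."""

    def __init__(self, server_key: bytes, ttl_days: int = 30):
        self.key = server_key
        self.ttl = ttl_days * 86400
        self.issued = {}     # user -> set of device ids handed out
        self.revoked = set()  # device ids whose trust has been withdrawn

    def issue(self, user: str, now: int = None) -> str:
        """Called only after a successful password + second-factor login."""
        now = now if now is not None else int(time.time())
        device_id = secrets.token_hex(16)
        self.issued.setdefault(user, set()).add(device_id)
        payload = json.dumps({"u": user, "d": device_id, "exp": now + self.ttl},
                             separators=(",", ":"), sort_keys=True).encode()
        body = _b64(payload)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return (body + b"." + _b64(tag)).decode()

    def skip_second_factor(self, user: str, cookie: str, now: int = None) -> bool:
        """True only if the cookie is authentic, unexpired, for this user, and not revoked.
        Any failure falls back to asking for the second factor; nothing here looks
        at the client's IP address, which proves nothing about who is connecting."""
        now = now if now is not None else int(time.time())
        try:
            body, tag = cookie.encode().split(b".", 1)
            tag = _unb64(tag)
        except ValueError:
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # forged or tampered
            return False
        try:
            data = json.loads(_unb64(body))
        except ValueError:
            return False
        if data.get("u") != user:                    # someone else's cookie
            return False
        if now >= data.get("exp", 0):                # trust has lapsed
            return False
        if data.get("d") in self.revoked:            # device reported lost
            return False
        return True

    def revoke_all(self, user: str) -> None:
        """'I lost my phone': every remembered device must do the full login again."""
        self.revoked.update(self.issued.get(user, set()))


if __name__ == "__main__":
    td = TrustedDevices(b"server-side secret, constructed for the demo")
    cookie = td.issue("alice")
    print("same browser skips 2FA:", td.skip_second_factor("alice", cookie))
    td.revoke_all("alice")
    print("after revocation:", td.skip_second_factor("alice", cookie))
```

Because the trust lives in the cookie, clearing cookies or switching browsers on the same PC means a full login again, exactly the behaviour described above, while a second enrolled device keeps its own cookie and can be used to revoke the lost one.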