News LastPass developer systems hacked to steal source code

UsandThem

Elite Member
Super Moderator
May 4, 2000
16,069
7,364
146
https://www.bleepingcomputer.com/news/security/lastpass-developer-systems-hacked-to-steal-source-code/

After sending questions about the attack, LastPass released a security advisory today confirming that it was breached through a compromised developer account that hackers used to access the company's developer environment.

While LastPass says there is no evidence that customer data or encrypted password vaults were compromised, the threat actors did steal portions of their source code and "proprietary LastPass technical information."
Still, I changed my master password just to be safe, and I already had 2-factor security enabled in my profile before this latest breach.
 

mxnerd

Diamond Member
Jul 6, 2007
6,597
1,031
126
That's huge embarrassment.

LastPass is one of the largest password management companies in the world, claiming to be used by over 33 million people and 100,000 businesses.
 

balloonshark

Diamond Member
Jun 5, 2008
5,802
2,040
136
How many breaches have they had over the years? At this point if you're still using lastpass it's shame on you. (not directed at the OP.) I also don't understand why someone would trade their security for the convenience of being able access their passwords from the cloud.

However, LastPass stores passwords in 'encrypted vaults' that can only be decrypted using a customer's master password, which LastPass says was not compromised in this cyberattack.

Last year, LastPass suffered a credential stuffing attack that allowed threat actors to confirm a user's master password. It was also revealed that LastPass master passwords were stolen by threat actors distributing the RedLine password-stealing malware.

Due to this, it is vital to enable multi-factor authentication on your LastPass accounts so that threat actors won't be able to access your account even if your password is compromised.
 

UsandThem

Elite Member
Super Moderator
May 4, 2000
16,069
7,364
146
After this latest compromise, I will be looking for another password manager. I've always had 2-factor authentication, and an authentication app enabled to be more secure.

I make sure to use different usernames and long passwords for all the different websites, so it's not so much of it being a convenience, but a necessity in generating and remembering all the logins.

I used a couple different managers over the 20 years of doing this, and Lastpass has really been the only one with multiple breaches. I know anything that is connected to the internet will eventually be breached at some point, but some companies are much more progressive in their prevention (not looking at you T-Mobile, Home Depot, Target, Yahoo etc.) than others.
 

balloonshark

Diamond Member
Jun 5, 2008
5,802
2,040
136
After this latest compromise, I will be looking for another password manager. I've always had 2-factor authentication, and an authentication app enabled to be more secure.

I make sure to use different usernames and long passwords for all the different websites, so it's not so much of it being a convenience, but a necessity in generating and remembering all the logins.

I used a couple different managers over the 20 years of doing this, and Lastpass has really been the only one with multiple breaches. I know anything that is connected to the internet will eventually be breached at some point, but some companies are much more progressive in their prevention (not looking at you T-Mobile, Home Depot, Target, Yahoo etc.) than others.
I think lastpass is a target because they have so many users. Sort of like IE, flash, etc. were constant targets. I don't think they've had a breach where the databases were compromised yet.

I've been using keepass for years since it's open source and a smaller target. I also like that it doesn't store my database online. I think it has the option to store the databases online via Dropbox, Google Drive, OneDrive, etc. plus it has two plugins for online storage or sync if the default method doesn't work with your service.

 
  • Like
Reactions: UsandThem

ch33zw1z

Lifer
Nov 4, 2004
36,300
16,000
146

Users data also compromised

fwiw, I use safe in cloud.


I never liked the fact that last pass data was stored on their servers.

I don’t use browser plugins either
 
Last edited:
  • Wow
Reactions: Ajay

Ajay

Lifer
Jan 8, 2001
12,018
5,678
136

Users data also compromised

fwiw, I use safe in cloud.


I never liked the fact that last pass data was stored on their servers.

I don’t use browser plugins either
Rats. Just bought LastPass premium (25% off). Dashlane re-up was going to be $80/yr (vs the previous $60).
 

ch33zw1z

Lifer
Nov 4, 2004
36,300
16,000
146
Rats. Just bought LastPass premium (25% off). Dashlane re-up was going to be $80/yr (vs the previous $60).
yea that’s tough.
At this point I have 300+ profiles, even if I wanted to switch it would be very difficult
 
  • Like
Reactions: Ajay

ringtail

Golden Member
Mar 10, 2012
1,009
24
81
Does anybody know if KeePass is safer than a password-protected 7Zip file?
After reading up on KeePass it sounds about the same as a 7Zip file with a password, but I can't really tell.
 

ch33zw1z

Lifer
Nov 4, 2004
36,300
16,000
146
Does anybody know if KeePass is safer than a password-protected 7Zip file?
After reading up on KeePass it sounds about the same as a 7Zip file with a password, but I can't really tell.

Keepass db’s are encrypted by default. Do t believe zips are?
 

Ajay

Lifer
Jan 8, 2001
12,018
5,678
136
Not related to the above. I wish I had bought Keeper instead of LastPass this go around. It has a good reputation and isn't as big a target for hackers as LastPass is.
Hmm, wonder if I can get a refund??
 

ASK THE COMMUNITY