
News LastPass developer systems hacked to steal source code

UsandThem

Elite Member
https://www.bleepingcomputer.com/ne...eveloper-systems-hacked-to-steal-source-code/

After sending questions about the attack, LastPass released a security advisory today confirming that it was breached through a compromised developer account that hackers used to access the company's developer environment.

While LastPass says there is no evidence that customer data or encrypted password vaults were compromised, the threat actors did steal portions of their source code and "proprietary LastPass technical information."

Still, I changed my master password just to be safe, and I already had 2-factor security enabled in my profile before this latest breach.
 
That's a huge embarrassment.

LastPass is one of the largest password management companies in the world, claiming to be used by over 33 million people and 100,000 businesses.
 
How many breaches have they had over the years? At this point if you're still using LastPass it's shame on you. (not directed at the OP.) I also don't understand why someone would trade their security for the convenience of being able to access their passwords from the cloud.

However, LastPass stores passwords in 'encrypted vaults' that can only be decrypted using a customer's master password, which LastPass says was not compromised in this cyberattack.

Last year, LastPass suffered a credential stuffing attack that allowed threat actors to confirm a user's master password. It was also revealed that LastPass master passwords were stolen by threat actors distributing the RedLine password-stealing malware.

Due to this, it is vital to enable multi-factor authentication on your LastPass accounts so that threat actors won't be able to access your account even if your password is compromised.
 
After this latest compromise, I will be looking for another password manager. I've always had 2-factor authentication, and an authentication app enabled to be more secure.

I make sure to use different usernames and long passwords for all the different websites, so it's not so much of it being a convenience, but a necessity in generating and remembering all the logins.

I used a couple different managers over the 20 years of doing this, and LastPass has really been the only one with multiple breaches. I know anything that is connected to the internet will eventually be breached at some point, but some companies are much more progressive in their prevention (not looking at you T-Mobile, Home Depot, Target, Yahoo etc.) than others.
 
I think LastPass is a target because they have so many users. Sort of like IE, Flash, etc. were constant targets. I don't think they've had a breach where the databases were compromised yet.

I've been using KeePass for years since it's open source and a smaller target. I also like that it doesn't store my database online. I think it has the option to store the databases online via Dropbox, Google Drive, OneDrive, etc. plus it has two plugins for online storage or sync if the default method doesn't work with your service.

 

Users' data also compromised

fwiw, I use safe in cloud.


I never liked the fact that LastPass data was stored on their servers.

I don’t use browser plugins either.
Rats. Just bought LastPass premium (25% off). Dashlane re-up was going to be $80/yr (vs the previous $60).
 
Does anybody know if KeePass is safer than a password-protected 7Zip file?
After reading up on KeePass it sounds about the same as a 7Zip file with a password, but I can't really tell.
 
KeePass DBs are encrypted by default. Don’t believe zips are?
 
Not related to the above. I wish I had bought Keeper instead of LastPass this go around. It has a good reputation and isn't as big a target for hackers as LastPass is.
Hmm, wonder if I can get a refund??
 
This impacted me recently. I moved from LastPass to Bitwarden years ago, but when I was test driving BW, my password was stored with it in a LP vault...dumb I know.

I received a notification that my Bitwarden account and my box.com account had been logged in to.

Dumped my vault, kicked all sessions, upped my encryption to 350,000 iterations and then created a new passphrase.

Ran through all my financial accounts and changed those passwords and then social media.

Everything is secured now and on the services I did not use 2FA on, they all use it now.
 