LastPass says hackers stole a backup copy of users' encrypted and unencrypted vault data using cloud storage keys stolen from a LastPass employee in August 2022
If you have a LastPass account you should have received …

Camila Foster / Sammy Fans : Samsung fans using LastPass should know, hackers stole cloud data
Fabian A. Scherschel / The Sleepy Fox : A Christmas Surprise from Lastpass
Ed Bott / Ed Bott's READ.ME : Is it time to replace your password manager?
Abhijeet Mishra / SamMobile : Using LastPass password manager on your Galaxy phone? You might be in trouble
Nathan Wasson / HotHardware : LastPass Confirms Hackers Stole Its Password Vault, What You Should Know
George Georgiev / CryptoPotato : Using LastPass to Store Passwords? You Must Act Quickly
Nehal Malik / iPhone in Canada Blog : LastPass Admits Encrypted Password Vaults Were Stolen in Breach
Deeba Ahmed / HackRead : LastPass: Hackers Stole User Data and Encrypted Password Vaults
Tom Blackstone / Cointelegraph : LastPass attacker stole password vault data, showing Web2's limitations
Nida Zafar / MobileSyrup : LastPass' August breach resulted in vault leaks
Laurent Giret / Thurrott : LastPass Confirms Hackers Gained Access to Users' Password Vaults
Mitchell Clark / The Verge : Hackers stole encrypted LastPass password vaults, and we're just now hearing about it
Brad Linder / Liliputing : Lilbits: LastPass customer data stolen (included encrypted password vaults) and what you can do about it
Anthony Spadafora / Tom's Guide : LastPass hack was even worse than originally reported - should you delete your account?
Matt Milano / IT Management : LastPass: Hackers Stole Encrypted User Password Vaults
Tim / Droid Life : LastPass Vault Backups Get Stolen, Data Should be Safe
Tom Merritt / Tom Merritt Tech Newsletter : LastPass Got Hacked Here's What to Do
Ben Wilson / Windows Central : LastPass security breach leaked encrypted customer password vaults
Mack DeGeurin / Gizmodo : Yikes! Hackers Had Access to LastPass Users' Password Vaults
Mihir Bagwe / BankInfoSecurity.com : LastPass Breach: Attacker Stole Encrypted Password Vaults
Ben Schoon / 9to5Google : How to export your passwords from LastPass and pick another password manager
Urian B. / Tech Times : LastPass Confirms Customer Password Vaults Stolen by Hackers
Alexander Martin / The Record : LastPass: Hackers accessed and copied customers' password vaults
Cynthia Brumfield / Metacurity : Cybercriminals Stole LastPass Customers' Encrypted Password Vaults
Davey Winder / Forbes : LastPass Password Vaults Stolen By Hackers—Change Your Master Password Now
Tyler Lee / Phandroid : The worst just happened: LastPass customer password vaults were stolen
Chris Smith / BGR : LastPass hackers stole your encrypted passwords, Merry Christmas!
John Gruber / Daring Fireball : LastPass Admits Hackers Stole Customers' Password Vaults
Dark Reading : LastPass Cops to Massive Breach Including Customer Vault Data
Michael Tsai : LastPass Breach — Dan Goodin: — LastPass, one of the leading password managers …
Sead Fadilpašić / TechRadar : LastPass confirms customer password vaults were stolen
Matt Stoller / BIG : Private Equity Gave Your Bank Password to Hackers
Pierluigi Paganini / Security Affairs : LastPass revealed that encrypted password vaults were stolen
Sofia Wyciślik-Wilson / BetaNews : LastPass data breach is worse than first thought; user data and password vaults grabbed by hackers
Phil Muncaster / Infosecurity : LastPass: Customer Vault Data Was Taken
Martin Brinkmann / gHacks Technology News : LastPass Hack Update: user vault data and information stolen
Jeffrey Goldberg / @jpgoldberg@ioc.exchange : I will take the opportunity to post out what 1Password does differently. …
The Hacker News : LastPass Admits to Severe Data Breach, Encrypted Password Vaults Stolen
Michael Potuck / 9to5Mac : LastPass security breach update: Customer password vaults were obtained
Amber Neely / AppleInsider : Hackers obtained LastPass customer data vaults in recent data breach
Duncan Riley / SiliconANGLE : LastPass reveals hacker copied encrypted customer password vaults
William Turton / Bloomberg : LastPass Says Hackers Stole Customer Data, Encrypted Passwords
Andrew Tarantola / Engadget : The Lastpass hack was worse than the company first reported
Nickie Louise / Tech News : LastPass says hackers stole its customers' encrypted password vaults

Mastodon:
Nicholas Weaver / @ncweaver@thecooltable.wtf : Being compromised is, well, it happens. But to not notify the customers of this is a gross abdication of their job.
@malwaretech@infosec.exchange : The reason online password managers use client side encryption is so that if they're hacked, the attacker can't do anything without bruteforcing the master password for every account. …
Robert Graham / @ErrataRob@infosec.exchange : LastPass password cracking rate on the order of 100k/sec, what various sources tell me. Given the complexity rules for passwords, you are safe from brute forcing. There is some small danger from mutated dictionary attacks, but still adversaries can try only a few billion.
Adrian Sanabria / @sawaba@infosec.exchange : While cleaning up the Lastpass mess, I discovered that, at some point, Lastpass dumped a plaintext config into the unprotected note field for all Wi-Fi Password entries. …
@SwiftOnSecurity@infosec.exchange : LASTPASS NEWS ALERT AND COMMENTARY: LastPass attackers know your name and billing address and all websites you have saved passwords for, and if your master password isn't sufficiently strong may be possible to brute-force open everything on attacker's machines. …
@hacks4pancakes@infosec.exchange : Anyway, like other sane people have said, you don't have to stop using LastPass - for gods' sakes just use a password manager. If you use it, spend some time over the holidays changing all your meaningful passwords in it and your master password. …
@malwaretech@infosec.exchange : Getting ChatGPT to write a phishing email https://www.youtube.com/...
@og@infosec.exchange : * We were breached, but don't worry, your data was *not* stolen. * Ok, we were breached, and your data *was* stolen, but don't worry, it was encrypted. …
@Aaron@social.aaroncrocco.com : @eric_capuano@infosec.exchange @spencerdailey@journa.host Oh, we know why: bEcAuSe ThAt'S nOt PeRsOnAl IdEnTiFyInG iNfOrMaTiOn. 🫠
Eric Capuano / @eric_capuano@infosec.exchange : Here's the immediate problem I see with the #LastPass breach... I think it's news to most of us (it is for me at least) that the URLs of every saved credential were unencrypted …
Dan Goodin / @dangoodin@infosec.exchange : Infosec Mastodon tonight is feeling a lot like Twitter did on a good day.
@gsuberland@chaos.social : if you run into anyone trying to discount the severity of the lastpass breach by saying the master keys are impossible to crack, ask them how lastpass' key derivation works, what a credential stuffing attack is …
@accidentalciso@infosec.exchange : If you were using Lastpass to store seeds for crypto wallets with any meaningful amount of coins in them, this might be a good time to move those funds to new wallets with fresh new seeds.
@hacks4pancakes@infosec.exchange : I'm also worried about all y'all going “lololol pEoPle UsE LasTPaSs” when getting just one person on a reputable password manager they'll actually understand how to use is a massive, uphill battle.
Dan Goodin / @dangoodin@infosec.exchange : LastPass customers should ensure they have changed their master password and all passwords stored in their vault. They should also make sure they're using settings that exceed the LastPass default. …
Matthew Green / @matthew_d_green@ioc.exchange : I guess this is the major holiday week companies designate for dumping terrible breach news.
Dare Obasanjo / @carnage4life@mas.to : If you use LastPass this is extremely important news. Attackers have access to all your website URLs and encrypted passwords. This was effectively their only job and they failed. …
@hacks4pancakes@infosec.exchange : @malanalysis “why don't you roll your own encryption in Arch to create a custom vault and” as they shrivel into a corncob
@filippo@abyssdomain.expert : I would like a round of applause for remembering my #LastPass password I last changed in 2013 and last used in 2016. The bad news is that apparently they were storing it with 5000 rounds of PBKDF2.
@weaponplus@infosec.exchange : For anyone that is looking to switch to 1Password, slickdeals has a link available that gives you 50% off of the first year for a family subscription. #cybersecurity #LastPassHack
Matt Blaze / @mattblaze@federate.social : @jsrailton@mastodon.social yes, this. Even with this breach, you're STILL better off using a password manager. Even the most crappy password manager is better than the alternative people generally end up using, which is low-entropy (memorizable) passwords re-used in different places.
Andrew Tarantola / @Terrortola@masto.ai : #Lastpass has released additional details about the August 2022 #hack on its systems. Hoo boy, it was so much worse than we were initially led to believe. Turns out the thieves made off with entire customer password vaults. …
John Scott-Railton☕ / @jsrailton@mastodon.social : The #LastPass breach is frustrating. Yes, users that didn't follow “best practices” for their master passwords may get their stolen vaults brute forced. But also, we spend big effort trying to get users to use a password manager so that they will use unique passwords. …
@zate@infosec.exchange : It looks like we have another round of the #LastPass running in circles arm waving, so I will add here what I just replied to one of the threads. So, generally, many, many websites use your email address to log you in. some use a username, but it's more the norm to use your email. …
Jesse Harris / @elforesto@infosec.exchange : Every subsequent update of the #LastPass breach makes it worse. The latest one makes it clear that someone, somewhere, is probably putting a room full of discarded mining GPUs to work trying to crack that master password. …

Tweets:
@snipeyhead : FWIW, here's what I told my employees re: the LastPass breach. Feel free to re-use without attribution. Hope it helps. What a mess. https://twitter.com/...
John Scott-Railton / @jsrailton : Latest #LastPass breach may be worse than you think. Attacker didn't just get encrypted passwords. They got unencrypted URLs. Think: URLs with account tokens, API keys & credentials, etc... 1/ https://blog.lastpass.com/... https://twitter.com/...
@swiftonsecurity : LastPass attackers now know all websites you have passwords stored for and the blobs, encrypted only by your master password https://blog.lastpass.com/... https://twitter.com/...
Lady G / @gabsmashh : LastPass update: The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data as well as fully-encrypted sensitive fields. https://blog.lastpass.com/...
@swiftonsecurity : tldr LastPass attackers know your name and billing address and all websites you have saved passwords for, and if your master password isn't sufficiently strong may be possible to brute-force open everything on attacker's machines
AJ Stuyvenberg / @astuyve : LastPass breach gets worse and worse. First: We were breached but no customer data was accessed Next: Okay some customer data was accessed, but not password vaults. Now: Customer password vaults were copied by the attacker but don't worry, it will be hard to crack your vault. https://twitter.com/... https://twitter.com/...
Kate Bevan / @katebevan : This is great from @zackwhittaker - it explains what the LastPass breach means to you. If your master password is short/weak/been used elsewhere, change it. Your vault is safe unless your password is weak or compromised. https://techcrunch.com/...
Eva / @evacide : Pour one out for all of the security practitioners who are going to have to patiently explain that using a password manager is still good, actually, to people who have glanced at a headline about the latest LastPass breach.
@stringstory : This is v. bad LastPass. Solution: - add 2FA - use Authenticator - move to new password manager https://twitter.com/...
@dystopiabreaker : lastpass has been obviously shit ever since tavis ormandy found a relatively simple “exfiltrate all passwords” bug in their chrome extension and they responded poorly to it
Sean Wright / @seanwrightsec : The LastPass incident is big news. But not for the reason why folk may think. We have a difficult time convincing folk to use password managers. This is most likely to harm that effort, sowing doubt with those who are a bit hesitant about doing so.
@nixcraft : Regarding lastpass, folks asking me: >>>LastPass just keeps having security incidents why do people still use it? For starters, having something like LastPass for the masses is more convenient. Second, it always depends upon your threat vector.
@uk_daniel_card : also a few things: 1) it's never nice being ownd 2) our friends work in orgs that get pwn3d. don't be a shitty human 3) the passwords are encrypted, if you have a “good” master password then risk is much much much lower 4) there is always some risk 5) use MFA ... mor2 follow
@altcoinpsycho : PSA: Stop using cloud-based password managers. I was called paranoid for ages for bad talking LastPass The safest place to store a password is in your brain https://twitter.com/...
John Scott-Railton / @jsrailton : 2/ #LastPass has a giant target on their back because of the juicy data & password trove that they handle. And they are absolutely failing their customers. At this point, each time I hear about Last Pass it's: hey, they had *another breach*
@cz_binance : LastPass suffered a breach recently. I recommended this password manager in my blog article before. They claim no impact to customer passwords, as it should be client side encrypted, but best to make sure you have 2FA enabled. https://www.npr.org/...
Mark Aangenaam / @markvdnld : Not only was @LastPass breached - hackers got the binary blobs of all data and even some unencrypted URL data. This is the end of LastPass. How can you recover from this? Your company has been failing on providing proper updates to begin with. Zero trust left. https://twitter.com/...
@b1ack0wl : Big yikes from LastPass lol https://twitter.com/...
Greg Osuri / @gregosuri : Lastpass was hacked, and customer vaults are with the attacker that can run a brute force attack to reveal your password and secret notes — it's only a matter of time. Change your passwords and renew your secrets ASAP if you've ever used Lastpass. https://twitter.com/...
@cz_binance : LastPass provided an update. The hacker has all the user info including email address and websites URLs unencrypted. If you reused passwords for the master password or have a weak master password, then it is possible for the hacker to obtain all of his/her credentials.
Arnav Gupta / @championswimmer : Despite even many well known infosec researchers actually suggesting users to use password managers, I'll never use one, because exactly this reason. The entropy of generated passwords isn't useful. I can remember high entropy passwords myself. “correct horse battery staple” https://twitter.com/...
Rick Dudley / @afdudley0 : Friendly reminder the odds are such that if you use one of these services, they will be significantly compromised while you're using them and thus you shouldn't put anything important in them. https://twitter.com/...
Shibetoshi Nakamoto / @billym2k : lastpass was hacked 🤣 i think we should just assume that anything we do is public and will be hacked
@swiftonsecurity : The fact LastPass doesn't encrypt website URLs is a known flaw it appears they never fixed on purpose, going back almost 6 years https://hackernoon.com/...
@accidentalciso : Folks that are migrating from LastPass to something else, what are you migrating to and why did you select that vendor? Is there something about that product's architecture that would materially reduce the potential risk that LastPass customers face right now?
Graham Cluley / @gcluley : Unfortunate timing with this latest disclosure. I'm sure LastPass wanted to be as transparent as possible about what occurred, and get the news out there as quickly as possible to users. It's just unfortunate some might not see it due to proximity to Christmas. https://twitter.com/...
John Scott-Railton / @jsrailton : This #LastPass breach = worse than you think. Attacker didn't just get encrypted passwords. They got unencrypted URLs. Think: URLs with account tokens, API keys & credentials, etc... You or your company a LastPass customer? Change everything. https://blog.lastpass.com/... https://twitter.com/...
@chrismessina : Merry Christmas you filthy LastPass threat actor https://twitter.com/... https://twitter.com/...
Matthew Green / @matthew_d_green : Nice announcement, LastPass. https://blog.lastpass.com/... https://twitter.com/...
John Scott-Railton / @jsrailton : The #LastPass breach (just the latest, btw) is frustrating. Users that didn't follow “best practices” for their master password are vulnerable (customer password vaults were stolen!). But also because we've collectively spent years trying to move users to password managers. 1/
@carnage4life : If you use LastPass this is extremely important news. Attackers have access to all your website URLs and encrypted passwords. This was effectively their only job and they failed. This feels somewhat inevitable given how big a prize the LastPass vault is but scary to see happen. https://twitter.com/...
Tom Warren / @tomwarren : I'm glad I use 1Password and not LastPass because this is 😬 https://www.theverge.com/...
James Ball / @jamesrbuk : Feels like we need a much more decentralised framework for these - password managers are better than the alternative for most users, but they're *such* honeypots for hackers. https://twitter.com/...
Sebastian Bicchi / @secresdoge : This basically means you can offline brute force them (masterpasswords) and as it is done clientside, it is known *how* to do it. Fun. https://twitter.com/...
Tim Stevens / @tim_stevens : Whelp. Sometimes it's hard to know whether to recommend Lastpass or 1password when people ask me about managers. This'll make that a lot easier going forward. https://twitter.com/...
Matthew Green / @matthew_d_green : People seem to be misunderstanding this: as best I can tell it means that the attackers can now start running dictionary “password guessing” attacks against your master password.
Kevin Collier / @kevincollier : This is downright scandalous. Significantly more damning than anything in the Twitter files. More overt abuse of access to users' data from a tech company than anything I can think of in recent memory. https://www.ft.com/...