
Items tagged with: lastpass


LastPass Sibling Company GoTo Loses Encrypted Backups to Hackers

The hacker also stole an encryption key for a portion of the encrypted backups by accessing a cloud storage database shared by both LastPass and GoTo.

#news #tech #technology #security #privacy #Lastpass #breach #hacking

https://www.pcmag.com/news/lastpass-sibling-company-goto-loses-encrypted-backups-to-hackers


I think we can all agree that #lastpass ducked up seriously, but what happens now? Find out on the #osspodcast with @kurtseifried and @joshbressers https://opensourcesecurity.io/2023/01/01/episode-356-lastpass-ducked-up-now-what/ TL;DR: #lastpass is a bag of weasels that still has a website that makes it sound like all your vault data is encrypted. It's not.


I’ve now seen four reports of people’s #LastPass accounts being configured with 1 (in words: one!) PBKDF2 iteration. This used to be the LastPass default somewhere around 2010. And it’s 310,000 times less than it should be per current OWASP recommendation.

So: LastPass updated the PBKDF2 defaults three times in total. Each and every time they failed to update the security settings for existing accounts, at least for some of them. So in the year 2022 we still have accounts configured with the default from 2010, even though it was completely inadequate even back then.

Not just that. LastPass could do a simple database query and notify the affected users. But so far people are left to figure it out on their own. Nobody knows how many people are affected but unaware of it because the official LastPass statement essentially says “nothing to worry about, it’s all safely encrypted.”

#LastPassBreach


I had a person comment on my blog that their #LastPass account was set to 500 (in words: five hundred) PBKDF2 iterations. That’s a factor of 620 (!!!) less than what OWASP currently recommends.

And now that I’ve seen it I also found a Reddit comment from a person who went into their account settings and also found 500 iterations there. And another person saying the same thing on Hacker News.

So LastPass didn’t merely mess up upgrading accounts from 5,000 to 100,100 when they increased the default in 2018. They also failed to upgrade people when they went from 500 to 5,000 iterations before that. Anyone have an idea when that even was?

Sue them. Sue them to the ground. This is gross negligence.

#LastPassBreach
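The two posts above compare reported iteration counts (1, 500, 5,000, 100,100) against the OWASP figure of 310,000 and note that a database query could identify affected users. The following is an added example, not code from any of the posts: it shows that PBKDF2-HMAC-SHA256 with one iteration is literally a single HMAC per guess, computes the shortfall factor the posts quote, and runs the "notify affected users" query over constructed sample records (the account names and records are made up).

```python
import hashlib
import hmac
import struct

# Figure the posts cite: OWASP's current PBKDF2-HMAC-SHA256 recommendation.
OWASP_PBKDF2_SHA256 = 310_000

# Constructed sample records standing in for the "simple database query" the
# post mentions; the iteration counts are the ones reported in the posts.
SAMPLE_ACCOUNTS = [
    {"user": "alice@example.com", "iterations": 1},        # 2010-era default
    {"user": "bob@example.com", "iterations": 500},        # pre-5,000 default
    {"user": "carol@example.com", "iterations": 5_000},
    {"user": "dave@example.com", "iterations": 100_100},   # 2018 default
    {"user": "erin@example.com", "iterations": 310_000},   # meets recommendation
]


def shortfall_factor(iterations: int, recommended: int = OWASP_PBKDF2_SHA256) -> float:
    """How many times cheaper one password guess is than at the recommended cost."""
    if iterations < 1:
        raise ValueError("PBKDF2 requires at least one iteration")
    return recommended / iterations


def single_iteration_is_one_hmac(password: bytes, salt: bytes) -> bool:
    """With c=1 the first PBKDF2 block is exactly HMAC(password, salt || INT_32BE(1)),
    i.e. one SHA-256 HMAC per guess and no key stretching at all."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, 1, 32)
    one_hmac = hmac.new(password, salt + struct.pack(">I", 1), hashlib.sha256).digest()
    return hmac.compare_digest(derived, one_hmac)


def accounts_to_notify(accounts, recommended=OWASP_PBKDF2_SHA256):
    """Return (user, iterations, factor) for every account below the recommendation,
    weakest first: the list a provider would use to notify affected users."""
    weak = [(a["user"], a["iterations"], shortfall_factor(a["iterations"], recommended))
            for a in accounts if a["iterations"] < recommended]
    return sorted(weak, key=lambda row: row[1])


if __name__ == "__main__":
    assert single_iteration_is_one_hmac(b"correct horse", b"constructed-salt")
    for user, iters, factor in accounts_to_notify(SAMPLE_ACCOUNTS):
        print(f"{user}: {iters} iterations, {factor:,.0f}x below recommendation")
```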


Just a #reminder, the #LastPass data #leak happened despite all the military grade and government verified as well as standardized encryption 🔐

#Encryption alone is not #security, but its implementation, and some do it better and others just badly. If the single point of #failure is vulnerable, the rest is usually useless 😉

Please do not fall for #buzzwords and the associated #advertising promises 🙏



Been reading more and stewing on this. #LastPass knew about this weeks, maybe months ago. They dropped it right before all of the security and IT people would be out on vacation for the rest of the year. Now we're all forced to try and contain the conflagration during what should be relaxing time off. Once again, the response is becoming the story more than the incident. Technical mistakes I can forgive, but bad COMMs much less so.


Every subsequent update of the #LastPass breach makes it worse. The latest one makes it clear that someone, somewhere, is probably putting a room full of discarded mining GPUs to work trying to crack that master password. Since the URLs are in plain text, whoever has the data has a list of all websites that a user cared enough about to make and store accounts on. That #metadata is going to be very useful for someone, somewhere. That the data hasn't yet popped up leaked or for sale hints that this could be yet another state-sponsored effort.

PS I highly recommend @bitwarden for all your credential manager needs, and please pay them to host it for you.


🤔 It's shocking to me the number of #infosec professionals that perpetuate the myth that a company is required in order to use a password manager.

#OpenSource #passwordManager #LastPass

cc @keepassxc


I'm seeing a lot of hot takes on #LastPass, from people in #infosec coming to the conclusion that LastPass transparently disclosing breaches, or near breaches, or any incidents, is a sign of something terrible.

I think those people have not been at this long.

All companies eventually get hacked. All companies eventually will be breached, and it's not if; it's when.

And if you are a company storing millions of passwords, you better believe you are being attacked constantly.

Given that world, I want a company that:
  • is transparent and lets their users know immediately when something is up and gives as many details as they can.
  • can actually detect incidents and has a solid process to follow in dealing with them and communicating about them
If you think a company that never says, "hey, we had an incident," is more secure... oh boy.

It merely means they either a) can't detect incidents or b) are hiding them from you

If you are using a password manager that is silent about breaches, near misses, incidents, etc., that should be cause for concern.