chicagovps.net user database hacked? Lastpass security email
Did anyone else get an email from Lastpass saying that the chicagovps.net database was hacked on Feb 28 and was posted on Mediafire?
Hello,
Hackers claim to have hacked the site chicagovps.net on 2013-02-28 and we've detected that your email address was included in the data published as part of the leak. The full description of the leak is as follows:
The hacker known as NITEDREAM has published an archive to MediaFire.com, consisting of a MySQL dump that seems to belong to chicagovps.net. The data contains dumps of several DB tables, including account credentials for admin accounts.
Please update the password for your chicagovps.net account immediately. The LastPass Security Challenge, located in the Tools menu of the LastPass addon, will help find any other accounts using the same password as the leaked account.
Thanks,
The LastPass Team
Comments
Yep. We discussed this about a week ago.
http://www.lowendnetwork.com/discussion/8383/chicagovps-database-leaked-chicagovps-customers-change-your-root-passwords-immediately
Ssshhhhh. If we close threads discussing it, it never happened.
Sorry, I thought I searched but apparently was not thorough enough.
Wait, what? LastPass found your email in the database dump and emailed you? Is that something they usually do?
I never have received an email like this before from Lastpass, but I also never received the earlier email from chicagovps...
Looks more like they found out that:
@acollins has a password for a ChicagoVps.net account stored in LastPass
LastPass found out that ChicagoVPS got hacked
So they alerted everyone that is potentially at risk due to the hack
I think LastPass download the files, scan them for matching e-mails, then e-mail affected clients who are signed up to them. Nifty, but scary, considering they then have your details in a DB ^^
Seriously sums up what I just thought. I understood LastPass to be an application, is it a service? A team of people looking out across the internet for the safety of your data across the internet?
Cool in a way, unless they're out there googling your info all the time
That's what I call above and beyond. Telling somebody (who previously didn't know) about their password for a completely unrelated service being compromised and then telling them how to minimize the impact.
http://blog.lastpass.com/2012/10/lastpass-sentry-now-checks-your-entire.html
So, and then that's why I don't trust that thing...
Keepass and period.
As long as they don't look at my passwords I think it is a good idea to inform users that their data is leaked when the leaked service itself doesn't do it or provides incorrect information. Who knows Lastpass is on LET...
If you don't want them to see your passwords, you probably shouldn't use LastPass.
This thread won't stay open for long. Colocrossing/CVPS/LET Mafia Shit.
Good idea, it scares me that they even bother checking my passwords, might make an alternative when I have time
don't forget pwgen (in every X months)
I actually think it's pretty good they respond to threats like this. They don't have access to your password, so it's a pretty safe process.
You apparently haven't got a clue about how LastPass works.
Yeah, I know what you mean and I was just like that. However, I now use LastPass for all my "website" passwords, with two-factor (YubiKey) enabled and restricted mobile access. This is something I wasn't able to achieve with KeePass. I still use KeePass for all other passwords, but without two-factor because it's too complicated for mobile.
They check your email against PwnedList. I don't see a security threat in that. It's nice to see that they take an interest in actual security rather than passing the tool to the user and hoping they keep tabs on everything themselves. That's the kind of service I appreciate.
inb4 close
... while the affected service still hasn't sent out an explicit advisory.
And you guys say that there's no possible non-malicious reason for wanting to get a hold of the database... well, some of you here at LET, at least. You guys going to criticize LastPass for downloading the database? Even though they downloaded it so that they could notify people of the issue (since ChicagoVPS hasn't)?
@KuJoe true
pwnedlist.com did it actually, I assume. LastPass may have, or may have just researched it. My guess is that if anyone wants to give pwnedlist a lecture, they'd be happy to play a little violin for them.
I got this email too. It's the only way I found out about it.