Lastpass Hacked Again, and worse than what we thought! Use self-hosted solutions!

stoned Member
edited February 2023 in News

This may be old news but I just found out, so it's 'news' to me! :D https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/

I switched to KeePass a couple of years ago and deleted everything from Lastpass and emailed them a few times to ensure they got rid of all my data.

You should move away from third party authentication providers like this and switch to self hosted for more security. I use KeePassXC for now but I'm going to check out some other ones. Any other ones worth mentioning? I would never consider any more commercial services for password management.

Cheers, folks!

Comments

  • Old news, thanks anyway

  • Arkas Moderator

    I guess being stoned does slow time? I keep looking at complicated answers!

  • mustafamw3 Member, Patron Provider

    I use kaspersky password manager

  • emg Veteran
    edited February 2023

    See this recent thread:
    https://lowendtalk.com/discussion/181068/lastpass-hacked

    Here are my recommendations from that thread, edited to make it easy to read and understand:

    • Change the master password for your LastPass vault immediately.
    • Go through each and every password in the vault and its associated website or whatever, one by one. Change each individual password to a new, unique, strong, random password. Do that as soon as you can. You are in a race with the attackers who want to get to your accounts first.
    • Reconsider the idea of using online internet-accessible vaults to store passwords. Maybe local storage and self-managed backups are a better way? I recommend eliminating online "sync'd" password vaults in favor of a locally stored vault with proper backups.

    Changing each individual password in your LastPass vault will make any stolen password data useless to attackers. You just reset the bad guys' work back to the starting point, which can't hurt. Yes, it is a lot of work, but it is essential to do. If you are using the same password repeatedly, now is your chance to give each website its own unique random and strong password, a very good idea.

    Repeating:
    I would reconsider the idea of using online internet-accessible vaults to store passwords. Maybe local storage and self-managed backups are a better way?

  • Ympker Member
    edited February 2023

    @emg said:
    See this recent thread:
    https://lowendtalk.com/discussion/181068/lastpass-hacked

    Here are my recommendations from that thread, edited to make it easy to read and understand:

    • Change the master password for your LastPass vault immediately.
    • Go through each and every password in the vault and its associated website or whatever, one by one. Change each individual password to a new, unique, strong, random password. Do that as soon as you can. You are in a race with the attackers who want to get to your accounts first.
    • Reconsider the idea of using online internet-accessible vaults to store passwords. Maybe local storage and self-managed backups are a better way? I recommend eliminating online "sync'd" password vaults in favor of a locally stored vault with proper backups.

    Changing each individual password in your LastPass vault will make any stolen password data useless to attackers. You just reset the bad guys' work back to the starting point, which can't hurt. Yes, it is a lot of work, but it is essential to do. If you are using the same password repeatedly, now is your chance to give each website its own unique random and strong password, a very good idea.

    Repeating:
    I would reconsider the idea of using online internet-accessible vaults to store passwords. Maybe local storage and self-managed backups are a better way?

    I like the approach Enpass takes. Everything is local, but you can optionally store/sync your vault in your GDrive/Dropbox/some other popular cloud storage services.

    You can also just sync via your wifi though.

    Maybe 100% offline is safer, but this is quite a good compromise, imho. Ofc, DYOR.

    Thanked by 1default
  • Arkas Moderator

    @mustafamw3 said: I use kaspersky password manager

    Nice. At least you know who you are sharing your passwords with.

    Thanked by 1desperand
  • Wouldn't be surprised to see lastpass hacked again, but old news :(

  • Tony40 Member
    edited February 2023

    The hackers also copied a backup of customer vault data that included unencrypted data such as website URLs and encrypted data fields such as website usernames and passwords, secure notes, and form-filled data.

    “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” LastPass CEO Karim Toubba wrote, referring to the Advanced Encryption Scheme and a bit rate that’s considered strong. Zero Knowledge refers to storage systems that are impossible for the service provider to decrypt. The CEO continued:

    https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/
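The quoted statement above (URLs stored in clear, credential fields under AES-256 with a key derived from the master password) modelled as an added example; this is not LastPass's code. It assumes the derivation shape PBKDF2-HMAC-SHA256 keyed by the master password and salted with the lowercased account email, plus one extra PBKDF2 round for the server-side login hash, as LastPass has publicly described; the record contents and iteration counts are constructed.

```python
"""Model of a stolen vault-backup record and of the master-password-derived
key that is the only thing protecting its encrypted fields.
Assumption: the KDF shape below follows LastPass's published description;
the record, ciphertext bytes and iteration counts are constructed."""
import hashlib

KEY_LEN = 32  # 256-bit key, matching the "256-bit AES" in the quoted statement

# Fields the quoted statement says are stored encrypted; everything else
# (notably the URL) is readable as soon as the backup is in a thief's hands.
ENCRYPTED_FIELDS = ("username", "password", "secure_note")

# Constructed stolen record: ciphertext bytes are placeholders, not real AES output.
STOLEN_RECORD = {
    "url": "https://mail.example.com/login",
    "username": b"\x8f\x12\xa0\x77" * 4,
    "password": b"\x3c\xd9\x41\x0e" * 8,
    "secure_note": b"\x55\xaa\x01\xff" * 6,
    "kdf": {"email": "alice@example.com", "iterations": 100100},
}


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Client-side vault key. In the zero-knowledge model it never leaves the
    device, so the server (and whoever steals its backups) only ever holds
    ciphertext plus the public salt (email) and the iteration count."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, KEY_LEN)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the server stores to authenticate a login: one more PBKDF2 round,
    so holding this value does not hand over the vault key itself."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(),
                               1, KEY_LEN)


def exposure_report(record: dict) -> dict:
    """Split a stolen record into what is readable now and what still depends
    on the master password (and the KDF cost) to stay secret."""
    readable = {k: v for k, v in record.items()
                if k not in ENCRYPTED_FIELDS and k != "kdf"}
    protected = [k for k in ENCRYPTED_FIELDS if k in record]
    return {"readable_now": readable, "needs_master_password": protected}


def expected_guess_seconds(iterations: int, password_bits: float,
                           pbkdf2_rounds_per_sec: float) -> float:
    """Risk estimate for the thread's closing question: expected time for an
    offline guesser who must spend `iterations` PBKDF2 rounds per guess and
    on average tries half of a 2**password_bits space. One more bit of
    master-password entropy or a doubled iteration count each double it."""
    return 2 ** (password_bits - 1) * iterations / pbkdf2_rounds_per_sec


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed master password
    key = derive_vault_key(pw, "Alice@Example.com", STOLEN_RECORD["kdf"]["iterations"])
    print("vault key:", key.hex())
    print("login hash:", derive_login_hash(key, pw).hex())
    print(exposure_report(STOLEN_RECORD))
    for bits in (20, 40, 60):
        print(bits, "bits ->", expected_guess_seconds(100100, bits, 1e9), "s")
```

The two levers the vault owner controls are visible in the last function: master-password entropy and the iteration count; a vault whose backup was copied has already lost the URL list regardless of either.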

  • emg Veteran

    @Ympker said:

    I like the approach Enpass takes. Everything is local, but you can optionally store/sync your vault in your GDrive/Dropbox/some other popular cloud storage services.

    You can also just sync via your wifi though.

    [images of Enpass marketing materials]

    Maybe 100% offline is safer, but this is quite a good compromise, imho. Ofc, DYOR.

    On principle, I do not like the idea of storing all of your passwords on internet-accessible storage, even though the passwords are encrypted with today's best encryption technology.

    I will grant that Enpass' approach is better than LastPass' approach on several levels, but it still fails the essential principle that I stated above.

    Thanked by 2Ympker leyun
  • stoned Member
    edited February 2023

    Ok thanks folks. My apologies for old news. Though, if I'm discovering it now, maybe more like me are also finding out through this thread so I guess it's not completely useless. Cheers.

    Thanks for the suggestions. I'll check those out. I am only doing self hosted credential management now, and no more third party providers.

    I switched to KeePassXC and use that app on Android as well as PC and sync my password file through GDrive and use my biometric to unlock the password file.

    So far it's alright, but I want a self hosted solution I can put on my private secure VPS and use from anywhere, on any device, from anywhere. I think that's the goal anyway.

    Every single password in my DB is different. Not a single password is reused. Unless the site does not allow it, every password is using all possible and extended charsets, 64 characters in length minimally unless the site enforces 32 or 24 or 16 or 12 chars. In which case I have to use their max length.

    And since I abandoned LastPass, I've manually changed every single password to the above policy. On lastpass, I had actually reused many passwords in my youth. I had to spend 1-2 hours daily and it took about 1.5 months to finally change all my passwords everywhere to the above secure policy.

    Now I should be fairly/relatively secure. I say fairly/relatively, as there is no absolute security.

  • @emg said:

    @Ympker said:

    I like the approach Enpass takes. Everything is local, but you can optionally store/sync your vault in your GDrive/Dropbox/some other popular cloud storage services.

    You can also just sync via your wifi though.

    [images of Enpass marketing materials]

    Maybe 100% offline is safer, but this is quite a good compromise, imho. Ofc, DYOR.

    On principle, I do not like the idea of storing all of your passwords on internet-accessible storage, even though the passwords are encrypted with today's best encryption technology.

    I will grant that Enpass' approach is better than LastPass' approach on several levels, but it still fails the essential principle that I stated above.

    Fair enough, but Enpass doesn't force you to use any sync. And if you don't want to sync via the cloud, it offers wifi sync.

  • I thought it had happened again already lol. I am happy with Bitwarden. Still wondering if I should self host it again though - at the moment I am using the hosted version. The hosted version if just $10/year so it's ultra cheap, but there is always the chance that Bitwarden is targeted by attackers, which would be less likely with a self hosted anonymous instance. But with self hosting I am worried if my server goes down in the wrong moment... that's why I self hosted it for a very short time in the past.

    Does anyone here self host Bitwarden or another password manager?

  • @Ympker said:

    @emg said:
    See this recent thread:
    https://lowendtalk.com/discussion/181068/lastpass-hacked

    Here are my recommendations from that thread, edited to make it easy to read and understand:

    • Change the master password for your LastPass vault immediately.
    • Go through each and every password in the vault and its associated website or whatever, one by one. Change each individual password to a new, unique, strong, random password. Do that as soon as you can. You are in a race with the attackers who want to get to your accounts first.
    • Reconsider the idea of using online internet-accessible vaults to store passwords. Maybe local storage and self-managed backups are a better way? I recommend eliminating online "sync'd" password vaults in favor of a locally stored vault with proper backups.

    Changing each individual password in your LastPass vault will make any stolen password data useless to attackers. You just reset the bad guys' work back to the starting point, which can't hurt. Yes, it is a lot of work, but it is essential to do. If you are using the same password repeatedly, now is your chance to give each website its own unique random and strong password, a very good idea.

    Repeating:
    I would reconsider the idea of using online internet-accessible vaults to store passwords. Maybe local storage and self-managed backups are a better way?

    I like the approach Enpass takes. Everything is local, but you can optionally store/sync your vault in your GDrive/Dropbox/some other popular cloud storage services.

    You can also just sync via your wifi though.

    Maybe 100% offline is safer, but this is quite a good compromise, imho. Ofc, DYOR.

    I have a lifetime license for EnPass and I used it for a while, syncing the vault with Nextcloud. It has more features than Bitwarden and seems almost a clone of 1Password, so it's pretty rich in features. The fact that it doesn't store the vault on a centralized server is awesome, but like for self hosted Bitwarden I am worried if the server I use for syncing goes down...

    @stoned said:

    Ok thanks folks. My apologies for old news. Though, if I'm discovering it now, maybe more like me are also finding out through this thread so I guess it's not completely useless. Cheers.

    Thanks for the suggestions. I'll check those out. I am only doing self hosted credential management now, and no more third party providers.

    I switched to KeePassXC and use that app on Android as well as PC and sync my password file through GDrive and use my biometric to unlock the password file.

    So far it's alright, but I want a self hosted solution I can put on my private secure VPS and use from anywhere, on any device, from anywhere. I think that's the goal anyway.

    Then try Vaultwarden, a lightweight self hosted version of Bitwarden.

  • @vitobotta said:
    I have a lifetime license for EnPass and I used it for a while, syncing the vault with Nextcloud. It has more features than Bitwarden and seems almost a clone of 1Password, so it's pretty rich in features. The fact that it doesn't store the vault on a centralized server is awesome, but like for self hosted Bitwarden I am worried if the server I use for syncing goes down

    I use vaultwarden-backup https://github.com/ttionya/vaultwarden-backup for self-hosting Bitwarden with hourly backups to Cloudflare R2

  • @jcolideles said:

    @vitobotta said:
    I have a lifetime license for EnPass and I used it for a while, syncing the vault with Nextcloud. It has more features than Bitwarden and seems almost a clone of 1Password, so it's pretty rich in features. The fact that it doesn't store the vault on a centralized server is awesome, but like for self hosted Bitwarden I am worried if the server I use for syncing goes down

    I use vaultwarden-backup https://github.com/ttionya/vaultwarden-backup for self-hosting Bitwarden with hourly backups to Cloudflare R2

    Yesterday I set up EnPass synced with Seafile and will try it for a while

  • I've been using LastPass for about 8 years. After OP's message back then I finally migrated to self-hosted Bitwarden (Vaultwarden / bitwarden-rs).

    @jcolideles said:

    @vitobotta said:
    I have a lifetime license for EnPass and I used it for a while, syncing the vault with Nextcloud. It has more features than Bitwarden and seems almost a clone of 1Password, so it's pretty rich in features. The fact that it doesn't store the vault on a centralized server is awesome, but like for self hosted Bitwarden I am worried if the server I use for syncing goes down

    I use vaultwarden-backup https://github.com/ttionya/vaultwarden-backup for self-hosting Bitwarden with hourly backups to Cloudflare R2

    Thanks for this, this is exactly what I've been looking for a while!

    @Tony40 said:
    The hackers also copied a backup of customer vault data that included unencrypted data such as website URLs and encrypted data fields such as website usernames and passwords, secure notes, and form-filled data.

    “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” LastPass CEO Karim Toubba wrote, referring to the Advanced Encryption Scheme and a bit rate that’s considered strong. Zero Knowledge refers to storage systems that are impossible for the service provider to decrypt. The CEO continued:

    https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/

    If I recall correctly "secure notes" were not encrypted.

  • Ympker Member
    edited February 2023

    @vitobotta said:

    @Ympker said:

    @emg said:
    See this recent thread:
    https://lowendtalk.com/discussion/181068/lastpass-hacked

    Here are my recommendations from that thread, edited to make it easy to read and understand:

    • Change the master password for your LastPass vault immediately.
    • Go through each and every password in the vault and its associated website or whatever, one by one. Change each individual password to a new, unique, strong, random password. Do that as soon as you can. You are in a race with the attackers who want to get to your accounts first.
    • Reconsider the idea of using online internet-accessible vaults to store passwords. Maybe local storage and self-managed backups are a better way? I recommend eliminating online "sync'd" password vaults in favor of a locally stored vault with proper backups.

    Changing each individual password in your LastPass vault will make any stolen password data useless to attackers. You just reset the bad guys' work back to the starting point, which can't hurt. Yes, it is a lot of work, but it is essential to do. If you are using the same password repeatedly, now is your chance to give each website its own unique random and strong password, a very good idea.

    Repeating:
    I would reconsider the idea of using online internet-accessible vaults to store passwords. Maybe local storage and self-managed backups are a better way?

    I like the approach Enpass takes. Everything is local, but you can optionally store/sync your vault in your GDrive/Dropbox/some other popular cloud storage services.

    You can also just sync via your wifi though.

    Maybe 100% offline is safer, but this is quite a good compromise, imho. Ofc, DYOR.

    I have a lifetime license for EnPass and I used it for a while, syncing the vault with Nextcloud. It has more features than Bitwarden and seems almost a clone of 1Password, so it's pretty rich in features. The fact that it doesn't store the vault on a centralized server is awesome, but like for self hosted Bitwarden I am worried if the server I use for syncing goes down...

    @stoned said:

    Ok thanks folks. My apologies for old news. Though, if I'm discovering it now, maybe more like me are also finding out through this thread so I guess it's not completely useless. Cheers.

    Thanks for the suggestions. I'll check those out. I am only doing self hosted credential management now, and no more third party providers.

    I switched to KeePassXC and use that app on Android as well as PC and sync my password file through GDrive and use my biometric to unlock the password file.

    So far it's alright, but I want a self hosted solution I can put on my private secure VPS and use from anywhere, on any device, from anywhere. I think that's the goal anyway.

    Then try Vaultwarden, a lightweight self hosted version of Bitwarden.

    If the server for syncing goes down, you just restore the local backup file. Enpass also creates (weekly?) local backups automatically (or maybe I had to tick an option in settings for that).

  • Vaultwarden is the best solution in self-hosted.
    Maybe LET would be interested in a tutorial for a migration?

    Thanked by 1stoned
  • emg Veteran
    edited March 2023

    There is a recent update from LastPass. My summary:

    The breach started with a targeted attack against the home computer of one of the only four LastPass employees who had access to the corporate vault. Based on what I read, the attack showed a very high level of sophistication.

    More information here. In my opinion, they are worth your time to read:

    https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/

    https://www.securityweek.com/lastpass-says-devops-engineer-home-computer-hacked/

    https://www.bleepingcomputer.com/news/security/lastpass-devops-engineer-hacked-to-steal-password-vault-data-in-2022-breach/

  • I'm so glad I stopped using them and changed every single password since I stopped using them.

    Thanked by 1emg
  • Exported my data, deleted all data from LastPass and account is also deleted. Would prefer Bitwarden or KeePass.

  • Konbu Member

    Update is here: March 1, 2023 | By Karim Toubba
    https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/

    Lastpass is really bad. (X_X)
    better off using Keepass or Bitwarden.

  • Sadly using 1Password,
    master password is hard, but not impossible

    sadly using it for convenience/sharing passwords and managing family.
    if they get hacked in theory someone needs my master password and account key... so meh, I feel safe

  • WebProject Host Rep, Veteran

    Try Enpass or Bitwarden

  • WebProject Host Rep, Veteran

    @Konbu said:
    Update is here: March 1, 2023 | By Karim Toubba
    https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/

    Lastpass is really bad. (X_X)
    better off using Keepass or Bitwarden.

    Sounds like Lostpass instead of Lastpass

  • I'm using Bitwarden
    not self-hosting
    prolly will
    or no
    idk

    ipv6 roll outs still suck in India so I can't really SELF host it but I can on a VM but I won't because why would I

  • Nothing close comes to LastPass in terms of usability. I tried EnPass, Dashlane, BitWarden and 1Password.

    I finally liked 1Password. Started changing all the passwords known in LastPass with randomly generated passwords by an iCloud chain. Also, I have enabled 2FA as 1Password to make it easy to log in.

    Since we are Mac and iOS users, I believe the default iCloud chain will be more useful, and then we can use 1Password as a backup for non-Apple products.

  • I use KeepassXC. That's not an option for Mac/iOS users?

  • @stoned said:
    I use KeepassXC. That's not an option for Mac/iOS users?

    Works fine on Mac. On iOS there are Strongbox and Keepassium which you need to pay for to get all the features.

    Thanked by 1stoned
  • So how much risk am I in here?

    I used to use lastpass a year ago.
    But after one such breach, I stopped using it and moved to bitwarden.
    Stupid of me, I didn't delete my vault from lastpass.

    I have 100s of passwords saved in there.

    Can anyone please suggest briefly how much security risk I'm in?

    Should I go ahead and change all passwords? That'll be a nightmare.
