
LastPass report a breach

The network at LastPass was apparently breached recently...

"In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed"

This is an extract from an email received today; here is the link to the -LastPass blog-

Having used this free password management system for nearly a year, and having just upgraded to a subscription account, the thought of an unwanted attack upon my privacy is not one that will lead to any loss of sleep, even though the warning blog carries a message of "LastPass account email address" being compromised.

Goodnight ZZZZZZZZZZZZZZZZZZZZZZZZ. ;)

Those who deny freedom to others deserve it not for themselves (Abraham Lincoln,1808-1865; 16th US president).


This is why you use KeePass instead of LastPass. LastPass is insecure by design.

 

This is why you read articles before commenting on them.

 

"In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed."

CPU: i7 4790K  RAM: 32 GB 2400 MHz  Motherboard: Asus Z-97 Pro  GPU: GTX 770  SSD: 256 GB Samsung 850 Pro  OS: Windows 8.1 64-bit


This is why you use KeePass instead of LastPass. LastPass is insecure by design.

LastPass is one of the most secure services for passwords.


This is why you use KeePass instead of LastPass. LastPass is insecure by design.

Totally agree. Why would you store your passwords somewhere else even if it's "encrypted"? I don't trust services like LastPass or Dropbox with my info. Why would I want someone else encrypting my data and holding the key? Glad to see someone with similar views.

Totally agree. Why would you store your passwords somewhere else even if it's "encrypted"? I don't trust services like LastPass or Dropbox with my info. Why would I want someone else encrypting my data and holding the key? Glad to see someone with similar views.

Every piece of information within the application is encrypted locally, on your machine! Then it gets sent over the "unsecured" internet to your cloud-based vault. The only way to unencrypt the data is by using your master password, which is the "key" to the vault. This password could have as many characters as you desire, which makes cracking it without any "known" return somewhat highly unlikely...

Those who deny freedom to others deserve it not for themselves (Abraham Lincoln,1808-1865; 16th US president).
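
Added example, not part of the post above and not LastPass's code: a sketch of the client-side model that post describes, where the vault is sealed on the user's machine with a key stretched from the master password and the server only ever holds the resulting record. The use of PBKDF2-HMAC-SHA256, the iteration count, the HMAC-based keystream (a stand-in for a real cipher such as AES) and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; the thread gives no figure


def derive_keys(master_password: str, salt: bytes, iterations: int):
    """Stretch the master password, then split it into encryption and MAC keys."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Constructed HMAC-SHA256 counter-mode stream, standing in for AES so the
    # sketch needs only the standard library. XOR makes it its own inverse.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master_password: str, plaintext: bytes, iterations: int = ITERATIONS) -> dict:
    """Runs on the client; the returned record is all the server ever stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    ct = _xor_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations, "ct": ct, "tag": tag}


def open_vault(master_password: str, record: dict) -> bytes:
    """Runs on the client; fails closed on a wrong password or a modified record."""
    enc_key, mac_key = derive_keys(master_password, record["salt"], record["iterations"])
    expected = hmac.new(mac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong master password or tampered vault")
    return _xor_keystream(enc_key, record["nonce"], record["ct"])


if __name__ == "__main__":
    secret = b"example.com: constructed-sample-password"  # constructed sample entry
    record = seal_vault("correct horse battery staple", secret)
    print(open_vault("correct horse battery staple", record))
```

Anyone who copies the stored record still has to guess the master password, paying the full key-stretching cost for every guess, so a short or reused master password remains the weak point in this model.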


This is why you read articles before commenting on them.

 

"In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed."

 

You apparently didn't understand my point. The fact that they can be hacked means their service is inherently less secure than the alternatives on the market. It doesn't matter whether the hackers got through this time, but that there's anything to get to in the first place. And bear in mind this is just LastPass doing public damage control - it's certainly possible they are lying, and it's also possible they are simply mistaken.


You apparently didn't understand my point. The fact that they can be hacked means their service is inherently less secure than the alternatives on the market. It doesn't matter whether the hackers got through this time, but that there's anything to get to in the first place. And bear in mind this is just LastPass doing public damage control - it's certainly possible they are lying, and it's also possible they are simply mistaken.

..It doesn't mean that at all.

System Specs

CPU: Ryzen 5 5600x | Mobo: Gigabyte B550i Aorus Pro AX | RAM: Hyper X Fury 3600 64gb | GPU: Nvidia FE 4090 | Storage: WD Blk SN750 NVMe - 1tb, Samsung 860 Evo - 1tb, WD Blk - 6tb/5tb, WD Red - 10tb | PSU:Corsair ax860 | Cooling: AMD Wraith Stealth  Displays: 55" Samsung 4k Q80R, 24" BenQ XL2420TE/XL2411Z & Asus VG248QE | Kb: K70 RGB Blue | Mouse: Logitech G903 | Case: Fractal Torrent RGB | Extra: HTC Vive, Fanatec CSR/Shifters/CSR Elite Pedals w/ Rennsport stand, Thustmaster Warthog HOTAS, Track IR5,, ARCTIC Z3 Pro Triple Monitor Arm | OS: Win 10 Pro 64 bit


..It doesn't mean that at all.

 

Yes it does.

 

In addition, their poor security practices have been criticized in the past, so we can't trust them to have top notch security in place. And we only have trust to go on, since LastPass is closed source, which is another inherent security flaw.


Yes it does.

 

In addition, their poor security practices have been criticized in the past, so we can't trust them to have top notch security in place. And we only have trust to go on, since LastPass is closed source, which is another inherent security flaw.

If you have software "A" where 12 monkeys are trying to crack its security, and software "B" where 12 world class hackers are trying to crack it, the security on these programs is the EXACT same, and software B is cracked 1st, it doesn't mean software B is inherently insecure. Same thing if you have software X with 100 hackers working on it and software Y with 1.

If you feel that way I can only assume you don't know what inherently means.


If you have software "A" where 12 monkeys are trying to crack its security, and software "B" where 12 world class hackers are trying to crack it, the security on these programs is the EXACT same, and software B is cracked 1st, it doesn't mean software B is inherently insecure. Same thing if you have software X with 100 hackers working on it and software Y with 1.

If you feel that way I can only assume you don't know what inherently means.

 

No. The point is that software A doesn't even make it possible to crack the security this way, while software B does. That means software B has a security flaw in enabling such attacks in the first place.


No. The point is that software A doesn't even make it possible to crack the security this way, while software B does. That means software B has a security flaw in enabling such attacks in the first place.

...What?! I seriously can't even figure out what you're trying to say/imply; my mind is straight up boggled right now.

If software A and B are using the exact same security measures, who's trying to crack them is 100% irrelevant; software A is JUST as possible to crack as B. B just happens to have someone skilled attack them over A for whatever reason.

The fact an element of LastPass was compromised has ZERO to do with it being "insecure by design." The single thing that makes LastPass a target over any other password manager is the user base numbers, which has absolutely nothing to do with how it was designed.


I guess this is my prompt to switch everything over to KeePass. I found the LastPass integration with Firefox too convenient to bother before, but I've heard good things about KeeFox so I'll give that a go.

 

As to the argument about whether cloud-based password managers are inherently insecure due to their design, I'm on the fence about that. They certainly make themselves a big target for hackers, but I'm pretty confident they use adequate encryption to secure user data. However, this is based predominately on "trust", and any sort of breach, no matter how little, diminishes that trust.


...What?! I seriously can't even figure out what you're trying to say/imply; my mind is straight up boggled right now.

If software A and B are using the exact same security measures, who's trying to crack them is 100% irrelevant; software A is JUST as possible to crack as B. B just happens to have someone skilled attack them over A for whatever reason.

The fact an element of LastPass was compromised has ZERO to do with it being "insecure by design." The single thing that makes LastPass a target over any other password manager is the user base numbers, which has absolutely nothing to do with how it was designed.

 

If the site can be hacked, and the hackers can access the data (albeit encrypted), then having that secure layer becomes useless.

 

This means that LastPass is not much different than having a MySQL database with an open public port and the password posted on the front page of their website.  If LastPass actually did this, how many people would sign-up for the service?  Sure, the data in the database may be encrypted, but what user would be attracted to the aforementioned description?


I am glad, it wasn't anything severe

Current system - ThinkPad Yoga 460

ExSystems

Laptop - ASUS FX503VD

|| Case: NZXT H440 ❤️|| MB: Gigabyte GA-Z170XP-SLI || CPU: Skylake Chip || Graphics card : GTX 970 Strix || RAM: Crucial Ballistix 16GB || Storage:1TB WD+500GB WD + 120Gb HyperX savage|| Monitor: Dell U2412M+LG 24MP55HQ+Philips TV ||  PSU CX600M || 

 


You apparently didn't understand my point. The fact that they can be hacked means their service is inherently less secure than the alternatives on the market. It doesn't matter whether the hackers got through this time, but that there's anything to get to in the first place. And bear in mind this is just LastPass doing public damage control - it's certainly possible they are lying, and it's also possible they are simply mistaken.

LastPass being hacked and them telling the public about it, actually is one of the reasons to use them.

The password encrypting manager not being a public target for hackers could be more of a concern. As it might indicate they are an unworthy platform to try and crack.

Not that they should be bragging too hard, but selling their own virtues is a credit to the protection layer. Especially considering that Microsoft email (mail.live.com) only very recently added 2 step verification to "enhance" their privacy methodology.

Those who deny freedom to others deserve it not for themselves (Abraham Lincoln,1808-1865; 16th US president).


How's Dashlane?

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


LastPass being hacked and them telling the public about it, actually is one of the reasons to use them.

The password encrypting manager not being a public target for hackers could be more of a concern. As it might indicate they are an unworthy platform to try and crack.

Not that they should be bragging too hard, but selling their own virtues is a credit to the protection layer. Especially considering that Microsoft email (mail.live.com) only very recently added 2 step verification to "enhance" their privacy methodology.

 

No, the fact that they tell people they were hacked does not make the fact that it is possible to hack them less of an issue, let alone a good thing.


No, the fact that they tell people they were hacked does not make the fact that it is possible to hack them less of an issue, let alone a good thing.

 

A good thing no, I will concur.

 

However a pivotal security breach admitted to is reassuring in that it shows that they are just as vulnerable as everyone else in internet land.

 

You may remember Microsoft did not admit their operating system needed an "included" firewall until quite recently!

Those who deny freedom to others deserve it not for themselves (Abraham Lincoln,1808-1865; 16th US president).


If anyone is having security issues they should read the LastPass Security Notice -click here- over on their website to find out more.

 

So you have a need to see if details about your privacy have been "leaked" recently: https://haveibeenpwned.com/

 

Found a great looking graphic regarding data breaches and hacks -click here-. In which it has some of the numbers of involved "clients" and a time line to add to the reference.

Whoops...the image would not be posted! It could be because it's a rather big *.gif (disallowed here)...so this one in its place, but worth checking out so follow the link.

 

 


Sources:- Jeffrey Edwards: LinkedIn

News article     w w w ://solutions-review.com/identity-management/the-worlds-largest-data-breaches-visualized/

Those who deny freedom to others deserve it not for themselves (Abraham Lincoln,1808-1865; 16th US president).


  • 3 months later...

I just pay for the phone apps using google wallet and donate to places like Wikipedia through PayPal. Too small of a fish even if they got into either those accounts. With both of them any changes or activity is directly emailed to me, something some people do not even bother setting-up...it is basically these days a "self preservation" tactic having that one (or more) email account that you monitor just for your own security breach.

Another breach (as well as Linus Tech): Ars Technica report on Patreon breach -click here- from earlier this year. The hackers are just following the money.

Those who deny freedom to others deserve it not for themselves (Abraham Lincoln,1808-1865; 16th US president).

This topic is now closed to further replies.
