
LastPass Faces Class-Action Lawsuit Over Password Vault Breach

Proud Cipher

Summary

A LastPass user is filing a class-action lawsuit against the company, citing the recent vault breaches and other security concerns.

Quotes

Quote

The lawsuit, filed this week in the US district court in Massachusetts, comes from an anonymous LastPass user named John Doe, who originally signed up for the service in May 2016. He's now demanding the company pay in damages after LastPass announced last month it had lost a copy of every user's password vaults to a hacker.

"Plaintiff and the Class are anxious and alert as they are at a substantial risk of being bombarded with phishing emails and other scams, in addition to the fraud they have already suffered," reads the lawsuit, which is suing LastPass for negligence, breach of contract, and deceptive acts.

My thoughts

This is upsetting to me personally because I am a regular LastPass user, and I've likely been affected by the breach. I've already changed my passwords, and although I use 2FA on everything, it still has me feeling anxious. I had loved the service up until this point. In a cruel twist, I had purchased another year of the service a week before this breach was announced. I'm going to keep using LastPass until this year is up, or until I find a replacement that matches my preferences.

Sources

https://www.pcmag.com/news/lastpass-faces-class-action-lawsuit-over-password-vault-breach

Don't forget to mark posts as the solution if you're satisfied!


Oh, a password site being hacked, didn't see that coming...

I have dyslexia, please be kind to me. Don't like my post? Don't read it or respond, thanks.

Also, I edit posts a lot because, you know why...

Thrasher_565 hub links build logs

Corsair Lian Li Bykski Barrow thermaltake nzxt aquacomputer 5v argb pin out guide + argb info

5v device to 12v mb header

Odds and Sods Argb Rgb Links


Quote

user suspects the breach at LastPass may have led a hacker to steal $53,000 in bitcoin from him over Thanksgiving weekend

(GIF: Oh No Anyway)

Intel® Core™ i7-12700 | GIGABYTE B660 AORUS MASTER DDR4 | Gigabyte Radeon™ RX 6650 XT Gaming OC | 32GB Corsair Vengeance® RGB Pro SL DDR4 | Samsung 990 Pro 1TB | WD Green 1.5TB | Windows 11 Pro | NZXT H510 Flow White
Sony MDR-V250 | GNT-500 | Logitech G610 Orion Brown | Logitech G402 | Samsung C27JG5 | ASUS ProArt PA238QR
iPhone 12 Mini (iOS 17.2.1) | iPhone XR (iOS 17.2.1) | iPad Mini (iOS 9.3.5) | KZ AZ09 Pro x KZ ZSN Pro X | Sennheiser HD450bt
Intel® Core™ i7-1265U | Kioxia KBG50ZNV512G | 16GB DDR4 | Windows 11 Enterprise | HP EliteBook 650 G9
Intel® Core™ i5-8520U | WD Blue M.2 250GB | 1TB Seagate FireCuda | 16GB DDR4 | Windows 11 Home | ASUS Vivobook 15 
Intel® Core™ i7-3520M | GT 630M | 16 GB Corsair Vengeance® DDR3 |
Samsung 850 EVO 250GB | macOS Catalina | Lenovo IdeaPad P580


16 minutes ago, Proud Cipher said:

I'm going to keep using LastPass until this year is up, or until I find a replacement that matches my preferences.

I'd check if you can't use the hack as a reason to get out of that year early and then switch somewhere else asap.

Remember to either quote or @mention others, so they are notified of your reply


1 minute ago, Eigenvektor said:

I'd check if you can't use the hack as a reason to get out of that year early and then switch somewhere else asap.

That would be a huge pain in the ass, but it's certainly an option. I've got a lot of other stuff on my plate currently but I'm going to be keeping an eye out for a similar service that also allows Yubikeys as a 2FA method.


Just now, Proud Cipher said:

That would be a huge pain in the ass, but it's certainly an option. I've got a lot of other stuff on my plate currently but I'm going to be keeping an eye out for a similar service that also allows Yubikeys as a 2FA method.

Bitwarden supports it, if you have a premium account. They should also have an option to import from LastPass: https://bitwarden.com/help/import-from-lastpass/


I was looking at Bitwarden, it's definitely the #1 option for me right now. Maybe I will take a crack at that refund from LastPass...

EDIT: Oh wow, it's also way cheaper. Looks like Bitwarden is the winner by default lmao


In fact I've gone ahead and got a year of premium for Bitwarden. Transferring everything over from LastPass was extremely simple and the software and interfaces are pretty good, not quite as polished as LastPass though. The way it handles TOTP is a little jank.


1 hour ago, Proud Cipher said:

The way it handles TOTP is a little jank.

You shouldn't store that there....


Just now, jagdtigger said:

You shouldnt store that there....

I never said I was going to use Bitwarden's built in authenticator, only that the way it's handled is weird.


9 hours ago, Proud Cipher said:

I never said I was going to use Bitwarden's built in authenticator, only that the way it's handled is weird.

Weird how? You enter a secret key and it spits out a new 2FA code every 30 seconds, just like the authenticator app on a phone does it. Only difference would be that you need to manually enter the code, instead of scanning a QR code.


Was always a bit skeptical as far as password managers are concerned that aren't from Google.

Personally I wouldn't trust anything that isn't part of Cloudflare or Google; at least those two always have to keep their services at the state of the art as far as security is concerned. Of course those aren't a sure bet either, it is always a matter of when a breach happens, not if it happens, but I like to have the belief that those two have the lowest chance of having something of the sort occurring to them.


Just be sure to register more than one Yubikey with one being a backup of the other in case it's lost or stolen.

Ideally you have a 3rd registered and kept offsite. Though definitely get a 2nd if you haven't already.


On 1/15/2023 at 12:57 PM, Eigenvektor said:

Weird how? You enter a secret key and it spits out a new 2FA code every 30 seconds, just like the authenticator app on a phone does it. Only difference would be that you need to manually enter the code, instead of scanning a QR code.

You can scan a QR on the app


I think the point is not to trust anyone with your data. VPNs, password storage, crypto wallets, data centers, photo upload sites, any and all will be hacked. Someone is buying your data and they would sell it to anyone... that's the point of all apps collecting data. There are long-term sites and projects that lose money for years and have a plan to make it back, just like YouTube. It was once free, if you can remember.

Edited by thrasher_565


And people laugh at me for using a pen and paper.  The term "putting all your eggs in one basket"  sounds fairly apt here.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


24 minutes ago, mr moose said:

And people laugh at me for using a pen and paper.  The term "putting all your eggs in one basket"  sounds fairly apt here.

What I find amusing, funny, weird (and ultimately irritating) is how they go from one key logger pass service to another saying it's the best thing ever, not realizing that they're all the same, inherently insecure, unreliable, jank.

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

24 minutes ago, mr moose said:

And people laugh at me for using a pen and paper. The term "putting all your eggs in one basket" sounds fairly apt here.

Dismissing the benefits of one thing because it might at some point have a drawback is not a very smart thing to do.

4 minutes ago, Mark Kaine said:

What I find amusing, funny, weird (and ultimately irritating) is how they go from one key logger pass service to another saying it's the best thing ever, not realizing that they're all the same, inherently insecure, unreliable, jank.

Wanna know what is actually irritating? People who lack basic understanding of computer security making dumb comments which are incorrect in 99/100 cases, and then act smug when that 100th time happens to be somewhat correct.

Not all password managers are the same. I think it is ridiculous to say that they are. It's like saying all cars are the same, or all games are the same. Of course they are not the same.

Password managers are not "inherently secure". Security is not binary, and certain things have both strengths and drawbacks. What's important is weighing the benefits vs the drawbacks, and implementing things that minimize the risks that come with the drawbacks.

Not sure how all password managers are unreliable, and I especially don't see why all password managers would be more unreliable than, for example, pen and paper or just remembering passwords in your head.


2 hours ago, Mark Kaine said:

What I find amusing, funny, weird (and ultimately irritating) is how they go from one key logger pass service to another saying it's the best thing ever, not realizing that they're all the same, inherently insecure, unreliable, jank.

Not all these services are the same, however. While Bitwarden can store passwords in the cloud, which is how I currently use it, you can also store your password database locally. There are similar password managers that do this as well. The reason the LastPass thing is so bad is because it's a cloud-based solution; also, some people were downright dumb and stored their 2FA backup keys as well as other information in LastPass. When I used LastPass I never stored any other info besides my passwords, name, address and phone number. My name, address and phone number have been leaked countless times by other hacks.

To me the biggest takeaway from this is that cloud-based password managers are probably a bad idea. Now, hosting a password database locally is likely fine, because it's not like the average hacker is going to hack into a person's home network to get passwords when they can hack into a corporate network and get accounts from many people at once.

I for one am thinking about bringing my database local, maybe investing in Yubikeys.

I just want to sit back and watch the world burn. 


On 1/15/2023 at 1:20 AM, Proud Cipher said:

In fact I've gone ahead and got a year of premium for Bitwarden. Transferring everything over from LastPass was extremely simple and the software and interfaces are pretty good, not quite as polished as LastPass though. The way it handles TOTP is a little jank.

When LastPass pulled their weird-ass "one device" policy for free accounts, I jumped ship over to Bitwarden and I haven't looked back. It works like a gem, and I can't recommend it enough. I'm glad you joined the club! (I use the free version)

--Dominik W

(What else do you need, this is just a signature, plus I have them disabled 😅)


4 hours ago, mr moose said:

And people laugh at me for using a pen and paper.  The term "putting all your eggs in one basket"  sounds fairly apt here.

At this point, I store most of my passwords on my iPhone in the Passwords section, as well as Cryptical, and my phone is set to automatically completely erase itself after around 10 attempts of trying to get into it. I have never used a password manager in my life lol.

"It pays to keep an open mind, but not so open your brain falls out." - Carl Sagan.

"I can explain it to you, but I can't understand it for you" - Edward I. Koch


My LastPass subscription was ending in 2 months so I made the switch to Bitwarden. 

I would like to use an external key but I'm super forgetful with where I place my things. So I'm afraid I will lose it.

Wish there was a FIDO2 compliant bio implant on the market.

AMD Ryzen 5 3600 | AsRock B450M-Pro4 | Zotac GTX 3070 Ti

Shure SRH840A | Sennheiser Momentum 2 AEBT | LG C9 55"
