
LastPass announces security breach on their network.


22 replies to this topic

#1 Grinler (Lawrence Abrams) - Admin

Posted 15 June 2015 - 04:09 PM


Today LastPass, the online password storage site, announced that they detected a security breach on their network last Friday. They further state that there was no evidence that encrypted user vaults, which contain the passwords, were taken or that user accounts were accessed. Unfortunately, account email addresses, password reminders, and authentication hashes were accessible to the hackers. Though LastPass states the authentication hashes are secure with thousands of rounds of SHA256 encryption, they are asking people to verify their accounts again and update their master password.

It may be true that users' passwords are secure, but the information that was accessible still poses a major security risk. Criminals can use this information to create targeted phishing campaigns that trick people into entering their master passwords or other sensitive information in order to gain further access to a victim's LastPass account.

Unfortunately, LastPass decided not to immediately send emails to all affected users and only posted the announcement today, 3 days after the security breach. There are already numerous comments from LastPass users on the announcement page on how they feel LastPass did a bad job of handling the situation and notifying their users.



#2 Sintharius (Bleepin' Sniper) - Members

Posted 15 June 2015 - 04:10 PM

Now I need to go and change the password of my LastPass Vault :angry:

#3 Aura (Bleepin' Special Ops) - Malware Response Team

Posted 15 June 2015 - 04:11 PM

Sigh. Time to change all my passwords just to be sure.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 TechnicianOnline - Members

Posted 15 June 2015 - 04:15 PM

I just started using LP! At least I still use KeePass; going to update all my passwords now.


A Network isn't something you 'own' or 'have'; you may only wield it like the sword of Excalibur.


#5 Aura (Bleepin' Special Ops) - Malware Response Team

Posted 15 June 2015 - 04:17 PM

At least for people who use 2FA on LastPass and all their other accounts it's not that bad, but still.



#6 TechnicianOnline - Members

Posted 15 June 2015 - 04:33 PM

> At least for people who use 2FA on LastPass and all their other accounts it's not that bad, but still.

Provided TOTP wasn't leaked as well, I'm done using LP. Best security is to keep your data offline.




#7 Aura (Bleepin' Special Ops) - Malware Response Team

Posted 15 June 2015 - 04:36 PM

I agree, however it's hard to access your data offline from multiple places, hence why I put it online. Or I could just share a KeePass DB file on Dropbox and use it from there.



#8 Genex17 - Members

Posted 15 June 2015 - 05:24 PM

2FA here. No worries until you announce they've learned to spoof or crack that scheme.



#9 Aura (Bleepin' Special Ops) - Malware Response Team

Posted 15 June 2015 - 07:20 PM

Email they send you:

Dear LastPass User,

We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised.

We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.

We apologize for the inconvenience, but ultimately we believe this will better protect LastPass users. Thank you for your understanding, and for using LastPass.

Regards,
The LastPass Team




#10 Condobloke (Outback Aussie @ 54.2101 N, 0.2906 W) - Members

Posted 15 June 2015 - 08:03 PM

I have just done the "Reset Master Password" procedure.

Typed the newie in...repeated it....submitted.

Went for a cuppa....returned to the PC after approx 30 minutes...

Typed in the 'new' master password......only to be 'informed' via pop up...invalid password...try again...!

OK....retyped very carefully...same result...

OK...maybe I made a mistake...highly unlikely given the degree of care I used...but....you never know....stranger things have happened...

Went through the process to "recover" my new password...again...doesn't want to know me!

Left it for 20 minutes...so its servers could catch up....(and I could recover my composure!)

Same result.

So....did the procedure to "Revert" to my prior password......was told there had been NO change to my password in recent memory....and reset my account to its state as of 25 days ago. Any new sites, changes etc. made in that time would be lost.

Get your act together LastPass.....I have a great deal resting in your "secure" hands.


Condobloke
Outback Australian
fed up with Windows antics...??
LINUX IS THE ANSWER
I USE LINUX MINT EXCLUSIVELY... NO DUAL BOOT, NO VIRTUAL MACHINE
Failure is not an option. It comes bundled with your Microsoft product.


#11 Nikhil_CV (Vestibulum Bleep) - Members

Posted 16 June 2015 - 06:27 AM

Took 3 hours to fix the master password and tighten the security levels, change some site passwords, sync and back up the altered database... the new master password tried to screw me too....

Improved the rounds to do hashing to 10k and added multiple TFA sources... :cowboy:

BTW, if this didn't happen, something worse would have happened later...

:idea: But, I figured that they have a translation forum which needs assistance :apple:


Regards : CV
There is no ONE TOUCH key to security! Be alert and vigilant....! Always have a Backup Plan!!! Because human idiotism doesn't have a cure! Stop highlighting!
Questions are to be asked, it helps you, me and others. Knowledge is power, only when its shared to others. :radioactive: signature contents © cv and Someone....... :wink:

#12 Aura (Bleepin' Special Ops) - Malware Response Team

Posted 16 June 2015 - 06:51 AM

> Improved the rounds to do hashing to 10k and added multiple TFA sources

Where is that setting if I may ask? Also, how come it was so hard to change the master password, took me 2 minutes and I even have 2FA enabled :P



#13 Sintharius (Bleepin' Sniper) - Members

Posted 16 June 2015 - 06:53 AM

I can't enable LastPass's 2FA, all the apps used for 2FA refused to cooperate with my iPhone. *sigh*

#14 Nikhil_CV (Vestibulum Bleep) - Members

Posted 16 June 2015 - 08:36 AM

> Where is that setting if I may ask? Also, how come it was so hard to change the master password, took me 2 minutes and I even have 2FA enabled :P

Lastpass vault > Settings > Advanced settings > Password Iterations > set the value you need... :)

 

The problem was, I changed the email id and grid (2FA) but forgot to update my local folder where such data are stored...

The 3 hours was not because of that, but because I had to change a lot of account passwords which were either reported vulnerable or had been changed more than 2 years ago... Just as a precaution...

> I can't enable LastPass's 2FA, all the apps used for 2FA refused to cooperate with my iPhone. *sigh*

Try the grid... It doesn't need any special app except the ability to open .csv files (Excel etc.)



#15 Aura (Bleepin' Special Ops) - Malware Response Team

Posted 16 June 2015 - 09:48 AM

Thank you :P Modified the hash rounds as well to 10,000, and only allowed connections from my country. I should be good now :) Also added the option to e-mail me whenever a suspicious connection, form filling, etc. is used/modified.

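The "thousands of rounds of SHA256" in the first post and the "Password Iterations" setting that several posters raised to 10,000 both refer to PBKDF2 stretching of the master password. The Python below is an added example written for this page; it is not LastPass's code and was not posted in the thread. It models the split between a client-side vault key and a separate authentication hash along the lines LastPass has described publicly, but the server-side re-hash, the iteration counts, the record layout and the sample account (user@example.com, a constructed value) are assumptions made for the example. It shows why a stolen authentication record still costs a guesser one full PBKDF2 run per candidate password, and why the iteration count can only be raised by the logged-in user: the server never holds the master password, so it cannot re-derive anything on its own.

```python
import hashlib
import hmac
import os
import time

# Constructed sample account for this example; not data from the thread.
EXAMPLE_EMAIL = "user@example.com"
EXAMPLE_MASTER = "correct horse battery staple"


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Client side: stretch the master password with PBKDF2-HMAC-SHA256.

    The (normalised) account email is the salt, so two users with the same
    master password get different keys. `iterations` is the user-adjustable
    "Password Iterations" value; every extra round costs a guesser exactly as
    much as it costs the legitimate user at login.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One further PBKDF2 round over the vault key, so the value that travels
    to the server (and sits in its database) is not the key that decrypts the vault."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, dklen=32)


def make_server_record(email: str, master_password: str, iterations: int) -> dict:
    """What the service keeps in order to authenticate a later login.

    Assumption for this example: the server re-hashes the client's auth hash
    with its own random salt and a fixed iteration count, so a database copy
    is not directly the value the client sends over the wire.
    """
    client_hash = derive_auth_hash(derive_vault_key(master_password, email, iterations), master_password)
    server_salt = os.urandom(16)
    server_iterations = 100_000
    stored = hashlib.pbkdf2_hmac("sha256", client_hash, server_salt, server_iterations, dklen=32)
    return {
        "email": email.strip().lower(),
        "client_iterations": iterations,  # published to the client so it can recompute
        "server_salt": server_salt,
        "server_iterations": server_iterations,
        "stored_hash": stored,
    }


def verify_login(record: dict, email: str, master_password: str) -> bool:
    """Recompute the client-side hash with the iteration count stored for this
    account, apply the server-side re-hash, and compare in constant time."""
    client_hash = derive_auth_hash(
        derive_vault_key(master_password, email, record["client_iterations"]), master_password
    )
    candidate = hashlib.pbkdf2_hmac(
        "sha256", client_hash, record["server_salt"], record["server_iterations"], dklen=32
    )
    return hmac.compare_digest(candidate, record["stored_hash"])


def raise_iterations(record: dict, master_password: str, new_iterations: int) -> dict:
    """Changing Password Iterations means re-deriving everything from the
    master password. Only the client can do this, which is why the setting
    lives in the vault UI and needs the user logged in."""
    if new_iterations <= record["client_iterations"]:
        raise ValueError("only raising the iteration count makes sense")
    return make_server_record(record["email"], master_password, new_iterations)


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Rough cost of testing one candidate master password at a given count.
    Someone holding a leaked record pays this per guess; the user pays it once per login."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", EXAMPLE_EMAIL, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    rec = make_server_record(EXAMPLE_EMAIL, EXAMPLE_MASTER, 5000)
    print("login ok:", verify_login(rec, EXAMPLE_EMAIL, EXAMPLE_MASTER))
    print("wrong password:", verify_login(rec, EXAMPLE_EMAIL, "hunter2"))
    stronger = raise_iterations(rec, EXAMPLE_MASTER, 10_000)
    print("after raising to 10k:", verify_login(stronger, EXAMPLE_EMAIL, EXAMPLE_MASTER))
    for n in (500, 5000, 10_000):
        print(f"{n:>6} rounds: {seconds_per_guess(n) * 1000:.1f} ms per guess")
```

Running it prints the verification results and a rough milliseconds-per-guess figure at each iteration count. The absolute numbers depend on the machine; the point is the ratio between 500 and 10,000 rounds, which is the same factor by which a stolen hash becomes slower to attack and a single login becomes slower to perform.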




