Notice of Recent Security Incident.......LastPass

I've always thought it was a dumb idea for anyone to store passwords on an online password account or use a password manager.

I'll stick to my old-fashioned way of keeping passwords, which hasn't failed me yet.

Write them in a ledger and make a few copies and store them in different safe places which you can access easily if and when needed.
This works. Everybody has their own "threat model". Please don't leave the ledger open in front of your camera during a video chat!

Reporters take photos of the documents in peoples' hands as they walk into the government buildings, courtrooms, etc. So do intelligence operatives. A well-known example is when Mike Lindell was photographed by reporters as he entered the White House with documents in hand.
 


I don't video chat or even have a camera or microphone connected to any of my computers.

If I was to video chat I wouldn't be stupid enough to leave a confidential ledger in plain sight in the background in front of a camera to be viewed.

Unlike a lot of users I have common sense and exercise common sense on a regular basis :rolleyes: leastwise try to. :p

I know what you are saying and have seen users stupid enough to leave confidential documents in plain view to be viewed by others however I ain't one of them. ;)
 
I am blessed to not have a wife with a voice like that.
 
I hope people are missing the point. I never commented about the speaker's voice per se. In my opinion, it is not right to comment about her voice. My comments were about the speaker's design and style choices. That includes her presentation style as well. In my personal opinion, they distract from the message. I concede that her presentation style may be more effective for her target audience. Almost by definition, that target audience is younger than me.
 
If she comes out in the public arena and speaks....then her voice is heard by the general public.....that includes me.

She obviously has good knowledge and is quite masterful at putting together the various videos which she is responsible for.

In my opinion, if she lends her voice to the public domain then she leaves herself wide open to comments about any aspect of her presentation....and that includes her voice.

Yes, the target audience is decidedly younger than me, as well.
 
It'd be my personal preference to scrutinize ideas, rather than people.

If nothing else, in formal debate you will be awarded no points for criticizing the speaker.

Then again, I did not watch the video...
 
When I have 22:22 to spare I will watch it.

I am with @Bartman to a large extent, but I rely mostly on memory. When I was a teenager I could recite the mathematical coefficient pi to 206 decimal places, so that might be of assistance.

If I feel a need to record a password, I do so using a code of my personal experiences that only I can crack.

A password has only let me down once in over 24 years and following that happening, I have used 2 factor authentication.

Cheers

Wiz
 
Just as a matter of interest.....is it possible to use animal icons....or any other type of icon for that matter....as password "letters"..........
If it was possible to drop a meow into the mix....would that not extend the security etc etc etc......?
 
yup....agree !! lol

I was thinking more so of it being an added advantage to those using password managers.....just something to 'mix it up' a bit and maybe encourage the use of strong passwords....
 


This below, received via email


Dear LastPass Customer, 

We are writing today to update you on our recent security incident disclosed on December 22. We have now completed an exhaustive investigation and have not seen any threat actor activity since October 26.

Earlier today, we posted an update to our blog with new findings and important information, including what happened and the actions we have taken, what data was accessed, what we have done to secure LastPass, actions we are recommending customers take to protect themselves or their businesses, and what you can expect from us going forward.

Given the volume of information we are sharing in the blog post, and to better assist our customers with their own incident-response efforts, we have prepared a Security Bulletin specifically for our Free, Premium, and Families consumer users to help guide you through a review of important LastPass settings designed to help secure your account by confirming best practices are being followed.

Please review the Security Bulletin and make any necessary changes to your account.

In sharing these additional details today and in our approach going forward, we are determined to do right by our customers and communicate more effectively. We thank you for your patience and continued support of LastPass.

The Team at LastPass
 


Isn't this their 2nd breach in as many years? Maybe 3rd
 
I receive a regular security bulletin from SANS. At the bottom of the summary article were links to media articles (see below). Those articles came out a day or two ago, before LastPass released the information that @Condobloke linked in their post above.

The articles below have amplifying details that I did not see in a quick skim of the LastPass bulletins and blogs. My impressions of the LastPass breaches include:
  • The attack exploited a home computer that belonged to one of only four people at LastPass with access to their corporate encrypted vaults.
  • This was a directed, targeted attack.
  • The attack was highly sophisticated.
    • I will leave it to others to speculate on who may have performed the attack, but indications from the various articles and reports give the impression of a well-funded adversary.
In my opinion, LastPass is still in "damage control" mode. I read the Security Bulletin mentioned in the email that @Condobloke received (see link in the email above). In it, LastPass failed to instruct users to change every password for every website and other entity in your LastPass vault. Admittedly, it is a painful, time consuming, and onerous task, but it must be done. That necessity should be obvious to anyone with even a modicum of security experience.

I wrote the following in response to the feedback question after reading the blog on their website: "LastPass has not yet advised customers to change all of the passwords for websites and other entities in their vaults. LastPass keeps referring to their Zero Knowledge security architecture, depending on customers using strong Master Passwords. That's great for the lawyers and LastPass, but shows disdain for real-world customers who do not always follow best practices. It leaves many customers vulnerable."

These articles were published a day or two before LastPass sent out its email to @Condobloke and others. They are worth your time to read:

https://arstechnica.com/information...yees-home-computer-and-stole-corporate-vault/

https://www.securityweek.com/lastpass-says-devops-engineer-home-computer-hacked/

https://www.bleepingcomputer.com/ne...-to-steal-password-vault-data-in-2022-breach/
 
Isn't this their 2nd breach in as many years? Maybe 3rd
That sounds about right....I don't pay that much attention any more....there are so many 'security incidents' etc etc now they have become all but "usual".....seemingly never ending.
To be honest, all it will take to send me back to my own security/password approach.....will be for Bitwarden to get themselves hacked or whatever. That will be the last straw. I am lazy...I love the convenience that Bitwarden affords me. I would lay a bet that bitwarden are working hard to ensure that everything is locked down ultra securely......if they aren't, then they should be. Consistent reliability is the name of the game.

I left lastpass behind me, because of their money grab, which was consistently accompanied by errors. Plus the ongoing feeling that I could not trust them. Call it instinct....it proved to be correct.

I do not pay money for a grubby app like that. If I am going to part with money it has to be good....and I mean good!

As for changing passwords...the laborious, onerous tasks involved there.....the majority of LastPass users want their money's worth. They are not into having to keep an eye on something they pay $ for. They expect it to work. Period.
And, I can only assume they will leave in droves when it does not.
 
I left LastPass for the same reason you did. Glad I did. A couple of nice things about BitWarden: it's only $10/yr for the premium plan, it's open source, and you can self-host it if you want to.

I've been using BitWarden since the LP money grab and couldn't be happier.
 
Isn't this their 2nd breach in as many years? Maybe 3rd
I suppose that it depends on how people count breaches. The multiple disclosures and notifications from LastPass starting with the August 2022 attack are related to each other. With each new disclosure from LastPass, we learn more about what the attackers accessed and what data they may have captured. Are they separate breaches or just one breach trickling out bit by bit?

When the October 2022 announcement came and LastPass claimed that the attackers got into LastPass' development environment, I issued warnings about LastPass' carefully worded disclosure, and especially their emphasis on the security of their Zero Knowledge architecture. I had a feeling that LastPass suspected that customer vaults may have been exposed, but no knowledge or proof. It turned out to be true when we all saw the disclosure in December 2022 that customer vaults were copied by the attacker.

To this day, LastPass continues to emphasize the security of their "Zero Knowledge" architecture. The basis of that security is the customer's chosen Master Password. In my opinion, LastPass is thrusting the responsibility for the security of the customer password vaults onto its customers, in an attempt to avoid liability for the disaster that has unfolded.

As I said above, it is shameful that LastPass is not advising customers to change all of the passwords in their vaults, especially the ones that fail the Master Password quality tests in their Security Bulletin.
-> Changing all passwords should be done immediately, whether or not the customer chooses to continue using LastPass. To me, it feels like LastPass is most concerned about the alarm such advice may cause, and especially its effect on their revenue stream and the future value of their business.

I believe that LastPass values their corporate interests over the security of their customers. That is a breach of ethics in the security industry. True, a different kind of "breach", but as bad or worse than the incident itself.

Am I upset? Darn tootin' I am. I will state for the record that when LastPass announced their internet vault sync feature about 15 years ago, I warned my coworkers and colleagues and family and friends that this would happen and not to use it. I was right. I am not clairvoyant; it was obvious.
 
With each new announcement the breach becomes more and more serious.
You have a point with them shifting liability. Firms rarely have to pay for the damage to customers.
 
Once in a while, I do an 'inspection' of the site (this one) and look for problems that may need to be mentioned to an admin. This involves an incognito browser instance and allowing ads.

Well, I did such an inspection today. All was as expected, more or less...

But then I saw this, which made me kinda chuckle:

 
wow...talk about the small print !
 
