LastPass - Notice of Recent Security Incident

[FatFork]

This morning, I received a notification to my email address about a security incident involving the LastPass password manager. Here is the notice in full:

Dear valued customer,

We are writing to inform you that we recently detected some unusual activity within portions of the LastPass development environment. We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.

In response, we immediately initiated an investigation, deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.

Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We will continue to update our customers with the transparency they deserve.

We have set up a blog post dedicated to providing more information on this incident: https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/

We thank you for your patience as we work expeditiously to complete our investigation and regret any concerns this may have caused you.

Sincerely,
The Team at LastPass

[1715216303]

1715216303

[1715216303]

1715216303

[1715216303]

1715216303

[dkbit98]

This morning, I received a notification to my email address about a security incident involving the LastPass password manager. Here is the notice in full

Compromised developer is the problem, but nothing was breached allegedly... sorry but I don't trust them
Switch from LastPass to KeePass and you wont' receive any email ever, but you will be only responsible person if you lose your backup and login details.
KeePass is open source and it's available on all operating systems and for AndroidOS (keepassDX), they even accept Bitcoin and other crypto donations.

[TryNinja]

Thanks, somehow this email was market as a spam for me. Meanwhile I received a "Failed login attempts detected" email warning from Bitwarden 2 days ago, maybe related to this?

(I haven't used LastPass for years, but my account is still there - inactive)

[lovesmayfamilis]

The most popular password manager has been subjected to technical data theft, but this will surely lead to an outflow of users due to a loss of trust. It is also interesting that the hack was about two weeks ago, but only today this information was launched in the news. Although there are no dangers to disclosing user data, this is unfortunately not the first story when the work of this manager has been called into question.

https://appleinsider.com/articles/21/12/28/lastpass-master-passwords-may-have-been-compromised

[hd49728]

The most popular password manager has been subjected to technical data theft, but this will surely lead to an outflow of users due to a loss of trust. It is also interesting that the hack was about two weeks ago, but only today this information was launched in the news. Although there are no dangers to disclosing user data, this is unfortunately not the first story when the work of this manager has been called into question.

A good password manager is not the one store your password on their servers.

All should be stored in your devices and if you lose that device or you don't have backup, you lose your passwords. No one can hack your password from password manager if you don't let your device infected.

However, if data stored on server, it can be breached.

[jackg]

It is also interesting that the hack was about two weeks ago, but only today this information was launched in the news.

I wonder if people using the service were given warnings in advance of the news to try to mitigate any hacks before this was published in the news.

I'd assume they were trying to hide that the hack actually took place given these circumstances, although if they just didn't notice it, there might be more news to follow.

[PowerGlove]

Remember, using a service like LastPass exposes you to risks that can be avoided by using a good offline password manager, like KeePassXC [1].

Different strokes for different folks and all that, but I would never trust a closed-source "online" password manager, especially when there are such great alternatives available.

Also worth noting that KeePassXC is a community fork of KeePassX (now unmaintained) which was a cross-platform port of the original KeePass.

It being included by default in a security-focused Linux distribution like Tails gives me some confidence that it's trustworthy.

[1] https://en.wikipedia.org/wiki/KeePassXC

[BitMaxz]

I never trust any of these extensions in my browser to auto-fill all sites that I always visit. If you have some sites that involve money always memorize your password because it's not safe if you let your password save to a plugin/extension like Lastpass I never trust any of these memorizing them is always safe.

If your reason is that you forgot the password why not make a backup by writing them on a piece of paper and put it in your wallet or anywhere safe? actually, most of the websites right now have "forgot password recovery" where you can able to reset your password through SMS or email verification so it won't be a problem if you forgot the password.

[FatFork]

This morning, I received a notification to my email address about a security incident involving the LastPass password manager. Here is the notice in full

Compromised developer is the problem, but nothing was breached allegedly... sorry but I don't trust them
Switch from LastPass to KeePass and you wont' receive any email ever, but you will be only responsible person if you lose your backup and login details.
KeePass is open source and it's available on all operating systems and for AndroidOS (keepassDX), they even accept Bitcoin and other crypto donations.

I can't help but feel the same way. It will be interesting to see what an independent investigation will reveal at the end (of course, if there is one).

Honestly, I have been thinking about alternatives to LastPass for some time. KeePass is a logical choice, but the only thing that's holding me back so far is the fact that I want to use LastPass on multiple platforms. I still have to explore reliable options to do this with a KeePass password manager.

[DVlog]

I think that is why I do not use a password manager. I keep my password in the safest place on earth(My mind). Though I do use an external device to keep my password safe in case I forget them which usually does not happens.

[dkbit98]

Honestly, I have been thinking about alternatives to LastPass for some time. KeePass is a logical choice, but the only thing that's holding me back so far is the fact that I want to use LastPass on multiple platforms. I still have to explore reliable options to do this with a KeePass password manager.

KeePassXC for all desktop OS (LIN,MAC,win), KeePassDX for AndroidOS, there are extensions for Firefox and Chrome browsers, and you just need to remember (and backup) one master password.
KeePass allows importing of CSV files import (export it from LastPass); than you can keep KeePass database locally on all your devices, use your own server for hosting, or  some cloud for that (less secure).
Simple, secure and easy to use.

For all other open source alternatives you can check here:
https://alternativeto.net/software/lastpass/?license=opensource

I think that is why I do not use a password manager. I keep my password in the safest place on earth(My mind). Though I do use an external device to keep my password safe in case I forget them which usually does not happens.

If your mind is your safest place than you are just a time ticking bomb waiting to explode, and it's impossible to remember hundreds of passwords, but maybe you are using one more revolutionary (bad) thing - one password for all websites  

[NeuroticFish]

Meanwhile I received a "Failed login attempts detected" email warning from Bitwarden 2 days ago, maybe related to this?

I didn't get any mails from Bitwarden, so I'd guess that somebody may have been indeed trying your account at Bitwarden.
So it's not related to OP issue. And I also recommend OP switching to Bitwarden.

[DVlog]

I think that is why I do not use a password manager. I keep my password in the safest place on earth(My mind). Though I do use an external device to keep my password safe in case I forget them which usually does not happens.

If your mind is your safest place than you are just a time ticking bomb waiting to explode, and it's impossible to remember hundreds of passwords, but maybe you are using one more revolutionary (bad) thing - one password for all websites  

It's not the same for all but a few have a similar password and I can remember all of them because I made them in such a pattern that only I can figure out what that password could be.

[lovesmayfamilis]

I think that is why I do not use a password manager. I keep my password in the safest place on earth(My mind). Though I do use an external device to keep my password safe in case I forget them which usually does not happens.

If your mind is your safest place than you are just a time ticking bomb waiting to explode, and it's impossible to remember hundreds of passwords, but maybe you are using one more revolutionary (bad) thing - one password for all websites  

It's not the same for all but a few have a similar password and I can remember all of them because I made them in such a pattern that only I can figure out what that password could be.

It is always important not to overestimate your strengths. Underestimating is a motivation for development, but being confident in one's own memory is really a bomb. A strong password is always one that a person cannot learn because of its complexity. You probably understand that using the brute method, hackers can quickly pick up a password that does not contain sufficient protection. 
But relying on your brain has been proven to be a  weak defense.

[Pmalek]

A good password manager is not the one store your password on their servers.
...
However, if data stored on server, it can be breached.

All true, but if we can trust that the LastPass statement is true, the vault data is encrypted. Even if stolen, it still needs to be decrypted. But if/since there are better alternatives even to encrypted data storage, better use that.

I keep my password in the safest place on earth(My mind).

Let's hope the safest place on earth doesn't stumble and fall down the stairs or grows old and starts forgetting things.

KeePass allows importing of CSV files import (export it from LastPass); than you can keep KeePass database locally on all your devices, use your own server for hosting, or  some cloud for that (less secure).
Simple, secure and easy to use.

That depends. What you just described is not as secure as it would be if you started with KeePass from scratch without using passwords that originate from other software. If LastPass stores passwords or vault information on a centralized server somewhere (encrypted or unencrypted), exporting and importing that data elsewhere would be like exporting your seed from a hot wallet and importing it into a cold wallet and considering it to be cold storage from now on. It isn't. That data was still stored in LastPass' environment and we don't know in what form and if anyone might have accessed all or parts of it.

[Findingnemo]

I think that is why I do not use a password manager. I keep my password in the safest place on earth(My mind). Though I do use an external device to keep my password safe in case I forget them which usually does not happens.

As a regular person I can't be able to remember 100s of passwords even 10s which is completely random combinations of characters so that is the reason why password managers exist. I do agree that storing password in an online server is not safe but what is the alternative? We need to learn encryption and decryption along with our own server to save all the data of us, and I am wondering is that thing is really possible?

[dkbit98]

That depends. What you just described is not as secure as it would be if you started with KeePass from scratch without using passwords that originate from other software. If LastPass stores passwords or vault information on a centralized server somewhere (encrypted or unencrypted), exporting and importing that data elsewhere would be like exporting your seed from a hot wallet and importing it into a cold wallet and considering it to be cold storage from now on. It isn't.

You can't simply stop using all those passwords at once because you will lose access to all your accounts.
That is why I said to import them all, and you can later change them one by one, if you think something is compromised with lastpass.
Data should be encrypted and not exposed but I would follow what happens next with lastpass case.

KeePassXC and KeePassDX aren't the only fork/modification of Keepass though. Keepass website also mention several fork at https://keepass.info/download.html.

Yeah sure, you can use any keepass fork you want, but it's best to pick something that is updated on regular basis.
Important thing that forks should be compatible with each other with file formats.
 

[Fivestar4everMVP]

Well, I am guessing the email was not sent to every user of last pass as I personally did not receive any email from them , or maybe because my account have been dormant for quite some time now, I can't even remember the last time I logged in on the platform.

I will just hope that the issue isn't serious as they company said, and that users password database was not accessed by the hacker, otherwise, this could be very disastrous.

[Pmalek]

Well, I am guessing the email was not sent to every user of last pass as I personally did not receive any email from them , or maybe because my account have been dormant for quite some time now, I can't even remember the last time I logged in on the platform.

As TryNinja mentioned in his post, the email he received was marked as spam. Maybe your email landed in the spam folder as well and you simply deleted it alongside other spam emails. Check your deleted emails folder, maybe it's there.

Only a part of the database was allegedly breached. Maybe you are not on the list of potential victims. 

[NotATether]

As a regular person I can't be able to remember 100s of passwords even 10s which is completely random combinations of characters so that is the reason why password managers exist. I do agree that storing password in an online server is not safe but what is the alternative? We need to learn encryption and decryption along with our own server to save all the data of us, and I am wondering is that thing is really possible?

LastPass premium user here. There's no way to export your passwords, so the only way to migrate to another platform is to copy and paste all the users and passwords - a tedious and error-prone process, and burns you out quickly if you have hundreds of passwords.