bitmover (OP)
Legendary
Offline
Activity: 2478
Merit: 6285
bitcoindata.science
|
Password manager giant LastPass has confirmed that cybercriminals stole its customers’ encrypted password vaults, which store its customers’ passwords and other secrets, in a data breach earlier this year.

In an updated blog post on its disclosure, LastPass CEO Karim Toubba said the intruders took a copy of a backup of customer vault data by using cloud storage keys stolen from a LastPass employee. The cache of customer password vaults is stored in a “proprietary binary format” that contains both unencrypted and encrypted vault data, but technical and security details of this proprietary format weren’t specified. The unencrypted data includes vault-stored web addresses. It’s not clear how recent the stolen backups are.

LastPass said customers’ password vaults are encrypted and can only be unlocked with the customers’ master password, which is only known to the customer. But the company warned that the cybercriminals behind the intrusion “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.”

Toubba said that the cybercriminals also took vast reams of customer data, including names, email addresses, phone numbers and some billing information.

https://techcrunch.com/2022/12/22/lastpass-customer-password-vaults-stolen/

We should never trust our data to those big corporations. Hackers got employees' keys, customers' passwords, name, billing information, email... What the fuck! This is a password manager. How does this kind of shit happen? And why do people share so much sensitive information (such as billing information) with a password manager?

Password managers are a must today. You should always use a different password, and a strong one, and we can't remember all of them. But the problem is which pass manager to choose. KeePass and Bitwarden are probably the best.

Protecting our passwords is similar to protecting our bitcoin and our exchange accounts.
|
|
|
|
decodx
|
|
December 26, 2022, 09:59:30 PM |
|
As for the password manager, I would suggest an open source solution and one that does not store data on a centralized server. When choosing an open-source password manager, it's important to do your own research and compare the features and reviews of different options to find the one that's right for you. Here are a few options you may want to consider:
KeePass, Bitwarden, Password Safe, KeePassXC
|
|
|
|
Woodie
|
|
December 26, 2022, 10:11:42 PM |
|
I remember seeing this story make headlines 2-3 months back and LastPass themselves weren't sure of how much data was stolen, but I am certain the effects of such a hack will be felt after 6 months or so when the black market makes use of this data. I guess changing passwords on a regular basis would be a good countermeasure to such, or better yet go for open-source alternatives.
|
|
|
|
Igebotz
Staff
Legendary
Offline
Activity: 1554
Merit: 1812
Stake Sherrif 🌠
|
|
December 26, 2022, 10:21:27 PM |
|
We should never trust our data to those big corporations. <cut. Protecting our passwords is similar to protecting our bitcoin and our exchange accounts.
It is not a matter of trust; rather, it is a matter of verifying the type of password manager we use: is it open source? Is it AES-256 encrypted end-to-end? These are questions that anyone should consider before storing or using a password manager for sensitive information. Is it necessary to have one for those of us who have multiple social accounts, as well as for those of us who use different passwords for each of our online accounts? You need a password manager if you are the type who uses "forgot password" after a short period of time. Last time I checked, LastPass was not open source, which is a red flag. Bitwarden is one of the best and this is what I use (open source).
If these companies are not held accountable for selling and leaking private data to hackers, these "oh we got hacked" BS excuses will continue, and people will continue to lose money and private documents to criminals.
|
|
|
|
|
|
|
tech30338
Full Member
Offline
Activity: 714
Merit: 150
Defend Bitcoin and its PoW: bitcoincleanup.com
|
|
December 27, 2022, 02:21:36 AM |
|
I heard this last week; one of our managers posted on our Telegram group. I myself would not trust any third-party software to keep my data. Just like my saying, a secret is not a secret once shared with a person; it would leak eventually, sooner or later. Your PC could be infected with a virus that steals your precious data. No one is safe forever; they could have been breaching that for a long time and finally the last defense falls and there goes your data to the black market.
|
|
|
|
UchihaSarada
Full Member
Offline
Activity: 496
Merit: 142
Hire Bitcointalk Camp. Manager @ r7promotions.com
|
|
December 27, 2022, 02:50:25 AM |
|
It is sensitive to store passwords at servers of any company.
I write my password on paper, store them at home and I have my own banks, own backups. Online hackers can not hack my wallet, can not steal my passwords. They can't.
Basic backups are enough.
|
|
|
|
witcher_sense
Legendary
Offline
Activity: 2450
Merit: 4415
🔐BitcoinMessage.Tools🔑
|
|
December 27, 2022, 03:22:14 AM |
|
It is sensitive to store passwords at servers of any company.
I write my password on paper, store them at home and I have my own banks, own backups. Online hackers can not hack my wallet, can not steal my passwords. They can't.
Basic backups are enough.
Let us not forget that password managers are not exclusively about "storing" your logins, passwords, and other sensitive information. They also help you organize your passwords and generate them in a secure manner using strong random number generators. They protect you from reusing passwords: they will warn you if some of your passwords aren't unique, and they incentivize you to change your credentials more frequently. They offer auto-filling functionality that is very handy and also may theoretically protect you from keyloggers since you no longer need to enter information manually with the keyboard. This is not to say that I am in support of LastPass (I stopped using this password manager a long time ago), but DIY solutions like pieces of paper with passwords written on them don't guarantee that your passwords are unhackable and random because the human brain can't do real randomness.
|
|
|
|
dansus021
Copper Member
Legendary
Offline
Activity: 2184
Merit: 1006
Part of AOBT - English Translator to Indonesia
|
|
December 27, 2022, 03:29:23 AM |
|
I just thought that a paid service like LastPass would have better security than a free password manager. Currently I'm using Bitwarden and all is good, and I'm also using the Chrome password manager, but I don't recommend this.

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

Quote from: https://cointelegraph.com/news/lastpass-attacker-stole-password-vault-data-showing-web2-s-limitations
|
|
|
|
Yogee
|
|
December 27, 2022, 06:02:20 AM |
|
Many transactions are done online nowadays and a lot of companies relied on their service. I even read in a group that an outsourced virtual worker lost a long-time client because of the breach. There are probably millions of dollars lost by private companies who used LastPass.

I just thought that paid service like LastPass have better security than free service password manager.
It remains true in most cases. They usually have more resources to invest in data security compared to those offering it for free.
|
|
|
|
Outhue
|
|
December 27, 2022, 08:21:47 AM |
|
I like writing down my passwords in a book and still use a 2FA code to log into any platform or website. I believe this is the safest way to stay secure online when it comes to passwords and logins. As for the email account I use for receiving login verification, I still use 2FA with Google Auth and a limited login device under security settings.
|
|
|
|
348Judah
|
|
December 27, 2022, 09:40:18 AM |
|
There's no doubt that hackers can come in through any means to operate, including routes from centralized exchanges, cloud storage, and any other known security means we adopt for storing our keys to the wallet on the blockchain. That's why you see many people losing their assets and falling into the hands of hackers: they were not careful enough when trying to secure their key, and that makes it more vulnerable to an attack.
|
|
|
|
DdmrDdmr
Legendary
Offline
Activity: 2478
Merit: 11045
There are lies, damned lies and statistics. MTwain
|
|
December 27, 2022, 09:44:12 AM |
|
In a recent notice from LastPass on the matter that I read a few days ago, there’s a detail that caught my attention, that is also summarized in the OP’s quote. Besides the dreadful fact that the hacker may be able to, at some point, at least break weak passwords on the vault’s backup, they seemingly have access in cleartext to all the URLs being stored. Now if this URL data can be associated to the customer identification data that they mention in the last paragraph (unencrypted presumably), then they can create a pretty targeted database for phishing/smishing, whereby they’d be able to tailor the phishing message to a particular site that the user has an account on, with a wide variety of choices derived from the complete dataset.
|
|
|
|
Lucius
Legendary
Offline
Activity: 3416
Merit: 6135
Crypto Swap Exchange🈺
|
|
December 27, 2022, 10:49:50 AM |
|
I have never used password managers and no matter how normal and desirable some people think it is, good old paper and quality ink have always served me well. To some, it may seem old-fashioned and less effective, considering that most of you have a lot of passwords these days, but for me it is better to spend a little more time on finding the password and typing it, than to trust companies that are more than obviously vulnerable.
As always, the man proves to be the weakest link in everything, because the hackers obviously had their target in one of the company's employees, and he is the one to blame for the fact that they managed to get all that data. One such weak link exists in most companies, it's only a matter of time when someone will take advantage of it.
|
|
|
|
_BlackStar
Legendary
Offline
Activity: 1260
Merit: 1274
|
|
December 27, 2022, 10:58:00 AM |
|
No one is safe entrusting third parties for sensitive data. I have never used any password manager so far and probably never will. Even if someone says some tools are quite safe, I tend to believe in simpler ways without involving other people and parties.
Recently Twitter customer data was hacked and will be sold on the black market. I also heard that CMC customer data was also hacked and sold, meaning that there is no online platform which is totally safe for our personal data. Even our KYC data on several online platforms such as exchanges and casinos can also be misused, so we must really take care of our own security by avoiding it as much as possible.
|
|
|
|
examplens
Legendary
Offline
Activity: 3458
Merit: 3479
Crypto Swap Exchange
|
|
December 27, 2022, 11:25:49 AM |
|
This seems a bit comical. They exist with only one purpose and have one task, which is to save the keys. Now they failed to do it. I have never had confidence in such services, mostly for such reasons.

LastPass said customers’ password vaults are encrypted and can only be unlocked with the customers’ master password, which is only known to the customer. But the company warned that the cybercriminals behind the intrusion “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.”

As the hackers have already reached the database, how can we believe that they will not crack the "master" password? Once things like this are compromised, I think it's impossible to repair reputation and trust.
|
|
|
|
bitmover (OP)
Legendary
Offline
Activity: 2478
Merit: 6285
bitcoindata.science
|
|
December 27, 2022, 12:10:55 PM |
|
as the hackers have already reached the database, how can we believe that they will not crack the "master" password? once things like this are compromised, I think it's impossible to repair reputation and trust.
Yeah, and it is closed source; we can't know for sure if our master password isn't on their servers and if they leaked it or not. But theoretically, passwords are safe and encrypted behind this master password. If it is a strong one, they are still relatively safe.
|
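The point argued in the posts above, that a vault stolen in encrypted form is only as safe as its master password, can be put into numbers. This is an added example, not part of the thread and not LastPass code; PBKDF2-HMAC-SHA256 as the key-derivation function, the two iteration counts and the attacker's guessing rate are all assumptions chosen for illustration.

```python
import hashlib
import math
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key (the size AES-256 needs).

    PBKDF2-HMAC-SHA256 is an assumed KDF; the thread only says the key is
    "derived from each user's master password".
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a secret whose symbols are drawn uniformly at random.

    This is an upper bound: human-chosen passwords carry far less entropy.
    """
    return length * math.log2(alphabet_size)


def expected_years_to_guess(entropy_bits: float, kdf_iterations: int,
                            iterations_per_second: float) -> float:
    """Average offline search time against one stolen vault.

    On average half the keyspace is tried, and every guess costs
    kdf_iterations units of work.
    """
    expected_guesses = 2 ** (entropy_bits - 1)
    seconds = expected_guesses * kdf_iterations / iterations_per_second
    return seconds / SECONDS_PER_YEAR


def compare(iterations_per_second: float = 1e10):
    """Rows of (label, bits, kdf_iterations, years) for constructed cases."""
    candidates = {
        "8 random lowercase letters": random_password_bits(8, 26),
        "12 random printable ASCII": random_password_bits(12, 94),
        "6 random diceware words": random_password_bits(6, 7776),
    }
    rows = []
    for label, bits in candidates.items():
        for iterations in (5_000, 600_000):  # assumed weak vs. strong setting
            years = expected_years_to_guess(bits, iterations, iterations_per_second)
            rows.append((label, round(bits, 1), iterations, years))
    return rows


if __name__ == "__main__":
    salt = os.urandom(16)  # per-user salt, constructed for the demo
    key = derive_vault_key("correct horse battery staple", salt, 600_000)
    print(f"derived a {len(key) * 8}-bit vault key")
    for label, bits, iterations, years in compare():
        print(f"{label:28} {bits:5.1f} bits  {iterations:>7} iter  {years:.3g} years")
```

Each extra bit of master-password entropy doubles the search time, while raising the iteration count only scales it linearly, which is why a weak master password is not rescued by the KDF setting.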
|
|
|
Solosanz
|
|
December 27, 2022, 02:55:55 PM |
|
As long as the password manager is open source, has been used by many people and can be accessed offline, it's safe. But no matter what, I am always skeptical about storing my passwords in digital form; I always feel it's not 100% safe.
But since I have many passwords and it will not be comfortable to always open my physical paper, I split my password across different password managers.
So let's say the password is: Bitcointalkorg
I will save "Bitcoin" in Keepass, "talk" in Bitwarden, and "org" in Password safe.
|
|
|
|
aysg76
Legendary
Offline
Activity: 1960
Merit: 2124
|
|
December 27, 2022, 03:05:03 PM |
|
This is the risk when we use this third-party software: its security can be compromised at any time, resulting in these types of scenarios. I remember at the time of the Mailchimp hack the employee ID was compromised and the hacker had access to the database, which further resulted in Ledger account holders getting phishing mails, and scams happened.
A password manager helps you in a lot of ways to manage and generate passwords without the need to memorize them, but it also poses these risks, which is why we believe the traditional methods are safer.
If we speak about how they get your sensitive information, then I think when they ask for permission or have a long box of terms we simply agree to it, giving them access to our device, and some of them might be using it themselves for hacking purposes. The hackers will always target this software to gain access to users' data, so it's not advisable to have any unknown password managers on your device, and you should use security measures to the extent possible.
|
|
|
|
bitmover (OP)
Legendary
Offline
Activity: 2478
Merit: 6285
bitcoindata.science
|
|
December 27, 2022, 03:32:49 PM |
|
Besides the dreadful fact that the hacker may be able to, at some point, at least break weak passwords on the vault’s backup, they seemingly have access in cleartext to all the urls being stored.
The URL should be encrypted with the passwords, obviously. Are they storing navigation data as well?
|
|
|
|
Rikafip
Legendary
Offline
Activity: 1932
Merit: 6413
|
|
December 27, 2022, 04:43:14 PM |
|
I saw this news a few days ago and thought to myself "this is exactly the reason why I don't trust any of those pass managers and still prefer the old school way of writing down passwords on a piece of paper". Yeah, I understand that there are pretty good open-source solutions and that my way of storing passwords has its set of problems too, but I simply don't trust any program to do it for me.
|
|
|
|
|