LastPass hack - move your crypto assets to a more secure place right now!

[Smack That Ace]

I'm on an iphone and do you have any app suggestions for iOS devices since I don't see KeePassXC for iOS or Android?

I just went through KeePassXC website and it's not supported on mobile. KeePass, Padloc and Passbolt are open sourced password managers that are available on mobile versions. You can use them to save your passwords but I wouldn't advise you to save your seed phrase or private keys on them. For maximum security, anything seed phrase or private keys should be kept offline.

Also, I just visited KeePassXC's website, they don't have a mobile version but they directly recommend apps for 2 popular phone operating systems. Strongbox and KeePassium for iOS, KeePassDX and KeePass2Android for Android operating system. I haven't tried these apps yet but it's worth a try. But even if they are open source and secure, we should never store important things like private keys there. As for the seed phrase and private key, there is no safer way to store them than keeping them offline at all times.

[coolcoinz]

This is sad but whoever stores their crypto backups / seeds / passwords to wallets etc in an ONLINE password manage totally misunderstood tthe self-custody aspect of crypto / Bitcoin.
I still believe password managers do have some value - for throwaway logins or stuff that is just very convenient to access via some basic account. Anythign related to your identity or any real value does not belong there however.

Also, I do believe there are hardware solutions - didn't Trezor have a built-in password manager? Not sure if they continued this service, though

I believe that not all of these people had their seeds in LastPass. Some of them might have their exchange and email logins and passwords. This allowed the attackers to access their exchange accounts and withdraw money.
Currently people are holding cryptocurrencies on lending and staking platforms as well and it's enough to have access to email account to reset password on these sites and withdraw funds, since the confirmation often comes to that same email.

Also, don't underestimate people. They still fall victim to emails sent by Nigerian princes and send money to new investment platforms promoted by Elon Musk and Jeff Bezos

[Stalker22]

This is sad but whoever stores their crypto backups / seeds / passwords to wallets etc in an ONLINE password manage totally misunderstood tthe self-custody aspect of crypto / Bitcoin.
I still believe password managers do have some value - for throwaway logins or stuff that is just very convenient to access via some basic account. Anythign related to your identity or any real value does not belong there however.

Also, I do believe there are hardware solutions - didn't Trezor have a built-in password manager? Not sure if they continued this service, though

I believe that not all of these people had their seeds in LastPass. Some of them might have their exchange and email logins and passwords. This allowed the attackers to access their exchange accounts and withdraw money.
Currently people are holding cryptocurrencies on lending and staking platforms as well and it's enough to have access to email account to reset password on these sites and withdraw funds, since the confirmation often comes to that same email.

Also, don't underestimate people. They still fall victim to emails sent by Nigerian princes and send money to new investment platforms promoted by Elon Musk and Jeff Bezos

That is my thinking too. It has been over a year since the LastPass hack happened.  There is no telling what kind of data the hackers got their hands on in that time and  id bet the farm that the database has spread all over the dark web at this point, with hundreds or maybe thousands of shady characters trying to crack it and to get into those accounts.  

I bet most LastPass users probably didnt even know their info was stored in the cloud.  Your average LastPass user likely isnt tech savvy.  They installed the extension without thinking twice about where their data would go. The browser extension works in the background - and not much different than the built-in password manager.  And let us not forget that LastPass was supposed to be mega secure too.  Tons of pros said it was top of the line.  Whether thats true or not, LastPass was definitely the popular choice for managing passwords.  

[Bananington]

This is sad but whoever stores their crypto backups / seeds / passwords to wallets etc in an ONLINE password manage totally misunderstood tthe self-custody aspect of crypto / Bitcoin.
I still believe password managers do have some value - for throwaway logins or stuff that is just very convenient to access via some basic account. Anythign related to your identity or any real value does not belong there however.

Also, I do believe there are hardware solutions - didn't Trezor have a built-in password manager? Not sure if they continued this service, though

I believe that not all of these people had their seeds in LastPass. Some of them might have their exchange and email logins and passwords. This allowed the attackers to access their exchange accounts and withdraw money.
Currently people are holding cryptocurrencies on lending and staking platforms as well and it's enough to have access to email account to reset password on these sites and withdraw funds, since the confirmation often comes to that same email.

Also, don't underestimate people. They still fall victim to emails sent by Nigerian princes and send money to new investment platforms promoted by Elon Musk and Jeff Bezos

That is my thinking too. It has been over a year since the LastPass hack happened.  There is no telling what kind of data the hackers got their hands on in that time and  id bet the farm that the database has spread all over the dark web at this point, with hundreds or maybe thousands of shady characters trying to crack it and to get into those accounts.  

I bet most LastPass users probably didnt even know their info was stored in the cloud.  Your average LastPass user likely isnt tech savvy.  They installed the extension without thinking twice about where their data would go. The browser extension works in the background - and not much different than the built-in password manager.  And let us not forget that LastPass was supposed to be mega secure too.  Tons of pros said it was top of the line.  Whether thats true or not, LastPass was definitely the popular choice for managing passwords.  

This makes me fear for those of us who store our passwords on browsing apps. This will definitely be a motivation to those who still retained their conservative lifestyle of journaling.
Anyway, anyone who doesn't notice their BTC or Crypto assets stolen from this LastPass hack, doesn't really really care about their asset. This is also a why, why notifications and authentication apps be used so as to assure safety of any crypto based asset of such.

[serjent05]

I remember someone in the forum suggesting Lastpass to use to secure their password way back years ago.   Luckily, I did not follow that suggestion.  For me, any online storage has a high possibility of getting hacked.  If it is secure today, we don't know if it is still secure in the next years.  Hackers are getting smarter by the day, if the security does not evolve then it is more likely that it can be breached one day.  Just like what happens in LastPass.

One lesson should be learned here, storing anything in cloud services is susceptible to hacking so we shoul avoid using this kind of service if we can.

[Iron Fist]

I'm on an iphone and do you have any app suggestions for iOS devices since I don't see KeePassXC for iOS or Android?

KeePassXC is like a total rewrite of the original KeePass password manager.  The developers rewrote everything from scratch so it could work natively on Linux, Windows, and Mac instead of just Windows. But turns out the developers decided not to make their own mobile app because there's already some really good KeePass apps for Android and iPhone. 

For Android, they recommend KeePassDX or KeePass2Android.  Both seem solid based on reviews. 

And on iPhone Strongbox or KeePassium are their top picks.  I checked out Strongbox briefly and it looked slick and simple to use.

Anyway, the key thing is that all these mobile apps are open source and compatible with KeePassXC.  So they can sync up and work together nicely.

[vinc3]

Dang~~~ Lesson learned once again. Hackers will always  be there look at the weakness and its our task to safe guard our passcodes. It is sad that maybe owners use hardware wallet yet they still put their keys online what's the point in doing so. That might be their retirement or future of their children that we are talking about, nevertheless let's just learn once again on this kind of incidents.

[Fivestar4everMVP]

I am just coming across this news right now, and need i say that this is absolutely shocking? This is indeed shocking, as I myself have been a very active user of LastPass all through 2018 to (i think 2021), and even up until now, some of the passwords to my email addresses are still passwords obtained from LastPass.

I sure have not noticed anything like a hack on any of my emails but i guess this is a warning for me to change them, though i am no longer using LastPass, but somehow, i think this passwords may still be on their platform, thank you OP for bringing this topic up here, this is indeed a wakeup call for us all, i also will be working on buying my first hardware wallet, all this online hacks have become one too many to not give attention to.

[laurenB7742]

I am just coming across this news right now, and need i say that this is absolutely shocking? This is indeed shocking, as I myself have been a very active user of LastPass all through 2018 to (i think 2021), and even up until now, some of the passwords to my email addresses are still passwords obtained from LastPass.

I sure have not noticed anything like a hack on any of my emails but i guess this is a warning for me to change them, though i am no longer using LastPass, but somehow, i think this passwords may still be on their platform, thank you OP for bringing this topic up here, this is indeed a wakeup call for us all, i also will be working on buying my first hardware wallet, all this online hacks have become one too many to not give attention to.

I'm also a fan of Lastpass but this isn't the first time they've been hacked and their customer data stolen. Almost every year I hear about this password manager being hacked and I have given up on it since 2020 until now. It's the worst app I've ever used.

Owning a hardware wallet is definitely something any bitcoin investor should do. But what's more important in this story is that we should never store seed phrases or important things using online storage services. The risks of online storage are too great and we should not risk it just for the sake of convenience.

[FatFork]

I am just coming across this news right now, and need i say that this is absolutely shocking? This is indeed shocking, as I myself have been a very active user of LastPass all through 2018 to (i think 2021), and even up until now, some of the passwords to my email addresses are still passwords obtained from LastPass.

I sure have not noticed anything like a hack on any of my emails but i guess this is a warning for me to change them, though i am no longer using LastPass, but somehow, i think this passwords may still be on their platform, thank you OP for bringing this topic up here, this is indeed a wakeup call for us all, i also will be working on buying my first hardware wallet, all this online hacks have become one too many to not give attention to.

I'm also a fan of Lastpass but this isn't the first time they've been hacked and their customer data stolen. Almost every year I hear about this password manager being hacked and I have given up on it since 2020 until now. It's the worst app I've ever used.

Well, I wouldn't exactly say LastPass is the worst app I've ever used, because it did many things right.  Their password generation and seamless integration with browsers was great.  But that's worthless if your private info gets compromised.

If you still use this password manager (or did in the past but reuse those passwords), the best course of action would be to switch to something like KeePassXC or KeePass2.  And change all the passwords LastPass saved, like right now.  If this news about hacked wallets connects to LastPass's hack last year there's no telling what other info could get exposed later.  Things may look okay today but your credentials are still at risk.

[Wend]

I am just coming across this news right now, and need i say that this is absolutely shocking? This is indeed shocking, as I myself have been a very active user of LastPass all through 2018 to (i think 2021), and even up until now, some of the passwords to my email addresses are still passwords obtained from LastPass.

I sure have not noticed anything like a hack on any of my emails but i guess this is a warning for me to change them, though i am no longer using LastPass, but somehow, i think this passwords may still be on their platform, thank you OP for bringing this topic up here, this is indeed a wakeup call for us all, i also will be working on buying my first hardware wallet, all this online hacks have become one too many to not give attention to.

I'm also a fan of Lastpass but this isn't the first time they've been hacked and their customer data stolen. Almost every year I hear about this password manager being hacked and I have given up on it since 2020 until now. It's the worst app I've ever used.

Well, I wouldn't exactly say LastPass is the worst app I've ever used, because it did many things right.  Their password generation and seamless integration with browsers was great.  But that's worthless if your private info gets compromised.

If you still use this password manager (or did in the past but reuse those passwords), the best course of action would be to switch to something like KeePassXC or KeePass2.  And change all the passwords LastPass saved, like right now.  If this news about hacked wallets connects to LastPass's hack last year there's no telling what other info could get exposed later.  Things may look okay today but your credentials are still at risk.

I'm not a tech person, but can you help me understand a little, what's the difference between Lastpass and these applications? Currently, I'm using bitwarden password manager and it's also open source, but I don't know if it's more secure enough than Lastpass. In addition, I saw that the reddit community recently announced that the most voted application is Totalpassword, do you know about it?

Of course, I use them to store passwords because memorizing or storing hundreds of passwords manually is not easy, and I never use it to store my seed phrases.

[libert19]

I used to use LastPass as primary password manager, couple months ago I moved everything sensitive after reading Taylor Monahan's tweet, she mentioned LastPass was common link in drained accounts long before ZackXBT that you have quoted, it's just that she was unsure then if it was really the cause.

I had to manually move entries, because lastpass export does not work correctly, entries kept missing. I wonder myself why did I use this password manager who can't get basic thing right.

[riantolie]

That's why I keep my seed phrase and password from OWNR wallet on paper. You never want to keep things like that online. My social media data is in Excel, but I wouldn't feel safe to keep my seed phrase like that.

[kingvirtus09]

Yes, the last pass was really hacked last year in the month of December. But even though that happened, LastPass was still able to protect their customers' data using strong encryption, and it was not compromised as far as I know.

Maybe if there are still users who will use their last pass despite the events of the issue last year, it would be better for them to update their last pass accounts to the latest version. But if I'm the only one who can follow you, find someone else because there's already been a hole or it's still damaged somehow.

[n00ber]

Yes, the last pass was really hacked last year in the month of December. But even though that happened, LastPass was still able to protect their customers' data using strong encryption, and it was not compromised as far as I know.

Maybe if there are still users who will use their last pass despite the events of the issue last year, it would be better for them to update their last pass accounts to the latest version. But if I'm the only one who can follow you, find someone else because there's already been a hole or it's still damaged somehow.

If Lasttpass can protect user data and it is not compromised then is the article the OP is referring to fake? If that article is not true, I believe Lastpass will object and even sue because it will ruin their reputation. There is no need to update to the latest version, but people using laspass should delete their account and all data on that app. To avoid worse accidents in the future. Lastpass is showing its weaknesses in the same area as other applications.

[Bushdark]

I remember someone in the forum suggesting Lastpass to use to secure their password way back years ago.   Luckily, I did not follow that suggestion.  For me, any online storage has a high possibility of getting hacked.  If it is secure today, we don't know if it is still secure in the next years.  Hackers are getting smarter by the day, if the security does not evolve then it is more likely that it can be breached one day.  Just like what happens in LastPass.

One lesson should be learned here, storing anything in cloud services is susceptible to hacking so we shoul avoid using this kind of service if we can.

I have always been a conscious person when it comes to online password backup. This is never a good option for anyone because the consequences can be bigger than what we ever seen. I don't even back up any of my important password or whatever on any password backup store or even on an email. If everything get hacked, we might lose access to our important accounts and portfolios that could worth so much than what we expected. The LastPass hacked had don an outrageous reactions to people that was affected and I hope those who knew this earlier would have transfer their funds from their actual wallets.

[fuguebtc]

I remember someone in the forum suggesting Lastpass to use to secure their password way back years ago.   Luckily, I did not follow that suggestion.  For me, any online storage has a high possibility of getting hacked.  If it is secure today, we don't know if it is still secure in the next years.  Hackers are getting smarter by the day, if the security does not evolve then it is more likely that it can be breached one day.  Just like what happens in LastPass.

One lesson should be learned here, storing anything in cloud services is susceptible to hacking so we shoul avoid using this kind of service if we can.

I have always been a conscious person when it comes to online password backup. This is never a good option for anyone because the consequences can be bigger than what we ever seen. I don't even back up any of my important password or whatever on any password backup store or even on an email. If everything get hacked, we might lose access to our important accounts and portfolios that could worth so much than what we expected. The LastPass hacked had don an outrageous reactions to people that was affected and I hope those who knew this earlier would have transfer their funds from their actual wallets.

If you don't use any password storage apps, how can you remember all your passwords? How can you use it when you're on a business trip, vacation, or away and need to access a few personal accounts? I think very few people wouldn't use a password manager, and using them isn't necessarily a bad thing. It is important that we choose open source, trustworthy applications...and apps from Keepass are among the password managers worth using. Not all is bad.

[Yamane_Keto]

A password manager selling its own vaults which leads to major losses for its own customers? That's a bit far fetched if you ask me, because if that were true, it would certainly mean the end of LastPass (if not already).

The code is closed source, so I can make any claim and it will be difficult to prove otherwise. Facebook has sold user data and still has growth in its user base. I am certain that if FTX returns to work, you will find some people willing to trust them again, and this is not the first time lastpass has been hacked may not be the last one


https://bitcointalk.org/index.php?topic=5424994.msg61386195#msg61386195
Even opensouce option, you may need to add  a second layer of encryption

[Assface16678]

That's why I don't ever trust even once in an online password manager. As an IT professional, I know the risk and danger of storing passwords or seed phrases in password managers. First,  of course, the application or website is being managed by other people; it of course has the risk of being breached or hacked. It is a common sense, especially now that hacking and scamming are prominent.


If you are a cryptocurrency holder and are storing seed phrases and passwords online, this is a wake-up call thanks to the topic, and op he discovered this news and posted it here immediately, so if you do that, then stop it right now, any minute, or anytime. We never know your passwords or valuable keys can be stolen by those who take advantage of the technology. Instead of relying on password managers or even an online note, find another option or way to keep your passwords or anything that is a credential to your accounts.

[Iron Fist]

Instead of relying on password managers or even an online note, find another option or way to keep your passwords or anything that is a credential to your accounts.

Personally, I use a password manager. It's convenient not having to remember passwords or use weak ones I can actually recall.  But I know everyone has their own system and not all are created equal from a security standpoint. I'm curious what your preferred method is and any password wisdom you'd share! How do you balance security and convenience when it comes to managing credentials?