Letter from Lastpass about "incident"

[rfrazier]

Hi all. I think @Steve was talking at one point about the recent "incident" at Lastpass. Frankly, I haven't followed the details. I think I heard @Steve say he wasn't too worried about it. Anyway, they sent me this useless letter which I thought I'd share. It does however link to the blog but I haven't had a chance to read it. If y'all find something that's critical in there, please post it here.

"Dear LastPass Customer,

We recently notified you that an unauthorized party was able to gain access to a third-party cloud-based storage service which is used by LastPass to store backups. Earlier today, we posted an update to our blog with important information about our ongoing investigation. This update includes details regarding our findings to date, recommended actions for our customers, as well as the actions we are currently taking.

We thank you for your patience and continued support of LastPass.

The Team at LastPass"

Blog link: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

May your bits be stable and your interfaces be fast. Ron

 

[CredulousDane]

Yeah, will be interesting to hear Steve's opinion on this. It's bad that they got access to vault data but following the password guidelines it's should be OK.

 

[MarkGoddard]

Hopefully the latest update is the extent of the issue, but lots of people have serious doubts. It is definitely causing me to finally completely shut down my account and complete my transition to 1Password.

 

[Lob]

This is becoming symptomatic of many attacks - either someone makes a mess of the security at a 3rd party (them or you) or access control is borked. Why create accounts at a 3rd party when federation is possible? That way, you limit how the 3rd party can be attacked - which seems to not be the case here. It reads like there was one secret or a badly-managed secret for that service.....

 

[rfrazier]

I'm still with Lastpass. I have been ever since @Steve recommended them so many years ago. Thanks @Steve . Properly running a password service for millions of people is a monumental and expensive undertaking. At least Lastpass has a business model, although I'll admit I'm currently on their free tier. I paid for many years until they raised their prices substantially. Still, doing all that R and D and running servers and customer support doesn't happen for free. I believe they still have the best infrastructure and implementation out there. I tried BitWarden once and immediately had problems with their plugin and couldn't get support. I may change my mind someday, but for the moment, Lastpass is still my go to password service.

May your bits be stable and your interfaces be fast. Ron

 

[PHolder]

If any of what this guy writes is true, then the true depth of the LastPass problem is very concerning.

Jeremi M Gosney :verified: (@epixoip@infosec.exchange)

I recently wrote a post detailing the recent #LastPass breach from a #password cracker's perspective, and for the most part it was well-received and widely boosted. However, a good number of people questioned why I recommend ditching LastPass and expressed concern with me recommending people...

twit.social

 

[rfrazier]

That's an interesting article. I find it hard to believe all his allegations are true. But, I don't understand the hacker technojargon. It doesn't seem to correlate with what @Steve said about their technology in the past. I could be wrong though. It would be interesting to see what @Steve says about it.

May your bits be stable and your interfaces be fast. Ron

 

[dg1261]

"If any of what this guy writes is true ..."

That's a key qualifier, IMHO. I'm not a LP supporter and switched to BW several years ago, but I found his post to be lacking, and have summarily dismissed it.

I'm a pessimist, and I immediately became skeptical when this Jeremi guy presented so much to be "facts" without any links or backing references. There's not a single link in his post to support his allegations, despite some pretty specific claims -- which ought to be easy to find links to. (No, I'm not going to waste my time doing his research for him.)

Even worse, he pretends so many claims are obvious or trivial to fix, as though the reader is too stupid to understand if you don't believe him. It's the same kind of tactics we've grown accustomed to seeing on Twitter and YouTube, and basically the internet at large.

Then he alleges LP uses [awful] encryption. IIRC, Steve confirmed the original LP's encryption was rock solid. So is Jeremi disagreeing with Steve's assessment, or is he implying the current owners tossed the encryption code and re-invented the wheel? The latter seems incomprehensible, but if he's disagreeing with Steve I know which horse I'd back between the two of them.

As counterpoint to his lack of evidence, I had to LOL at his argument that 1PW is superior because he "personally know(s) the people". Wow.

I used to be a LP user, but I ditched them when LogMeIn took over and am now a satisfied BW user, so I have no love for LP. But I also have no patience for people who masquerade their own opinions as "facts".

 

[sholden]

The details of the last breach pushed me to try out Bitwarden. So far it is working well for me (only 5 days of testing using the free account). I have to move my whole family from LastPass so that is a challenge to find something that non-techies can use.

 

[miquelfire]

My switch from LastPass to Bitwarden is giving me a reason to change my passwords... which is going to take a long time because I have a lot of sites to change, and some I haven't used in forever and forgot I even had an account with them. For now, I put sites I use, or at least important to change sooner in one category, and it is sitting at 42, but one catch all category has 175 sites. Then there are other categories that LastPass created for me when I saved some sites, I think the biggest of them is 16 sites.

And there's the work account...

 

[Ralph]

Not LastPass related, but may be of interest:

My first password manager is Bitwarden based on SN podcasts. I used the browser plugin for a while then deleteed it after 'spotty' auto fill results. I find the copy/ paste easy and reliable. I upgraded to the $10 per year plan after a short while and every once in a while run the web vault reports. Interestingly a recent check on the reports showed a partial breach of one of my accounts- not the account itself but from some partner they deal with. That explained the recent spam emails trying to get me to click on email links.

Access to BW on Windows 10 works offline but you can't do any kind of editing without an online connection. Although I haven't had any reason to not trust BW I've thought of a backup just in case (eggs in one basket). I started playing with PasswordSafe recently and like it more as I use it. To me, the most interesting feature is the portable/ on key version. I set it up with a Yubikey for opening the vault and am slowly adding items into it. I am not sure yet if I can just import the Bitwarden database, I haven't tried so far.

Perhaps the most interesting thing about PasswordSafe is the portable feature. You can copy the entire folder elsewhere as a functional backup. I messed something up trying to add my Yubikey to PWS and lost access to it. I just deleted the whole thing, took a copy I made of that folder as a backup and tried again. You can back up the whole folder somewhere, encrypt it if wanted, and you have a safe backup that is fully functional if ever needed. It runs just fine off a flash drive.

I am sure other password managers have portable versions (I've seen one for Bitwarden but haven't tried it), but I like the idea of 2 different programs just in case. I also like that I can safely keep a backup safely on my keychain. Yes, I also export an encrytped database from Bitwarden. Relying so heavily on a password manager it makes sense to have reliable backups of it- just in case.