LastPass hacked and source code stolen

To quell panic (if there is any), this wasn't a breach of their production environment/storage. This was a breach of their source control via a compromised developer's account. Basically, Lastpass is now open source!
In terms of password storage, Lastpass and 1password are very similar in their storage/encryption practices.

Out of interest, I'd like to know how the developer's account was compromised. Typically source control access requires MFA, so even if the dev had been careless with their credentials, there should have been another line of defense.
 
Nothing to really worry about - you should have 2FA already enabled and there is no way to decrypt your database even if they managed to get hold of it.
 
User, password, 2fa and an email confirmation with action required if you try to access it from an unfamiliar location.
And you can increase the security on your encryption hashing, etc. in settings - which is what I did years ago when I started with LastPass. Perhaps it's time to finally find another service. Am paying for family at the moment.

Edit: I think it was this setting (password iterations)

 
From their blog post about it:

"
To All LastPass Customers,

I want to inform you of a development that we feel is important for us to share with our LastPass business and consumer community.

Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.

We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.

In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.

Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We have included a brief FAQ below of what we anticipate will be the most pressing initial questions and concerns from you. We will continue to update you with the transparency you deserve.

Thank you for your patience, understanding and support.

Karim Toubba

CEO LastPass

FAQs

1. Has my Master password or the Master Password of my users been compromised?

No. This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password. You can read about the technical implementation of Zero Knowledge here.

2. Has any data within my vault or my users’ vaults been compromised?

No. This incident occurred in our development environment. Our investigation has shown no evidence of any unauthorized access to encrypted vault data. Our zero knowledge model ensures that only the customer has access to decrypt vault data.

3. Has any of my personal information or the personal information of my users been compromised?

No. Our investigation has shown no evidence of any unauthorized access to customer data in our production environment.

4. What should I do to protect myself and my vault data?

At this time, we don’t recommend any action on behalf of our users or administrators. As always, we recommend that you follow our best practices around setup and configuration of LastPass which can be found here.

5. How can I get more information?

We will continue to update our customers with the transparency they deserve. "
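As an added illustration (not code from the post, the LastPass blog, or LastPass itself), here is a simplified model of the arrangement the FAQ calls "zero knowledge" and of the "password iterations" setting mentioned earlier in the thread. The design shown (PBKDF2-HMAC-SHA256 with the lower-cased email as salt, one extra PBKDF2 round to derive a separate login value, and a server that stores only a salted hash of that value) and the iteration counts used are assumptions for the example, not LastPass's actual parameters.

```python
import hashlib
import hmac
import os
import time

# Assumed design for this example (not LastPass's real scheme):
#   vault_key = PBKDF2-HMAC-SHA256(master_password, salt=email, iterations=N)
#   auth_key  = PBKDF2-HMAC-SHA256(vault_key, salt=master_password, iterations=1)
# The client sends only auth_key to the server; the server stores a salted hash
# of it. Neither the master password nor vault_key ever leaves the client, so a
# stolen vault blob plus a stolen server record still has to be brute-forced
# through the full derivation for every guess.

KEY_LEN = 32  # bytes of derived key


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Client-side derivation of the key that encrypts the vault."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, KEY_LEN
    )


def derive_auth_key(vault_key: bytes, master_password: str) -> bytes:
    """One more PBKDF2 round so the value sent to the server is not the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, KEY_LEN)


def server_enroll(auth_key: bytes) -> dict:
    """Server keeps a random salt and a salted hash of auth_key, nothing else."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.sha256(salt + auth_key).digest()}


def server_verify(record: dict, auth_key: bytes) -> bool:
    """Constant-time comparison of the presented auth_key against the stored hash."""
    candidate = hashlib.sha256(record["salt"] + auth_key).digest()
    return hmac.compare_digest(candidate, record["hash"])


def client_login(master_password: str, email: str, iterations: int, record: dict) -> bool:
    """Full client flow: derive vault key, derive auth key, present it to the server."""
    vault_key = derive_vault_key(master_password, email, iterations)
    return server_verify(record, derive_auth_key(vault_key, master_password))


def guess_cost_seconds(email: str, iterations: int, guesses: int = 20) -> float:
    """Average wall-clock cost of one offline guess against a stolen record.

    Every guess must redo the full PBKDF2 derivation, so the cost grows
    linearly with the iteration count the user chose in settings.
    """
    t0 = time.perf_counter()
    for i in range(guesses):
        derive_vault_key(f"guess{i}", email, iterations)
    return (time.perf_counter() - t0) / guesses


if __name__ == "__main__":
    # Constructed sample credentials; iteration counts are illustrative only.
    email, master = "user@example.com", "correct horse battery staple"
    for iters in (5_000, 100_000):
        vault_key = derive_vault_key(master, email, iters)
        record = server_enroll(derive_auth_key(vault_key, master))
        assert client_login(master, email, iters, record)
        assert not client_login("wrong password", email, iters, record)
        print(f"{iters:>7} iterations: {guess_cost_seconds(email, iters):.4f} s per guess")
```

Running the script shows the two things the thread is arguing about: the server record alone does not let anyone log in or decrypt without re-deriving from the master password, and raising the iteration count multiplies the per-guess cost for anyone who obtains a copy of the vault, which is why the "password iterations" setting matters.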
 
From their blog post about it:
Yeah, that is linked in the OP. At least they give some feedback. Unlike Capitec who went offline for days and no proper report (unless I missed it).
 
Have they fixed the problem they had with modifying data while offline?


They do store passwords in the online database, but they're only ever decrypted on your hardware, so an attacker would only get a chunk of encrypted data by breaking into 1Password's servers.
Thank you for correcting me.
 
The day LastPass announced that they would be crippling their free tier even more, I switched over to Bitwarden and haven't looked back. Gone are those ugly, misaligned icons that cluttered up input fields. For me, Bitwarden is actually better than LastPass.
 
Yeah, that is linked in the OP. At least they give some feedback. Unlike Capitec who went offline for days and no proper report (unless I missed it).
You missed it...
This follows a period of approximately 40 hours where Capitec’s digital channels were unavailable to the bank’s customers.

The bank explained that this was “to ensure a sustainable recovery after one of its banking system databases slowed down sporadically.”
 
From their blog post about it:
Not a fan of LastPass but appreciate and applaud their transparency.
 
You missed it...
My friend, that is not a report on the issue from Capitec. That is purely a brief article from the media, and a brief statement from Capitec. No report.

An example of a report would be the discussion I quoted above.
 
Well Capitec wasn't hacked. Lastpass is just trying to save face by having this report.
No they didn't. Their communication is piss poor though.

Lastpass is doing what every company should do when the service has been negatively hit by an important event.

Whether it is a week of downtime (look at you Sage) or data compromised.

In Africa "We are sorry for the inconvenience".
 