WebProNews

Tag: LastPass

  • Hackers Stole LastPass Encryption Key

    The news from LastPass keeps getting worse, with parent company GoTo admitting an encryption key was stolen in its latest breach.

    LastPass suffered a data breach in August and has been slowly releasing more details regarding the severity of the breach. What began as theft of source code graduated to theft of user password vaults. Even then, the company reassured users that their passwords were secure, since the vaults were still protected by encryption.

    Unfortunately, the company has revised its information — yet again — and acknowledged that an encryption key for at least some downloaded data was also stolen. The breach also impacts other GoTo products.

    “We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups,” writes GoTo CEO Paddy Srinivasan. “The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”

    Needless to say, LastPass users should immediately change all of their passwords and closely monitor their accounts and services for unauthorized access.

    It is extremely disturbing that the LastPass breach continues to get worse. Despite the situation, the company has still not disclosed important information regarding the incident, such as exactly how many customers have been impacted.

    Given how LastPass has handled this breach, it is increasingly hard to justify using the service or trusting that it can protect its customers.

  • LastPass: Hackers Stole Encrypted User Password Vaults

    LastPass has issued a security advisory, notifying customers that the data breach it suffered in August was far worse than thought.

    LastPass is a popular password management application. In August, the company informed customers that it had suffered a data breach, one in which “portions of source code and some proprietary LastPass technical information” was stolen. At the time, the company assured customers that no passwords were stolen or compromised.

    The company has provided an update on the situation, informing customers that the data stolen in August was used to compromise an employee’s credentials and gain access to the company’s cloud-based storage service. As a result of this secondary breach, the hacker was able to download a backup copy of customer data vaults.

    The company described the issue in its advisory:

    To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

    The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

    Despite the severity of the breach, LastPass says customer passwords are still secure…at least for now. The company says encrypted fields are protected using 256-bit AES encryption, with the encryption key based on the user’s master password. Between the strong encryption and the fact that LastPass does not have access to a user’s password, theoretically, users’ password vaults should still be secure.

    Despite the assurance, LastPass says all users should immediately change their master passwords to prevent any risk of the hackers using brute force attacks to try to access the vaults or use some of the unencrypted data in phishing and scam attempts.

    The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices. We routinely test the latest password cracking technologies against our algorithms to keep pace with and improve upon our cryptographic controls.
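The advisory above rests on two things: the vault key is derived from the master password, and guessing that password offline costs the attacker a full key derivation per guess. The following is an added illustration, not LastPass code and not its actual parameters: it assumes PBKDF2-HMAC-SHA256 as a representative password-based KDF, a server-side verifier that stores a salt plus a hash of the derived key (the "salted and hashed passwords" the reporting mentions), and constructed iteration counts and attacker hash rates, and it shows how password entropy and KDF work factor combine into an expected cracking time.

```python
"""Master-password key derivation and an offline-guessing cost model.

Added example. PBKDF2-HMAC-SHA256, the verifier layout, the iteration
counts and the attacker hash rate are assumptions for illustration only;
the page does not state the vendor's real parameters.
"""
import hashlib
import hmac
import math
import os

KEY_LEN = 32  # 256-bit key, matching the AES-256 the reporting describes


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key (assumed KDF)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def make_verifier(master_password: str, iterations: int) -> dict:
    """Server-side record: random salt and a hash of the derived key.

    The stored hash lets the server check a login without holding either the
    master password or the vault key itself (assumed design).
    """
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": hashlib.sha256(key).digest()}


def check_master_password(candidate: str, verifier: dict) -> bool:
    """Constant-time comparison of a candidate against the stored verifier."""
    key = derive_vault_key(candidate, verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), verifier["hash"])


def password_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(charset_size)


def expected_years_to_crack(entropy_bits: float, iterations: int,
                            hashes_per_second: float) -> float:
    """Expected offline cracking time for an exfiltrated vault.

    On average the attacker covers half the keyspace, and each guess costs
    `iterations` HMAC-SHA256 computations. `hashes_per_second` is the
    assumed attacker capability (constructed figure).
    """
    guesses = 2 ** (entropy_bits - 1)
    seconds = guesses * iterations / hashes_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed figures: a modest GPU rig doing 1e9 SHA-256/s (assumption).
    rate = 1e9
    for bits, label in [(password_entropy_bits(62, 8), "8 random alnum chars"),
                        (password_entropy_bits(62, 12), "12 random alnum chars"),
                        (password_entropy_bits(7776, 6), "6-word diceware phrase")]:
        for iters in (1_000, 100_000, 600_000):
            years = expected_years_to_crack(bits, iters, rate)
            print(f"{label:24s} ({bits:5.1f} bits) x {iters:>7d} iters: {years:12.3g} years")
```

The table the script prints makes the defender's point concrete: raising the iteration count multiplies cracking time linearly, while each extra bit of password entropy doubles it, so a long random master password matters more than any server-side tuning once a vault copy is in an attacker's hands.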

    The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.

    LastPass’ revelation is a disturbing one, given the popularity of the application and the important role it plays in the cybersecurity of countless individuals. One can only hope the company will take drastic steps to ensure such a breach doesn’t happen again.

  • LastPass Source Code Stolen in Data Breach

    Popular password manager LastPass has revealed that portions of its source code were stolen by hackers in a recent data breach.

    LastPass revealed the news in a blog post, emphasizing that no customer data was stolen and no password vaults were compromised. Instead, the hackers seem to have largely focused on gaining access to the company’s source code.

    We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.

    The company emphasizes that customers do not need to take any additional action at this time.

    At this time, we don’t recommend any action on behalf of our users or administrators. As always, we recommend that you follow our best practices around setup and configuration of LastPass which can be found here.

  • LastPass: Master Passwords Not Compromised

    Popular password manager LastPass says master passwords are safe, despite many users believing otherwise.

    Password managers are important elements in cybersecurity. A good password manager saves the many different passwords users collect, notifies them when one is too easy or has been compromised, and suggests strong passwords. A good password manager secures its database of passwords with a master password that must be input to access the saved ones.

    LastPass is one of the most popular of these programs. Early Tuesday, users began noticing suspicious activity, with login attempts from different locations using their master passwords.

    According to AppleInsider, many of the cases involve accounts that haven’t been used in a while, accounts using old master passwords. While this would seem to indicate a hack involving the list of master passwords, specifically a hack involving an old list, some users report continued login attempts even after changing their password.

    Despite the anecdotal evidence to suggest the list of master passwords was compromised, LastPass says its service was not breached or compromised.

    Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.

    It remains to be seen if LastPass is correct, or if further investigation will reveal additional details. Either way, it is a disconcerting turn of events for a service that many people rely on to keep their online activity safe.
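The two explanations in this article leave different traces in authentication logs: credential stuffing shows up as one source trying many different accounts in quick succession, while a targeted account under attack shows up as one user being tried from many locations. The following is an added example, not LastPass code or its telemetry, run over a constructed login log in an assumed `login user=... ip=... geo=... result=...` format; it flags both patterns so that an analyst can tell them apart.

```python
"""Detect credential-stuffing and distributed login attempts in auth logs.

Added example. The log format and the sample lines are constructed; the
IPs are documentation ranges and the thresholds are illustrative defaults.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"geo=(?P<geo>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one IP sprays many accounts (stuffing), one dormant
# account is tried from several countries, plus ordinary successful logins.
SAMPLE_LOG = """\
2023-01-01T09:00:01Z login user=alice@example.com ip=203.0.113.10 geo=US result=FAIL
2023-01-01T09:00:03Z login user=bob@example.com ip=203.0.113.10 geo=US result=FAIL
2023-01-01T09:00:05Z login user=carol@example.com ip=203.0.113.10 geo=US result=FAIL
2023-01-01T09:00:08Z login user=dave@example.com ip=203.0.113.10 geo=US result=FAIL
2023-01-01T09:00:11Z login user=erin@example.com ip=203.0.113.10 geo=US result=OK
2023-01-01T09:00:14Z login user=frank@example.com ip=203.0.113.10 geo=US result=FAIL
2023-01-01T09:00:20Z login user=grace@example.com ip=203.0.113.10 geo=US result=FAIL
2023-01-01T09:05:00Z login user=dormant@example.com ip=198.51.100.7 geo=BR result=FAIL
2023-01-01T09:06:00Z login user=dormant@example.com ip=198.51.100.22 geo=RU result=FAIL
2023-01-01T09:07:00Z login user=dormant@example.com ip=198.51.100.31 geo=IN result=FAIL
2023-01-01T09:30:00Z login user=alice@example.com ip=192.0.2.5 geo=US result=OK
2023-01-01T10:00:00Z login user=hank@example.com ip=192.0.2.9 geo=DE result=OK
"""


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return event


def parse_log(text: str) -> list:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Source IPs that fail logins against >= min_accounts distinct users within `window`.

    Returns {ip: peak number of distinct accounts seen in any window}.
    Successful logins are excluded so a shared office NAT is not flagged.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()  # distinct users currently inside the sliding window
        start = 0
        for end, e in enumerate(evs):
            in_window[e["user"]] += 1
            while evs[end]["ts"] - evs[start]["ts"] > window:
                u = evs[start]["user"]
                in_window[u] -= 1
                if in_window[u] == 0:
                    del in_window[u]
                start += 1
            if len(in_window) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged


def detect_account_spray(events, min_geos=3):
    """Accounts whose login attempts arrive from >= min_geos distinct locations.

    Returns {user: sorted list of geos}; this is the 'login attempts from
    different locations' pattern users in the article reported.
    """
    geos = defaultdict(set)
    for e in events:
        geos[e["user"]].add(e["geo"])
    return {u: sorted(g) for u, g in geos.items() if len(g) >= min_geos}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing sources:", detect_credential_stuffing(evs))
    print("accounts tried from many locations:", detect_account_spray(evs))
```

On the sample, the first detector names the spraying IP (six distinct accounts failed within twenty seconds) and the second names the dormant account tried from three countries; the alice account, which logged in from two US addresses, trips neither. In production the thresholds and window would be tuned to the service's baseline, and a hit from the second detector on an account whose password was recently changed is the case that merits a closer look.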

  • Dropbox Passwords Going Free As LastPass Cripples Free Version

    Dropbox has announced it is making Dropbox Passwords free to all users, providing a valuable password management option when it’s needed most.

    Dropbox first introduced Dropbox Passwords last year to paid users. The company is now making it available to all users, including those with a free storage plan. The service uses zero-knowledge encryption, meaning that Dropbox cannot see or decipher the stored passwords.

    Most significantly, Dropbox’s service works across all compatible devices, filling an important need in the market. LastPass is a popular password manager, allowing users to sync their passwords across devices. Last month, however, the company announced it was restricting its free tier on a platform basis. Users can choose to use it on their computers or their mobile devices, but not both without upgrading to a paid plan.

    Dropbox’s service does have a couple of restrictions on its free tier. The free plan can only be used to store 50 passwords, and will only sync across three devices. Nonetheless, those restrictions are far better than the ones LastPass imposes.