LastPass users: Your info and vault data is now in hackers’ hands (opens in new tab)

(arstechnica.com)

73 pointsjoelkesler3y ago19 comments

19 comments

There ought to be some kind of legal sanction against companies that try to hide the seriousness of data breaches.

I read the customer update, and the severity of this breach is hidden deep in the statement and skimmed over.

Basically: LastPass just shared which sites you have logins for with the attacker. This could be sold or released to the entire world. They claim the usernames are encrypted fields but often the usernames can also be in the URLs saved along with the site.

steve19773y ago

I really don’t understand why they didn’t just encrypt the whole records.

yakak3y ago

The convenience of offering to re-login if your session is expired and you hit a site where you use it?

1 more reply

teamspirit3y ago

This is only tangentially related but I just noticed that lastpass reactivated an account I closed 3 years ago and began billing me two years ago. I just caught the second charge and when I confronted them, they said they can only refund within 30 days!

So check your statements and see. I'm curious to know how many more people this has happened to.

joelkeslerOP3y ago

This makes me wish 1Password still allowed self-hosted and self-synced password vaults.

pwg3y ago

A no-cloud password manager: https://www.pwsafe.org/

With a whole host of alternate, compatible, implementations:

https://www.pwsafe.org/relatedprojects.shtml

Allowing for self-hosting (and in a few instances, some 'syncing').

bjelkeman-again3y ago

What password manager does?

joelkeslerOP3y ago

I believe Keypass uses local password vaults. I don't use it personally, but I have heard many people use a combination of KeePass and Syncthing to sync their passwords across multiple devices.

Example article: https://dev.to/rusty_sys_dev/switching-to-keepass-and-syncth...

I wouldn't recommend Keypass to my non-technical family and friends, but if you love the command line it might be what you are looking for

snorremd3y ago

Bitwarden offers both a hosted and self-hosting option. Though their code is open source unlike LastPass and 1Password.

1 more reply

cemerick3y ago

Keepass2 is a piece of cake. Apps on desktop and mobile, keys stored in dropbox or whatever.

jart3y ago

This title is so manipulative and misleading. The attacker stole a mountain of AES encrypted blobs, so unless this threat actor has broken AES already, it'll probably be decades before they'll be able to peer into your secrets.

ryanjshaw3y ago

Incorrect. It turns out your "vault" is comprised of unencrypted and encrypted fields. Unencrypted fields include URLs. If the attacker publishes this data, or sells it to somebody who does, this will be Ashley Madison x100.

zacwest3y ago

And "unencrypted data, such as website URLs" which really should be enumerated in full.

avnigo3y ago

It looks like the only relevant data that was unencrypted are the URLs [0]. I'm guessing that was some sort of design decision they made for the browser extension to be able to see if you had a password for that site.

If anything, apart from leaking the domain, which could still be a privacy issue, they should have at least sanitized the URLs to remove usernames or tokens if they were going to automatically save those URLs to the vault. I can guess that not doing so allowed their auto-login function to work on some websites by saving the login URL endpoint, but all I'd really want is the vault to keep the sanitized domain.

[0]: https://github.com/cfbao/lastpass-vault-parser/wiki/LastPass...

brewdad3y ago

I used LassPass up until a few years ago. I've received three separate password reset emails this week for accounts I seldom use and haven't visited in months.

Someone is out there using whatever data or metadata was unencrypted.

j / k navigate · click thread line to collapse

19 comments

ryanjshaw3y ago

There ought to be some kind of legal sanction against companies that try to hide the seriousness of data breaches.

I read the customer update, and the severity of this breach is hidden deep in the statement and skimmed over.

steve19773y ago

I really don’t understand why they didn’t just encrypt the whole records.

yakak3y ago

The convenience of offering to re-login if your session is expired and you hit a site where you use it?

1 more reply

teamspirit3y ago

So check your statements and see. I'm curious to know how many more people this has happened to.

joelkeslerOP3y ago

This makes me wish 1Password still allowed self-hosted and self-synced password vaults.

pwg3y ago

A no-cloud password manager: https://www.pwsafe.org/

With a whole host of alternate, compatible, implementations:

https://www.pwsafe.org/relatedprojects.shtml

Allowing for self-hosting (and in a few instances, some 'syncing').

bjelkeman-again3y ago

What password manager does?

joelkeslerOP3y ago

I believe Keypass uses local password vaults. I don't use it personally, but I have heard many people use a combination of KeePass and Syncthing to sync their passwords across multiple devices.

Example article: https://dev.to/rusty_sys_dev/switching-to-keepass-and-syncth...

I wouldn't recommend Keypass to my non-technical family and friends, but if you love the command line it might be what you are looking for

snorremd3y ago

Bitwarden offers both a hosted and self-hosting option. Though their code is open source unlike LastPass and 1Password.

1 more reply

cemerick3y ago

Keepass2 is a piece of cake. Apps on desktop and mobile, keys stored in dropbox or whatever.

jart3y ago

ryanjshaw3y ago

zacwest3y ago

And "unencrypted data, such as website URLs" which really should be enumerated in full.

avnigo3y ago

[0]: https://github.com/cfbao/lastpass-vault-parser/wiki/LastPass...

brewdad3y ago

I used LassPass up until a few years ago. I've received three separate password reset emails this week for accounts I seldom use and haven't visited in months.

Someone is out there using whatever data or metadata was unencrypted.

j / k navigate · click thread line to collapse