LastPass denies claims that master passwords may have been compromised

Posted:
in General Discussion edited December 2021
LastPass members have reported multiple attempted logins using correct master passwords from various locations, but the company has alternately said that the recent attacks are a result of shared passwords gleaned from breaches of other services, or possibly warnings sent in error.

LastPass may have been hacked
LastPass may have been hacked


Multiple users in a Hacker News forum have shared that their master passwords for LastPass appear to be compromised. It is unknown how the passwords have leaked out, but a pattern has emerged amongst users.

The majority of reports appear to come from users with outdated LastPass accounts, meaning they haven't used the service in some time and haven't changed the password. This indicates the master password list being used may have come from an earlier hack.

Some users claim that changing their password hasn't helped, with one user claiming that they saw new login attempts from various locations with each password change. It is unclear how severe the password leak may be, or if LastPass is currently under attack.

LastPass has responded to AppleInsider's request for more information.

"LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted 'credential stuffing' activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services," LastPass spokesperson Meghan Larson told us. "It's important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure."

We can confirm that there is some kind of organized effort to break into LassPass vaults. Since publication, we've had confirmation from readers and colleagues all over the globe about login attempts.

A heads up for my friends, LastPass password manager isn't secure at the moment. There's a certain rush to hijack all data using master passwords as we speak.

-- zodttd (@zodttd)


Overnight, LastPass provided AppleInsider with another statement on the matter.

"As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts.
"We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that user's LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.

However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.

Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.

These alerts were triggered due to LastPass's ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass' zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a users' Master Password(s).

We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure."

AppleInsider recommends that users change their passwords, enable two-factor authentication, and keep an eye out for suspicious login attempts. There is also the option of removing passwords from the service and migrating to 1Password or Apple's iCloud Keychain.

LastPass is a free password manager available across desktop and mobile devices. There have been security concerns about the Android version of the app and its use of trackers.

Update 12/28 11:34 AM ET: Updated with more reports of an organized effort to penetrate LastPass repositories.

Update 12/28 12:10 PM ET: Updated with statement from LastPass.

Update 12/29 6:29 AM ET: Updated with another statement from LassPass.

Read on AppleInsider
Jswim77

Comments

  • Reply 1 of 11
    Hehe....people put their passwords lists in the cloud.....
    xyzzy-xxx
  • Reply 2 of 11
    focherfocher Posts: 687member
    Hehe....people put their passwords lists in the cloud.....
    Yeah, storing encrypted data on the Internet is crazy stuff. It’s almost like every service on the Internet has to expose encrypted data in databases wrapped in security to actually have anything on the Internet.

    You win Ridiculous Comment of the Day.

    This is most surely someone using leaked account credentials that were reused on LastPass accounts. That’s the mistake some people probably made. Password managers don’t store the master password anywhere. Not the cloud. Not locally. It’s the “thing you know”.
    neoncatronnarunXedbyronltwokatmewfastasleepwatto_cobra
  • Reply 3 of 11
    focher said:
    Hehe....people put their passwords lists in the cloud.....
    Yeah, storing encrypted data on the Internet is crazy stuff. It’s almost like every service on the Internet has to expose encrypted data in databases wrapped in security to actually have anything on the Internet.

    You win Ridiculous Comment of the Day.

    This is most surely someone using leaked account credentials that were reused on LastPass accounts. That’s the mistake some people probably made. Password managers don’t store the master password anywhere. Not the cloud. Not locally. It’s the “thing you know”.
    If the “thing you know” gets out somehow, which is what this article is saying, then having your passwords in the cloud becomes a serious security issue for people owning those lists. 
    muthuk_vanalingam
  • Reply 4 of 11
    Hehe....people put their passwords lists in the cloud.....
    Cannot agree more, I remember Apple's Federighi saying that health data is too sensitive to be stored in the cloud – later Apple promoted iCloud Keychain.

    My passwords reside (encrypted by a password manager) on my devices,
  • Reply 5 of 11
    XedXed Posts: 2,622member
    This has always been my issue with LastPass and all other online password manager of this nature. The same goes for browser-based vaults that sync between devices, include Apple's iCloud Keychain.

    I can't pimp 1Password enough in this regard.

    Wgkrueger said:
    focher said:
    Hehe....people put their passwords lists in the cloud.....
    Yeah, storing encrypted data on the Internet is crazy stuff. It’s almost like every service on the Internet has to expose encrypted data in databases wrapped in security to actually have anything on the Internet.

    You win Ridiculous Comment of the Day.

    This is most surely someone using leaked account credentials that were reused on LastPass accounts. That’s the mistake some people probably made. Password managers don’t store the master password anywhere. Not the cloud. Not locally. It’s the “thing you know”.
    If the “thing you know” gets out somehow, which is what this article is saying, then having your passwords in the cloud becomes a serious security issue for people owning those lists. 
    Does the Secret Key that 1Password utilizes for online accounts count as "a thing you know" to you? It's certainly "a thing I have" but I absolutely don't know it. As it's explained in their blog post, just having the user's URL, name, and password will not grant you access if you were to somehow hack into 1Password's server to steal their users's private values.

    https://blog.1password.com/what-the-secret-key-does/
    fastasleepronn
  • Reply 6 of 11
    rwesrwes Posts: 200member
    xyzzy-xxx said:
    Hehe....people put their passwords lists in the cloud.....
    Cannot agree more, I remember Apple's Federighi saying that health data is too sensitive to be stored in the cloud – later Apple promoted iCloud Keychain.

    My passwords reside (encrypted by a password manager) on my devices,
    But.. (seriously confused) Health Data on an iDevice != iCloud Keychain data
    twokatmewwatto_cobra
  • Reply 7 of 11
    Best defense against hacked online accounts is hardware based 2fa like a yubi key 

    I learned the hard way , had my last pass account hacked , bad actor searches my last pass account for cryptocurrency related accounts and you know the rest of the story , 

    Now even if someone has the master password, or even worse the master pw and remote access they can’t authenticate without inserting and pressing the yubi key .  Much better than text code 2fa or Authenticator apps



    watto_cobra
  • Reply 8 of 11
    MplsPMplsP Posts: 3,956member
    Xed said:
    This has always been my issue with LastPass and all other online password manager of this nature. The same goes for browser-based vaults that sync between devices, include Apple's iCloud Keychain.

    I can't pimp 1Password enough in this regard.

    Wgkrueger said:
    focher said:
    Hehe....people put their passwords lists in the cloud.....
    Yeah, storing encrypted data on the Internet is crazy stuff. It’s almost like every service on the Internet has to expose encrypted data in databases wrapped in security to actually have anything on the Internet.

    You win Ridiculous Comment of the Day.

    This is most surely someone using leaked account credentials that were reused on LastPass accounts. That’s the mistake some people probably made. Password managers don’t store the master password anywhere. Not the cloud. Not locally. It’s the “thing you know”.
    If the “thing you know” gets out somehow, which is what this article is saying, then having your passwords in the cloud becomes a serious security issue for people owning those lists. 
    Does the Secret Key that 1Password utilizes for online accounts count as "a thing you know" to you? It's certainly "a thing I have" but I absolutely don't know it. As it's explained in their blog post, just having the user's URL, name, and password will not grant you access if you were to somehow hack into 1Password's server to steal their users's private values.

    https://blog.1password.com/what-the-secret-key-does/
    Hmm…since ‘the cloud’ is the most effective way to share data across sites pretty much every health system that has an EMR is storing their data in the cloud. And iCloud keychain is in the cloud but iCloud accounts could never be hacked. oh, wait…

    I’ve been using 1password since Apple ditched keychain on mobile me years ago. A little while ago I got frustrated with some aspects and looked into switching to DashLane or LastPass. Both of them use a browser based app with no option for a local database and no standalone app. After spending some time playing with them I quickly went back to 1Password.

    Cloud-based storage is the most effective way to share the database across devices but not all security is created equal. Using a browser-based app just opens up a giant security hole. 1Password gives you the option of keeping your database local and if you do put it in the cloud, they require a unique database key generated by the app to access it in addition to your user name and password.
    watto_cobra
  • Reply 9 of 11
    XedXed Posts: 2,622member
    MplsP said:
    Xed said:
    This has always been my issue with LastPass and all other online password manager of this nature. The same goes for browser-based vaults that sync between devices, include Apple's iCloud Keychain.

    I can't pimp 1Password enough in this regard.

    Wgkrueger said:
    focher said:
    Hehe....people put their passwords lists in the cloud.....
    Yeah, storing encrypted data on the Internet is crazy stuff. It’s almost like every service on the Internet has to expose encrypted data in databases wrapped in security to actually have anything on the Internet.

    You win Ridiculous Comment of the Day.

    This is most surely someone using leaked account credentials that were reused on LastPass accounts. That’s the mistake some people probably made. Password managers don’t store the master password anywhere. Not the cloud. Not locally. It’s the “thing you know”.
    If the “thing you know” gets out somehow, which is what this article is saying, then having your passwords in the cloud becomes a serious security issue for people owning those lists. 
    Does the Secret Key that 1Password utilizes for online accounts count as "a thing you know" to you? It's certainly "a thing I have" but I absolutely don't know it. As it's explained in their blog post, just having the user's URL, name, and password will not grant you access if you were to somehow hack into 1Password's server to steal their users's private values.

    https://blog.1password.com/what-the-secret-key-does/
    Cloud-based storage is the most effective way to share the database across devices but not all security is created equal. Using a browser-based app just opens up a giant security hole. 1Password gives you the option of keeping your database local and if you do put it in the cloud, they require a unique database key generated by the app to access it in addition to your user name and password.
    Unfortunately, that may change with 1Password 8. I've been using their beta from time-to-time (both the browser extension and macOS app); it doesn't allow for anything other than their cloud-based option via your_name.1password.com.

    I have  family account. I keep my super secret info on a private vault, and then I have several shared vaults which do go through my_name.1password.com. If they don't add this functionality I will not be moving from 1Password 7, or will have to find an alternate password manager solution all together.
  • Reply 10 of 11
    MplsPMplsP Posts: 3,956member
    Xed said:
    MplsP said:
    Xed said:
    This has always been my issue with LastPass and all other online password manager of this nature. The same goes for browser-based vaults that sync between devices, include Apple's iCloud Keychain.

    I can't pimp 1Password enough in this regard.

    Wgkrueger said:
    focher said:
    Hehe....people put their passwords lists in the cloud.....
    Yeah, storing encrypted data on the Internet is crazy stuff. It’s almost like every service on the Internet has to expose encrypted data in databases wrapped in security to actually have anything on the Internet.

    You win Ridiculous Comment of the Day.

    This is most surely someone using leaked account credentials that were reused on LastPass accounts. That’s the mistake some people probably made. Password managers don’t store the master password anywhere. Not the cloud. Not locally. It’s the “thing you know”.
    If the “thing you know” gets out somehow, which is what this article is saying, then having your passwords in the cloud becomes a serious security issue for people owning those lists. 
    Does the Secret Key that 1Password utilizes for online accounts count as "a thing you know" to you? It's certainly "a thing I have" but I absolutely don't know it. As it's explained in their blog post, just having the user's URL, name, and password will not grant you access if you were to somehow hack into 1Password's server to steal their users's private values.

    https://blog.1password.com/what-the-secret-key-does/
    Cloud-based storage is the most effective way to share the database across devices but not all security is created equal. Using a browser-based app just opens up a giant security hole. 1Password gives you the option of keeping your database local and if you do put it in the cloud, they require a unique database key generated by the app to access it in addition to your user name and password.
    Unfortunately, that may change with 1Password 8. I've been using their beta from time-to-time (both the browser extension and macOS app); it doesn't allow for anything other than their cloud-based option via your_name.1password.com.

    I have  family account. I keep my super secret info on a private vault, and then I have several shared vaults which do go through my_name.1password.com. If they don't add this functionality I will not be moving from 1Password 7, or will have to find an alternate password manager solution all together.
    Put me in the same camp. Unfortunately, I’ve found 1Password to be getting rig progressively worse with each new version, hence my trials of dashlane and lastpass. Unfortunately they were even worse. :/
    watto_cobra
  • Reply 11 of 11
    Xed said:
    MplsP said:
    Xed said:
    This has always been my issue with LastPass and all other online password manager of this nature. The same goes for browser-based vaults that sync between devices, include Apple's iCloud Keychain.

    I can't pimp 1Password enough in this regard.

    Wgkrueger said:
    focher said:
    Hehe....people put their passwords lists in the cloud.....
    Yeah, storing encrypted data on the Internet is crazy stuff. It’s almost like every service on the Internet has to expose encrypted data in databases wrapped in security to actually have anything on the Internet.

    You win Ridiculous Comment of the Day.

    This is most surely someone using leaked account credentials that were reused on LastPass accounts. That’s the mistake some people probably made. Password managers don’t store the master password anywhere. Not the cloud. Not locally. It’s the “thing you know”.
    If the “thing you know” gets out somehow, which is what this article is saying, then having your passwords in the cloud becomes a serious security issue for people owning those lists. 
    Does the Secret Key that 1Password utilizes for online accounts count as "a thing you know" to you? It's certainly "a thing I have" but I absolutely don't know it. As it's explained in their blog post, just having the user's URL, name, and password will not grant you access if you were to somehow hack into 1Password's server to steal their users's private values.

    https://blog.1password.com/what-the-secret-key-does/
    Cloud-based storage is the most effective way to share the database across devices but not all security is created equal. Using a browser-based app just opens up a giant security hole. 1Password gives you the option of keeping your database local and if you do put it in the cloud, they require a unique database key generated by the app to access it in addition to your user name and password.
    Unfortunately, that may change with 1Password 8. I've been using their beta from time-to-time (both the browser extension and macOS app); it doesn't allow for anything other than their cloud-based option via your_name.1password.com.

    I have  family account. I keep my super secret info on a private vault, and then I have several shared vaults which do go through my_name.1password.com. If they don't add this functionality I will not be moving from 1Password 7, or will have to find an alternate password manager solution all together.
    I asked them about this and other changes coming to the platform, and got a very detailed response, FYI:

    Hello —,

    This is a long read but it directly addresses our security. Thankfully, we've designed 1Password so that what happened to T-Mobile isn't even possible with 1Password.

    Whether you use Dropbox, iCloud or 1Password membership severs, the way 1Password stores your data is, on a very basic level, the same. Each device you use retains a copy of your data for offline access and the server (Dropbox, iCloud or 1Password) simply acts as a location to create an off device backup and multiple device sync point.

    The difference is the Secret Key. Dropbox & iCloud servers were never designed with how 1Password (or any password manager really) uses them in mind, so compromises had to be made in order to get 1Password to work with them. For example, the data you backup to Dropbox or iCloud is only encrypted by your password. Passwords have one huge flaw, they need to be memorable and as a result, A.I. programs can be made that can guess your password pretty quickly. That means if someone were able to gain access to your Dropbox of iCloud account, they could download a copy of your 1Password vault and potentially use a password cracker to unlock your vault and view your data.

    1Password ensures this can't happen with member accounts because we use a combination of a Secret Key, Secure Remote Password protocols and custom AWS servers: https://aws.amazon.com

    AWS is used by multiple organizations world wide including iCloud (yes, that iCloud), Netflix, Facebook, Twitter and even NASA so their security and uptime reliability is as robust as it comes. However, we worked directly with AWS to configure our servers so they can interface with our clients in an even more secure manner.

    Through the use of Secure Remote Password, your account password and Secret Key are used to generate a new key, entirely separate from the one that encrypts your data. 1Password on your device sends the 1Password server a series of puzzles. Once solved, these prove to the server that you know your Master Password and Secret Key without having to share them. These puzzles are different every time the app connects to the server so they can never be replicated by an outside observer. And this is only for the transfer (upload and download) of your data, the actual encryption and decryption is done on your devices only and unlike an account password, the Secret Key can't be randomly guessed.

    Secret Keys are a unique AES-128bit code created on your device during registration. With the right quantum computer, an AES-128 code would take about 2.61*10^12 years to crack. For reference, the universe is currently about 1.38x10^10 years old, so cracking AES-128 with a quantum computer would take about 200 times longer than the universe has existed.

    "But Sony, Dropbox, iCloud, LastPass have been "hacked"."
    In each case, the encryption they used was never cracked. The same goes for T-Mobile. What happened was that the hacker got lucky and stumbled upon a valid network login or weakness that gave them access to client data or in the case of iCloud, used "social engineering" tactics to gather enough personal information (meta data) to be able to successfully impersonate individual users and gain access to their data on an account by account basis.

    Outside of your name & email address, 1Password has gone out of our way to limit the amount of unencrypted metadata we hold. We don't know your address, phone number or any other identifying information. We also cannot learn which websites you have logins for, nor do we know when you use them. This is part of our Privacy By Design approach. We cannot lose, use, or abuse data we never get in the first place. While we work very hard to make sure our systems won’t be compromised, we’ve designed 1Password so you and your data remain secure and private even if they are.

    If you have any other questions or require further assistance, please feel free to reply directly to this email.

    Best regards,

    Jason K
    Client Support Cyborg @ 1Password
    https://support.1password.com/

    I went ahead and moved my stuff from iCloud synced db to their cloud vault.
    MplsPmuthuk_vanalingam
Sign In or Register to comment.