LastPass Data Breach

[The_Chief]

I agree - a determined attack will get in. The critical failure of the LastPass breach wasn't that they were breached: it's that it took so long to discover it. Intrusion detection should be in real time... not discovering that someone got deep into the system weeks after it happened.

 

[The_Chief]

UPDATE:

After reading more about the data breach and how casual LastPass has been about it, I sent this email to LastPass Support:

"My Darling Bride and I request a refund of our renewal fee from November 19, 2022. We have both logged out of our LastPass Families accounts and uninstalled LastPass from all our devices.

Our LastPass Families subscription renewed automatically on November 19, 2022. It was not until a month later that LastPass disclosed the extent of two data breaches: including access and compromise of users' vaults and unencrypted URLs. Had we known the seriousness of the breaches; that LastPass stored users' IP data in unencrypted form; and that LastPass failed to quickly detect and isolate the initial breach in August that led to the second breach, we would never have renewed.

LastPass can argue that its suggested "best practices" should protect users, such as the 100,100 iterations of the PBKDF2 algorithm... but LastPass' default setting for that is only 5000 iterations! Because of LastPass' seemingly cavalier manner the way it handles security, and the deceptive and long-delayed communications we users have received about the gravity of this compromise, we have zero confidence in LastPass as a secure data management tool.

Thank you for processing our refund to the original method of payment. We wish you all well."


Now we'll see if they honor the request. If not, I may pursue a class action on behalf of users whose accounts automatically renewed in the time between the August 2022 breach and the December 22, 2022 disclosure.

(BTW Dashlane is serving us very well so far. The desktop browser extension is especially helpful in changing passwords, as it will enter the existing password and then generate a new, computer-randomized password using the length, and type of characters, I can set.)

ANOTHER UPDATE:

LastPass referred me to the terms and conditions, stating that the 30 days were past and they would not issue a refund. So, I've requested a class action on behalf of premium users whose accounts renewed between the August breach and the December disclosure; who are outside the refund window and would never have renewed had they been made aware of the extent of the breach.

 

[The_Chief]

It's March 2023 and LastPass has just now sent out a Security Bulletin suggesting how users might better secure their accounts. This regards the second breach on October 26, 2022, in which employee credentials stolen in August were used to access customer vaults, unencrypted URLs, and a host of proprietary data.

In part, the bulletin states that in January 2023, the Open Web Application Security Project (OWASP) increased its recommended number of Password Based Key Derivation Function (PBKDF2) iterations from 100,100 to 600,000. Even though LastPass offered users the maximum 100,100 iterations and recommended users set their password settings to that value, the default LastPass setting was only 5,000 iterations! LastPass now uses 600,000 iterations as the default: but it's too little, too late! LastPass should have always used the maximum value as default, not some pathetically low number and leave it to users to increase security.

In fact, this is probably the first time LastPass has ever rapidly increased security in response to recommendations by the online security community. After experiencing at least 8 breaches in the last decade, you'd think LastPass would already have strong security protocols. They don't. LastPass should have detected and stopped the intrusion in August in real time, while it was happening. They didn't. In fact, they didn't even notice it had happened until after the October event. Whatever security measures users had in late October is what hackers have to break.

Dashlane, on the other hand, has never been breached, and they are proactively working on passkeys to eliminate the need for usernames and passwords. Hopefully @Dannydet the era of usernames and passwords will end in the next year or two.

 

[The_Chief]

LastPass senior engineers didn't use MFA on their accounts???

GoTo, "the company behind the LastPass Password manager has revealed a second attack on user data that involved the hackers using information stolen in the first LastPass attack, information obtained from a third-party site, and a vulnerability in software installed on the computer of a LastPass engineer to once again breach the company security.

According to the company, "Our investigation has revealed that the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022 to October 26, 2022."

The hacker made off with credentials belonging to a senior DevOps engineer to access a shared cloud-storage environment, and the security at the company couldn't distinguish between the hacker's activity and legitimate activity from the engineer.

Since the hackers needed top-level clearance, they specifically targeted the home computer of a top-level engineer and exploited a flaw in software on that computer. That allowed them to implant keylogger malware that tracked the employee's every keystroke and eventually revealed critical usernames and passwords.

The company says it has improved the home network security of employees and added additional multi-factor authentication steps to make it more difficult for hackers to breach their security."

 

[The_Chief]

EPILOGUE:

I received an email this morning, informing me of our automatic renewal with LastPass families. I could have sworn I turned off auto-renew... but I logged in (for the first time in nearly a year) to find that it was set to auto-renew. No problem... I responded by turning off auto-renew and then DELETING the account. Of course, I was prompted to tell LastPass why I was leaving them - and I didn't hold back. I let them have it, telling them about their slow response to the breech; the cavalier attitude toward security; and that the company could shut down forever and the only people who would miss it are hackers and scammers.

Then after a half-dozen warnings of "this cannot be reversed!" and "once you delete, your data is lost forever! Are you really, really sure you want to do this???", I finally got to the for-real, for-keeps, forever deletion button and dispatched LastPass with majestic heavenly force.

GOOD RIDDANCE!