<i>Hackers stole...</i><p>Often when these things happen, the reports make it sound like some amazing feat of technical engineering. But...<p><i>> LastPass CEO Karim Toubba said the intruders took a copy of a backup of customer vault data by using cloud storage keys stolen from a LastPass employee.</i><p>Ah, there you have it, the good ol' careless human vulnerability! I understand such breaches from ordinary companies, with employees roaming around coffee shops with their work laptops full of these keys, nicely shielded from the world with unbreakable secrets like "Password1", but I'm baffled that security-focused ones would also be caught with their pants down like this. Keys stolen from an employee? How? Were they mugged? Why didn't they think this was a possibility? Their entire business revolves around them being ten times as paranoid about this sort of thing as the rest of us.
LastPass gets hacked so often that I'm not surprised. I stopped using them about three years ago and I'm happy that I did.<p>I just don't understand how they can be so consistently bad at this when they are a <i>security</i> company. I can understand why "Farmer Joe's Potatoes" gets hacked, but LastPass? Bruh.
Just checked my LastPass account, I never store any passwords in there that are too important given the multiple breaches they've had. I did however notice that my HN password was in there. I've changed it to be on the safe side, but is it not about time we got 2FA on here?
LastPass is disingenuous with their security notice blog post to save their own skin: SENSITIVE INFORMATION IS LEAKED. The "threat actor" (and anyone else the info is shared with on the hacker forums) now has copies of:<p>- Customer names / company names<p>- Email address of the main LastPass account<p>- Billing address<p>- Telephone numbers<p>- IP addresses (from where customers accessed the service)<p><i>Unencrypted fields</i> in the password vault include:<p>- *Website URLs* saved in LastPass vaults<p>- Password creation time<p>- Last password modification time<p>- Last password access time (great to guess which accounts might be used more often!)<p>- Whether you added this account to favorites<p>- Whether or not the password was auto-generated (great to figure out which passwords might be more vulnerable!) ... and a lot more, which might contain a good amount of data about your usage habits as they concern specific sites (e.g. whether you enabled auto-logon)<p>- <i>Encrypted vaults</i> secured only by the master password at the time of backup. Weak master passwords are probably readily crackable with current password hashing/guessing techniques. For stronger passwords it is only a matter of time until hardware becomes powerful enough. See [/u/dschwarz's post on brute-force time estimates for your password](<a href="https://www.reddit.com/r/Lastpass/comments/zt6h1t/zxcvbn_can_help_you_estimate_how_long_itll_take/" rel="nofollow">https://www.reddit.com/r/Lastpass/comments/zt6h1t/zxcvbn_can...</a>).<p>I also have a bone to pick with LastPass communication here:<p>- LastPass lied in their marketing about Zero Knowledge vaults: website URLs are UNENCRYPTED; this is sensitive information and exposes you to large-scale automated targeted phishing, doxing, social engineering and blackmail attacks.<p>- LastPass waited 5 MONTHS after the August breach to warn us. They waited until the day before Christmas to announce this, with obfuscating language, to minimize the reach of this bad news.<p>- LastPass is unlikely to survive the litigation, class action lawsuits and customer exodus that will follow. This will result in decreased operational security as whole teams are fired during bankruptcy, processes deteriorate and disgruntled employees head for the door.
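The cracking-time argument in the comment above, as an added example that is not part of the thread and not LastPass's own code: an offline guessing loop against a PBKDF2-HMAC-SHA256-derived vault key, plus the keyspace arithmetic behind brute-force time estimates. The iteration count, salt, key-check construction, wordlist and GPU speed-up factor are all constructed assumptions for illustration, not LastPass's documented values.

```python
"""Offline guessing against a PBKDF2-protected vault key.

Added example, not LastPass code. The iteration count, salt, verifier
construction, wordlist and GPU speed-up are constructed for illustration.
"""
import hashlib
import hmac
import time

# Assumed parameters (not taken from LastPass; substitute your account's own).
ITERATIONS = 100_000           # PBKDF2-HMAC-SHA256 rounds, assumed
SALT = b"user@example.com"     # constructed; many managers salt with the account email
MASTER_PASSWORD = "Password1"  # deliberately weak, as in the thread above


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Vault key = PBKDF2-HMAC-SHA256(master password, salt, iterations)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def key_check(key: bytes) -> bytes:
    """Stand-in for 'decrypt a vault entry and see if it parses': a tag the
    attacker can recompute from the stolen backup. Constructed scheme."""
    return hmac.new(key, b"vault-key-check", "sha256").digest()[:16]


# What the attacker holds after stealing a backup: salt, iteration count and
# a way to recognise the right key, but not the master password itself.
STOLEN_VERIFIER = key_check(derive_key(MASTER_PASSWORD, SALT, ITERATIONS))


def crack(wordlist, salt: bytes, iterations: int, verifier: bytes):
    """Try each guess; return the first whose derived key passes the check."""
    for guess in wordlist:
        candidate = key_check(derive_key(guess, salt, iterations))
        if hmac.compare_digest(candidate, verifier):
            return guess
    return None


def measure_guess_rate(iterations: int, samples: int = 5) -> float:
    """Guesses per second one CPU core manages at this iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"bench{i}", SALT, iterations)
    return samples / (time.perf_counter() - start)


def expected_seconds(guesses_per_second: float, alphabet_size: int, length: int) -> float:
    """Average time to hit a password drawn uniformly from alphabet_size**length:
    half the keyspace at the given guess rate."""
    return (alphabet_size ** length) / 2 / guesses_per_second


def demo() -> dict:
    # Constructed wordlist; a real attacker starts from leaked-password corpora.
    wordlist = ["123456", "letmein", "Password1", "correct horse battery staple"]
    found = crack(wordlist, SALT, ITERATIONS, STOLEN_VERIFIER)
    rate = measure_guess_rate(ITERATIONS)
    gpu_rate = rate * 10_000  # assumed speed-up of a GPU rig over one core, illustrative
    return {
        "cracked": found,
        "core_guesses_per_s": rate,
        "8_lowercase_days_single_core": expected_seconds(rate, 26, 8) / 86400,
        "8_lowercase_days_gpu_rig": expected_seconds(gpu_rate, 26, 8) / 86400,
        "12_mixed_alnum_years_gpu_rig": expected_seconds(gpu_rate, 62, 12) / (86400 * 365),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The cost per guess is the PBKDF2 derivation itself, and the attacker pays it at whatever iteration count the vault had when the backup was taken; raising the count on the live account afterwards does nothing for a copy that has already left the building. The `key_check` tag only stands in for decrypting a vault entry and checking that the plaintext is well formed.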
From the previous article: "Assuming the worst, LastPass has about 33 million customers. GoTo has 66 million customers as of its most recent earnings in June."