科技回声 (Tech Echo)

A tech news platform built on Next.js, offering global tech news and discussion content.

Resource links: HackerNews API, the original Hacker News, Next.js

© 2025 科技回声. All rights reserved.
LastPass users warned their master passwords are compromised

559 points, by markplindsay, over 3 years ago

44 comments

smegsicle (over 3 years ago)
related: Ask HN: How did my LastPass master password get leaked? https://news.ycombinator.com/item?id=29705957
wepple (over 3 years ago)
LastPass has had a history of security incidents (no company can completely avoid incidents, but if security is literally a primary part of your value, you shouldn't be having so many).

Even worse, they have a history of doing hand-wavy corporate non-explanations for what actually happened in these incidents. The antithesis of being responsible and respecting users in the modern day.
gkoberger (over 3 years ago)
This is framed so negatively toward LastPass, which is unfortunate. They stopped all usage of correct passwords they believed were compromised, which is exactly what I'd want them to do in this situation. Them warning users their master passwords are compromised is a good thing! Yet it's framed as though they're admitting to something.

"However, users receiving these warnings have stated that their passwords are unique to LastPass and not used elsewhere." That's really hard to verify. I think most users would say that rather than admit they re-used passwords (or used similar passwords that were easy to reverse engineer). Since there only seem to be 2-3 reports of this, and they're self-reported and not cited, it doesn't seem like LastPass was compromised.

I'm not saying I like LastPass (I use 1Password and find LastPass to be much worse), but I haven't seen any indication at this point that LastPass has been compromised at all.

(To be clear, it's very possible I'm wrong and this message won't age well. But so far, it seems like LastPass is doing its job, and I'd want to see more than this before jumping on the blame-LastPass bandwagon.)
gregsadetsky (over 3 years ago)
Hey, I'm the OP from yesterday's story.

A few people and I are trying to chase down which software in common could have resulted in our passwords being stolen.

The most egregious and hard-to-understand related cases (now 3!): https://twitter.com/Valcristerra/status/1475734357805572098

"Someone tried my @LastPass master password earlier yesterday [Dec 27] and then someone just tried it again a few hours ago after I changed it. What the hell is going on?"

https://twitter.com/shift_plusone/status/1475959354742525956

"Exactly the same thing happened to me last night. They tried again literally minutes after I changed the password to something not used on any other form."

https://twitter.com/Pablohere/status/1475966760130125828

"I had this same thing happen to me. Saw attempts yesterday, changed password last night to random generated pass from pass utility and had attempts today again from different countries."

---

I saw a few mentions of uBlock origin in yesterday's thread. I definitely might have used it in 2017 (the last time when my compromised LastPass password was used).

Could people that received the "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email please reply and confirm whether or not they have the uBlock origin extension installed?

The other alternative is for the LastPass extension itself to have been compromised (and to still be..?). There are other alternatives as well (some clipboard sniffing malware for example).

Let's try to rule out uBlock if possible. Thanks!
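The signal the comment above is chasing (the correct master password presented again from an unrecognized device minutes after it was rotated) is something you can check mechanically if you have a login log. The following is an added example, not code from the article, from LastPass, or from the commenter; the log format, field names and the sample lines are constructed for illustration and do not reflect LastPass's real audit export. The point of the triage is the ordering: a correct password from an unknown device after a rotation cannot be explained by a replayed old leak, so the hypothesis shifts from "leaked/reused" to "something on the user's side is capturing the new one".

```python
"""Triage of 'someone used your master password' alerts over a login log.

Added example (not from the page). Log format and fields are assumptions;
the sample log at the bottom is constructed, not real data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Event:
    ts: datetime
    kind: str                          # "login" or "password_change"
    ip: str = ""
    country: str = ""
    correct_pw: Optional[bool] = None  # None for non-login events
    known_device: bool = True


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<iso-time> <kind> key=value ...'."""
    ts_s, kind, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Event(
        ts=datetime.fromisoformat(ts_s),
        kind=kind,
        ip=fields.get("ip", ""),
        country=fields.get("country", ""),
        correct_pw=(fields.get("pw") == "ok") if kind == "login" else None,
        known_device=fields.get("device", "known") == "known",
    )


def triage(lines: List[str], window: timedelta = timedelta(hours=24)) -> dict:
    """Classify the log; returns counts plus a verdict string."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    changes = [e.ts for e in events if e.kind == "password_change"]
    last_change = max(changes) if changes else None
    logins = [e for e in events if e.kind == "login"]

    wrong = [e for e in logins if not e.correct_pw]
    correct_unknown = [e for e in logins if e.correct_pw and not e.known_device]
    # Correct password from an unknown device *after* the rotation, within the
    # window: the attacker knows the new password, so an old leak can't explain it.
    after_change = [
        e for e in correct_unknown
        if last_change is not None and last_change < e.ts <= last_change + window
    ]

    if after_change:
        verdict = "ACTIVE_INTERCEPTION_SUSPECTED"  # look at the endpoint: extension, clipboard, malware
    elif correct_unknown:
        verdict = "LEAKED_OR_REUSED_PASSWORD"      # rotate, enable MFA, review sessions
    elif len(wrong) >= 3 and len({e.ip for e in wrong}) >= 3:
        verdict = "CREDENTIAL_STUFFING_NOISE"      # wrong passwords from many sources
    else:
        verdict = "NOTHING_UNUSUAL"

    return {
        "wrong_attempts": len(wrong),
        "correct_pw_unknown_device": len(correct_unknown),
        "correct_new_pw_after_change": [(e.ts.isoformat(), e.ip, e.country) for e in after_change],
        "verdict": verdict,
    }


# Constructed sample log (not real LastPass data): one correct-password hit
# before the rotation, the rotation, then another correct-password hit six
# minutes later from a different country.
SAMPLE_LOG = """
2021-12-27T09:14:02 login ip=203.0.113.7 country=BR pw=ok device=unknown
2021-12-27T09:20:41 login ip=198.51.100.23 country=US pw=bad device=unknown
2021-12-27T21:05:00 password_change
2021-12-27T21:11:37 login ip=192.0.2.88 country=IN pw=ok device=unknown
2021-12-28T02:30:12 login ip=203.0.113.9 country=DE pw=bad device=unknown
""".strip().splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample log the verdict is ACTIVE_INTERCEPTION_SUSPECTED because of the 21:11:37 hit. Two caveats: a provider's alert may itself be mis-triggered (see the LastPass blog post quoted further down the thread), and "correct password" in the log has to mean the server accepted the password, not merely that an attempt happened, or the whole distinction collapses.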
bryan0 (over 3 years ago)
> Some customers have also reported changing their master passwords since they received the login warning, only to receive another alert after the password was changed.

Must be a compromised browser extension at this point.

> To make things even worse, customers who tried disabling and deleting their LastPass accounts after receiving these warnings also report [1, 2] receiving "Something went wrong: A" errors after clicking the "Delete" button.

Is there anything more infuriating than this type of error message?
twostorytower (over 3 years ago)
Highly recommend 1Password with Yubikey/TitanKey protection. This means even if somebody had your master password and private key, they'd need a Yubikey to access your 1Password account from a new device. It's pretty much fool-proof unless you're kidnapped and held hostage.
miketery (over 3 years ago)
A user posted this comment then deleted it. Is this true? If so, JFC.

> Take this with a grain of salt.
>
> LogMeIn, the owners of LastPass, had a Chinese APT group in their servers for years. They only found out because the attackers started launching unoptimised SQL queries that started killing their database cluster. They didn't have to report this breach, despite being based in Germany where it's a legal requirement, because they didn't have proof customer data was accessed. They didn't have proof because they didn't have any logging or auditing. Whatsoever.
LookAtThatBacon (over 3 years ago)
Reminder to everyone that one of the private equity firms that acquired LogMeIn and took it private, Francisco Partners, holds a majority stake in NSO Group, an Israeli spyware developer.
tgsovlerkhgsel (over 3 years ago)
They claim it's credential stuffing, but there are plenty of people on the HN thread (https://news.ycombinator.com/item?id=29705957) claiming to have used a unique password.

Does LastPass/LogMeIn have a history of lying about/downplaying security incidents? I only remember a controversial (and to my knowledge unresolved) issue at TeamViewer (where the company claimed no compromise but due to the number of reports there were doubts about that claim).
civilized (over 3 years ago)
Confession: I store all my passwords in a plaintext file on my local desktop.

I'm sure some people will look at me very funny for doing this, but it seems to me that I have both fewer hassles logging in and fewer breaches than people using more "secure" methods (like handing your passwords over to LastPass's mystery Chrome extension).

Think about today's threat landscape and tell me I'm wrong. I may not be more secure in every possible situation, but I'm more secure in the situations that cause the vast majority of breaches today.
simpleguitar (over 3 years ago)
LastPass's statement via HowToGeek: https://www.howtogeek.com/776450/lastpass-says-it-didnt-leak-your-master-password/
SCLeo (over 3 years ago)
To those who are recommending all different password managers, I have a question: why not use Chrome's (or Firefox/Edge/<any other browser>'s) built-in password manager?

I have been using it for a couple of years and haven't noticed any issue. Even if Google decides to screw me over and terminates my Google account, I can still access the passwords via the local copy in Chrome, so that is not really a concern.

(Though, don't take this as my recommendation to use Google's password manager. I have not done enough research in the password manager landscape, which is why I am asking this question in the first place.)

EDIT: also include other browsers' password managers. (It appears that it is a mistake to mention anything Google on HN :/)
jeffrallen (over 3 years ago)
Several years ago, I chose LastPass, bought it, and did all the setup. Then they were acquired by someone I didn't trust, so I immediately switched to 1Password, and never regretted it for a second. If 1Password sold out, I'd switch again, in a second.
cgb223 (over 3 years ago)
> However, users receiving these warnings have stated that their passwords are unique to LastPass and not used elsewhere.

So it's not just bots trying passwords from other database leaks.

The whole premise of LastPass is that they can't even decrypt your master password. It's pretty concerning that this is happening.

If hackers can get your master password, then _all_ of your passwords are at risk.
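"They can't even decrypt your master password" is a statement about key derivation, and it pays to see exactly what the server holds and what it doesn't. The block below is an added example of the general client-side-encryption design, not LastPass's code and not its exact parameters (the salt choice, iteration counts and the extra derivation round are assumptions). The client turns the master password into two values: a vault key that never leaves the device, and an authentication token the server can check. The server keeps only a salted hash of the token. A server breach therefore yields neither the password nor the vault key; an attacker who already has the master password, which is the credential-stuffing case, derives both, which is the comment's last point.

```python
"""Zero-knowledge login: what the server stores versus what it never sees.

Added example (not from the page, not LastPass's scheme). Iteration counts,
salt choice and the extra round are assumptions following the common design.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple

CLIENT_ITERATIONS = 100_000  # assumption; tune for client hardware
SERVER_ITERATIONS = 100_000  # assumption; server-side slow hash of the token


def client_derive(master: str, email: str,
                  iterations: int = CLIENT_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (vault_key, auth_token). Only auth_token is ever sent."""
    email_norm = email.strip().lower().encode()   # account identifier as salt
    vault_key = hashlib.pbkdf2_hmac("sha256", master.encode(), email_norm,
                                    iterations, dklen=32)
    # One extra one-way step: the token is derived *from* the vault key, so
    # holding the token does not let anyone recover the key.
    auth_token = hashlib.pbkdf2_hmac("sha256", vault_key, master.encode(),
                                     1, dklen=32)
    return vault_key, auth_token


def server_enroll(auth_token: bytes,
                  iterations: int = SERVER_ITERATIONS) -> Dict[str, bytes]:
    """Store a salted, slow hash of the token: never the token, never the key."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_token, salt, iterations, dklen=32)
    return {"salt": salt, "verifier": verifier}


def server_verify(record: Dict[str, bytes], auth_token: bytes,
                  iterations: int = SERVER_ITERATIONS) -> bool:
    """Constant-time check of a presented token against the stored verifier."""
    cand = hashlib.pbkdf2_hmac("sha256", auth_token, record["salt"], iterations, dklen=32)
    return hmac.compare_digest(cand, record["verifier"])


def login(record: Dict[str, bytes], master: str, email: str) -> Tuple[bool, bytes]:
    """Client login: derive, authenticate, and keep the vault key only on success."""
    vault_key, token = client_derive(master, email)
    ok = server_verify(record, token)
    return ok, (vault_key if ok else b"")


if __name__ == "__main__":
    vk, tok = client_derive("correct horse battery staple", "user@example.com")
    rec = server_enroll(tok)
    print("server record holds key?", vk in rec.values(), "token?", tok in rec.values())
    print("login ok:", login(rec, "correct horse battery staple", "user@example.com")[0])
```

Note what this does and does not protect against: the record on the server is useless without an offline guess at the master password, but nothing here stops someone who already knows that password. That is exactly why the thread keeps coming back to a second factor that is not derived from it.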
circa (over 3 years ago)
Hate to hear this, but I'm glad I bailed when LogMeIn bought them years ago.
rtomanek (over 3 years ago)
If you decide it's time to switch, consider switching to Keepass(-compatible software), with the DB file hosted via WebDAV (which you can either self-host or have hosted by a multitude of low-cost providers).

This will give you nice conflict resolution if accessing (modifying) the file from multiple machines.

There are clients available for all platforms. I use: Keepass (Windows), Macpass/Keeweb/Strongbox (MacOS), StrongBox (iPad) and Keepass2Android (Android, this one's fantastic!).
JadoJodo (over 3 years ago)
I left after the 2011 incident. Amazing, they've had so many since.

https://en.wikipedia.org/wiki/LastPass#Security_issues
bugstomper (over 3 years ago)
LastPass posted on their blog on Dec 28 that they identified a problem causing those emails to be incorrectly triggered:

https://blog.lastpass.com/2021/12/unusual-attempted-login-activity-how-lastpass-protects-you/

"However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert emails to be triggered from our systems. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved."
rpastuszak (over 3 years ago)
Protip: even if you don't use LastPass any more, check if you deleted your account when leaving the service.
metabagel (over 3 years ago)
For what it's worth, I haven't received a notification of an attempt to log in to my LastPass account. My LastPass password is horrendous and for sure not used elsewhere, and even if someone does gain access, I don't store passwords to major financial or email accounts in there.
bboygravity (over 3 years ago)
Lots of people here recommending to switch to Keepass.

I have both Keepass and Lastpass, but the reason I didn't do away with Lastpass yet is basically that it seems to me that Keepass can't do proper form-filling like Lastpass can? I'm talking about: auto filling custom configurable fields, addresses, credit cards, etc.

Am I missing something, some addon/extension?

My current Keepass setup:

Keepass 2 with Keeweb for filling passwords in Firefox on PC and KeePassDX for filling passwords on Android. All Keepass DB files are synced using Syncthing, which works fine.
fxtentacle (over 3 years ago)
I use keepassxc.org in Dropbox.

It's encrypted on my computer by Open Source software that I can trust. I used to use LastPass, but it was clearly a sinking ship ever since it was bought by LogMeIn.
errcorrectcode (over 3 years ago)
KeePass or PasswordSafe, and some means of synchronization.

None of these opaque, closed-source "cloud" password managers. Because if you don't control your secrets, then you don't have anything. I don't care if it's a zero-knowledge construction approved by Big Name Cryptography Guy or best intentioned founders since depending on a single service that could potentially hold your secrets hostage, expose them, or forget them would be insane.

The end.
koprulusector (over 3 years ago)
I use LastPass - have been using it for years, and I'm pretty happy with it. I'm even happier now that they're going to be an independent company, no longer owned by "LogMeIn123" lol. But incidents like this don't bother me, because I require yubikey MFA. In fact, password breaches rarely bother me anymore, unless there's a rare case where I have an account on a site that doesn't allow me to use MFA.
benbristow (over 3 years ago)
Not good news - I use Bitwarden, not LastPass, but if you're using a password manager make sure to use 2 factor authentication and this really wouldn't be an issue in the first place.

I have my TOTP codes stored in Bitwarden for other services like Facebook etc, but I use Authy as an independent TOTP provider for Bitwarden. 1.5 factor I guess (2FA tokens in a password manager), but works a treat and is very convenient!
racl101 (over 3 years ago)
This is why I never liked that 1Password started moving to a cloud based, subscription model.

I hate that they try so hard to hide the standalone version for which you just paid a fixed price. That's the only way that I still use 1Password.

Yes, there's not much redundancy or convenience without the cloud, especially if your computer's hard drive becomes damaged, but if I lose my master password at least it's on me.
hn_throwaway_99 (over 3 years ago)
Related question: I find it incredibly stupid that LastPass makes it so difficult to see your complete account login history. The "View Account History" table is beyond awful - beyond making it impossible to filter for, for example, failed login attempts, it is limited to 1 page *and doesn't let you paginate*, at least in my browser. Am I missing something?
latortuga (over 3 years ago)
This has to be a security issue with LastPass, right? Something like an as-yet unidentified usage of Log4j.

> Some customers have also reported changing their master passwords since they received the login warning, only to receive another alert after the password was changed.

This sounds to me like either a widely-compromised browser extension (LP itself?) or LP infrastructure.
llbeansandrice (over 3 years ago)
I jumped ship from LastPass when they changed their subscription model so that I'd be paying for features that had previously been free. I'm now using Bitwarden for personal use and 1Password for work and I'm a fan.

I previously tried offline password managers but syncing the files between devices and such was a huge pain.
umvi (over 3 years ago)
Algorithmic passwords. Come up with an algorithm a(website, rules) that you can remember and that generates unique passwords per website. Store the rules (length restrictions, special character restrictions, number of times the password has changed, etc) in a google doc or something. Print out your algorithm on a physical piece of paper and put it in a safe place for after you die and people need to access your accounts. People always poop on algorithmic passwords, but so far no one has hacked my brain and gotten the algorithm, unlike all these other cloud-based password managers that keep getting compromised.

Plus, if my phone or my yubikey or whatever is stolen in a foreign country I'm not SoL because the algorithm is in my brain and the rules are public knowledge.
brendoelfrendo (over 3 years ago)
Just a heads up: the article mentions that people were reporting a "Something went wrong: A" error after trying to delete their account. I got that error but my email address no longer works to log in to LastPass, so I think the account deletion went through anyway. I haven't used LastPass in several years, anyway, so no loss.

For what it's worth, I got an unidentified login email today with an IP in Canada. I didn't see that login attempt in my LastPass access logs, however, so I don't know for sure if they used the correct master password. I did check, and it said that my master password was last set in 2015, so it's possible I was impacted in an older breach.
ThalesX (over 3 years ago)
I was considering some options to store passwords for both myself and my customers and LastPass was one of the candidates. After thinking about it, I went with Keepass and a single file that is stored on my cloud account. It's working great to be honest and at least I can keep track of my security chain.
DantesKite (over 3 years ago)
Why I just use Apple's password manager system. But it also involves completely investing into the Apple ecosystem so I understand why that's not an option for some.

I just enjoy how easy generating new passwords is. Still has some work to do, but they're definitely on the right track.
_wldu (over 3 years ago)
Blog post about the design flaws of password managers:

https://www.go350.com/posts/the-design-flaws-of-password-managers/
Ikatza (over 3 years ago)
This is why I insist on having a standalone password manager, and I refuse to switch to 1Password's cloud solution. I'll sync my master file myself and keep my master password in my head, thank you very much.
gravypod (over 3 years ago)
Is there anything like lastpass that has TOTP + password remote backup that has a chrome plugin and an android application? I'm getting to the point where I'd love to switch off.
Krasnol (over 3 years ago)
Let this be your Last non-selfhosted Pass solution.
jooz (over 3 years ago)
When using my password manager, I often provide only the password, not the user. In case of a data breach they cannot be exploited.
beckman466 (over 3 years ago)
> LastPass

so they basically have to change their name now, right?

sounds like a broken promise otherwise.
strenholme (over 3 years ago)
This is why I rolled my own cryptography to generate random passwords for each site I use.

There is a tradition here that we tell programmers they must never write cryptographic code, that they will screw it up, and so on. To which I say: Yes, I agree that writing crypto code if you don't know what you are doing can cause problems. It should not be done unless you know what you are doing; if you think using MD5 in any cryptographic context is secure, you don't know what you are doing and shouldn't be writing code using crypto.

If one wishes to write crypto code, the first thing is to realize that it's very important to choose an algorithm wisely. Use one which has been made by an esteemed cryptographer, has been released to the academic cryptographic community, and has not been broken by said community.

Never try to make your own algorithm. Unless you know the difference between differential cryptanalysis and linear cryptanalysis, you have no business making your own algorithm. Even if you do, you have no business making your own algorithm and using it in production without releasing it to the academic cryptographic community so they can analyze it and see if it's broken in some way you didn't see.

It's not just algorithms. It's how to use an algorithm. If you don't understand why it's a bad idea to use a block cipher in ECB mode, then you probably shouldn't be writing code that uses a block cipher in live production.

I would not have anyone write crypto code for production use unless they have read Applied Cryptography cover to cover; while somewhat dated (it came out before AES, MD5 getting broken, SHA-3, or post-quantum crypto) it is an excellent introduction to the basics.

That said, I have written my own password generator. I have read Applied Cryptography. I know MD5 is broken. I know to random pad plaintext before encrypting it with RSA. I know not to use a block cipher in ECB mode. I have written cryptographic code used in production and it hasn't ever been shown to be weak or broken; I have revised the code when purely academic attacks have been made against it: I started transitioning from AES to RadioGatún[32] back in 2007 because, while purely academic, I felt the cache timing attacks made it too insecure for me to continue using it in production code.

My password generator takes a master password, and it appends to that master password the name of the site I am visiting, then runs it through a strong cryptographic hash (RadioGatún[32], for the record, which has been around for over 15 years and remains unbroken) for over 500,000 rounds, to generate a secure password. Since it's not an online service, there is no point of failure where hackers could get in to the online site; since it's not a browser plugin, there is no point of failure where a browser security hole or a Javascript hack can get at my master password.

The code is open source and available here: https://github.com/samboy/PassGen/
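Two comments in this thread (umvi's algorithmic passwords with public per-site rules, and strenholme's generator just above) describe the same stateless design: master secret plus site name, pushed through a slow hash, encoded into a password. The block below is an added example of that design written for this page; it is not the PassGen code linked above and not umvi's algorithm. One substitution is labelled: RadioGatún[32] is not in the Python standard library, so the slow step here is PBKDF2-HMAC-SHA256 from hashlib, with the same "many rounds" intent. The rules table (length, accepted charset, rotation counter) stands in for the "rules stored in a doc" and its entries are constructed. The part people usually get wrong is the last step: mapping hash bytes onto the alphabet with a plain modulo biases the output toward the first characters, so the example uses rejection sampling over an HMAC counter-mode keystream.

```python
"""Stateless per-site password derivation from a master secret plus public rules.

Added example (not from the page, not PassGen). Slow step: PBKDF2-HMAC-SHA256,
standing in for the RadioGatun[32] construction described in the comment.
"""
import hashlib
import hmac
import string
from typing import Dict, Iterator

ALPHABETS = {
    "alnum": string.ascii_letters + string.digits,
    "alnum_symbols": string.ascii_letters + string.digits + "!@#$%^&*()-_=+",
}

# Public, non-secret rules per site (constructed): the length and charset the
# site accepts, and a counter bumped each time the password has to be rotated.
RULES: Dict[str, dict] = {
    "example.com": {"length": 24, "alphabet": "alnum_symbols", "counter": 0},
    "bank.example": {"length": 16, "alphabet": "alnum", "counter": 2},
}


def _keystream(key: bytes) -> Iterator[int]:
    """Expand a derived key into an unbounded byte stream (HMAC in counter mode)."""
    i = 0
    while True:
        yield from hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1


def derive_site_password(master: str, site: str, length: int = 20,
                         alphabet: str = "alnum_symbols", counter: int = 0,
                         iterations: int = 500_000) -> str:
    """Derive the password for `site` from `master`; same inputs give the same output."""
    if length < 8:
        raise ValueError("refusing to derive passwords shorter than 8 characters")
    chars = ALPHABETS[alphabet]
    # Site name and rotation counter act as the salt; normalising the site name
    # keeps 'Example.com' and 'example.com' from producing different passwords.
    salt = f"{site.strip().lower()}|{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    # Rejection sampling keeps the character distribution uniform; byte % len(chars)
    # alone would favour the first (256 % len(chars)) characters of the alphabet.
    limit = 256 - (256 % len(chars))
    out = []
    for b in _keystream(key):
        if b < limit:
            out.append(chars[b % len(chars)])
            if len(out) == length:
                break
    return "".join(out)


def password_for(master: str, site: str, rules: Dict[str, dict] = RULES,
                 iterations: int = 500_000) -> str:
    """Look up the site's public rules and derive under them."""
    r = rules[site]
    return derive_site_password(master, site, r["length"], r["alphabet"],
                                r["counter"], iterations)


if __name__ == "__main__":
    for site in RULES:
        print(site, password_for("correct horse battery staple", site))
```

The trade-off both commenters accept is worth stating plainly: there is no vault to steal, but there is also nothing to revoke. One master-password compromise yields every site password at once (the attacker needs only the public rules), rotation is a counter bump that you must remember, and passwords the site hands you rather than lets you choose have to be kept somewhere else anyway.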
sdan (over 3 years ago)
obligatory: I use passwordstore.org by Jason A. Donenfeld and it's local, relatively easy to use, works with git, and free. Too niche for hackers to take interest I hope.
Schnurpel (over 3 years ago)
Get Keepass. Put it on a USB stick.
_dain_ (over 3 years ago)
A spokesman said, "This is the one thing we didn't want to happen."
afrcnc (over 3 years ago)
dupe: https://news.ycombinator.com/item?id=29705957