Ask HN: How did my LastPass master password get leaked?
I've just had a bizarre thing happen and wanted to see if the HN community could come up with some theories as to what happened.
LastPass blocked a login attempt from Brazil (it wasn't me). According to an email I received from LastPass, this login was using the LastPass account's master password. The email doesn't look like it's a phishing attempt.
What troubles me is that the master password was stored in a local encrypted KeePassX file.
I can imagine that someone has my KeePassX file and the (completely different) password to this file. If that's the case, I'm in a world of hurt.
But are there any other possibilities? Is the email from LastPass accurate i.e. was the login attempt actually using my master password? Is there some LastPass extension installed on some computer still having a valid auth token allowing them to login as me to LastPass..?
I'm really confused, and scared.
Thanks for your help.
P.S. The LastPass account had 2FA set up, but I was able to simply remove it (since I didn't have access to the token anymore). That's scary too -- what's the point of a 2FA you can remove...??
---
Update:
- the email was truly not phishing -- the same information regarding the login attempt appears in my LastPass dashboard. I also talked to LastPass support over the phone, and they confirmed seeing the same information.
- There are 2 separate users in the thread below confirming that the same exact same thing happened to them, from the exact same IP range as me.
Either the 3 of us had the same malware/Chrome extension or somehow had our master passwords compromised...? Or...? Is this a LastPass issue?
528 comments
[ 2.0 ms ] story [ 176 ms ] threadI'd also guess the most plausible situation would be malware on your computer that managed to sniff your credentials in-transit/clipboard/memory/browser/keyboard and exfiltrate it to some shady folks.
Sending emails to support@lastpass.com doesn't work ("This inbox is not monitored") and I have to upgrade my account to contact their support, which I'll do right away.
EDIT: after checking, the login attempt does appear in my Account History (my original email said it didn't -- I wasn't looking in the right place)
Try a bogus attempt yourself with wrong PW, or from a cloud host/vpn/etc to verify the audit log you can access.
Assuming it does list your attempts, then yeah, it would have to be phishing/lp bug.
> Login attempt blocked
> Hello, Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look.
Looks fairly classic. Might want to look at the email headers, to see if it really came from LastPass.
I get about ten of these a day. Some are scarily well-done.
Most are for banks that I don't use, but I also get a lot of attempts to grab my AppleID. My Apple (mac.com) address is an OG address, and has been making the spammer circuit for over a decade. I suspect that I actually get hundreds of spams a day, but Apple is good at nuking most of them, before they reach my inbox.
Do Chrome extensions have access to the file system too? Is there a chance my local KeePassX file has been siphoned off?
Thanks
This of course assumes that it wasn’t really you from an IP that was just misidentified as being from Brazil.
For what it’s worth, I stopped using LastPass after they sold out to LogMeIn and would recommend others stop using it as well.
I hadn't logged into that LastPass account for years, so it's definitely not me who attempted to login earlier.
Re: LastPass, is there another cloud-based tool that's generally considered as more trustworthy? Bitwarden? Thanks
Sure, managing the KeePass files by hand is certainly more cumbersome, but to me it’s worth it for the security/ peace of mind gains. I have never put my DB or key files in the cloud. And when I need to sync them up over all my devices, I gather all the DB files and use the handy ‘merge’ functionality to get them into the same state.
It sounds a bit complicated reading this back, but in reality it's pretty straightforward.
FWIW, I used to run nextcloud on a ec2 instance. Decided to just use dropbox instead. the webdav support on nextcloud was neat with keepass
Not saying Dropbox or lastpass isn’t trustworthy. Just that it’s a point of failure you can eliminate, if the lack of convenience isn’t a huge deal to you.
So yeah, take Lastpass off the list, I don’t trust them :)
The problem is... that LastPass password, the one stored in KeePass, is presumably the one that was leaked.
Which is what is spooking me -- if someone has access to my entire KeePass file, it's game over.
The LastPass account that was almost-breached today uses the "password sharing" functionality to share passwords (to certain sites) with other people in the same org.
I was just explaining that the only reason why I have a LastPass account was to share passwords. (not the master password, obviously -- I was sharing passwords to other sites)
I typically use KeePass for all of my (site) passwords and keepass stores all of this in a local encrypted file.
https://1password.community/discussion/comment/602340/#:~:te...
Left a really bad taste in my mouth. I wouldn't be using them at all if I didn't have to for a client.
Someone received a phishing email from "their bank."
They responded to the email, and got someone on the horn, immediately.
But their bank (the real one), sent them to a horrifying voice jail.
The point was that the crooks gave better customer service than the real bank.
I got an email one day that my new Barclaycard was activated. Called support, and they swore to me it was a phishing email (it was definitely from Barclay's official domain). Would not listen to me at all and kept trying to get me to hang up. I asked if I could tell them the email MessageID and they could verify the authenticity. They said no.
About 10 minutes into trying to convince them it was not a phishing email, I refresh my dashboard and there was a $600 purchase at a Long Island Walmart. That shut them up really quickly and they transferred me to their fraud department who asked me for the MessageID at the bottom of the activation email and confirmed it was real...
I asked if I could set up any additional security, and how could they activate a new credit card? Did they have my online password? Apparently no, you can just call on the phone and activate it, no authentication required. They told me I could set up a "voice password" for my account for all phone support and I did just that.
I called them back 30 minutes later, got through to support to where I could change anything about my account. Asked them if my "Voice Password" was enabled. "Yes it is." "....Okay, no one has asked me for my voice password yet, and here you are about to change my address". They still didn't really understand the seriousness, so I told them "I'm not <my name> I'm a hacker trying to steal his money." and they understood.
The worst part? I couldn't cancel that credit card until they physically sent me one to activate. No way to visit a branch and get one. It ended up getting stolen out of the mail THREE TIMES before they finally sent it with a signature required.
1. BW supports inline Android 11 password fill. I find the UX much better with this feature
2. LP is a bit buggy, particularly on Android
3. LP is slow to add new features
4. I didn't expect this, but I really enjoyed BW's UI
5. On Android, I enjoy the three quick launch buttons they provide
6. LP creates new logins in folders of it's choosing by default. Not a fan
But in general, BW it just "works" better/faster for me
That’s what got me to write and publish this: https://neosmart.net/blog/2017/a-free-lastpass-to-1password-...
EDIT: "or whatever" means I couldn't remember the name of the php forum notorious for its insecurity, I thought it was something like 'bbulletin'. It was phpBB.
According to LastPass, they don't have access to the master password // presumably it's not stored on their side. Is that accurate..?
Thanks
It’s a combination of people being very bad at generating, remembering, and entering passwords plus generally being unwilling to wait minutes or even seconds to generate the hash on their local computer.
I mean, technically this is true, but it's also true if you have the ciphertext of the stored-password database, which is sort of LastPass's entire job. ;)
The only thing that might make it harder to brute force the master password with the latter than with a hashed password database is if the key derivation algorithm differs.
But I think your blanket statement is sort of misleading. In principle, if you trust someone with your encrypted password storage database, you should trust them with a hash of your master password; both serve as brute forcing oracles.
d9afca35a87a2af4168500640fcf2370
Password is 16 characters long, all lower case, no numbers, no special symbols.
Please tell me the password.
I use 64 character passwords, or if there is a length limit, always the longest possible. That’s the beauty of using a password manager :)
Aesop, my author, makes mention of two mice and they were sisters dear 1234567890123456789012345678901234567890123456789012345678901234567890
70 and little effort
Still a no-go for plain old brute forcing all a-z combinations. But, if your password is some combination of actual words, common keyboard sequences, or anything else in a password dictionary, it's cracked pretty quick/cheap.
https://stackoverflow.com/questions/10041298/how-to-recover-...
But can you show me the way how you'd go on about this? Really curious.
https://web.archive.org/web/20150629081250/https://forums.la...
Here's the archived phpBB login page. It asks for your LastPass login and password (not your forum account, your actual LastPass login and actual LastPass master password):
https://web.archive.org/web/20150717071236/https://lastpass....
Here's a past HN discussion from the time with some guesses at how such a phpBB login using the master password could, theoretically, be implemented without knowledge of the password. Note that this doesn't imply it's possible to implement it in a way that would be resistant to their web server (running phpBB!!!!) being compromised: https://news.ycombinator.com/item?id=16016171
But during the heartbleed attack when their systems were shown to be vulnerable, that was one of their arguments as to why it wasn’t so bad.
LastPass is full of clowns. There's already two examples of their cavalier approach to what should be simple security in this thread and I'm pretty sure there are more.
Just the other day a co-worker brought up this idea as an offhand remark. After bouncing it off those present, it took him all of twenty seconds to see why it might do harm and will do little good.
You'd think a password manager would employ some security minded people who could shoot down ideas that bad immediately.
Any hash upgrade mechanism can be abused by a (possibly MITM) attacker to change a user's password while leaving you and the user none the wiser that specifically this occurred. If you need to lock someone out while their phone is beeping at them over their bank account being emptied, while not even making it look like their password was changed, that sounds like a fun way.
Lastly it's virtually the same as plaintext, since any salt will be known by even just a passive attacker. A true MITM won't even have to brute-force the hash.
Conclusion: Might do harm, will do little good.
Now, the fact that they have a web-based vault access requiring entry of your master password? Pretty bad, considering you can't disable it, and it's automatically activated even when just using the browser extension (at least as of a few years back, when I asked them to fix that.)
For anyone reading this, please use the official 1Password import functionality, not this: https://support.1password.com/import-lastpass/
EDIT
I just revisited that link I shared, and I have to say, it takes some real chutzpah to turn around and accusing me of advising insecure practice when the link I shared literally talks about just that:
Due to the nature of this application, 𝘄𝗲 𝘀𝘁𝗿𝗼𝗻𝗴𝗹𝘆 𝘂𝗿𝗴𝗲 𝗲𝘃𝗲𝗿𝘆𝗼𝗻𝗲 𝘁𝗼 𝗱𝗼𝘄𝗻𝗹𝗼𝗮𝗱 𝘁𝗵𝗲 𝘀𝗼𝘂𝗿𝗰𝗲 𝗰𝗼𝗱𝗲, review it quickly, and compile it yourself to use this tool. However, we do recognize that this may be beyond the means of all security-minded folk out there looking to make the switch, so we are providing signed binaries available for download. If you do opt to use the binary download, make sure to validate the authenticode signature like so: ...
Pumping your passwords through some random code on Github that has a "be smart" label doesn't make it a good idea.
Would be so easy to imitate you, reupload the code with an exploit. For giggles, if I was making this into a hijack I'd leave all your warnings in and even make them bigger and more obvious, confident in the knowledge that 99%+ of my stolen users wouldn't read the code or would just download the binaries sight unseen.
That is such a salient point, generally.
2) Don't read the code.
3) ???
4) Forever don't know what or when it happened.
>Would be so easy to imitate you, reupload the code with an exploit.
Put your keyboard where your fingers are: do it by tomorrow morning and post here when you're done.
Now that you know there's an official LastPass importer for 1Password, I'm curious why you're defending your version rather than updating your blog post, unlinking your original HN comment and deprecating the GitHub repo.
I believe you're genuine and just trying to help. If there's an attack, it wouldn't be you doing it – it'd be someone else replacing the binaries on an old 2017 post without you noticing. WordPress is just as insecure as phpBB. Like the other commenter said, "Just because you put a warning label on a bad practice doesn't mean it's a good practice."
The details were hazy, but in 2016, there was a way to export your passwords from LastPass and import them into 1Password, though I don't think there was a way to do so on windows (which I believe is what your importer addresses).
After LastPass vulnerability in July 2016, I switched to 1Password.
If I recall, I had to sign up for LastPass premium to pull my passwords to my phone, and then use keychain to import them to 1pass.
I don't think that solution would work for Windows users back in 2016.
As for OP, my take is you clicked a bad link triggering a zero day vulnerability in your browser, or perhaps you logged in on Lastpass via a VPN or Tor? Its pure speculation though.
In most proper frameworks, including PHP ones, the only thing responding to web requests is an entrypoint file (that gets passed the request metadata including URL) and the framework takes it from there. This means that with proper configuration, even requesting a malicious PHP file shouldn't actually execute it and instead hit the framework which will promptly respond with a 404 (of course, with PHP the danger is that in case of misconfiguration the server may still prioritize an exact path match and execute the file rather than defaulting to executing the framework's entrypoint, where as other languages typically don't rely on the webserver to execute the files and couldn't run a malicious file even if they tried).
But these stupid legacy applications are still around and haven't been updated to fix this design flaw, so any flaw in sanitizing uploaded files turns into a persistent RCE. I'm sure some people will pitch in and say this isn't a design flaw and you're using it wrong, and while I agree that it can probably be made secure with enough effort, why leave such a loaded footgun around when this is essentially a solved problem in all other languages?
In other languages a malicious file being uploaded to the web root will at best result in a stored XSS which can be further mitigated by having your file uploads on a separate domain, but in PHP it's fatal.
This is properly solved by frameworks having this entrypoint be in a ‘public’ folder and that also being the webroot, so only index.php and nothing else is available for a direct match (unless /../ in the url works, which would be a huge security hole).
If you would actually take a look, you would realize you are spreading FUD.
phpBB has been rewritten from scratch around 2008 with phpBB3 and hasn't had a single severe vulnerability since. That's 13 years.
I am merely giving my unprofessional opinion that phpBB(1+) has only caused harm. A significant portion of leaks seem to be attributed to it. They really could have done better, and their reputation is forever dead.
To make clear: I am sure that the current version of phpBB works just fine and isn't as disease ridden as we all know it to be. However, the fact that all of these issues have existed for so long means that perhaps we need to take a look at the software as a product and determine that its performance has not been good enough, and to expect similar performance in the future.
The other possibility that comes to mind is a man in the middle attack of your password was ever sent over the wire with zero or weak encryption, when someone was snooping, like on coffee shop wifi or even a nosy neighbor on your home wifi.
The specific password was computer generated, and I have not used it anywhere else i.e. it was only created for this LastPass account.
That's why this (probably) either means that my local password manager has been compromised (catastropic if true) or that the info I received from LastPass is not completely accurate..?
So unfortunately, not a phishing attempt!
The login was blocked because they automatically block any new IPs from logging in until you approve a link that you get via email.
I was able to remove the 2fa by clicking a link that LastPass sent to my email (confirming that I wanted to remove the 2fa).
So if anyone has your LastPass master password and has access to your email, it's game over and having the 2fa enabled on the LastPass account won't do anything.
-- Login attempt blocked Hello,
Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look. ---
Like you, it told me that the attempt came from Brazil, using an IP address starting with 160. I have no idea how they would've gotten that password. Made me wonder if LastPass had some issue, but nothing was in haveibeenpwned
This is too crazy of a coincidence to be a coincidence.
This is exactly what's happening to me, and same IP prefix.
What does it mean?
---
How old of account was this? Can you contact me by email (email in my profile)?
---
Two theories:
- there is a problem with LastPass
- you and I both had the same Chrome extension installed that was actually compromised, and that extension was listening to/sending passwords typed into lastpass.com
I last used this account/master password back in 2017. Is that similar-ish to when you used your account?
Time Monday, December 27, 2021 at 1:41 PM EST Location São Paulo, SP 01323, BRAZIL IP address 160.116.88.235
LACNIC says the IP range was transferred to AFRINIC. They then say that it is owned by:
Affiliated Computing Services (Pty) Ltd descr: P. O. Box 261333 descr: Excom 2023 country: ZA
But then further note that ownership is in dispute! We need someone to look it up in the current routing tables to see where it's presently being routed to.
Help/insight from ASN? BGP? networking experts would be appreciated..! Thanks a lot
Be very wary of geo-ip results, on the modern internet they are effectively useless.
Geo-ip is a perfect analysis trap, because it seems like it's probably a good idea so people put it into the roadmap. Then they spend forever tracking down all the ways it doesn't work (I bet you have customers in whatever geo you're thinking of blocking, there's a surprising amount of netblocks that are attributed incorrectly, etc), and then the sunk cost fallacy leads them to maintaining their creaky system. Imagine what you could have done with that effort in the meantime.
Now, let's put our badguy hat on. It takes effectively zero time to tell if your target is geo-blocking (compare your port results between several geos, or cheat with censys and shodan). Being blocked? Launch your attack from IP space in another geo. Pro-tip on that: nobody blacklists cloud provider IP space because of VDI solutions. You can migrate between stolen cloud accounts faster than the provider can suspend them, especially for reconnaissance and initial payload delivery.
Edit: see also, renting time on botnets, renting physical colo, compromising residential ISP equipment, and friends.
For the IP posted above, I have 3 providers claiming it's in Sao Paulo, 3 who says it's in Joburg (this is as accurate as anyone's going to get right now) and one says it's in Chicago! If I'm trying to do something with these results programmatically, I don't have a majority or a plurality to pick as a "winner" and I have to try weighting specific providers, which is a whole new mess.
Anyway, there's a good idea brewing in RFC8805 but it'd require pretty much every AS to play along.
My home would routinely show up as from a country a thousand miles away. Friends down the street would show up several states over. Customers I know which were a state over would appear from a different country. The databases are usually right, but they're still often wrong. Often enough to cause frustrations.
[1] https://scamalytics.com/ip/isp/cooperative-investments-llc
https://i.imgur.com/C9HQw1c.png
The full non-clickable URL:
I went through and answered the "questions", and it tried to take me to the actual phishing site:https://i.imgur.com/wYt5WB3.png
https://i.imgur.com/Picaw4a.png
Screenshots of the actual phishing site
https://i.imgur.com/Bh5c2lZ.png
https://i.imgur.com/q7xnSki.png
https://i.imgur.com/GX4hWnQ.png
And its url (non-clickable):
Now, the interesting part is that this phishing attempt only happened once. When I tried to visit again just now, it just says "something went wrong" (on the first site) and "Access denied" (on the second site).I saved the sites to disk as I went, but I doubt these dumps will tell you much. Just in case though:
1. https://gist.github.com/shawwn/4deace812e7c752949a0df096ef66...
2. https://gist.github.com/shawwn/721f235e760dd2257cd760edb1188...
Long story short: It sounds like all of you got phished. I suspect you installed a malicious app that somehow targeted your web browser's LastPass extension, modifying it to send your master password to these fine people. ¯\_(ツ)_/¯
That's quite possible, for sure. I am not beyond/above/below being phished like anyone else, ha!
The issue -- what makes it perplexing -- is that I haven't used this LastPass password since 2017. I know because this LastPass account was only used to share passwords within an org that I left back then.
Is it possible that I was phished 4 years ago, and they sat on the password? Sure.
But 2 other people in this thread being phished from the same exact same phishing server/group?
Or we were separately phished using different techniques, and now one Brazil server attempted to use all of our logins?
That's what's rather strange.
I'm still seeing hackers trying to log on using passwords I haven't used in ~10 years, because it's on a list somewhere.
So LastPass (their extension) may have been hacked ~5 years ago ish, a few people here on the thread were all hacked in the same way, our passwords were sold off, and now the same Brazil IP range just tried all of those passwords.
https://news.ycombinator.com/item?id=29710262
https://news.ycombinator.com/item?id=29711950
That would make "more sense" that our credentials weren't stored and unused for years, i.e. that this is possibly a new, recent breach.
[0] https://news.ycombinator.com/item?id=12171547
That doesn't mean they didn't try stuffing it elsewhere previously, or have login attempts you weren't notified of.
Nor do you know if the entity responsible for the failed login is the one who originally captured the credentials.
If you'll forgive the wild speculation, your credentials could have been sold recently and the new owners are less picky about alerting victims to the breach.
It could be that a bunch of credentials were captured for a specific purpose. Perhaps it was a targetted attack aiming for a specific victim, you and others here were collateral damage, and now the attacker is selling the assets.
I also generally am more suspicious of the idea that they sat on the credentials for years. Although that is not impossible.
One disproving fact (of sitting on the password for years) is that a few people here in this thread confirm having a login attempt from the exact same ip range, but with an account that was created this year -- in one case, in November 2021:
https://news.ycombinator.com/item?id=29710262
So... it might turn out to be a much more recent vulnerability after all.
I agree that it could be totally unrelated to the root mystery though. But "everyone here fell for malware or got phished" seems like the most likely explanation, even if my answer happens to be otherwise incorrect.
How many extensions are you using again? :-)
“Too many” :)
EditThisCookie was last updated November 22, 2020, so it doesn't seem likely from that.
ublock origin was updated December 2, 2021, but they haven't changed devs or anything that would make me suspicious.
I have been wondering - is this because of the following lastpass bug?
https://www.zdnet.com/article/lastpass-bug-leaks-credentials...
Maybe it says someone used your master password even if they didn't? It gave the IP as Islington which is kind of correct.
If you didn't receive a "Someone just used" email (with an IP that's completely geographically off from where you are) that's a good sign, of course.
"But famous company X does this, it is really convenient for users!" was all the response I got. All I could do at the time was (internally) shake my head.
I'm happy to be proven wrong, but I think that what's happening with @tim333 is that master passwords may be all lower cased (for example) before being hashed. Or maybe the password is hashed twice with the first letter upper and lower cased.
Here's what I found from a quick google re: password case:
https://www.zdnet.com/article/facebook-passwords-are-not-cas...
https://security.stackexchange.com/questions/68013/facebook-...
"This is simply Facebook trying to provide a better user experience for those users who may have Caps Lock enabled, or whose devices automatically capitalize the first letter of the password."
Disclaimer: I worked on the 2FA part of the saas pass password manager which never has a master password and always uses passwordless MFA like scanning an encrypted barcode for unlocking the browser extension.
Just deleted my last pass account!
here's the info that came with the email
Time Monday, December 27, 2021 at 1:41 PM EST Location São Paulo, SP 01323, BRAZIL IP address 160.116.88.235
How is this possible????
What is the probability that you, techknight (the other user in this thread) and me used the exact same compromised software back in ~2017 and had our master passwords stolen then? And for that person/bot (in Brazil) to try all of those master passwords now?
It's beginning to look like this is a LastPass issue, no..?
I've emailed you a list of the extensions I use in Chrome - if you want to share publicly any that we have in common I'm okay with that
Since I haven't used this LastPass master password since 2017, I'd have to remember which extensions I had back then, which is hard to do...
I may have had 1Password and Adblock Plus which you had/have too.
But it's hard to say. It's a possible vector (that you, dogman123 and I had the same compromised extensions) but also... why would the hackers have sat on our master passwords for nearly 4 years (in my case)?
It's looking like you got phished a long time ago, or installed malware which targeted the lastpass extension.
Did all of you use the same OS four years ago? (Windows perhaps?) Some malware targets Chrome/Firefox files on disk. A malicious extension probably wouldn't be able to affect your LastPass extension, but a malicious malware app could easily modify it.
I used macOS/Chrome back in 2017. I definitely could have been phished then, or used a compromised extension.
Or does LP shoot an email if it detects a suspicious geo-IP login before the 2FA prompt?
Once the IP is approved (you have to follow a link from the email), then you login again with the correct password and then get the 2FA prompt.
Edit: I found an old post from about 5 years ago on a vulnerability in LastPass’s extension [0]
[0] https://news.ycombinator.com/item?id=12171547
pw was only ever used here and stored offline
Or I am drawing a random line through a cloud of dots..? :-)
What other IPs are part of BLAZING_SEO_PROXY?
It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!
Also, incorrect login attempts (i.e. using the wrong password) does not send out an email.
If you do attempt to login with the correct master password from a different/new IP, then you'll get the "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email.
It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!
We need to find a common thread.
Logging in with the wrong password is logged in the Account History as "Failed Login Attempt"
Logging in with the correct password (or hash? TBD) from a new IP triggers the email and that's logged in the Account History as "Login Verification Email Sent"
If you try hitting it, it will redirect you to some website which might or might not be the same to every person
It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!
- In the sidebar that shows up, "View account history" -- it's in the middle of the page vertically
Make sure to use both "Logins" and "Events" when doing searches.
The "Login Verification Email Sent" (i.e. someone attempted to login with the correct master password) show up under Events.
same with your desktop. is everything up to date?
Thanks for the comment/reminder! I'll definitely have to re-consider what I do with regards to the keepass file on my phone.
A wrong password = no email.
Correct password from different IP = exact same email saying "Someone just used your master password to try to log in to your account from a device or location we didn't recognize"
That's the exact same email I received earlier with the Brazil IP.
Was this an old LastPass account? You didn't use this master password elsewhere, etc.?
Thanks!
Someone is tracking IP addresses now in the thread -- would you mind sharing what was your attacker's IP?
It's improbable that we were all phished years ago by the same group...
Was the LastPass extension hacked years ago (as mentioned in https://news.ycombinator.com/item?id=29707325 ) and all of our master passwords were leaked/stolen, and someone just attempted to use them?
So in this case, it's not a phishing attempt unfortunately.
Good questions to ask yourself
In my case, the LastPass master password hadn't been used since 2017. It was stored (safely, I presume or at least hope!) in a local encrypted KeePass password manager file.
I definitely could have malware on my computer that sniffed/read the KeePass file while it's temporarily unencrypted (when I open it to get a password).
I think that LastPass and 1Password are the ultimate targets for hackers.
Wouldn't surprise me if they got in. Hackers ain't Matthew Broderick, anymore.
EDIT: Deleted somewhat cynical editorializing
If the former: I haven't noticed that -- usually folks on HN seem to recommend 1Password or BitWarden.
If the latter: Password managers are important to resist credential stuffing attacks through password reuse.
While I don't like that many of them force you to upload your secrets to the cloud (LastPass, 1Password 8, etc), it's still a better security posture than having your weakest link be every site on which you've used the same password.
1. “hardware wallet” level security, with good UX. Maybe a USB/Lightning dongle, but I really wish computers/phones had built-in capability to do hardware wallets. Apple TouchBar got close (I realize it wouldn’t considered be a dedicated hardware wallet).
2. a way to automatically roll passwords periodically (with a small amount of user intervention, per requirement #1). This would require either some excellent AI or crowdsourced automations for every website.
https://github.com/drduh/YubiKey-Guide
https://attackpointsecurity.com/go-pass-yubikey-and-gpg
For a cheap alternative you can use an old smartphone, and disable all radios. People will use a Librem 5 in 20 years still for this purpose wink.
No, most of them connect over USB. The important thing is reducing the attack surface to a bare minimum with simple protocols and implementations.
I think at a minimum it would need to emulate a keyboard to type out complex passwords. Ideally it could also receive simple commands from, say, a browser extension to request filling in a specific website.
This is mutually exclusive with passwords:
A hardware wallet never reveals its private key and allows you to review and approve private key operations through a well-defined and hardened interface. Passwords are bearer tokens, and there is no such option.
Not as good as webauthn etc, but still better than copy-pasting passwords, or a browser extension that keeps passwords decrypted in memory.
Ironically, that’s what LastPass can do for many important sites. Technical details: it opens a site, clicks around its menus and does that for you, and you see all of this automation on your screen. Imagine how many non-2FA users are now experiencing automated password resets on their most valuable accounts.
I’m all for 1, as I take my physical keys with me everywhere, but random ISB solutions out there I don’t really trust any more than e.g. lastpass.
When you say same IP range, what do you mean? The IP that the login attempt happened from starts with 160.?
If 4 of us (in this thread) all had quasi-successful login attempts to our accounts, it could mean that some LastPass master passwords have been leaked...?? Or LastPass has been compromised?
Wow, this is fantastically bad.
196.19.204.79 Stated location: India WHOIS: Poland Warszawa Unit 117, Seychelles (Legacy) AFRINIC AS202769 COOP, US
160.116.206.37 Stated location: Germany WHOIS: Affiliated Computing Services, South Africa AFRINIC AS262287 Maxihost LTD, BR
168.81.122.153 Stated location: Germany WHOIS: Seychelles AFRINIC 202769 COOP, US
Someone is probably putting bogus information into the routes for these IP ranges. But what do all of these IPs have in common? According to my records, they are all related to a dodgy hosting provider in the Netherlands called Ecatel, now called Qasi Networks or IP Volume. And this is all disputed AFRINIC IP space, as per:
https://krebsonsecurity.com/2019/12/the-great-50m-african-ip...
Monday, December 27, 2021 at 12:27 PM EST
Location INDIA
IP address 196.19.204.79