74 comments

[ 3.1 ms ] story [ 132 ms ] thread
> Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error.

A lot of corporate text in this blog. This seems to be the only sentence where they say that the unusual login activity was actually a software error.

(PS: I editorialised the title since the actual title is very generic says nothing)

Exactly. What a garbage post from LastPass.

What's the error?

- was the message which says 3rd party had the correct password wrong?

- was it was sent out to accounts other than those for which the 3rd party had the password?

- something else?

And even then, "some" of the alerts being "likely" triggered in error makes it sound like quite a few may have been actual security issues.
(comment deleted)
I hope they intend to provide more proof than their word...
With Bitwarden (which is better, cheaper and more open) I honestly don't see any good reason to use LastPass now given their poor track record of security incidents and naive (not to say stupid) business decisions.
I selfhost bitwarden with rust implementation called vaultwarden, it uses little to no resources and works flawlessly. Compatible with original clients, too. Never looked back.
Where do you host it? I was thinking I’d host it on my NAS and only sync when i’m on my local network. Not sure if that’ll work with the clients? My nas is also it’s too old to have a supported docker package, so that’s a bit of a hurdle there. Pretty uncomfortable with the idea of hosting it on digitalocean or similar… wondering what others do?
I do that but also allow sync when not on local network - via traefik and such as a reverse proxy. However ... I may still turn that off as I have wireguard on everything anyway, so it's super simple to turn wireguard on, sync "locally" and then turn wireguard off.
Personal k8s cluster

>Pretty uncomfortable with the idea of hosting it on digitalocean or similar

Everything is encrypted. Use strong master password and 2fa, even if your VM gets dumped and your password gets stolen there's no data they can recover. Alot of people host it on raspberry at home, if you have VPN to home it can be more secure. Also clients are synced, so you can sync while at home network - your in-browser or in-app vault will be available even if server is not reachable at the moment.

If your VM gets dumped and your password gets stolen, are you not vulnerable to a SIM swap? Asking out of paranoia.
Nobody forces you to use sms for 2fa. I'm not even sure vaultwarden supports SMS. I use https://getaegis.app with usual 2FA TOTP, also protected by password. So for someone to gain access to your vault will need:

* access to your server with bitwarden/vaultwarden (this one is tricky, someone might inject something in webui JS if it's open to public internet, so keeping it VPNed might be good idea indeed)

* access to your master password

* access to your mobile device / totp storage and password for it

I'd say it's pretty safe from random hackers, but if someone is dead set on getting your data, well https://xkcd.com/538/

I subscribe to 1Password which has a similar security model - it's a bit more expensive but I've been very happy with it and it's very polished.

(Plus their support is excellent and saved my butt once - I upgraded my personal account to a family account and made my father an admin, after which he decided to 'cancel' his account by deleting the full family account, despite a warning saying everyone's passwords would be permanently erased for the full family. I lost access to all my accounts, however thankfully the 1Password team were incredibly helpful and managed to recover our vault from a backup).

Posts like this are so frustrating. It's a whole lot of words to say nothing. There's a small mention of the alerts being triggered by a bug/error, but it is surrounded hundreds of words of deflection/spin.

Additionally, it is bothersome that absolutely zero detail on this error is given.

Given the incredible gravity of the situation (potential of having one's entire password vault compromised), I expect a better response than this

Not communicating clearly and pretending like dumb blog posts like this are an answer are both major red flags.

I don't understand the thought process behind such legal-ese talk. Do they think we are dumb and can't see through it? Putting this sort of stuff up is just saying "we don't care about you in reality but here is a post saying we do".

I think one thing that really got to me is that the post is by the VP of Engineering, which for some reason gave me an expectation of a detailed explanation of the problem, only to find none

The post sounds like it was actually written by either legal or marketing instead

So much this. Don't use any online password managers but with this response lastpass became godaddy for passwords in my book.
And when the VP of Engineering writes

> some of these security alerts...were likely triggered in error

one can conclude that they do not know that any of the alerts were triggered in error (else he would have said as much). Some of the VP's statements were likely triggered by the legal department, though I don't know that any actually were. It doesn't exactly shed light on anything.

Or more likely, there were probably some legitimate alerts that would have gone out at the same time as per normal operations, and they do not want to conflate these with the ones sent in error.
(comment deleted)
None, some, all; always, sometimes, never.

> some of these security alerts...were likely triggered in error

Our VP made no statement about the totality. Draw what conclusions you may from the equivocal register of this public-relations statement, but he is relegating his statement to those alerts which, by his own words, he cannot say to a certainty whether or not they were triggered in error. I presume that this statement is calculated to exclude all those alerts that they can know were legitimate. If you want to expand the scope of the statement, then the only implication would be that they cannot discern the legitimate from the illegitimate alerts.

The only purpose of my comment was to draw attention to the apparent equivocation, that is, the art of misleading without lying. If they can't tell right from wrong (alerts), so much the more damning.

If I were to guess, anything written by the VP of Engineering would be heavily edited by legal and marketing until the result was indistinguishable. Source: I work for a company that doesn't let anything go out without approval of Legal, Marketing, and a few other nebulous 'stakeholders'
Some (bad) companies have a VP of Engineering that has no clue about technology and with a background in another field.

But come on, Lastpass has been on a downwards slope for a very long time. They can't even make their main product as good as Bitwarden which is free.

never used them but just went to their website and concluded it's some novice programmer who has no skill and wants to make a business around software so after going through a few ideas he came up with a password manager. no idea why people (on HN) use these things.
They're a relatively well-known company, currently owned by LogMeIn, though that seems like it will be changing. It's definitely not some solo person's side project or anything. They're one of the most well-known names (whether good or bad) in the password manager category.

While they have had security trouble in the past- they're big enough that it's not surprising at all to me that many people, including those on HN, are their customers.

I would also not be surprised if they lose a chunk of tech-savvy customers over this- as they should.

Kind of a poor way to judge a product, I'd say. I'm no longer a lastpass user but if you read up on them you'll find that your initial assessment is way off.

They've had their issues but the idea of it being built by a novice programmer is very far from reality.

I use a trivial program that manages a list of passwords generated using /dev/urandom constrained to simple ascii chars and provides basic features like copying it to clipboard to avoid shoulder surfing. It took an hour to write 10 years ago. and judging software from how bullshit their website front page is has not failed me a single time in the last 20 years. my predictions of what vulns they have is always spot on. im not interested in your (HN's) definition of reality as they still think string injection attacks are fundamentally hard to solve
This may very well be a good example of strategic ambiguity. They grant themselves a broad area for future, not a limiting direction. Since nothing is presented precisely, the following reports, articles, announcements can be shaped the way the environment requires.

With this, they say nothing more than "it was not a cyber attack". It is a statement of relief for shareholders. It's not about the customers.

Assuming for a moment that what they claim is true (never attribute to malice that what can be explained by incompetence), that it is indeed a bug / password reuse, what information would you have liked them to give? It seems to me that they’re communicating they’re not hacked, looked into the issue and found nothing special.

I do agree that they’re patting themselves on the back a bit too much and also should have been a bit more humble when dismissing things as password reuse.

In general, when tech-related companies have problems like this (with potentially severe consequences), I think a post-mortem should be a minimum expectation. I just feel like the way this post frames the issue is almost like it doesn't matter that much to them. "Oops, it was just a bug, for some accounts, we think. All fixed!" just doesn't sit well with me (maybe that's a me problem...)

I would want some follow-up answers, to questions like:

- Why would a bug trigger alerts that are as severe as "someone else tried to use your unique not-used-elsewhere master password"? I understand bugs, even severe ones, happen- but can I trust that your alerts aren't going to cry wolf on my account going forward?

- Why did you originally conclude it was credential stuffing/reuse, when there are a number of people that got the alert that clearly stated they had never used their master password anywhere else? Are you monitoring user reports / social platforms / etc to respond to and address these situations?

- When you say "some" were triggered in error- does this mean some of the attempts were legitimate, or were they all due to a bug? Do you even know the answer to this question? If there are legitimate attempts on non-reused-password accounts, it appears master passwords are leaking/being captured/etc in some other way and that deserves further investigation

I just want more than a sentence or two surrounded by 10+ paragraphs of "this happened because of how good we are at keeping you safe"

so glad i switched to 1password a few months back
This is a completely unacceptable lack of detail from a security-focused software provider.

Especially given their history of issues and prior poor or misleading communication.

They really botched the entire thing.

Bunch of people report their unique password gets this message and they investigate credential stuffing? Makes no sense.

>some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error.

"some"? "likely"?

They really don't sound like they've got a grip on this

> Bunch of people report their unique password gets this message and they investigate credential stuffing? Makes no sense.

You never worked in IT if you believe what your customers tell you, especially the ones that don't pay you.

There are probably a baseline of real security alerts for 3rd party credentials per day. For any given user, hers may have been from this bug or it may have been a real attack. If normally there are 200 alerts per day but while this bug was present there were 20k per day, then any given message was likely to have been from the bug, but some were probably real.
I saw the post the other day, and immediately switched to Bitwarden. I guess I was right that LastPass isn't safe enough. Bugs are inevitable but how they spin it shows they don't want to take responsibility (what was the bug??)
One of the worst-worded security communications I've seen. I'm dropping them.
Alright, I don't like the deflectionary way they talk. Reminds me of this post by Paul Graham: https://twitter.com/paulg/status/1366811342699696129

I'm going to switch to another password manager. Is there anything that is a drop in replacement for LastPass? ie has a browser extension for firefox, hosted in the cloud (I don't want to be managing a server for this), and has a mobile app. I've heard a lot about bitwarden and keepass, but they're usually accompanied by comments regarding self hosting, which I'm not interested in doing.

Bitwarden's hosted service works just fine, you can self host, but you certainly don't need to.
(comment deleted)
I'm using Enpass, which mostly works fine. However, they've recently moved to a subscription model which is unfortunate, where-as I bought the Android version a while ago which gave me a 'Premium license'.
You can use Bitwarden’s official servers without self-hosting anything at all. I did it for a couple years and it was a great experience.
https://bitwarden.com/pricing/

You use Bitwarden premium for 10$/y

Why not the free version?
I pay for premium even though I don't really use any of their premium features (and could easily host my own) because I like the Bitwarden product and want them to continue as a company (without having to sell out to someone like LogMeIn...)
This is not just for startups or blog posts, but all communication: people that aren’t confident in what they’re saying, tend to use a lot of words to disguise it. The opposite is also true.
I use 1Password. It meets all your criteria and, IMHO, has by far the best UI in both web and app interfaces. $35.88/year
>has a browser extension for firefox

you might want to reconsider this. browser extensions has historically been a common attack surface in the past[1].

[1] https://lock.cmpxchg8b.com/passmgrs.html

(comment deleted)
I switched from LastPass to 1Password and the export/import worked flawlessly. I didn't switch because of this issue, rather I use 1Password for work and thought it was just better, so I made the jump for my personal stuff.
I just switched due to their bad communication around this issue. The import through 1Password‘s website worked well, the import through the native mac application was horribly broken. Either way, beware that LastPass‘ csv export does not include attachments. You need to move them manually.
How about the built in Firefox password manager? You can (optionally) sync across devices and set it as the password store in iOS (probably Android too).
there's not a lot of quality in the LastPass product, and there hasn't been for a very long time. There are much better competing products to use instead.
Is there a reason an all-Apple user would want to use a password manager like this?
I use the Apple keychain and am perfectly happy with it. If you need team functionality you might want to look around for another solution. I ditched LastPass years ago because of crappy UX/UI.
I started with LastPass before I made the switch to MacOS ~10 years ago, and despite being all-in on Keychain, I still use LastPass as well (yes, there are times this causes pain).

The main reason for sticking with LP is that it is easier to find and display or copy a password in LP than in Keychain, which really isn’t organized for direct human use.

Typical use cases, just this week: 1) logging in to Quickbooks after a long time not using it; it is not integrated with either KPad or LP, so hunt and paste it is. 2) logging back in to Dazn on my Roku: I have the enter the password manually, unlike some services that allow me to authenticate via my mobile.

Overall, I prefer the near-seamless integration and ease of use of Keychain, but for the edge cases, LastPass has simply been easier to use. (Which is saying something itself, because LP has a poor UI 8-})

> Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity

They originally said they “determined the activity is related to credential stuffing” [1], then edited the blog post and now they are saying it was just a bug. That sounds like their original story was simply a lie.

[1] The original version of their blog post is no longer available, but Bleeping Computer quotes their PR Director: https://www.bleepingcomputer.com/news/security/lastpass-user..., below the “LastPass says it's credential stuffing” heading.

As an early LastPass adopter, I paid for about ten years of their Premium tier (it was pretty cheap early on). After they were sold the first time, it took them several years to stop billing me every year anyway, so I've still got about a decade of pre-paid Premium. No, they wouldn't refund my extra payments. Strike one.

I'm moving to something else now. Other companies might get away with "we fixed a bug, don't worry your pretty little heads." Not this application. Strike two.

If this is nothing to worry our PLH's over, I wonder what their response to a REAL security issue would be like.

Whatever it is, I want to experience it from a distance. I'm out.

i don't understand why people comfortable with running a vps bother with these cloud services.

i use pass https://www.passwordstore.org/ git sync'd (encrypted) to a $5/month vps that also runs many other things. you could even get a free one from large cloud providers.

pass has lots of clients for all kinds of platforms, works really well (how could it not? it's just a thin wrapper around git + gpg) and i don't have to worry about anything like the topic at hand.

what am i missing?

There's a longer chain of trust and research required here. I need to trust the original authors, the authors of whatever Android client I want, the authors of whatever Windows client I want, and so on. I need to figure out what options are available and why I should trust them and I need to constantly continue doing so to make sure those apps aren't sold to some other party I don't trust.

There's no simple mechanism for sharing. Many clients don't support using multiple stores. Even if they did, the UX is never one that I would be able to convince anyone other than a software engineer to use.

Single-party centralized solutions offer a simplified trust model and a common auth service makes sharing and recovery much simpler.

This set up is much more secure than online password management.
The most secure system is one that no one can access or use.
so I tried to cancel my lastpass account, I didn't find an easy way to cancel my subscription. So I deleted my account instead. Still not sure if I'll be hit with a rebill next year though

I don't know if this is becoming the norm, it seems really weird that cancelling things is becoming more difficult. I could have sworn cancelling the subscription used to be easier, it seems they've implemented more dark patterns to make this more difficult? Maybe it might be my imagination

Also I moved to 1password and it's wayyyy more polished than lastpass. Not sure why I didn't move to a different service sooner

Ongoing related thread: How did LastPass master passwords get compromised? - https://news.ycombinator.com/item?id=29735132

Recent and related:

LastPass Login Attempted Activity Blocked – More Information - https://news.ycombinator.com/item?id=29731317 - Dec 2021 (12 comments)

LastPass says no passwords were compromised following breach scare - https://news.ycombinator.com/item?id=29723319 - Dec 2021 (68 comments)

LastPass users warned their master passwords are compromised - https://news.ycombinator.com/item?id=29716715 - Dec 2021 (313 comments)

Ask HN: How did my LastPass master password get leaked? - https://news.ycombinator.com/item?id=29705957 - Dec 2021 (508 comments)

LastPass has been circling the drain for years. I wonder how many users they will lose if 1Pass releases a migration tool..
Migration exists: LastPass allows a csv export that 1Password can import easily. Just the attachments need to be move manually, as it seems.
Lastpass keeps having issues. This is the second time I heard of a security issue with them. It's not reliable at all and it sucks that our company uses them. Wish we switched to bit warden. Open source is the best when it comes to security.