18 comments

[ 3.2 ms ] story [ 56.0 ms ] thread
(comment deleted)
tl;dr - LastPass's infrastructure was completely insecure. Oops, but please keep trusting us with your passwords and hopefully pay us. By the way, if you want to stay safe, go read our Security Bulletins.
Recommended Actions: find a better place to store your passwords
It took a long time to change 100s of passwords and migrate off of LastPass, but I’m glad I did. Not sure why anyone would trust their security to them at this point.
Their “Security Bulletin: Recommended Actions for LastPass Free, Premium, and Families” linked on this page is not available. Outage/overloaded? As a premium user, I got a popup in their app as well leading to this information page, but the actual information on suggested actions is not retrievable.

How unacceptable.

Still no details on how far those stolen vault backups went. I'd like to know which of my vault passwords over the years was included.

I've since switched to 1password and rotated every (damn) password. That was an entire weekend burned.

So glad to be done with LastPass. Anyone who thinks this won’t happen again is lying to theirselves.
> This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.

Your corporate vault, with all of your database keys, was stored and accessed from someone's personal computer?

> We assisted the DevOps Engineer with hardening the security of their home network and personal resources.

And even after this incident, you let them keep using a personal computer???

This really just reflects incredibly poorly on LastPass's internal security team. I was under considerably more robust endpoint protection policies as a random intern at a legacy Fortune 500.

Edit: I'm quoting from a separate linked blog post here: https://support.lastpass.com/help/incident-2-additional-deta...

The phrase “home computer” does not appear in the blog post. Where are you seeing this? Did they edit the post or did the URL for this story change?
Oh my !

A software engineer’s corporate laptop was compromised, allowing the unauthorized threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets.

I'm finally leaving this abusive relationship.

Hello 1password

Good ole KeePass for me.
I asked about the totp seeds in a previous thread a few months back since those were not being mentioned (though I fully expected them to have been a part of the backups that were accessed).

Looks like they were a part of it but even worse the attacker also got the decryption key (yikes!)

"Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident."