
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,560
30,891


Password management app LastPass says it is investigating a security incident after an "unauthorized party" compromised its systems on Wednesday and gained access to some customer information.


The information was stored in a third-party cloud service shared by LastPass and parent company GoTo, said LastPass CEO Karim Toubba in a blog post. Toubba said the hackers used information stolen from LastPass' systems in a separate previously disclosed incident that occurred in August of this year. Toubba added in the blog post that "customers' passwords remain safely encrypted."
We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers' information. Our customers' passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

According to a blog post dated August 22, the previous incident saw a threat actor gain access to the LastPass Development environment using a developer's compromised endpoint to steal source code and some proprietary LastPass technical information. LastPass said at the time that its systems "prevented the threat actor from accessing any customer data or encrypted password vaults."

LastPass is currently working to understand the scope of Wednesday's incident and identify what specific information has been accessed. GoTo, formerly LogMeIn, said it was also investigating the incident, although it did not explain whether GoTo users were also impacted by the hack. In the meantime, LastPass products and services remain "fully functional," said Toubba.

Article Link: LastPass Hacked for Second Time This Year
 

willzyx

macrumors regular
Dec 21, 2016
175
445
Why would you not use the built in password manager and instead willingly pay to use another, less secure, manager?
Because 3rd party password managers (1password, keeper, bitwarden) offer a lot more flexibility and security than Apple's built-in manager. Apple's version is good enough for basic functions, anything more and a dedicated manager is far more advanced. Everyone knows that LastPass is trash and has always been trash.
 

Abazigal

Contributor
Jul 18, 2011
19,590
22,048
Singapore
Why would you not use the built in password manager and instead willingly pay to use another, less secure, manager?
It’s a pain to retrieve passwords when you want to key them into a non-Apple device. For example, when I went to log in to an account on my windows work laptop, I can view said password via the 1Password app on my Apple Watch. It’s also much easier to generate / change passwords in the 1Password app. iCloud Keychain really needs its own standalone manager app, rather than being hidden in the settings app.
 

Ridge Racer

macrumors member
Mar 16, 2007
53
166
Why would you not use the built in password manager and instead willingly pay to use another, less secure, manager?
Maybe you need some feature of 'another' password manager that the built-in one doesn't provide? Maybe you use non-Apple devices and need to sync between them. Not all third-party password managers have experienced hacks like LastPass, and so aren't necessarily 'less secure' than the built-in one.
 

TriBruin

macrumors 6502
Jul 28, 2008
440
918
Why would you not use the built in password manager and instead willingly pay to use another, less secure, manager?
How can you confirm that the built-in password manager is more secure? Please provide links to third-party audits and security documents that compare iCloud to other password managers.

Also, just to be clear, the LastPass hack was against their customer database. Even if the hackers got a hold of password data, it is encrypted.
 

minimo3

macrumors 6502a
Oct 18, 2010
807
974
There are only 2 types of companies: 1. Those that have been hacked and report it, and 2. Those that have been hacked and don’t know it yet.

The only safe password vault is a local airgapped one. Anything on the cloud, be it iCloud, Bitwarden, etc., has probably already been compromised in some fashion.
 

TriBruin

macrumors 6502
Jul 28, 2008
440
918
I never really understood what makes a password manager more secure when all they need is the master password to access any of your passwords from multiple platforms instead of "maybe" gaining access to a single platform's password.
Any reputable password manager uses two items to hash your password, a master password and a secret key. When you first access your passwords from any new device you need both items. The secret key is then stored and, going forward, you need just your master password.

So, even if someone got access to my master password (which is a long memorable password), they still could not access my data.
 
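The two-secret derivation described in the post above, as an added illustration that is not LastPass's, 1Password's or any vendor's actual code: a slow, salted stretch of the memorised master password is combined with a high-entropy secret key kept on the device, so neither secret on its own reproduces the vault key. Parameter choices (PBKDF2-SHA256 with 600,000 iterations, HKDF-style expansion, an HMAC key-check value) are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Assumed work factor for the illustration; products pick their own.
PBKDF2_ITERATIONS = 600_000


def stretch_master_password(master_password: str, salt: bytes) -> bytes:
    """Slow, salted stretch so a stolen vault cannot be guessed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)


def expand_secret_key(secret_key: str, salt: bytes) -> bytes:
    """HKDF-style extract/expand of the high-entropy secret key (one block of output)."""
    prk = hmac.new(salt, secret_key.encode("utf-8"), hashlib.sha256).digest()
    return hmac.new(prk, b"vault-key\x01", hashlib.sha256).digest()


def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Both inputs are mixed into the key; a guesser with only the password gains nothing."""
    stretched = stretch_master_password(master_password, salt)
    expanded = expand_secret_key(secret_key, salt)
    return bytes(a ^ b for a, b in zip(stretched, expanded))


@dataclass
class StoredVault:
    salt: bytes
    key_check: bytes  # HMAC over a fixed tag; detects a wrong key without storing the key


def generate_secret_key() -> str:
    # ~200 bits of randomness; stored on the device, never memorised or sent in clear.
    return secrets.token_urlsafe(26)


def create_vault(master_password: str, secret_key: str) -> StoredVault:
    salt = os.urandom(16)
    key = derive_vault_key(master_password, secret_key, salt)
    return StoredVault(salt, hmac.new(key, b"key-check", hashlib.sha256).digest())


def unlock(vault: StoredVault, master_password: str, secret_key: str) -> bool:
    """True only when the derived key matches the stored key-check value."""
    key = derive_vault_key(master_password, secret_key, vault.salt)
    candidate = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return hmac.compare_digest(vault.key_check, candidate)


def demo() -> tuple:
    sk = generate_secret_key()
    vault = create_vault("correct horse battery staple", sk)
    return (unlock(vault, "correct horse battery staple", sk),            # both secrets: opens
            unlock(vault, "correct horse battery staple", generate_secret_key()),  # right password, wrong key
            unlock(vault, "wrong password", sk))                            # right key, wrong password
```

The stored salt and key-check value reveal nothing useful without both inputs, which is the property the post relies on.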

montuori

macrumors regular
Sep 14, 2004
182
413
New Orleans, LA
I never really understood what makes a password manager more secure when all they need is the master password [...]
A password manager discourages password reuse. In a very trivial case: each time you submit a password to a service that password is known to a third party; nothing prevents a website operator from collecting those passwords in plaintext in order to try them against other services. Remembering the 600+ passwords I currently have in use -- most of which are 20+ characters -- would be impossible, but I can remember my lengthy and complex 1Password secret pretty easily.
 

sunapple

macrumors 68030
Jul 16, 2013
2,740
5,070
The Netherlands
Switched from 1password to iCloud when Apple added some extra features. Still, a dedicated service offers more. But that comes at a $ price. I’m willing to use Apple’s service which in 1/100 cases may be cumbersome for me.
 

SnappleRumors

Suspended
Aug 22, 2022
394
515
There are only 2 types of companies: 1. Those that have been hacked and report it, and 2. Those that have been hacked and don’t know it yet.

The only safe password vault is a local airgapped one. Anything on the cloud, be it iCloud, Bitwarden, etc., has probably already been compromised in some fashion.

Speaking of hacking…

 

AdeFowler

macrumors 68020
Aug 27, 2004
2,317
361
England
I used 1Password for years. The introduction of yet another subscription service was the final straw. Since then I've been using the built in password manager along with secure notes in Notes. I also downloaded a free password generator.

For my very basic needs, it's more than sufficient, and it's essentially 'free'.

Caveat: I’m using a totally Apple setup.
 