Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
59,230
23,152


Password management app LastPass says it is investigating a security incident after an "unauthorized party" compromised its systems on Wednesday and gained access to some customer information.

lastpass.jpg

The information was stored in a third-party cloud service shared by LastPass and parent company GoTo, said LastPass CEO Karim Toubba in a blog post. Toubba said the hackers used information stolen from LastPass' systems in a separate previously disclosed incident that occurred in August of this year. Toubba added in the blog post that "customers' passwords remain safely encrypted."
We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers' information. Our customers' passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.
According to a blog post dated August 22, the previous incident saw a threat actor gain access to the LastPass Development environment using a developer's compromised endpoint to steal source code and some proprietary LastPass technical information. LastPass said at the time that its systems "prevented the threat actor from accessing any customer data or encrypted password vaults."

LastPass is currently working to understand the scope of Wednesday's incident and identify what specific information has been accessed. GoTo, formerly LogMeIn, said it was also investigating the incident, although it did not explain whether GoTo users were also impacted by the hack. In the meantime, LastPass products and services remain "fully functional," said Toubba.

Article Link: LastPass Hacked for Second Time This Year
 
Last edited:

willzyx

macrumors regular
Dec 21, 2016
159
420
Why would you not use the built in password manager and instead willingly pay to use another, less secure, manager?
Because 3rd party password managers (1password, keeper, bitwarden) offer a lot more flexibility and security than Apple's built-in manager. Apple's version is good enough for basic functions, anything more and a dedicated manager is far more advanced. Everyone knows that LastPass is trash and has always been trash.
 

Abazigal

Contributor
Jul 18, 2011
17,356
17,828
Singapore
Why would you not use the built in password manager and instead willingly pay to use another, less secure, manager?
It’s a pain to retrieve passwords when you want to key them into a non-Apple device. For example, when I went to log in to an account on my windows work laptop, I can view said password via the 1Password app on my Apple Watch. It’s also much easier to generate / change passwords in the 1Password app. iCloud Keychain really needs its own standalone manager app, rather than being hidden in the settings app.
 

Ridge Racer

macrumors member
Mar 16, 2007
41
107
Why would you not use the built in password manager and instead willingly pay to use another, less secure, manager?
Maybe you need some feature of 'another' password manager that the built-in one doesn't provide? Maybe you use non-Apple devices and need to sync between them. Not all third-party password managers have experienced hacks like LastPass, and so aren't necessarily 'less secure' than the built-in one.
 

TriBruin

macrumors 6502
Jul 28, 2008
390
836
Why would you not use the built in password manager and instead willingly pay to use another, less secure, manager?
How can confirm that the built-in password manager is more secure? Please provide links to third party audits and security documents that compare iCloud to other password managers.

Also, just to be clear, the LastPass hack was against their customer database. Even if the hackers got a hold of password data, it is encrypted.
 

minimo3

macrumors 6502a
Oct 18, 2010
718
728
There are only 2 types of companies: 1. Those that have been hacked and report it, and 2. Those that have hacked and don’t know it yet.

The only safe password vault is a local airgapped one. Anything on the cloud, be it iCloud, Bitwarden, etc has probably already been compromised in some fashion
 

TriBruin

macrumors 6502
Jul 28, 2008
390
836
I never really understood what makes a password manager more secure when all they need is the master password to access any of your passwords from multiple platforms instead of „maybe“ gaining access to a single platforms password
Any reputable password manager uses two items to has your password, a master password and a secret key. When you first access your passwords from any new device you need both items. The secret key is then stored and, going forward, you need just your master password.

So, even if someone got access to my master password (which is a long memorable password), they still could not access my data.
 

montuori

macrumors regular
Sep 14, 2004
130
272
New Orleans, LA
I never really understood what makes a password manager more secure when all they need is the master password [...]
A password manager discourages password reuse. In a very trivial case: each time you submit a password to a service that password is known to a third party; noting prevents a website operator from collecting those passwords in plaintext in order to try them against other services. Remembering the 600+ passwords I currently have in use -- most of which are 20+ characters -- would be impossible but I can remember my lengthy and complex 1Password secret pretty easily.
 

sunapple

macrumors 68020
Jul 16, 2013
2,258
3,823
The Netherlands
Switched from 1password to iCloud when Apple added some extra features. Still, a dedicated service offers more. But that comes at a $ price. I’m willing to use Apple’s service which in 1/100 cases may be cumbersome for me.
 
  • Like
Reactions: LV426

SnappleRumors

Suspended
Aug 22, 2022
394
512
There are only 2 types of companies: 1. Those that have been hacked and report it, and 2. Those that have hacked and don’t know it yet.

The only safe password vault is a local airgapped one. Anything on the cloud, be it iCloud, Bitwarden, etc has probably already been compromised in some fashion

Speaking of hacking…

 

AdeFowler

macrumors 68020
Aug 27, 2004
2,309
344
England
I used 1Password for years. The introduction of yet another subscription service was the final straw. Since then I've been using the built in password manager along with secure notes in Notes. I also downloaded a free password generator.

For my very basic needs, it's more than sufficient, and it's essentially 'free'.

Caveat: I’m using a totally Apple setup.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.