LastPass users warned their master passwords are compromised(bleepingcomputer.com) |
LastPass users warned their master passwords are compromised(bleepingcomputer.com) |
I hate that they try so hard to hide the standalone version for which you just paid a fixed price. That's the only way that I still use 1Password.
Yes, there's not much redundancy or convenience without the cloud, especially if your computer's hard drive becomes damaged, but if I lose my master password at least it's on me.
[1]: https://blog.1password.com/what-the-secret-key-does/
[2]: https://old.reddit.com/r/1Password/comments/rp8t02/security_...
> Some customers have also reported changing their master passwords since they received the login warning, only to receive another alert after the password was changed.
This sounds to me like either a widely-compromised browser extension (LP itself?) or LP infrastructure.
I previously tried offline password managers but syncing the files between devices and such was a huge pain.
Plus, if my phone or my yubikey or whatever is stolen in a foreign country I'm not SoL because the algorithm is in my brain and the rules are public knowledge.
That isn't going to work for most people, obviously. Most people want to be able to use their credentials from arbitrary machines. I don't have that requirement.
When I need to log into Nintendo's eShop from my Switch, I use my algorithm. How does that work for a self-hosted super long random Bitwarden password? I'm guessing I need to bring up the password on my phone or something and manually copy and compare it digit by digit into the Switch which sounds like a lot of work.
Writing passwords each time is so old now. there are plenty of good password managers either local or cloud based.
For what it's worth, I got an unidentified login email today with an IP in Canada. I didn't see that login attempt in my LastPass access logs, however, so I don't know for sure if they used the correct master password. I did check, and it said that my master password was last set in 2015, so it's possible I was impacted in an older breach.
I just enjoy how easy generating new passwords are. Still has some work to do, but they’re definitely on the right track.
https://www.go350.com/posts/the-design-flaws-of-password-man...
>Users must also devise a master password to unlock the encrypted passwords stored by the password manager. This is similar to a master key. It is generally accepted that master keyed locks are less secure than non-master keyed locks. If the master password is exposed, then confidence (in all the passwords that it unlocks) is lost.
1. In a perfect world, having a master password is worse than having independent passwords. However, realistically you can't remember that many passwords, so in practice you end up reusing passwords across sites. Using a master password in this case is a worthwhile tradeoff.
2. on most password managers, you need access to both the database (either through the web, or as a file) and the master password to compromise its contents. Even if your password was "hunter2" or something, your accounts would probably be fine.
>DPG
Deterministic password generators/managers have problems of their own. Their main draw is supposedly the lack of state to keep track of, but realistically you still need to sync stuff (eg. usernames, site identifiers, password formats, counters), so that dream is never realized.
>1. Never store passwords. Rather, generate them as needed based on user input. The need to backup, synchronize and properly encrypt passwords is removed. There is no master password that immediately unlocks all of the other passwords. There is nothing to become lost, stolen or corrupt.
I can't tell whether this is satire or not. The author dunks on other password managers for having a "master password that immediately unlocks all of the other passwords", but his program literally has the same flaw? At least with traditional password managers you need access to the database and the master password.
I know storing my TOTP passphrase along with my un:pw combo isn't as secure as keeping them in separate locations, but my threat model is just to stop someone with only my un:pw.
YMMV
If somebody focus on hacking _me_, they already have my email, so this measure is not very effective.
so they basically have to change their name now, right?
sounds like a broken promise otherwise.
There is a tradition here that we tell programmers they must never write cryptographic code, that they will screw it up, and so on. To which I say: Yes, I agree that writing crypto code if you don’t know what you are doing can cause problems. It should not be done unless you know what you are doing; if you think using MD5 in any cryptographic context is secure, you don’t know what you are doing and shouldn’t be writing code using crypto.
If one wishes to write crypto code, the first thing is to realize that it’s very important to choose an algorithm wisely. Use one which has been made by an esteemed cryptographer, has been released to the academic cryptographic community, and has not been broken by said community.
Never try to make your own algorithm. Unless you know the difference between differential cryptanalysis and linear cryptanalysis, you have no business making your own algorithm. Even if you do, you have no business making you own algorithm and using it in production without releasing it to the academic cryptographic community so they can analyze it and see if it’s broken in some way you didn’t see.
It’s not just algorithms. It’s how to use an algorithm. If you don’t understand why it’s a bad idea to use a block cipher in ECB mode, then you probably shouldn’t be writing code that uses a block cipher in live production.
I would not have anyone write crypto code for production use unless they have read Applied Cryptography cover to cover; while somewhat dated (it came out before AES, MD5 getting broken, SHA-3, or post-quantum crypto) it is an excellent introduction to the basics.
That said, I have written my own password generator. I have read Applied Cryptography. I know MD5 is broken. I know to random pad plaintext before encrypting it with RSA. I know not to use a block cipher in ECB mode. I have written cryptographic code used in production and it hasn’t ever been shown to be weak or broken; I have revised the code when purely academic attacks have been made against it: I started transitioning from AES to RadioGatún[32] back in 2007 because, while purely academic, I felt the cache timing attacks made it too insecure for me to continue using it in production code.
My password generator takes a master password, and it appends it to that master password the name of the site I am visiting, then runs it through a strong cryptographic hash (RadioGatún[32], for the record, which has been around for over 15 years and remains unbroken) for over 500,000 rounds, to generate a secure password. Since it’s not an online service, there is no point of failure where hackers could get in to the online site; since it’s not a browser plugin, there is no point of failure where a browser security hole or a Javascript hack can get at my master password.
The code is open source and available here: https://github.com/samboy/PassGen/
This is basically the same "cloud" vs "on-prem" debate. Cloud won, I think.
I installed Keepass on my windows desktop along with iCloud drive sync. I keep my Keepass database in my iCloud directory. I can now use this Keepass database on my iPhone (via Files app), on my Macbook (iCloud Drive). Any changes made are automatically synced daily.
Is that really too difficult? And yes, it does "just work".
Bonus: Any passwords stored in my iCloud Keychain are also synced to my Windows Chrome instance via Apple's 'iCloud Passwords'[1] plugin.
[1] https://chrome.google.com/webstore/detail/icloud-passwords/p...
Mainly with compromised\rogue updates, you push a malicious update to customers and then get access without needing to compromise the hosts.
Very similar to a supply-chain attack.
It's about convenience vs security, and specifically, auto-filled passwords across devices and applications. Anything that provides such a feature will be inherently less secure than an encrypted file.
If LastPass and others are to blame for anything, it would possibly be their marketing around the this tradeoff, though I think they avoid direct misrepresentation by just avoiding the issue completely.
I tried selfhosting in the past and it is painful process to set it up since I don't have an experience with it and the documentations on selfhosting are barely minimal. I tried selfhost an RSS Reader (FreshRSS) through webserver that are closed off to the public network. It is rewarding BUT frustrating experience for me beacuse of how much it needs to be functional. And don't forget the difficulty of setting up a CA for the HTTPS (SSL/TLS), it is PITA to set it up and it kept having problems. I am considering Caddy server since it generates its own CA automatically. Their documentation are not beginner-friendly and requires some prior knowledge to set it up.
It's doable. I managed to teach a 50+ year old to do it.
I still self-host.
The idea is one or more "master" password(s) that can be stored in keyboard's RAM (so you don't need to type them every time; and yet you still never need to input it into your computer at all!), then a short memorable site-specific "password" (could be as simple as the site's name) plus a prefix/postfix that adjusts the output to work around different services' fucked up password rules.
I might also make a completely offline device for this in case I need to "look up" a password without actually typing it into a computer.
I don't need to write any crypto for this, just use a well known and secure KDF / hash.
In the end I was running the conflict resolution command once every couple days.
Normally I wouldn't mind, but the only time the warning comes up saying that my db file is conflicted is when I need to enter a password in... which is the last time I want to be dealing with this.
This was Keepass with the db file on Dropbox, by the way. Not sure how Syncthing would handle it differently, but it wouldn't have anything to do with merging db files if they go out of sync.
I have written a CLI tool in Rust called keepass-diff that may help you with this: https://github.com/Narigo/keepass-diff
are you able to sync your keepass database to your windows machine? i need to add this one drawback for people to keep in mind. and also because it happened recently and made hn frontpage. apple can decide to suspend your account for one reason or another. it is very rare but can definitely happen.
Doesn't match what people claim here
Even worse, they have a history of doing hand-wavy corporate non-explanations for what actually happened in these incidents. The antithesis of being responsible and respecting users in the modern day.
You'd expect them to be one of the more targeted companies just because of the 'treasure' they hold - hence the more security breaches.
I’ve always taken the route of managing my own local Keepass DB & key files. Sure it’s more cumbersome, but it prevents me from having to decide whether or not to trust some third party vendor or not.
I know 100% that I’m in full control and I’ve never put my DB or key file in the cloud. I can sleep sound knowing that whatever password service, or file sharing service, somehow getting compromised, cannot endanger one of my most valuable assets
Furthermore, I’d argue that Firefox & chrome password managers probably have several orders of magnitude more passwords stored (and therefore much more highly targeted), yet they don’t seem to have annual security incidents. And you can’t even pay for those products.
People stealing passwords are probably doing it to eventually make money. Criminals could save themselves a ton of work by just directly hacking the banks, yet we don’t hear about highly regular complete compromises there.
Furthermore, if operating a password manager service puts a huge kick-me sign on your service, why don’t the other password managers have plenty of incidents?
"However, users receiving these warnings have stated that their passwords are unique to LastPass and not used elsewhere." That's really hard to verify. I think most users would say that rather than admit they re-used passwords (or used similar passwords that were easy to reverse engineer). Since there only seems to be 2-3 reports of this, and they're self-reported and not cited, it doesn't seem like LastPass was compromised.
I'm not saying I like LastPass (I use 1Password and find LastPass to be much worse), but I haven't seen any indication at this point that LastPass has been compromised at all.
(To be clear, it's very possible I'm wrong and this message won't age well. But so far, it seems like LastPass is doing its job, and I'd want to see more than this before jumping on the blame-LastPass bandwagon.)
A few people and I are trying to chase down which software in common could have resulted in our passwords being stolen.
The most egregious and hard-to-understand related cases (now 3!): https://twitter.com/Valcristerra/status/1475734357805572098
"Someone tried my @LastPass master password earlier yesterday [Dec 27] and then someone just tried it again a few hours ago after I changed it. What the hell is going on?"
https://twitter.com/shift_plusone/status/1475959354742525956
"Exactly the same thing happened to me last night. They tried again literally minutes after I changed the password to something not used on any other form."
https://twitter.com/Pablohere/status/1475966760130125828
"I had this same thing happen to me. Saw attempts yesterday, changed password last night to random generated pass from pass utility and had attempts today again from different countries."
---
I saw a few mentions of uBlock origin in yesterday's thread. I definitely might have used it in 2017 (the last time when my compromised LastPass password was used).
Could people that received the "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email please reply and confirm whether or not they have the uBlock origin extension installed?
The other alternative is for the LastPass extension itself to have been compromised (and to still be..?). There are other alternatives as well (some clipboard sniffing malware for example).
Let's try to rule out uBlock if possible. Thanks!
Must be a compromised browser extension at this point.
> To make things even worse, customers who tried disabling and deleting their LastPass accounts after receiving these warnings also report [1, 2] receiving "Something went wrong: A" errors after clicking the "Delete" button.
Is there anything more infuriating than this type of error message?
>>> Take this with a grain of salt.
LogMeIn, the owners of LastPass, had a Chinese APT group in their servers for years. They only found out because the attackers started launching unoptimised SQL queries that started killing their database cluster. They didn’t have to report this breach, despite being based in Germany where it’s a legal requirement, because they didn’t have proof customer data was accessed. They didn’t have proof because they didn’t have any logging or auditing. Whatsoever.
[0] https://www.pcworld.com/article/491164/lastpass_ceo_exclusiv...
Does LastPass/LogMeIn have a history of lying about/downplaying security incidents? I only remember a controversial (and to my knowledge unresolved) issue at TeamViewer (where the company claimed no compromise but due to the number of reports there were doubts about that claim).
This could be very hard to trace since users would have to notice the correlation between visiting a certain web site (or e.g. one of many compromised sites) and getting hacked. Worse, combined with malvertising, it could be exploited from almost any web site if the user doesn't block ads.
I'm sure some people will look at me very funny for doing this, but it seems to me that I have both fewer hassles logging in and fewer breaches than people using more "secure" methods (like handing your passwords over to LastPass's mystery Chrome extension).
Think about today's threat landscape and tell me I'm wrong. I may not be more secure in every possible situation, but I'm more secure in the situations that cause the vast majority of breaches today.
I have been using it for a couple years and haven't noticed any issue. Even if Google decides to screw me over and terminates my Google account, I can still access the passwords via the local copy in Chrome, so that is not really a concern.
(Though, don't take this as my recommendation to use Google' password manager. I have not done enough research in the password manager landscape, which is why I am asking this question in the first place.)
EDIT: also include other browsers' password managers. (It appears that it is a mistake to mention anything Google on HN :/)
You should evaluate if you're comfortable using this or that password manager even if they were aquired by the most evil company you can think of. If the design is solid, it shouldn't matter since the evil company shouldn't be able to compromise anything. If it does matter, then you shouldn't be using that software no matter how much you trust the company (because regardless of trust, they're still subject to secret court orders etc.)
So it’s not just bots trying passwords from other database leaks
The whole premise of LastPass is that they can’t even decrypt your master password. It’s pretty concerning that this is happening.
If hackers can get your master password, then _all_ of your passwords are at risk
This will give you nice conflict resolution if accessing (modifying) the file from multiple machines.
There are clients available for all platforms. I use: Keepass (Windows), Macpass/ Keeweb/ Strongbox (MacOS), StrongBox (iPad) and Keepass2Android (Android, this one's fantastic!).
https://blog.lastpass.com/2021/12/unusual-attempted-login-ac...
"However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert emails to be triggered from our systems. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved."
(I removed my account recently and got the same error message, everything seems to be gone now)
I have both Keepass and Lastpass, but the reason I didn't do away with Lastpass yet is basically that it seems to me that Keepass can't do proper form-filling like Lastpass can? I'm talking about: auto filling custom configurable fields, addresses, credit cards, etc.
Am I missing something, some addon/extension?
My current Keepass setup:
Keepass 2 with Keeweb for filling passwords in Firefox on PC and KeePassDX for filling passwords on Android. All Keepass DB files are synced using Syncthing, which works fine.
KeePass lets me fill in the username and password fields, and I can configure the names of the fields if KeePass can't figure it out itself. My browser remembers not-so-secret stuff such as my address, and it's very rare I'd want additional form fields managed by KeePass, beyond username and password. That said, I wouldn't be surprised if there was a plugin that does that.
It's encrypted on my computer by Open Source software that I can trust. I used to use LastPass, but it was clearly a sinking ship ever since it was bought by LogMeIn.
None of these opaque, closed-source "cloud" password managers. Because if you don't control your secrets, then you don't have anything. I don't care if it's a zero-knowledge construction approved by Big Name Cryptography Guy or best intentioned founders since depending on a single service that could potentially hold your secrets hostage, expose them, or forget them would be insane.
The end.
I have my TOTP codes stored in Bitwarden for other services like Facebook etc, but I use Authy as an independent TOTP provider for Bitwarden. 1.5 factor I guess (2FA tokens in a password manager), but works a treat and is very convenient!
My Bitwarden account is protected by 2FA (via Authy - only backup method is SMS - which has become handy at one point when my phone was pick-pocketed abroad in Amsterdam as I'm able to get a replacement SIM card from my operator) but then if you get past that (and the master password) then you've 'pwned' me.
It's a trade-off of convenience and security really - I think I'm doing a lot more than the average Joe and feel relatively secure. For the majority of my accounts (FB/Twitter/Instagram etc. etc.) if you get the password you're getting nowhere. Even then using a password manager I have a different password for every service so unless you breach my password manager you've at most made it into one account - if that doesn't have 2FA via Bitwarden.
You might struggle a bit moving away from Authy though if you ever want to as it does a lot of 'proprietary' stuff. I had to use a bit of JavaScript to extract my TOTP codes from the Chrome Web App (e.g. for Twitch) otherwise you're unable to get them out of Authy.
There are now over 20 in the original HN [1] thread. ( Excluding reports from Reddit and Twitter ) From password never used since 2017 to account newly created in the past few months. OP has full Bio, Links and Credential, others have long history on HN and karma points. I did at one point suspected a PR attack on Lastpass, ( sorry guys ) but that is somewhat unlikely.
Of course, this doesn't rule out a malware running wild.
> They stopped all usage of correct passwords they believed were compromised
Immediate question: how the heck would they know which passwords are compromised, if it wasn't a compromise on their end? From the information provided, the only thing they have is the IP & geolocation data, which isn't going to be reliable when the attacker(s) are using VPNs. For everyone whose account was protected by blocking access from odd region, how many are there whose accounts were quietly accessed and no email was shot off to warn the owner?
They are claiming that the master password was used on some other (compromised) service, but they provide zero evidence for this. And if they don't know your passwords, how on earth do they know that you've reused them on a compromised service? Can they name that service? Has anyone yet found a service every affected user has in common? I haven't seen that.
> "However, users receiving these warnings have stated that their passwords are unique to LastPass and not used elsewhere." That's really hard to verify.
That is true, but there are so many reports now that it's really hard for me to believe they were all dumb enough to reuse their master passwords elsewhere and are also bullshitting us on HN.
> I haven't seen any indication at this point that LastPass has been compromised at all.
Neither have I, but I still believe it to be a plausible explanation. I don't think we have a "smoking gun" or a site/service/extension that is common to everyone who reported this thing happening to them.
First thing's first, and yes I am "victim blaming" when I say this: 60% of users reuse their passwords. [0,1] It's a widespread problem. Maybe that number is lower for a technical site like HN, but I have encountered technical people who do not practice what they preach.
>how the heck would they know which passwords are compromised, if it wasn't a compromise on their end?
You can check for a compromised password the same way you check if a password is valid, both without having stored the original password in plaintext. You have a list of known-compromised hashes and see if the hashed password is in that list. [2]
>For everyone whose account was protected by blocking access from odd region, how many are there whose accounts were quietly accessed and no email was shot off to warn the owner?
None based on my experience with the service. Each time you login from an unrecognized device or IP, you receive an email and have to confirm the login. It's good hygiene to check the access logs, although I've been dirty in that regard.
>They are claiming that the master password was used on some other (compromised) service, but they provide zero evidence for this. And if they don't know your passwords, how on earth do they know that you've reused them on a compromised service? Can they name that service?
No. And they probably won't ever be able to. And probably neither will anyone else. See [2].
>That is true, but there are so many reports now that it's really hard for me to believe they were all dumb enough to reuse their master passwords elsewhere and are also bullshitting us on HN.
Well I can imagine a few things going on. Like that 60% reuse number in [0], there are probably a lot of people who did reuse their master password. I'd be embarrassed myself to admit I reused a password and it got compromised (correction: I have reused passwords and have been compromised, luckily not in a damaging way). You're kind of exemplifying that point by calling someone who would do that "dumb enough".
The other group of people who really didn't reuse their passwords may have done something I did a few weeks ago - forgot I was connected with a VPN. I SSH'd into a server, saw a weird IP and freaked out. Then after 15 minutes of investigation, I realized duh I was just connected through a VPN in Europe.
>bullshitting us on HN
I'd be careful about this assumption. I have seen people bullshitting here. I won't go as far as outright denying that people haven't reused their passwords, but I am always a little skeptical of things like this (i.e. where people say one thing because they're embarrassed about being associated with the other). It has certainly heightened my senses.
>I don't think we have a "smoking gun" or a site/service/extension that is common to everyone who reported this thing happening to them.
As has been theorized elsewhere, it's very possible we're seeing early signs of the results of the log4j exploits.
I'm in wait and watch mode to see if LP really is compromised.
[0]: https://spycloud.com/password-reuse/
[1]: https://www.troyhunt.com/password-reuse-credential-stuffing-....
[2]: https://haveibeenpwned.com/Passwords A password from my late childhood to early teens shows up 150 times
https://www.mcafee.com/blogs/enterprise/cloud-security/lastp...
Unfortunately the only password solutions I would recommend at this point are 1Password for something turn key, and BitWarden if you want to self host.
Statistically speaking it's probably because everyone has ublock origin installed, rather than it getting hacked. It's used by 5M+ users on firefox and "10,000,000+" on chrome. If ublock was really compromised you'd expect widespread reports of account compromise, rather than for only one password manager.
1. If LastPass has been compromised, the scale of these attack would have been tens of thousands times higher. But it isn't. And I think it is reasonable to trust and assume Lastpass does not hold the masterpassword, as they have stated.
2. If it was browser extension, and clipboard sniffing, the scale would have been higher as well. But it is important to note there are many reports of those password have not been used for 3-4 years. They would have sat on a drove of password and decide today is the day. And yet report of these attacks, while scary, are still very very limited.
3. It is hard make a guess without everyone posting their OS, Computer, Browser, extensions, list of software, and even Router, Location, Network ( MITM ? ) etc.
4. We have tested the theory of Lastpass triggering the wrong email notification even with wrong password. So far doesn't seems to be the case here.
5. Nearly all reported cases are unique passwords. ( A few didn't specify )
6. There was a case where the whole Lastpass App and passcode was stored on an old laptop which hasn't been used for a long long time.
7. And yet there are also cases where account was only created in October / November this year. Meaning this activity is fairly recent. ( Doesn't rule out they could be two independent leaks or attack )
8. I was expecting someone working in InforSec would jump in, but I guess they are all on holiday at the moment.
9. This happened just after LogMeIn announced they will spin off Lastpass. I am thinking of the incident with Ubnt where the actual problem was internal, an employees hacking their own companies for bitcoin or something. Still I dont know how any Lastpass staff, without storing any Masterpassword could have gained access to it.
10. For now this doesn't seem like a coordinated PR attack on LastPass. If it was, seriously guys you need to do a better job with Social Media marketing. :P
Anyway It is an interesting thread to watch.
I'm happy to delete my message if this way of finding out doesn't make sense.
I haven't used LastPass since, at the latest, 2017. I had actually deleted all my passwords from my LastPass vault, but originally kept the account because of LastPass's password sharing feature, though I stopped using that as well. I believe I had the LastPass extension installed on both Chrome and Firefox, on both Mac and Ubuntu. I primarily used Chrome on Mac. I did have uBlock Origin on those setups as well, but I really doubt that's the vector, it's likely just incredibly popular with all users of Hacker News. My LastPass password was globally unique and between 15 and 20 characters long (with some symbols and digits). This password shows no matches at https://haveibeenpwned.com/Passwords . I considered sharing the password here, but just in case an old version of my vault is out there somewhere somehow I'm not going to. My understanding is that such a password would be so incredibly impractical to brute force that it's not worth considering. Unless I'm outdated/wrong on that, that means the password leaked in clear text (or hashed with a broken hashing method). As I haven't typed that password since at least 2017 and I can't imagine LastPass is storing passwords in clear text, I'm inclined to believe the password was stolen in clear text from client machines (either LastPass extension exploit or malware) in or before 2017. It's weird they were not used earlier, but as LastPass doesn't allow new IPs by default, maybe the attackers knew this and were sitting hoping an additional exploit would allow their user. But now they're just trying in the off chance someone clicks the "That's me" link in the email. This doesn't explain the more recent claims, personally I'm inclined to disregard them as unrelated noise (user confusion, reused password, etc).
(I actually found an email from LastPass dating back to 2017 where they were confirming that a vulnerability with their extension had been fixed. The subject of that email is "Security Update for LastPass Extensions" and it dates back to March 31st, 2017)
I also agree with you that the attackers may have been hoping this time that some people would click the email link by mistake.
What's most baffling to me are the 3 independent reports of people changing their passwords, and getting the "Someone just used your master password" emails again i.e. the same attackers that attacked you and me somehow also having access to these new passwords. That can be explained in some ways (those 3 people are currently infected with the same malware) but that explanation seems, to me, very unsatisfying.
The fact that lastpass support says that it means that the correct password was used doesn't mean it's true, the support staff might just be mistaken.
Counterpoints:
- LastPass officially responded to this story by saying that all of our passwords were compromised elsewhere and then someone attempted to login with those i.e credentials stuffing.
If it was a false positive email, it would have been easier to say that and a lesser reputation hit on them. Right now, they're saying "oh yeah those passwords were valid -- it's just that the attacker got them somewhere else, we weren't breached."
- The (now 3!) twitter reports mentioned in https://news.ycombinator.com/item?id=29719033 point out that someone attempted to login again after they changed their password. They received the "Someone just used your master password" email a 2nd time.
If those emails are not false positives (per LastPass), how could that have happened?
Used a VPN endpoint in a country that would surely get blocked. Attempted to login with wrong password, did not receive email. Logged in with correct passphrase, received email. Both scenarios looked the same on the login screen, so there wasn't any indication that I logged in with the correct password if I were the attacker
edit: last night they released something that says they sent some of those emails in error. I hope that is the case, but it's still not very re-assuring. I went through and changed all of my financial/critical accounts yesterday in precaution, today my bank account was locked out from brute force. Could be a coincidence, but that is the first time it's ever happened with that account
I think it exists at an intersection of (relatively) trustworthy and necessary that makes it extremely popular among the kinds of people participating in these discussions.
If you got it, assume you have malware and all your passwords you have entered have been captured.
I was in touch with a security researcher on Twitter who has access to the RedLine Stealer stolen credentials.
Neither my email nor LastPass password (the one that was compromised) were in there. The researcher looked for another email/password (of someone else affected who reported it here on HN and contacted me via email) and no result as well.
This would explain all the data I’ve seen so far, including LastPass’ reaction.
Speculation: LastPass might use this message even if someone tries an old password? Does that fit the data so far?
I just tried my old password and the error message only says to check the password -- there are no emails sent saying that someone attempted to log into my account with my password.
LastPass did change their systems, supposedly correcting for the issue that we all saw. So the test I just did also isn't really indicative of how their systems were working 2 days ago.
There are still remaining questions:
- the use of "some" and "likely" in LastPass' new announcement -- https://www.bleepingcomputer.com/news/security/lastpass-user...
- an explanation on how the false positives happened. What made the system think those attempts were using the correct master passwords?
- an assurance that no correct master passwords were used during the attack -- that they were all false positives (i.e. this attack was strictly credentials stuffing i.e. someone tried a bunch of passwords they obtained from other sources)
- finally, an explanation for the 3 independent cases where people changed their passwords and then received an email again saying someone had attempted to login using their passwords. Those emails may have been false positives as well, but we would have to know.
Just for fun, I downloaded the official LastPass chrome extension. The zip file is 32MB before unzipping, and it has 426 separate *.js files, total of 25MB of javascript. That should be a fun audit.
Edit: To be clear, nobody has said the LastPass extension is compromised, though that is one possibility.
Edit #2: Some of the larger js files do have a fair amount of the size as arrays of localized text, error messages, lists of numbers, etc. But it is still a lot of JS.
For (a totally bogus but hey) comparison, I'm shipping products which include the Linux kernel, userland (busybox plus a pile of scripts and some daemons & other utilities), "the application" (two-three hundred thousand lines of C maybe?) plus deps (including sqlite, crypto libs, etc.) and the compressed image that contains all of this easily fits in 16MB SPI NOR flash with a few megs to spare.
And how did this breached exactly happen?
i wonder if any of that is log4j ( :
In their 2019 breach, JS on arbitrary pages was able to access the contents of LastPass' own extension to obtain the last used username/password combinations. [0]
As, today, the extension now contains 25Mb of JS, making it difficult to audit, I wouldn't say that it has to be someone else's fault until proven.
[0] https://bugs.chromium.org/p/project-zero/issues/detail?id=19...
The previous thread had password never typed, copied or used for years. Unless we are talking about multiple vector, otherwise browser extension doesn't fit most of the reported scenario.
Impending company changes also raises the possibility of an insider attack.
> Is there anything more infuriating than this type of error message?
Well the other classic move by webshits is to have you stare at a spinner indefinitely.
From 2019: https://www.reddit.com/r/Lastpass/comments/afmfop/cant_delet...
From 2020: https://twitter.com/jowouters/status/1222438393981886464
There's a ton of those posts. Some in the official LastPass forum as well, and the response from LogMeIn was basically that the account was deleted.
(It's of course crappy, just saying that this behavior is nothing new and probably just something they don't care about enough to fix..)
Keeping my secrets store on someone else's computer is simply not compatible with my threat model.
Yes, they say it is encrypted, and I believe them and believe they're competent.
But competent people write vulnerable code all the time, disastrously bad hires happen (see Unifi), and companies go bad. You can't un-disclose information stored with them, only laboriously invalidate it.
The only thing I pay for is the managed hosting, but in theory it's not much different than anything else properly designed (e.g. bitwarden) aside from the obvious things, such as OSS-ness.
The only relevant CVEs are relatively mild compared to LastPass.
Give them some credit.
I had 2fa enabled on my LastPass account, but didn't have access to the phone anymore. I clicked a link, LP sent me an email, and I was able (through that email) to remove 2fa.
It doesn't make their 2fa completely useless, but it's not great.
Some of our skulls are so thick you’d need at least a $10 wrench
You can be forced to disclose your secrets but you will know they were compromised, that's encryption doing its job.
There's a world of difference in knowing.
It's a free open source app that runs on your local machine and stores your passwords locally - never uploads your passwords to a server. But it does this securely.
And you can run it on multiple machines (and phones) and transfer the passwords (the vault) without ever uploading anything to servers.
If you like to have synced database between devices with minimal risk of exposure I would recommend setting it up to use a master password AND generated key file. I do this, then sync my database to cloud/butt and just keep my key file offline and on device only.
Edit: I believe you can also use a FIDO/U2F key (yubikey, google titan, etc.) in place of a key file but 2 password lock is great even if someone guesses your master password, the database is still useless without the 2nd key.
My threat model is 100% aimed at remote attacks/hackers. I could not care less about law enforcement. I also use a hardware backed second factor.
A computer will always do a better job at generating\remembering passwords.
hardware 2FA is definitely a good idea.
Important questions might be how secure is your computer (encrypted HD, multiple users, etc), what incoming services have you enabled (ssh?), does your computer ever travel (is it a laptop, is it prone to loss or theft), and how secure is your apartment/house (is a robbery plausible).
The main thing a desktop file is, for most people who use password managers, is inconvenient. Without some kind of remote access at home, it might mean not having access to passwords when doing errands or traveling, any time when not physically at home. But with remote access, the password file access does become riskier, that does become cloud access where you’re responsible for the security of all methods of remote access (are any ports open you don’t know about?).
Having my password manager on my phone has been incredibly useful at times.
The number of times my home's been broken into: 0 (and based on news, virtually all of burglars are just looking for jewelry, wallets, and similar stuff and they won't bother trawling through your papers for passwords).
The number of times I've had devices on my network that run some hastily put together vendor firmware that was last updated six years ago: too many to count.
The number of times I've had to rush to update/patch my own computers to fix a newly disclosed remotely exploitable vuln: quite a few.
The number of times I've actually witnessed attempts at trying to exploit said remote vulns: too many to count! Sometimes mere hours after I've patched my stuff.
The number of times I've known I've had malware: at least a couple times (admittedly long ago, back when I ran Windows..).
I just don't trust keeping personal passwords on online connected computing devices. And password managers are a very lucrative target today (plus it tends to be all eggs in one basket for most people!).
I do keep passwords for employer's stuff in a password manager but not on the same device(s) I use said passwords on; even if you had malware on my work laptop, you wouldn't get my master password, nor would you be able to grab my password database. Passwords are also not stored on any third party service.
The price I pay is a relatively minor inconvenience. (I do have plans for something more convenient though!)
You can sync the encrypted files to your phone or other computers.
KeepassXC requires authorizing a plugin, and authorizing specific sites before it releases a password.
One of the reasons I haven't moved over to NeoVim is because they removed this feature, because supposedly it's not perfect or something. So sure, the NSA may be able to still be able to extract my passwords if they arrest me and take my computer, but the point is that random people won't be able to.
EDIT: Also, if you don't know, Chrome also supports passwords export/import, so it not any more vendor-lock-in than any other password managers.
I've done the same transition. I was too lazy to install a password manager and didn't care enough about my online accounts. Now I have strong passwords on all my accounts and they propagate to my Android apps automatically, without me having to do anything. I also trust Google's security.
I use passwords on my iPhone, MacBook, and Windows, so I need a manager that can provide passwords across all of those (and not just in a browser)
Because then you are locked into Chrome and some people prefer the freedom to switch browsers at any time
I, for one, wouldn't use any security-critical software where the client isn't open source.
(The server side doesn't matter for security for the same reason trust in the company shouldn't matter. No secrets should leak to the server.)
To confirm, you would have to basically get access to all the stuff that has been sold, as the malware is pretty widely sold and distributed it is effectively ad infinite data set, and constantly growing.
A previous responder checked with a security researcher who has a Redline Dataset and was not in there. Some of the annecdotes suggest it is from an old breech likely before 2020. Given the age and how these things get bought / sold / compiled into bigger datasets, there is a fair chance that researchers have the data and hopefully lastpass can dig into it to find the source.
I switched to using icloud keychain a while back, after a breach LastPass had a few years ago.
Attacker with MP + email access is pretty severe.
I wish more services used email as a 2FA instead of SMS.
Obviously it's not as nice as having a cloud service, but it's open-source and doesn't require trusting a third party, which I like.
Tons of people who are very aware and capable have been phished successfully. If you think it isn't likely, you are likely vulnerable.
"Not very likely" is just obviously not true—phishing is a very common attack, and companies like Google have adopted security keys to protect against it.
I can smash your door in, or simply break a window. The difference is you’ll definitely know I did it. But unless you in the routine of checking your lock pins for scratchmarks, you probably wouldn’t know if someone picked the locks.
- Use multiple browsers
- Sync even if <browser vendor> screws you over and terminates your account
- Store things other than passwords. Credit card numbers, PGP keys, SSH keypairs, etc
- Backup the database to my own storage
Export/import is not enough. If I use Chrome, then import to FF, then add a password in FF; now Chrome is missing some data. You need to be able to sync, not just import.
For high-value logins, I use Passwordsafe. It's annoying; the scroll behaviour is annoying, and it's Windows-only, which is sad. But it's resolutely local and un-networked, and I'm confident that my secrets are well-protected by my (complex, long, memorized) master password.
I stopped using LastPass a long time ago, but this has definitely put them on thin ice for me, I won't be recommending them going forward.
One [incident] reporter claims they changed their master password and had a breach attempt using the new password. If that is true that is extremely alarming.
There could be some malware targeting a LastPass extension or app cache somewhere, but that is groundless theory on my part.
As you mention yourself at the end, there are other plausible explanations (e.g. malware on the machines).
If it is something like a keylogger, not so much.
There's 4.3 megabytes of plain text in the KJV bible. Is LastPass' localization longer than the bible?
File count is not a good metric of complexity nor is an indicator of the quality of an application. There is a good chance a lot of that are packages that have been packaged up into the extension. Lastpass itself is not a super trivial application, either.
There's a lot of room between "super trivial" and "needlessly complex" -- it shouldn't be either.
Trusting a cloud-based third party with my passwords is a non-starter for me.
That would require them to store password hashes unsalted and using the same hash function & number of rounds as the online dumps of compromised hashes. If that's what's going on, then that would be good reason to immediately abandon said program.
Password databases are supposed to encrypted, so without the master password they also won't see see the rest of the hashes in the db to see if they reused the master password. So no, they won't know which passwords are compromised unless there are some absolute design disasters going on.
> None based on my experience with the service. Each time you login from an unrecognized device or IP, you receive an email and have to confirm the login.
Ok, that is good to hear. Still, they shouldn't have any way to really know which passwords are compromised. I guess they could have blanket-rejected all logins from unknown IPs and make the claim above (putting some PR spin on it). That'd be quite meh.
> No. And they probably won't ever be able to. And probably neither will anyone else.
Then they should not make a statement saying so, because it is bullshit until proven otherwise. If they don't know how these passwords got compromised, they should say as much. But they've determined:
"LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services."
If that isn't bollocks, then I'm really curious how they determined anything. And if they actually didn't determine anything, then I really don't think they should post a statement like this.
> Well I can imagine a few things going on. Like that 60% reuse number in
> duh I was just connected through a VPN in Europe.
> I have seen people bullshitting here.
All plausible theories. If it were one or two people, I'd consider "user error" a very likely explanation for this (it wouldn't be the first time someone freaks out and it turns out to be nothing). But right now, 20+ different people on HN? To be fair, many of these are green (that's a bit suspicious but I'd totally understand wanting to protect identity when admitting your passwords may have been breached) but we also have quite a few old users.
I just have a really hard time believing such a number of pebcaks all of a sudden come in swarms and lie on HN about using a random password that was written down and never used anywhere else (or such). That would be unprecedented here. One or two, again I'd consider it, but this is too many for me. I think if people here reused their passwords, got it compromised, and were embarrassed about it, they probably wouldn't announce it at all or at least they wouldn't fabricate a lie. As much as I think there are dumb and embarrassed people out there, I just don't buy that everyone here is lying.
Also, reusing any random password is not at all the same as reusing your master password. I'm sure someone will reuse that too but it's quite different level. I reuse plenty of passwords for irritating services that mandate a login but which I don't care much for. I'd assume the frequency of reuse among technical users would be far less than 60%.
> As has been theorized elsewhere, it's very possible we're seeing early signs of the results of the log4j exploits.
That sounds again plausible, except for the cases of people who got theirs compromised even though they haven't used it in years. Who do you exploit to get the master password that was last typed in 2017?
Long running malware (including malicious extensions) on the users' PCs is also plausible but again I'd be a bit disappointed to learn that it's been going on for years and nobody noticed until now?
I'm also not betting on any one theory. I really hope we do get to the bottom of this though.
Even if you don't have the precomputed hashes, you can still bruteforce using a wordlist.
>Password databases are supposed to encrypted, so without the master password they also won't see see the rest of the hashes in the db to see if they reused the master password. So no, they won't know which passwords are compromised unless there are some absolute design disasters going on.
You don't need access to the database to pull this off, just a wordlist obtained from prior dumps/leaks.
I don't believe this happened though.
It's an interesting game: Reputation is essential to their business. Admitting a breach will harm their reputation, denying it and then getting caught will harm it a lot, but denying it without being proven wrong will probably harm their reputation less (than an admission).
Personally, I'd rather trust a provider that admits a breach, provides transparency, demonstrates good incident response, and hasn't shown complete incompetence from the breach than a provider that has credible rumors of a breach and no good explanation, but I think I'm in the minority here.
Notably, TeamViewer had one of these "rumors but denying a breach and claiming credential stuffing" cases (they later admitted that they also had an earlier but unrelated intrusion that they kept secret for three years, which doesn't help). I think that if it was more than credential stuffing (that's a big if, the credential stuffing explanation is plausible), the strategy worked much better than admitting a breach.
Neither way “must” they have stored your master password.
The issue is when you want to access that paper remotely or on the go. Then it becomes a really bad method.
Not necessarily. See https://xkcd.com/936/
...and, those are the only things that really matter for an attacker. Encrypted data (assuming reasonably strong encryption) is useless without the key.
> The only thing I pay for is the managed hosting
Funny, I was happy to pay them until they removed my ability to store it myself.
edit:
> CVEs are relatively mild compared to LastPass
LP is not the relevant comparison. The relevant comparison is an encrypted store on my laptop.
Wait wait, what do we know about the scale of the attack and how?
Even if the attacker had every single LP master password, that says nothing about how much resources they're spending hammering the service.
If the attacker got a hold of the raw passwords, then the speed of compromise could be easily thousands of accounts per hour. Just set up a bunch of TOR clients and bruteforce over that, or pay $10 for a few leaked VPN account credentials.
Anyway, we still have no idea what the scale of the attack is or when exactly it started (IIRC someone reported this happening much earlier this month).
- Thanks a lot for the great summary!
- To me, the hardest to understand is now 3 reports of people changing their passwords, and then receiving a new "Someone just used your master password to try to log in" email. That's mind boggling.
Edit: Looks like some Yubikey work via nfc for mobile.
That seems like a usability nightmare. Are there plans to improve this? Hardware wallets for cryptocurrencies seem to have it solved. You can keep multiple copies of the keys around (ie. multisig wallets) for maximum security, or you can write down the private key of the device you have and store it somewhere safe. In either case you can retain the public keys so you don't need access to the device if you want to send funds to them (or in the case of authentication tokens, enroll them).
3 copies of your 2-factor, 2 different mediums (a Yubikey and recovery tokens printed on paper), at least 1 in a different location (safety deposit box, trusted family members house, etc).
The Yubikey OTPs work if Yubikey is connected to a phone via USB (Type-C). Not sure about Fido/U2f etc though.
Not sure what I can do about that.
Pass with a git repo satisfies some of those requirements, but it isn't very user friendly for non-technical users, and fine grained access controls and groups is tricky.
What's the risk of keeping the keyfile/password on your device(s) but uploading the database to the cloud? Assuming your keyfile has enough entropy (eg. 256 bits), your database is good as useless without the corresponding key file.
Do you own assessment of all of the "maybes", and come up with your own conclusion and practices. Someone else's hard drive is not to be trusted, but it is convenient.
Password management, afaik, still needs a zero-knowledge cloud-agnostic solution that is easy to set up and run. There are the big boys (1password, bitwarden, LastPass) and then there are local-only solutions; in between, where the sweet spot should be, there is only a bunch of hacks. The issue is monetization - the incentives for that side are towards centralizing.
Sometimes the devil you know, you know?
That said, if their closed-source browser extension is leaking my master password to random websites I'll cut them out of my life tomorrow.
Yubikeys do solve a lot of use cases very well but that is a downside to them. That is probably still a good tradeoff for most consumers.
You don't necessarily have to do it crypto wallet style and have the private key be exportable. Just adding a public key export (on the security token side) and a way to enroll a token by its public key (on the browser/website side) would allow you to enable 2fa without having to make a trip to the safe deposit box (either to store your backup codes, or to fetch your backup token for enrollment).
>Each token from the yubikey is not (readily) linkable to the key itself since the underlying secret is opaque and can't be exported
That's not an issue. You can derive more ECDSA public keys from a single master ECDSA public key[1]. The corresponding private keys can only be derived using the corresponding master ECDSA private key, and the generated public keys can't be linked back to the master ECDCSA public key. Bitcoin hierarchical deterministic uses this property to generate wallets that don't need regular backup (all your addresses are derived from one key) and apple's find my network uses something similar.
[1] exact mechanism is described here: https://bitcointalk.org/index.php?topic=19137.msg239768#msg2... starting at "Type-2 is a bit less obvious [...]"
Google have apparently some plans to address this problem in the medium term. Adam Langley has written vaguely on this subject before. In the short term, their priority is the trick he wrote about most recently - if your Android phone is enrolled as a Security Key with Google, and it's signed in to Google because it's an Android phone, and you use Chrome on a desktop, which is also signed into Google, the Chrome can use Bluetooth to determine if the phone is physically nearby and if so propose to authenticate your desktop Chrome to a remote web site using the Android phone. Elegant, albeit not suitable for those who fear lock-in.
I get the motivation behind it, but the mechanism I proposed in the last comment still preserves those properties? Each site would still get its own derived ECDSA public key. The master ECDSA public key would only be shown to the user and is to be kept within the browser. If a user wants to enroll a not-present security token, the browser will take the ECDSA public key and derive a public key to present to the site, so the site still can't track users using security tokens.
The relying party says "I am some.example and I want to enroll a Security Key, but, not ones which recognise these huge random-looking IDs that are already enrolled: 12345678, 34561234. I also picked this random nonsense XYZXYZXYZ. Go for it" and your browser talks to your Security Keys until it finds one that isn't already enrolled, gets that one to sign the appropriate message and sends back, "I am a web browser, I checked that you are some.example. I picked my own random nonsense XXXZZZ, and a Security Key picked public key ABCDEF, then to prove it knows the private key it signed this message for some.example mentioning XYZXYZXYZ and XXXZZZ and with bitflags it understands enough to know what it's signing. It says the resulting credentials have random-looking ID 98765431. Thanks". /s/Security Key
If the Security Key cost less than a low-end Yubikey, it has no storage. That random-looking ID is in some sense your private key for the site, but suitably encrypted, e.g. with AES in Galois/Counter Mode, so that the device needn't remember it, when a site asks keys to authenticate, it must provide the ID they're authenticating against, and so they can do AES GCM, figure out if they minted this ID, and if so recover the private key and authenticate. This is fiendishly clever, but so far as I can see renders your idea impossible.
This seems like the main blocker. Why is that required? In theory all the site needs is a public key to verify against.