Looking for comments on this security incident at LastPass

Everything that is reachable over the network is attackable….

for sure but do you believe their claim in the announcement about the zero.. blah blah?

Forgot to post this yesterday. Seems like their customer data isn't affected and if they've done it right like they claim, there's nothing an attacker could do. But still it's the 4th or 5th incident, which is too much in my opinion.

Absolutely safe. Even it was breached, passwords are encrypted AES-256 before sending to their servers. Without knowing the master key used to encrypt them, used by each users, there’s no issue.

BUT.

As @regnor says, this is the fourth/fifth time that something like this happens to LastPass, and that’s not a good things to their reputation...

I think it’s good that they communicate the issue transparently.

But this could be a problem, depending what the background is:
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.”
Is the same weakness used as in August? Did they use customer password obtained in August and the customer did not change their passwords?

And regarding the Zero Knowledge… Seems that all password are AES-256 encrypted on your machine before they are sent to the LastPass Server. So, they should not know any of your saved passwords….

This is the scary part that they keep trying to get in there.  I have LastPass but mainly use Dashlane instead for my password management and always keep things secure with randomized 40-character passwords, etc.  Also, MFA when available is always turned on.  I believe LastPass does that too.

They do seem to be secure based on their model, but you never know right nowadays.

Maybe guys give a try to Bitwarden or 1Password!

The paid version.

I have 1Password as well and tried Bitwarden.  The Dashlane I have is the paid version.

I love the fact that the spoke up, else they will end up like Uber's former CSO Joseph Sullivan :-) Maybe they could increase their security) 

Fun fact: Apple employees adopted while ago 1Password.

well it say so as i say AES-256 but not sure attackers now a days more smart and intelligent .. 

Nono mate, it’s purely mathematical :)

Using 256 and super strong password is safe, even with rainbowtables.

Hopefully the attackers have not managed to modify the part that handles the Master Password mechanism. From the announcement it does not seem like it. 

I like keeping my passwords separated, personal and professional use.
For the personal ones, I use apple password ring, so everything works and shares ok.

For personal critical passwords, like bank, I still using brain, no stored anywhere.

For the work ones, we use a net solution, Passbolt, implemented on-prem, and as a backup, local keepass installation importing the backups from Passbolt periodically, just in case the infrastructure is affected by any threat.

I think it´s very cool to store and use password vaults to make our life easier, but always have a plan b if something goes wrong, and be prepared if you get hit, to move as quick as possible with a fix!

cheers.

An update from LastPass. It does look quite bad. 

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Very bad. Won't be using them again for passwords.

Hard to see how they can survive this but.. you never know

There's an update regarding the breach. While it doesn't mention Lastpass, I thought it would still be interesting to read.

Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.

https://www.goto.com/de/blog/our-response-to-a-recent-security-incident