LastPass Hacked

Lastpass.com deals are quite popular on this site. Not sure if this is the right section to post in, but this is just a post to let LastPass account holders know that there has been a security breach on their servers.
I encourage everyone who has a LastPass account to change their master password immediately.
http://money.cnn.com/2015/06/15/technology/lastpass-password…
http://time.com/3922406/cybersecurity-hacker-password-online…


Comments

  • I got an email from LastPass… which basically said "Don't worry, we have this under control!"

    Yeah, nah. Changed my password right after that.

  • Thanks for the heads up, but it might not help much if the DB is copied. Save the worry and don't upload your passwords to the cloud.

    • From their statement:

      In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

      Site passwords should be fine.

  • +1

    I was right all along. https://www.ozbargain.com.au/node/152613#comment-2112474
    Look at all those neg votes.

  • Hmm, true. So are there any secure alternatives to LastPass?

    • Made the move from Dashlane to KeePass with master password + key file stored on a USB drive earlier this year. Although cumbersome, I think it's a pretty good setup.

    • A well-trained memory and imaginative, memorable passwords. Seriously. If I can manage to remember 20-30 passwords off the top of my head, that all have alphanumerics, caps and symbols, then so can anyone.

      That which is used… etc.

      • How long are your passwords? How do you remember which password goes with which?

        Sounds like an extraordinary feat of memory which frankly I do not believe.

        • My personal passwords are between 8-15 characters; work passwords are around 7-10. Quite often in a language other than English, just for added sophistication and ease of memorisation (given I don't use the other language that often). As for tying passwords to accounts, many of the more, shall we say, critical accounts have passwords that are more personal/intimate and reference things of a private nature, as opposed to throw-away accounts that may have a dictionary word here or there (mixed in with some gibberish); I find that helps build a mental hierarchy attached to passwords that quickly allows you to distinguish between important and throwaway accounts.

          I will concede that, given I work for an IT Managed Service Provider, it's kind of routine for me to be keeping track of and typing passwords continually, thus getting them memorised (I think at one point I had about 40 committed to memory), especially due to muscle memory/finger placement, which should in fact be part of password creation (though remembering them without a keyboard can be a bit tricky). But once you are in the habit of manually typing them out every few days, it becomes significantly easier to remember passwords.

      • +1

        If I can manage to remember 20-30 passwords …

        Unfortunately I have about 200+ passwords in my LastPass account. I could probably remember at most 5-6 at best.

  • I went through the settings today and found that they have 2-factor authentication via a Google mobile app. Highly recommend.

  • +1

    Meh, I'm not worried.
    LastPass specifically hashes the passwords 5,000-10,000 times, depending on the setting, to make brute-forcing impractical.
    The worst that came from this hack is that the password reminders were taken too, a lot of stupid people make reminders far too relevant.
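    The two properties the comment above leans on, the per-user salt and the iteration count, as an added example written for this thread (not LastPass's own code; PBKDF2-HMAC-SHA256, the 16-byte salt, the iteration counts and the sample passwords are assumed, not LastPass's real parameters):

    ```python
    import hashlib
    import hmac
    import os
    import time

    # Assumed parameters (not LastPass's real ones): PBKDF2-HMAC-SHA256, 16-byte salt.
    HASH_NAME = "sha256"
    SALT_BYTES = 16


    def derive_auth_hash(master_password: str, salt: bytes, iterations: int) -> bytes:
        """Stretch a master password into a 32-byte authentication hash.

        Two properties matter once a table of salts and hashes has leaked:
        the per-user salt stops one precomputed table being reused across
        accounts, and every iteration multiplies the cost of checking a guess.
        """
        if iterations < 1:
            raise ValueError("iterations must be at least 1")
        return hashlib.pbkdf2_hmac(HASH_NAME, master_password.encode("utf-8"), salt, iterations)


    def new_user_record(master_password: str, iterations: int = 10_000) -> dict:
        """Server-side record: the salt and auth hash (what the statement says was
        exposed), never the master password or the vault key."""
        salt = os.urandom(SALT_BYTES)
        return {"salt": salt, "iterations": iterations,
                "auth_hash": derive_auth_hash(master_password, salt, iterations)}


    def verify(master_password: str, record: dict) -> bool:
        """Re-derive from the stored salt and compare in constant time."""
        candidate = derive_auth_hash(master_password, record["salt"], record["iterations"])
        return hmac.compare_digest(candidate, record["auth_hash"])


    def seconds_per_derivation(iterations: int, samples: int = 3) -> float:
        """Best-of-N wall-clock cost of one derivation on this machine. It is also the
        floor on the cost of testing one guess against a leaked hash, which is why the
        iteration count, not just the salt, decides how practical brute force is."""
        salt = b"constructed-salt"  # fixed constructed value so timings are comparable
        best = float("inf")
        for _ in range(samples):
            start = time.perf_counter()
            derive_auth_hash("constructed sample password", salt, iterations)
            best = min(best, time.perf_counter() - start)
        return best
    ```

    Calling seconds_per_derivation for 5,000 and 100,000 iterations side by side shows how raising the count in the settings moves the per-guess cost, while two records created from the same master password still carry different hashes because of their salts.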

  • What's more worrying than LastPass being hacked (as their data is encrypted) is that they have just been acquired by LogMeIn.

    https://blog.lastpass.com/2015/10/lastpass-joins-logmein.htm…

    LogMeIn famously ruined Hamachi (a lightweight VPN client) after acquiring them 8-9 years ago. Most places I read said that it's bad news for LastPass users, and I still have 600+ days of premium subscription under my account.

  • Another interesting article I read today: "Even the LastPass Will be Stolen, Deal with It!". A bit technical, but here are their recommendations for LastPass users:

    • Use the binary version of the plugin
    • Do not store the master password
    • Activate the new Account Recovery over SMS
    • Audit your vault for malicious JS payloads
    • Don’t use “password reminder”
    • Activate 2FA
    • Add country restrictions
    • Disallow TOR logins