LastPass users warned their master passwords are compromised


securitybreach
Quote


Many LastPass users report that their master passwords have been compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations.

The email notifications also mention that the login attempts have been blocked because they were made from unfamiliar locations worldwide.

"Someone just used your master password to try to log in to your account from a device or location we didn't recognize," the login alerts warn.

"LastPass blocked this attempt, but you should take a closer look. Was this you?"

Reports of compromised LastPass master passwords are streaming in via multiple social media sites and online platforms, including Twitter, Reddit, and Hacker News (original report from Greg Sadetsky).

https://www.bleepingcomputer.com/news/security/lastpass-users-warned-their-master-passwords-are-compromised/

Glad I moved to the open-source Bitwarden years ago.

securitybreach
Quote

LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum told BleepingComputer that "LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services."

"It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure," Bacso-Albaum added.

However, users receiving these warnings have stated that their passwords are unique to LastPass and not used elsewhere. BleepingComputer has asked LastPass about these concerns but has not received a reply as of yet.

While LastPass didn't share any details regarding how the threat actors behind these credential stuffing attempts obtained the credentials, security researcher Bob Diachenko said he recently found thousands of LastPass credentials while going through RedLine Stealer malware logs.

BleepingComputer was also told by LastPass customers who received such login alerts that their emails were not in the list of login pairs harvested by RedLine Stealer found by Diachenko.

This means that, at least in the case of some of these reports, the threat actors behind the takeover attempts used some other means to steal their targets' master passwords.

Some customers have also reported changing their master passwords since they received the login warning, only to receive another alert after the password was changed.

To make things even worse, customers who tried disabling and deleting their LastPass accounts after receiving these warnings also report [1, 2] receiving "Something went wrong: A" errors after clicking the "Delete" button.
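The LastPass statement quoted above separates two signals: bot-driven credential stuffing (one source trying many different accounts with email/password pairs from third-party breaches) and the per-account "device or location we didn't recognize" check that produced the e-mails. The script below is an added example, not code from LastPass, BleepingComputer or anyone in this thread, showing how a defender can compute both signals from an authentication log. The log format, the IP addresses, the account names, the baseline cut-off and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log for the example (not real LastPass data).
# One line per login attempt: timestamp, outcome, account, source IP, GeoIP country.
SAMPLE_LOG = """\
2021-12-27T09:00:00Z login result=ok user=alice@example.com ip=198.51.100.7 country=US
2021-12-27T09:05:00Z login result=ok user=bob@example.com ip=198.51.100.8 country=US
2021-12-27T09:10:00Z login result=ok user=carol@example.com ip=198.51.100.9 country=CA
2021-12-27T10:00:00Z login result=fail user=alice@example.com ip=203.0.113.5 country=BR
2021-12-27T10:00:01Z login result=fail user=bob@example.com ip=203.0.113.5 country=BR
2021-12-27T10:00:02Z login result=fail user=carol@example.com ip=203.0.113.5 country=BR
2021-12-27T10:00:03Z login result=fail user=dave@example.com ip=203.0.113.5 country=BR
2021-12-27T10:00:04Z login result=ok user=erin@example.com ip=203.0.113.5 country=BR
2021-12-27T10:00:05Z login result=fail user=frank@example.com ip=203.0.113.5 country=BR
2021-12-27T11:00:00Z login result=fail user=alice@example.com ip=198.51.100.7 country=US
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>ok|fail) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) country=(?P<cc>[A-Z]{2})$"
)


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text):
    """Turn log lines into event dicts sorted by time; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = _parse_ts(e["ts"])
            events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def stuffing_sources(events, min_accounts=5, min_fail_ratio=0.8,
                     window=timedelta(minutes=10)):
    """Credential stuffing looks like one source trying many *different*
    accounts in a short time, mostly failing (a user mistyping their own
    password is one account, one source). Slide a time window over each IP's
    attempts and flag the IP if any window exceeds both thresholds.
    Returns {ip: (distinct_accounts, failure_ratio)} for the worst window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            ratio = sum(e["result"] == "fail" for e in win) / len(win)
            if len(users) >= min_accounts and ratio >= min_fail_ratio:
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), ratio)
    return flagged


def unfamiliar_locations(events, baseline_until):
    """The per-account 'location we didn't recognize' check. Successful
    logins before `baseline_until` (ISO timestamp, an assumed training
    cut-off) seed each account's known countries; later attempts from any
    other country are reported as (user, ip, country, result). A reported
    'ok' is a completed takeover, not just an attempt."""
    cutoff = _parse_ts(baseline_until)
    known = defaultdict(set)
    alerts = []
    for e in events:
        if e["ts"] >= cutoff and e["cc"] not in known[e["user"]]:
            alerts.append((e["user"], e["ip"], e["cc"], e["result"]))
        if e["result"] == "ok":
            known[e["user"]].add(e["cc"])
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, (n, ratio) in stuffing_sources(evs).items():
        print(f"stuffing source {ip}: {n} accounts, {ratio:.0%} failures")
    for user, ip, cc, result in unfamiliar_locations(evs, "2021-12-27T09:30:00Z"):
        print(f"unfamiliar location for {user}: {cc} via {ip} ({result})")
```

On the sample, 203.0.113.5 is flagged as a stuffing source (six accounts in five seconds, five of six failed), and erin's successful login from it is the one alert that matters most: a reused password that worked. Alice's later failed attempt from her usual US address is not reported, because a known location is exactly what the check is meant to exclude.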

I am not seeing a "compromise" here. What I see is failed attempts to compromise users' accounts.

I get similar email notifications from Facebook and other accounts. I see them as similar to "socially engineered" attempts to "trick" users into giving up their personal information/credentials to unauthorized *******s.

I note the BC article clearly reports,

Quote

"It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party."

I think the important take-away here is to always use a unique (and strong) password on our password managers. Never, as in NEVER EVER, use the same password on your password manager as you use on any other account.

I have not received any email, but my password is fairly strong compared to most.

I'd also strongly recommend having 2FA set up for your LastPass accounts (and any other accounts that support it). I use a couple of YubiKeys to log into mine, and it's always worked well for me.

securitybreach

Yeah, 2FA is a must. I have been using YubiKeys for years now. The latest one allows me to touch it to my phone via NFC, but I have a couple of older ones that are just USB. The YubiKey stays in my wallet and is on me at all times.

A few years ago Wired offered me a subscription with a free YubiKey for $10, so I bought 5 years. At the time, YubiKeys were like 50 bucks, so I figured 5 for the price of one. I ended up giving three of them away to friends, but I do not think most of them used them. I still get the magazines but don't read them, as I have already read anything of importance by the time it arrives. Still got two of those YubiKeys.

I've thought about getting one of those YubiKeys. I also am looking into one that will securely store my cryptocurrency.

I have a 512 USB drive I keep all my IT tools on that I carry. Pretty soon we'll look like Christmas tree ornaments.

On 12/29/2021 at 8:32 AM, Digerati said:

unauthorized *******s. 

@ Admins - your obscenity filter needs a little tweaking. The word I had there was "scum bags" (but with no space). I don't think that would offend anyone, but maybe a scum bag. 


securitybreach
2 minutes ago, Digerati said:

@ Admins - your obscenity filter needs a little tweaking. The word I had there was "scum bags" (but with no space). I don't think that would offend anyone, but maybe a scum bag.

Yeah, that is an odd one to filter.

27 minutes ago, xrobwx71 said:

I've thought about getting one of those YubiKeys. I also am looking into one that will securely store my cryptocurrency.

They're honestly great. I first started using them as it's mandatory for my corporate work account, and AFAIK we've never had a successful phishing attack since they rolled out (there was some nice press coverage around this). There's a range of YubiKeys, including very small ones you can permanently leave in your machine.

I use them for my personal devices as well: a normal USB one with NFC on my keychain, plus a small USB-C one permanently in my laptop.

You can still roll out decent 2FA without them, using authenticator apps etc., but personally I find them really convenient and I like the physical security aspect.

16 minutes ago, Digerati said:

@ Admins - your obscenity filter needs a little tweaking. The word I had there was "scum bags" (but with no space). I don't think that would offend anyone, but maybe a scum bag.

I've removed this specific one.

The default word filter with Invision is veeerry PG. Not surprising, as so many companies use Invision for their communities.

I use Splash ID's password safe. There are better ones out there, but I first started using it way WAY back in 1995 with my Palm Pilot PDA.

I like it best, in part because I've been using it for so long I can do anything I want with it blindfolded through muscle memory. ;) Also, I'm stuck with an older version and that's just fine with me. The newer versions really want users to sync with the cloud and I have no desire to do that. If I was young, still working, and needed access from any device anywhere in the world, and had my cell phone superglued to my hip, then maybe. But I don't.

It doesn't just manage passwords, but just about any other information I want protected but quick access to, like credit card numbers, kid's social security numbers, software license keys, and whatever.

I've tried migrating to a more modern manager a couple of times, but keep going back to Splash ID. I suppose because moving over 600+ entries one at a time is too much of a PITA. Export/Import left too much scrambled. Plus, back to the blindfold, the new managers just are not intuitive for me.

So I stick with SplashID. It does what I want. It encrypts the database securely. It can generate random PWs of any length using just about any character, including symbols and foreign letters. Plus, it is fast.

That said, I really don't care what anyone uses. Just use one. More than once I have gone on house calls, lifted up a keyboard, opened a nearby recipe/index card box, or looked in a desk drawer and found the client's list of written-down passwords. That is IF they were not on a sticky note stuck to the monitor! :(

I used to teach "Physical Computer Security". It is amazing how many don't even think about a bad guy "physically" breaking into their home or office to steal whatever they can quickly get their hands on. It is not uncommon for a bad guy (or nosey neighbor or nephew!) to sit in your computer chair and look around to see what is within "arm's length". If it is a list of passwords, they struck the motherlode.

As a side note, for this same "arm's length" reason, do NOT have your only backup drive sitting next to your computer. If not a bad guy, a flood, fire, tornado, or hurricane could take everything out at once! Just something to think about.

58 minutes ago, Digerati said:

It is amazing how many don't even think about a bad guy "physically" breaking into their home or office to steal whatever they can quickly get their hands on. It is not uncommon for a bad guy (or nosey neighbor or nephew!) to sit in your computer chair and look around to see what is within "arm's length". If it is a list of passwords, they struck the motherlode.

Whilst true, I'd rather people wrote down their passwords and have each password be unique vs using the same single-word password for 100% of their online activity. I think in most scenarios, a burglar breaking into your house isn't going to bother with passwords, although a family member is potentially a real threat if you have anything sensitive written down.

Besides, passwords always have the "bad guy with a pointy stick" weakness...

9 minutes ago, Will Watts said:

Whilst true, I'd rather people wrote down their passwords and have each password being unique vs using the same single word password for 100% of their online activity. 

No doubt, that is a serious offense too. That's why having a password manager that is able to generate random passwords is nice. Then you only need to remember the master PW to the manager.

I admit, years ago, I had 4 - 5 passwords I used on many sites. But as more and more business sites were getting hacked :( and user credentials were being compromised, it became apparent we needed unique passwords everywhere. So now I do.

So to your point about you would rather users do this or that, sadly, users must implement all those practices, and be disciplined about it. That is, at a minimum, users need to:

Use unique passwords everywhere.

Use strong, impossible-to-guess passwords, with at least 8 characters, upper and lower case, numerals and special characters.

Never write passwords down.

Use a good password manager with a very strong password.

Keep a secure backup of the password manager database in a secure place.

And for the record, I never use, nor do I recommend using, a browser's password manager. This goes back to physical security. If others have physical access to your computer, and you don't lock your computer when you step away from it, or you have it set to not require a PW to wake it (not smart), then someone may be able to sit down at your computer, fire up the browser and gain access to sensitive sites. Not good.
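The checklist in the post above (unique everywhere, at least 8 characters with upper, lower, digits and specials, a manager that generates random passwords, a strong master password) can be turned into a script that audits an exported vault. What follows is an added example, not part of any poster's password manager or of this thread: the sample vault entries are constructed, the policy thresholds are the ones the post states, passwords are generated from the OS CSPRNG via the `secrets` module, and the report keys reused passwords by a hash prefix so that the audit output itself never contains a secret.

```python
import hashlib
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 symbols; the generator draws uniformly from this set.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 8  # the minimum the post recommends; policy value, assumed here


def strength_problems(pw):
    """Return the policy rules a password fails (empty list means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    return problems


def generate_password(length=20, alphabet=ALPHABET):
    """Random password from the OS CSPRNG (never random.random). Resample
    until every required class is present so the result passes the policy."""
    if length < MIN_LENGTH:
        raise ValueError("length below policy minimum")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not strength_problems(pw):
            return pw


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniformly random password: length * log2(|alphabet|).
    This only holds for generated passwords, not for human-chosen ones."""
    return length * math.log2(alphabet_size)


def audit_vault(entries):
    """entries: iterable of {"site": ..., "password": ...} as exported from a
    password manager. Reports entries that fail the policy and passwords that
    are shared between sites. Reuse groups are keyed by a SHA-256 prefix of the
    password so the report can be shared without echoing the secret."""
    weak = {}
    groups = {}
    for entry in entries:
        pw = entry["password"]
        problems = strength_problems(pw)
        if problems:
            weak[entry["site"]] = problems
        fingerprint = hashlib.sha256(pw.encode()).hexdigest()[:12]
        groups.setdefault(fingerprint, []).append(entry["site"])
    reused = {fp: sites for fp, sites in groups.items() if len(sites) > 1}
    return {"weak": weak, "reused": reused}


# Constructed sample export for the example; these are nobody's real credentials.
SAMPLE_VAULT = [
    {"site": "bank.example", "password": "Summer2021"},
    {"site": "shop.example", "password": "Tr0ub4dor&3"},
    {"site": "mail.example", "password": "Tr0ub4dor&3"},
    {"site": "forum.example", "password": "p@ss"},
    {"site": "vault-master", "password": "correct-Horse9-battery!staple"},
]


if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT)
    for site, problems in report["weak"].items():
        print(f"weak: {site}: {', '.join(problems)}")
    for fp, sites in report["reused"].items():
        print(f"reused ({fp}): {', '.join(sites)}")
    print(f"replacement: {generate_password(20)} ({entropy_bits(20):.0f} bits)")
```

Run against the sample vault, the audit flags bank.example (no special character) and forum.example (too short, no uppercase, no digit), and reports that shop.example and mail.example share a password. A 20-character password drawn from the 94-symbol alphabet carries about 131 bits of entropy, far beyond what any online or offline guessing attack can cover, which is the point of letting the manager generate them.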

securitybreach

Yeah but is it feasible to write down that many? You really only have two choices, a password manager or reusing passwords (horrible practice but unfortunately people do). I had to explain to my mom recently why using her birth year for her bank pin was a very bad idea. No telling how long she has done that.


securitybreach

I also had to explain why she needed a PIN for her phone. "Does your bank have your email on file? Then they could pick up your phone and easily reset your password and empty your account." She got the message then.

securitybreach

Sometimes you have to give a worst-case scenario for people to listen. And even then, a lot of people have to lose files or get robbed before they understand or listen.

13 minutes ago, securitybreach said:

Yeah but is it feasible to write down that many?

I don't know what "that many" means, but I have seen some long, handwritten lists, pages long. Another client must have 200 index cards, all nicely sorted in alphabetical order. One friend was proud of his fancy Excel spreadsheet he had made, with a prominently displayed shortcut to it named "My Passwords" on his desktop. I at least got him to rename it to something non-descript and password protect it.

securitybreach

I've seen a password file on a desktop years ago at work, and the worst part is that it was an exec. I had to report it for the plain stupidity of it.

On 12/30/2021 at 12:30 PM, securitybreach said:

Yeah but is it feasible to write down that many? You really only have two choices, a password manager or reusing passwords (horrible practice but unfortunately people do). I had to explain to my mom recently why using her birth year for her bank pin was a very bad idea. No telling how long she has done that.

I have them on paper. But then my life has simplified as I got older and there are fewer active passwords.


29 minutes ago, ebrke said:

I have them on paper. But then my life has simplified as I got older and there are fewer active passwords.

Well, to me, that means more eggs in fewer baskets! 


Will Watts
On 12/30/2021 at 5:32 PM, securitybreach said:

"Does your bank have your email on file? Then they could pick up your phone and easily reset your password and empty your account."

I only recently learned that in the US, it's common to access online banking with just a username and password. Supposedly a lot of banks don't have 2FA as mandatory; is that true?

securitybreach
1 hour ago, Will Watts said:

I only recently learned that in the US, it's common to access online banking with just a username and password. Supposedly a lot of banks don't have 2FA as mandatory; is that true?

Most offer it, but it's not mandatory.

Digerati

I have mixed feelings about 2FA. While I completely accept it adds a significant level of extra security, I generally don't like it, in particular if it involves waiting for an access code to be sent to me. And I dislike it even more if the only option is to send that code by text to my cell phone. There are still some people who don't have cell phones, or live in the boonies where there's no cell coverage, or just prefer to use landline phones.

It might be the Luddite in me (and I don't care if it is), but I do not live on my cell phone. It is not glued to my hip. I refuse to carry it with me around my house when I'm home and, being retired, I'm home most of the time. I have a home phone system that pairs with my cell phone. So I can pick up and call out on my cell from any of 5 home phone handsets located throughout the house. But it does not support sending or receiving texts through the handsets.

99.99% of my "connected" time is spent in my home office (converted bedroom) and on my PC. So those 2FA methods that send that access code via email are a little better (than text messages to cell phones), but it better come instantly to my inbox or I am going to be annoyed.

USAA bank uses a pre-determined (by me) PIN for its 2FA method that we are prompted for during log in. That's okay because I can see my PIN in my password manager when I look up the PW to my USAA account.

Sysnative uses a once-a-month method, where once a month a new code must be entered at log-in. That is fine with me too, though it reminds me how fast months fly by. :(

I don't like it if I have to wait for, then enter, a code every single friggin' time I want to log in to an account.

I tolerate [barely] "captcha" methods that require me to answer how much 2 + 3 is, or to enter the 3rd word from the above sentence. But I hate looking for a dozen boats, buses or road signs. And I hate entering letters and numbers that look like they were drawn by a baby chimpanzee with a worn-out, fuzzy brush.

I know the goal is to get rid of passwords completely. But that won't happen if the new system is more of a PITA, especially for old farts like me.

[Rant On]

I hate to complain about a problem without having a solution. And sadly, I don't really have one here. But one BIG thing that REALLY needs to happen, that can happen now, is corporate IT managers and C-Level execs need to do their jobs, aggressively enforce existing security protocols and practices, and provide those responsible for doing the actual work the resources (to include training) and the authority to do their jobs. And most importantly, those C-Level execs need to be held legally accountable when they fail to do their jobs!!!

If you dig deep and research the hacks and breaches over the last 10 years, you will find the vast majority happened because security and IT managers failed to properly secure their networks. :( The massive Equifax breach is a perfect example. More than 147 million users' most sensitive personal information was compromised. How? The bad guys exploited a known vulnerability that had a patch available months prior to the hack! Months! :angry: But the IT managers failed to apply that patch that they had in their possession! :( Why? Total lackadaisical incompetence of the security managers and IT admins, and of the C-Level execs who failed to take security seriously and give proper direction to those security and IT managers. And note too, all that very sensitive information was stored on the Equifax servers in the clear! It was not encrypted when it easily could have been.

Let's not forget that not one of those 147 million users had actual user accounts at Equifax. That credit bureau (just like TransUnion and Experian) gathered all our information without our expressed permission (or choice) from our banks, credit unions, insurance companies, and other creditors.

And was anyone at Equifax held accountable? Nope. 🤬 One exec spent a few days in jail, but not for the breach. No, he learned of the breach a few days before the public and unloaded $millions in Equifax stock before the news broke. So he got a slap on the wrist for "insider trading".

So what was the lesson learned by other IT and security managers, and other company C-Level execs? That they can continue to be lackadaisical, incompetent managers and execs because nothing will happen to them if caught. :(

The Equifax breach was one of the most egregious. But it certainly is not unique.

So my point is, if the big corporate, financial, health, and government network managers did their jobs, and were held accountable when they didn't, then maybe us little guys would not have to worry so much about the bad guys getting our passwords.

Yes, users (all of us) still need to be wary and disciplined and "practice safe computing", especially when it comes to being (or rather NOT being) "click-happy" on unsolicited links, downloads, attachments and popups. But still, the bad guys have learned the easy pickings, low-hanging fruit is NOT with us individual users, but business, organizational, and institutional networks, networks where so-called "professionals" are being paid to protect "us" and "our" personal information on those networks.

[Rant Off]

securitybreach

And that is why I use a physical 2FA key with an application instead of getting an SMS that can be intercepted.

Digerati

Yeah, I used to work in a secure facility. Our facility access cards used RFID to unlock doors and our computers. It was great, unless you forgot your card at home. Not good if you commute 50 miles to work.

Or worse, you lose your card, which fortunately I never did.

Cards and dongles, biometrics, etc. are great for accessing our computers, but not all sites support it.

I wish there was a simple, one-method-works-for-all solution.

securitybreach

Well, most of the password managers and two-factor apps available support the standard Universal 2nd Factor (U2F) and FIDO2 protocols. I use Authy as it is open source, but Google Authenticator and others support U2F and FIDO2 as well. That said, there are banks and sites that force a text message for 2FA. Luckily that is less and less nowadays. My small credit union even offers fingerprint login along with 2FA.
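Authenticator apps like the ones named in the post compute time-based one-time passwords (RFC 6238 TOTP, built on RFC 4226 HOTP) from a seed shared at enrolment and the current time, which is why the code never travels over the phone network the way an SMS code does. The block below is an added example, not code from Authy, Google Authenticator, a YubiKey or any password manager: it shows the client-side computation and a server-side check that tolerates one step of clock drift, compares in constant time and refuses to accept a counter it has already accepted, so a code captured in transit cannot be replayed. The hardware-key protocols (U2F/FIDO2) are challenge-response signatures and are not shown here. The seed `12345678901234567890` is the RFC's published test key, so the output can be checked against the RFC's own vectors.

```python
import base64
import hashlib
import hmac
import struct


def secret_from_base32(s):
    """Decode the Base32 seed an authenticator app scans from a QR code,
    re-adding the '=' padding that otpauth URIs usually strip."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then the
    'dynamic truncation' that picks a 31-bit window by the MAC's last nibble."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step).
    This is what the phone app displays; it needs no network at all."""
    return hotp(key, int(unix_time) // step, digits, algo)


def verify_totp(key, code, unix_time, last_counter=None, window=1,
                step=30, digits=6, algo=hashlib.sha1):
    """Server-side check. Accepts +/- `window` steps of clock drift, compares
    in constant time, and rejects any counter at or below the last accepted
    one so that a stolen code cannot be replayed within its 30-second life.
    Returns (accepted, counter_to_store_for_this_account)."""
    now = int(unix_time) // step
    for delta in range(-window, window + 1):
        c = now + delta
        if last_counter is not None and c <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, c, digits, algo), str(code)):
            return True, c
    return False, last_counter


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 / RFC 6238 test key
    for t in (59, 1111111109, 1234567890):
        print(f"T={t}: {totp(key, t, digits=8)}")
    ok, counter = verify_totp(key, totp(key, 59, digits=8), 59, digits=8)
    print("first use accepted:", ok, "-> store counter", counter)
    print("replay accepted:", verify_totp(key, totp(key, 59, digits=8), 59,
                                          last_counter=counter, digits=8)[0])
```

The server stores only the last accepted counter per account, which is enough to defeat replay without keeping a list of used codes. The drift window is the trade-off to watch: each extra step doubles the number of codes an attacker could guess per attempt, so it should stay at one step, with rate limiting on top.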
