LastPass vaults leaked to hackers

LastPass have been acting weird for a few months now. Never liked the idea of a company having a backup of my password vault anyway.
 
Looks like everyone is vulnerable to hacks, don't use them only Google and Samsung but can happen to any one of them.
 
Grrr, I changed my master password for now. Will be looking into changing to something else when I have more time to look into it, like 1Password or Bitwarden ...
 
I used to use LastPass but swapped to Bitwarden a couple of years ago. They are very similar. That said, I have to use a manager, I just hope LastPass completely deletes accounts of users who cancel their service. Otherwise it could be a real mess for users and former users. Also, in this case, changing master password may not prevent exposure since it seems the hackers got a copy of the vault and have plenty of time to brute force accounts. May have to change all the passwords for saved accounts.
 
You are correct, changing the master password won't do anything as the master password will always be the same on the key files that were exfiltrated. People will need to change all of the passwords that were stored in their LastPass vaults.
 
That said, I have to use a manager, I just hope LastPass completely deletes accounts of users who cancel their service.

Pretty sure they do. As to the issue at hand, here's their update from a couple days ago.

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Long story short, as long as you use a strong master password and follow their default settings, it would take "millions of years" to guess it. I have taken issue with them on something else in the past, but I trust that statement on this one. From what I've seen and understand of their encryption, even a group like the NSA would have trouble breaking into a user's vault without the master password. A couple of extra points to note:

-It's recommended to change your passwords about every 6 months or so.

-They do caution of possible phishing attempts for your master password based on data obtained from other breaches not related to this one.

So while it could be recommended to change your passwords for this, it's something you would already be doing anyway if you really cared that much about your security. If you don't, it's a risk you're already accepting. Phishing is a constant threat, which we should all be on the lookout for anyway. Thus, this is not some "sky is falling" announcement in my opinion. It's important to know, but I'm not getting super worked up about it.
 
