Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Lastpass Security Breach

  • 15-06-2015 7:00pm
    #1
    Registered Users, Registered Users 2 Posts: 51,054 ✭✭✭✭


    People using it should change their master password
    We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
    We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
    Nonetheless, we are taking additional measures to ensure that your data remains secure, and users will be notified via email. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
    If you have a weak master password or if you have reused your master password on any other website, please update it immediately. Then replace the passwords on those other websites.
    Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.
    Security and privacy are our top concerns here at LastPass. Over the years, we have been and continue to be dedicated to transparency and proactive measures to protect our users. In addition to the above steps, we’re working with the authorities and security forensic experts.
    We apologize for the extra steps of verifying your account and updating your master password, but ultimately believe this will provide you better protection. Thank you for your understanding and support.
    Joe Siegrist
    & the LastPass Team

    https://blog.lastpass.com/2015/06/lastpass-security-notice.html/


Comments

  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Bit of a stinger, but good that they were open about it.


  • Registered Users, Registered Users 2 Posts: 633 ✭✭✭Idioteque


    Not so good considering they knew about it on Friday and yet the vast majority of users are finding out about it from 3rd party websites today..or in my case, on my HTC blinkfeed :mad:

    They haven't emailed anyone yet and if you visit their homepage, you would know nothing about it either...really badly handled.


  • Registered Users, Registered Users 2 Posts: 1,835 ✭✭✭BoB_BoT


    Idioteque wrote: »
    Not so good considering they knew about it on Friday and yet the vast majority of users are finding out about it from 3rd party websites today..or in my case, on my HTC blinkfeed :mad:

    They haven't emailed anyone yet and if you visit their homepage, you would know nothing about it either...really badly handled.

    Have you read the site at all? It's on the bottom of the page where the news-feed normally is. They've also answered the questions about "why haven't I gotten an email" there.

    I don't see the problem, it takes time to investigate these things to see if there was an actual breach. They're very open about it, when they could have tried and covered it up or play it down.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Just received my LastPass email now:
    Dear LastPass User,

    We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised.

    We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.

    We apologize for the inconvenience, but ultimately we believe this will better protect LastPass users. Thank you for your understanding, and for using LastPass.

    Regards,
    The LastPass Team


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    They've handled it about as well as they could have and there's no immediate risk at least. Still, it'll probably be the kick up the arse I need to finally go get a Yubikey.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 633 ✭✭✭Idioteque


    BoB_BoT wrote: »
    Have you read the site at all? It's on the bottom of the page where the news-feed normally is. They've also answered the questions about "why haven't I gotten an email" there.

    I don't see the problem, it takes time to investigate these things to see if there was an actual breach. They're very open about it, when they could have tried and covered it up or play it down.

    Yes I have read the site, have you? It's actually contained within the newsfeed as 1 line item - hardly calling attention to it. The homepage should have had a very obvious "customer alert" to draw peoples attention to it.
    Equally, I get the time to investigate it, but they could have easily emailed the text of the blog post at the same time as they posted it.

    Quite a lot of others have complained at the same thing, don't get how you can't see it being a problem. They obviously want to downplay it as it the core of what they do..unlike some other websites that get hacked, the impact effects their key business justification for them existing.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Idioteque wrote: »
    the impact effects their key business justification for them existing.

    It depends. I think if you're using a service like this that you should assume it's compromised and work accordingly. It shouldn't prevent you using it in theory. I use keepass and I assume that my keepass archive is fair game. If you want to take a crack it decrypting it, good luck. I made the key strong enough that unless there's a crypto flaw somewhere even a well funded nation state would have trouble.

    Honestly I just assume lastpass is NSA'd anyway and that's why I use keepass. If you were the NSA you would be *mad* not to slap them with some kind of court order forcing weakened crypto or a straight up back door.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Khannie wrote: »
    It depends. I think if you're using a service like this that you should assume it's compromised and work accordingly. It shouldn't prevent you using it in theory. I use keepass and I assume that my keepass archive is fair game. If you want to take a crack it decrypting it, good luck. I made the key strong enough that unless there's a crypto flaw somewhere even a well funded nation state would have trouble.

    Honestly I just assume lastpass is NSA'd anyway and that's why I use keepass. If you were the NSA you would be *mad* not to slap them with some kind of court order forcing weakened crypto or a straight up back door.

    Hi Khannie,

    I agree that using Lastpass risks handing over the hashes of all your passwords to the NSA - provided they can be subpoenaed that makes it too risky!

    Do you store your Keepass archive offline may I ask? I used to use it but I have had trouble getting it to run reliably on Linux.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I keep it offline, yep, with a copy on a server that I can SCP from in the event that I need it (and also for syncing).

    It works fine on Linux for me. I use various Lubuntu's mostly. I had to do a full install of mono (mono-complete) to get the plugins to work that allow browser integration though.


  • Registered Users, Registered Users 2 Posts: 633 ✭✭✭Idioteque


    Good point re expectations of using this type of service. I suppose to me it's a step above using the same password on every site and one more above that if you use 2stage auth.
    It has made me rethink my effort levels and begin to look at better alternatives which will invariably take more effort but be worth it in the long run.


  • Advertisement
  • Closed Accounts Posts: 3,006 ✭✭✭_Tombstone_




Advertisement