LastPass Vulnerability

SOHOtechRob

If you didn't see it already:

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.
https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
 
Wait a sec, I was told by 3 websites that on Monday, LastPass announced that hackers broke into its computer system and got access to user email addresses, password reminders, and encrypted versions of people's master passwords.
According to CNN and 3 other news websites. But according to a few other computer security websites, encrypted passwords were not touched, though I find that hard to believe.
 
FYI, this issue has already been repaired. "For its part, LastPass has fixed the flaws quickly, pushing out an update less than 24 hours after Ormandy's tweet."
 
Yeah, but it doesn't appear to be in the wild, and from the description, it sounds like you'd have to have an already compromised system in order to exploit this. If that is going on, you already have bigger problems.

I'm not sure why you always defend these kinds of issues. This is an easily found security fail, but what about the ones the "white hats" haven't found yet? Are they being exploited? Dude, quit defending shoddy security practices at what is supposed to be one of the most secure applications/companies.
 
And what evidence do you have that is going on? By that standard, you shouldn't use a computer at all. Windows may have exploits that the white hats haven't found.

The truth is that most exploits "hackers" use are reverse engineered from patches rolled out for various products. Because people are poor at keeping Java and Flash up to date, you risk getting hacked every time a new patch is released. Example: OpenSSL had an exploit found whose code was in place for two years. There was no real evidence that the code had ever been exploited.

And you claim that LastPass is shoddy, yet where are the reams of security breaches and password files being posted online from LastPass?

Considering that LastPass is an obvious potential target, the lack of any real breaches says much for how secure the product is.

LastPass has had breaches. Last year the hash files for the master passwords were taken. But unless you picked a really bad password that whoever has the hash file has already cracked, they can't make use of them. At least not immediately, as it would take considerable computer power to crack the hash. And I changed my master password, so the hash they got for me is useless. I've really not heard of any accounts being compromised because of that.

Yes, there can be risks using a password manager. But I think the benefits FAR FAR outweigh those risks. There are products with far more risk, like TeamViewer for example. TV is very secure, but only if you change the defaults and practice good password management.

I defend it because I think it is safe. When it stops being that I will not.
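As an added illustration, not part of any post in this thread and not LastPass's own code, the Python below models the artifacts the notice lists as compromised (email address, per-user salt, authentication hash) as a generic PBKDF2-HMAC-SHA256 verifier. The KDF, its iteration count, the accounts and the guess list are all assumptions. It shows the three points made in the post above: a stolen hash is only useful if the master password is guessable, the per-user salt forces the attacker to pay the full KDF cost for every guess against every user, and rotating the master password makes whatever they cracked useless against the live account.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this illustration only (not LastPass's real scheme).
ITERATIONS = 100_000          # PBKDF2 rounds the server applies to each login attempt
SALT_BYTES = 16               # length of the random per-user salt

# Constructed guess list an attacker might try first; "hunter2" is the
# deliberately weak master password used in the demo below.
WORDLIST = ["123456", "qwerty", "letmein", "hunter2", "Summer2015!"]


def auth_hash(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Server-side verifier: PBKDF2-HMAC-SHA256 over the password and the per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def make_record(email: str, master_password: str) -> dict:
    """Build the kind of record the notice says was taken: email, salt, auth hash."""
    salt = os.urandom(SALT_BYTES)
    return {"email": email, "salt": salt, "hash": auth_hash(master_password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """What the live service does at login; constant-time compare against the stored hash."""
    return hmac.compare_digest(auth_hash(candidate, record["salt"]), record["hash"])


def rotate_master_password(record: dict, new_password: str) -> dict:
    """Changing the master password yields a fresh salt and hash for the same account."""
    return make_record(record["email"], new_password)


def offline_crack(record: dict, wordlist, iterations: int = ITERATIONS):
    """The attacker's only move with a stolen record: derive each guess with the victim's
    own salt and compare. Because the salt is per user, no precomputed table helps and
    every guess costs a full KDF run for every account."""
    for guess in wordlist:
        if auth_hash(guess, record["salt"], iterations) == record["hash"]:
            return guess
    return None


def guesses_per_second(iterations: int = ITERATIONS, samples: int = 5) -> float:
    """Measure single-threaded KDF throughput on this machine to size the attack."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for i in range(samples):
        auth_hash(f"bench{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    weak = make_record("weak@example.com", "hunter2")
    strong = make_record("strong@example.com", "orbit-velvet-ladder-9-kestrel")

    cracked = offline_crack(weak, WORDLIST)
    print("weak account cracked with:", cracked)                  # hunter2
    print("strong account cracked with:", offline_crack(strong, WORDLIST))  # None

    # The victim changes the master password: the cracked value no longer logs in.
    rotated = rotate_master_password(weak, "new-and-much-longer-master-phrase")
    print("cracked password works on old record:", verify(weak, cracked))      # True
    print("cracked password works after rotation:", verify(rotated, cracked))  # False

    rate = guesses_per_second()
    print(f"~{rate:.0f} guesses/s per core at {ITERATIONS} rounds; a 10^9-entry list "
          f"against one user would take ~{1e9 / rate / 86400:.0f} days on this core")
```

The throughput figure is the practical reading of "considerable computer power": each extra bit of master-password entropy doubles the attacker's work, while the iteration count sets the price of every single guess. A password found in a common wordlist falls in seconds regardless of iteration count; the rotation step is what actually closes the exposure for anyone whose hash was taken.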
 
I don't know anything about these tools, but I do follow the guy who found an/the issue and reported it to them recently; he seems to think they have an architecture issue and people should use others (from reading between the lines a bit, and skimming a lot of tweets).

https://twitter.com/taviso/status/758077243348230144

(I'm super basic I guess, I just use chrome to save passwords..)
 