[Lex Computer & Tech Group/LCTG] LastPass confirms users' password vaults were stolen by hackers

Rich Moffitt rich at richmoffitt.org
Thu Dec 29 12:29:47 PST 2022 

In my opinion the “free lunch” here isn’t so much about money as it is
convenience. The LastPass compromise affected all paid subscribers assuming
they paid for peace of mind, not just the free tier users.

Convenience can be seen both from the attacker side and the service side.
For the attacker, it’s worth going to all this effort for the “convenience”
of obtaining a huge amount of user data. For the service provider, storing
URLs and customer info behind a common encryption key is convenient for
performing certain analytics or offering certain features (like convenient
annual or monthly billing).

I’m certain all of the password manager services fall under attack
relatively frequently. As unacceptable as breaches are, they happen all the
time — and it comes down to good operational security and a bit of luck to
avoid further compromise. LastPass suffered multiple operational security
lapses leading to this compromise.

Anyway, I hope this doesn’t scare people off from using password managers.
The general public shouldn’t have to know how the sausages are made; they
just have to be informed how best to use them and what to do if they have
spoiled. In this case, I’d probably make sure multi factor authentication
is enabled for everything I care about, slowly rotate passwords starting
with the more important ones, consider using a different password
management service, cook thoroughly to at least 160°F, and enjoy.

-Rich


On Thu, Dec 29, 2022 at 12:47 PM <palbin24 at yahoo.com> wrote:

> I think this falls into the “free lunch” discussion.
> The paid subscriptions are a small price for piece of mind.
>
> Full disclosure, I use Dashlane.
>
> Peter
>
> On Dec 29, 2022, at 8:17 AM, Rich Moffitt <rich at richmoffitt.org> wrote:
>
> 
>
> The fact that LastPass infrastructure has been breached multiple times and
> are such a big target are reasons I don't feel like using them anymore. The
> vaults themselves are still encrypted, and (provided a good master
> passphrase was used) aren't likely to be cracked in a timely fashion. I'm
> actually more concerned about the plaintext URLs and other personal data
> that were scooped up as part of the breach. Some of these could include
> access tokens or personally identifiable data that could assist an attacker
> in compromising accounts without the credentials themselves.
>
> Fortunately, there are good alternatives out there: trusty old Keepass for
> DIYers, Bitwarden for people who like browser integration and either want
> to host their own or use a decent free tier service, and 1Password /
> Dashlane / etc. for people looking for other convenience features and are
> willing to pay for them.
>
> -Rich
>
> On Tue, Dec 27, 2022 at 4:51 PM Drew King (dking65 at kingconsulting.us) <
> dking65 at kingconsulting.us> wrote:
>
>> All,
>>
>> Some LastPass breach update information:
>>
>> Android Central: LastPass confirms users' password vaults were stolen by
>> hackers.
>>
>> https://www.androidcentral.com/apps-software/lastpass-user-data-security-breach-incident
>>
>> --
>> Drew King
>>
>> ===============================================
>> ::The Lexington Computer and Technology Group Mailing List::
>> Reply goes to sender only; Reply All to send to list.
>> Send to the list: LCTG at lists.toku.us      Message archives:
>> http://lists.toku.us/pipermail/lctg-toku.us/
>> To subscribe: email lctg-subscribe at toku.us  To unsubscribe: email
>> lctg-unsubscribe at toku.us
>> Future and Past meeting information: http://LCTG.toku.us
>> List information: http://lists.toku.us/listinfo.cgi/lctg-toku.us
>> This message was sent to rich at richmoffitt.org.
>> Set your list options:
>> http://lists.toku.us/options.cgi/lctg-toku.us/rich@richmoffitt.org
>>
> ===============================================
> ::The Lexington Computer and Technology Group Mailing List::
> Reply goes to sender only; Reply All to send to list.
> Send to the list: LCTG at lists.toku.us      Message archives:
> http://lists.toku.us/pipermail/lctg-toku.us/
> To subscribe: email lctg-subscribe at toku.us  To unsubscribe: email
> lctg-unsubscribe at toku.us
> Future and Past meeting information: http://LCTG.toku.us
> List information: http://lists.toku.us/listinfo.cgi/lctg-toku.us
>
> This message was sent to palbin24 at yahoo.com.
> Set your list options:
> http://lists.toku.us/options.cgi/lctg-toku.us/palbin24@yahoo.com
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.toku.us/pipermail/lctg-toku.us/attachments/20221229/c9a4752e/attachment.htm>

More information about the LCTG mailing list