Hosting & Domaining Forum

Hosting Discussion => Hosting Security and Technology => Vulnerabilities => Topic started by: zetta81 on Jun 28, 2022, 02:59 AM

Title: LastPass master passwords being compromised
Post by: zetta81 on Jun 28, 2022, 02:59 AM
Many LastPass users have reported their master passwords being compromised recently. This happened after they received email notifications that someone was trying to log into their accounts from unknown locations.

According to LastPass, this is related to credential stuffing, which is a common bot-related activity that uses data obtained from third-party breaches. However, some affected users claim that their passwords are unique to LastPass and not used elsewhere, and changing their passwords did not fix the issue. Some users even faced difficulties trying to delete or disable their accounts.

BleepingComputer has reached out to LastPass for comment but has not received any response yet. It is highly recommended that all LastPass users enable multi-factor authentication as soon as possible.
Title: Re: LastPass master passwords compromised
Post by: Sevad on Jun 28, 2022, 03:13 AM
The reason for considering high-value targets for breaching is the potential for a significant return on investment. When targeting users, the attacker is not limited to having access to only one set of login credentials per user; they could potentially have access to all of them, especially if stored with a password manager like LastPass.
Ideally, people would use a service like LastPass for convenient tasks such as shopping or reading news while keeping sensitive accounts locally or on devices they control. Information stored on a Virtual Private Server (VPS) is generally not of interest to attackers.
Title: Re: LastPass master passwords compromised
Post by: gnh73 on Jun 28, 2022, 03:29 AM
I have received notifications from some of the services I use that someone is attempting to log in from a different country. Unfortunately, I didn't see this email until a few days after it was sent. By the time I clicked on the link, it had disappeared - indicating that someone other than me had accessed my account. It was then that I realized that they had also gained access to the email address linked to the account.

As a result of this breach, I have lost access to my Gmail account. The hacker changed the password and even enabled two-factor authentication, making it impossible for me to recover my account. This is especially concerning because I use this email account to pay for some of my domains, and now I'm not sure how to do so. I'm afraid I might lose my domains.

Furthermore, this Gmail account is linked to my GitHub and Bitbucket accounts, where many of my private repositories are stored. Losing access to these repositories would be devastating for me, and I can only restore the public repositories.

Given this experience, I advise staying away from LastPass. I have lost faith in password managers and will likely try self-hosting in the future.
Title: Re: LastPass master passwords compromised
Post by: kosmon on Jun 28, 2022, 03:34 AM
As the saying goes, it's not wise to put all your eggs in one basket, and I feel the same way about storing all my passwords in one place.
Personally, I am uncomfortable with using a service that requires me to sync my passwords to Google/Mozilla/Edge syncs or any other third-party service. The idea of consolidating all of my passwords in one location makes me incredibly uneasy.
Title: Re: LastPass master passwords compromised
Post by: SanviMalhotra on Sep 02, 2022, 03:23 AM
LogMeIn Global, the owners of LastPass, have investigated recent reports of login attempts and concluded that they are related to normal bot activity. Bots traditionally try to access accounts using email addresses and passwords that have been obtained illegally due to violations committed by third-party "non-affiliated services". The firm confirmed that there is no evidence of successful account hacking or any LastPass data being compromised.

However, users receiving these notifications claim that their passwords are unique to LastPass and not used elsewhere, which means attackers cannot obtain them from other sources. Additionally, cybersecurity expert Bob Diachenko claimed to have found thousands of LastPass login-password pairs in Redline Stealer malware logs, but victims reported that their data was not on those lists. This suggests that attackers are using other methods to attempt to breach LastPass accounts.

Some users who changed their master passwords after receiving the warning have reported receiving another notification shortly afterward that someone was attempting to log into their account again. Others have had difficulties trying to delete their accounts.

Users targeted by attackers are advised to activate multi-factor authentication to protect their accounts - this will help to safeguard their data even if their master passwords are compromised.
Title: Re: LastPass master passwords being compromised
Post by: ymna on Aug 19, 2023, 04:09 AM
LastPass, like any online service, is not immune to security threats, and it is possible for attackers to gain access to user accounts. Credential stuffing, as mentioned, is a common technique where attackers use usernames and passwords obtained from third-party breaches to gain unauthorized access to other accounts. This happens because many people reuse passwords across multiple accounts, making it easier for an attacker to gain access to various services.

However, it is important to note that LastPass encrypts user data using strong encryption algorithms, which means that even if an attacker gains access to the data, it should be protected. Additionally, LastPass encourages users to enable multi-factor authentication (MFA), which adds an extra layer of security by requiring an additional verification step, such as a code generated by an authentication app or sent via SMS.

Regarding the reported difficulties faced by some users when trying to delete or disable their accounts, it is unfortunate that they have experienced such issues. It is worth reaching out to LastPass support or keeping an eye on any updates from LastPass regarding these specific concerns.

Points to consider:

1. Strong and Unique Passwords: It is crucial to use strong, complex passwords that are not easily guessable. Consider using a mix of upper and lowercase letters, numbers, and special characters. Additionally, ensure that your passwords are unique for each online account, including LastPass.

2. Two-Factor Authentication (2FA): Enable 2FA or multi-factor authentication for LastPass and all other online accounts whenever possible. This adds an extra layer of security by requiring a second form of verification, such as a fingerprint scan, authentication app, or hardware key.

3. Regularly Monitor Account Activity: Keep an eye on your LastPass account activity and review any notifications or alerts regarding login attempts from unfamiliar locations. If you receive such notifications, take appropriate action, such as changing your password or contacting LastPass support if needed.

4. Stay Informed about Data Breaches: Stay updated on data breaches and security incidents from various sources. By being aware of breaches, you can proactively change your passwords and take necessary precautions to protect your accounts.

5. Use Additional Security Features: LastPass provides several additional security features, such as password generators, secure notes, and password audits. Utilize these tools to enhance the security of your account.

6. Regularly Update LastPass: Ensure that you are running the latest version of LastPass software or browser extension. Updates often include security patches and improvements, so it's important to stay up to date.

7. Keep an Offline Backup: Consider keeping an offline backup of your passwords or a copy of your encrypted LastPass vault. This can provide an added layer of security in case of any unforeseen issues, such as a compromised account or temporary loss of access.
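As an added example (not code from any poster in this thread or from LastPass), the following Python shows the defender-side view of the credential stuffing described above: it runs over a constructed authentication log, flags a source that sprays many accounts in a short window, lists which accounts it actually got into, and raises the "login from an unfamiliar location" alert the earlier posts mention. The log format, thresholds and account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): "timestamp user result source_ip country"
SAMPLE_LOG = """\
2022-06-27T10:00:01 alice@example.com FAIL 203.0.113.5 BR
2022-06-27T10:00:02 bob@example.com FAIL 203.0.113.5 BR
2022-06-27T10:00:03 carol@example.com FAIL 203.0.113.5 BR
2022-06-27T10:00:04 dave@example.com FAIL 203.0.113.5 BR
2022-06-27T10:00:05 erin@example.com OK 203.0.113.5 BR
2022-06-27T10:05:00 alice@example.com OK 198.51.100.7 US
2022-06-27T11:00:00 alice@example.com OK 192.0.2.9 US
2022-06-27T12:00:00 bob@example.com OK 198.51.100.8 US
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, result, ip, country = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ok": result == "OK", "ip": ip, "country": country})
    return events

def stuffing_sources(events, window=timedelta(minutes=10), min_users=4):
    """Source IPs that hit >= min_users distinct accounts within `window`.
    Stuffing looks like one source trying many accounts once each."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged

def successes_from_flagged(events, flagged):
    """Accounts that logged in OK from a flagged source: the ones whose
    credentials the attacker evidently holds and that should be rotated first."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged})

def new_country_logins(events, known):
    """Successful logins from a country not in the user's known set: the
    'login from an unfamiliar location' notice the thread describes."""
    return [(e["user"], e["country"], e["ip"]) for e in events
            if e["ok"] and e["country"] not in known.get(e["user"], set())]
```

With the sample data, only 203.0.113.5 is flagged (five accounts in a few seconds), erin's account is the one it succeeded against, and erin's login is also the only one from a country outside the known set.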