Hosting & Domaining Forum

Hosting Discussion => Hosting Security and Technology => Vulnerabilities => Topic started by: zetta81 on Jun 28, 2022, 02:59 AM

Title: LastPass master passwords compromised
Post by: zetta81 on Jun 28, 2022, 02:59 AM
BleepingComputer reported today that many LastPass users reported their master passwords being compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations.

LastPass apparently indicated it's credential stuffing related to fairly common bot-related activity using data obtained from third-party breaches.

However, users receiving these warnings have stated that their passwords are unique to LastPass and not used elsewhere, and some have even changed their master passwords only to receive another alert. Others have reported issues trying to delete or disable their accounts.

BleepingComputer has asked LastPass about these concerns but has not received a reply as of yet.

It goes without saying that if you are a LastPass user you should enable multi-factor authentication immediately.
Title: Re: LastPass master passwords compromised
Post by: Sevad on Jun 28, 2022, 03:13 AM
High value target with a huge return on a successful breach, that's why. You don't just have one set of credentials for each user, you have all of them...at least those stored with them.

Hopefully some people realized this potential and used the service for its convenience with non-critical things like shopping and news, but kept especially sensitive accounts stored locally or on devices that they control. Nobody cares what's stored on your VPS...
Title: Re: LastPass master passwords compromised
Post by: gnh73 on Jun 28, 2022, 03:29 AM
There have been reports coming from some of the services I use that someone is trying to log in from a different country. I saw this email after a few days, and it was too late. When I click on the link, the link is gone, which means someone other than me has clicked on the link. That's when I realized that they also hacked the email linked to the account.

I lost my gmail account because of this. Someone changed the password. And not only that. They even have 2FA enabled on it. So I can't recover my account. That's worse.
I am using this gmail account to pay for some of my domains. Now, I don't know how to pay for my domains. Maybe I'll lose them.

Also, this gmail account is linked to my github and bitbucket accounts. There are so many private repos in there which are very important to me. I can only restore the public repos.

So stay away from LastPass. I will never use LastPass or any other password manager again. Or maybe I will try a self-hosted password manager.
Title: Re: LastPass master passwords compromised
Post by: kosmon on Jun 28, 2022, 03:34 AM
As they typically say, don't put all your eggs in one basket; this gives me the same feeling here...
Putting all passwords in one place! Personally I freak out at the thought of such a service, including, and not limited to, even having to sync my passwords to Google/Mozilla/Edge sync.
Title: Re: LastPass master passwords compromised
Post by: SanviMalhotra on Sep 02, 2022, 03:23 AM
According to LastPass owner LogMeIn Global, the password manager team investigated recent reports of login attempts and concluded that the incidents are related to normal bot activity, in which bots traditionally try to access accounts using email addresses and passwords obtained from breaches of third-party "non-affiliated services".
The firm assures that there is no data on the successful hacking of accounts, nor any information that LastPass was compromised in any way.

So, many users who receive these notifications claim that their passwords are unique and used only by LastPass, and therefore cannot be obtained by attackers from other sources. Moreover, cybersecurity specialist Bob Diachenko claimed to have found thousands of LastPass login-password pairs in Redline Stealer malware logs, but victims indicate that their data is not on these lists. In other words, someone used other means to attempt to hack accounts.

Some clients have already reported that after changing their master passwords following the warning, they soon received a notification again that somebody was trying to log into their account. Finally, some clients of the service who tried to delete their accounts received an automatic refusal to perform the action. Users of the service targeted by the attackers are advised to at least activate multi-factor authentication to protect their accounts - that is likely to protect data even if the master passwords have been compromised.