from Hacker News

LastPass: Notice of Security Incident

by marconey on 8/25/22, 7:15 PM with 130 comments

  • by autoexec on 8/25/22, 7:28 PM

    Not enough data to say what the impact of this is. Good for them disclosing it early while they investigate.

    > we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.

    One way to prevent risk to your passwords in the event of a security breach is to not store them in the cloud at all. KeePass is great!

  • by mancini0 on 8/25/22, 10:19 PM

    Lesspass generates reproducible unique passwords from inputs (username, domain, masterpassword). It works without an internet connection and is open source. You only need their cloud storage if you want to backup metadata about the password requirements for specific sites (i.e, no special chars allowed by foo.com, bar.com requires a capital letter and a number, etc.) This metadata can also be stored locally. The command line utility is great, they also offer Mozilla / chrome extensions and mobile apps. I bash alias the command line command to copy the password into clipboard so when I navigate to a site on my laptop, I run genp chase or genp amazon and quickly have the pw ready to go in my clipboard. The apps / extensions and even the cli uses emojis as a visual cue to let you know you typed in the correct masterpassword (since it's masked)

  • by m4jor on 8/25/22, 10:58 PM

    I wonder if this was nation-state backed hackers or just some rando.

    I'm guessing nation-state because it seems they stole some source code/R&D. I'd guess China. That's their entire MO. Further the Chinese economy by any means necessary. Why waste years and millions on R&D when you can just steal it?

    https://www.cbsnews.com/news/chinese-hackers-took-trillions-...

  • by greatgib on 8/26/22, 8:22 AM

    "engaged a leading cybersecurity and forensics firm."

    This is the current trend each time there is a breach: let's pretend/show that we are serious and waste money taking "security" consultants, that will in the end probably tell us obvious things.

    Pay more or listen to your own employees instead and eventually go hire competent engineers instead of funding bullshit jobs.

    Lastpass is supposed to be in the "cyber security" field, so it is a little bit ridiculous to say that you need external help on this subject...

  • by aborsy on 8/25/22, 7:44 PM

    Suppose that LastPass is compromised. What can an attacker do? Passwords are encrypted, with keys on users’ side.

    Short of serving customers malicious JS code or an app to steal passwords, the production environment referred in the article can be made totally public, without secrets in vaults bring revealed, no?

  • by FridgeSeal on 8/25/22, 11:05 PM

    I wonder if this is a “precursor” attack to the likes of a solar-winds style compromise?

    Get into their dev env (ideally unnoticed), exfiltrate the sensitive code you need, poke around their systems. Once you’ve got a handle on their code and have figured out what to add, do so and just begin the waiting game.

    Maybe that’s all happened, and this attack is “air cover” for the last-stage.

  • by martinky24 on 8/25/22, 9:10 PM

    https://blog.lastpass.com/2022/08/notice-of-recent-security-...

    Not good! All a password manager sells is trust. Without that they don't offer anything of value.

  • by lawgimenez on 8/26/22, 12:21 AM

    I liked how I was reading in the middle of the paragraph a "subscribe to our newsletter" popped up. It threw me off my rhythm. Clever.

  • by MikeKusold on 8/25/22, 10:34 PM

    If you're looking to move off of LastPass, and your company has a 1Password Business subscription, then you can get a free Family Account.

    All your data is kept separate from the company, and if you depart you just need to add a credit card.

    https://support.1password.com/link-family/

  • by whoisjohnkid on 8/25/22, 10:41 PM

    Hmm, even though LastPass doesn’t have access to your pass, couldn’t a malicious software update cause attacker to view your passwords when it runs since the software ultimately has access?

    This doesn’t seem to be the case in this incident though.

  • by aceazzameen on 8/26/22, 4:06 AM

    I'm so glad we switched from LastPass to Bitwarden earlier this year. It seems like every few years there's some kind of breach with LastPass.

  • by tylervigen on 8/25/22, 10:41 PM

    Incident impact and response seems adequate to me. Obviously I’d prefer no incidents, but this with the right layers of security in place to prevent out from impacting users and transparent reporting are the next best thing.

  • by xenago on 8/25/22, 7:54 PM

    Not really a big worry, thanks to zero knowledge encryption. Glad it was disclosed. Probably not a fun time over there right now lol

  • by bearjaws on 8/25/22, 7:41 PM

    This is definitely a better example of handling a breach, many others would disclose this years later (if at all) since nothing material has happened or is known to have happened.

    We're looking at you Twitter / GitHub

  • by niros_valtos on 8/25/22, 8:12 PM

    I like the way then handle the communication about the incident. There 2 ways to interpret the message: 1. Someone managed to get access to dev credentials and exfiltrated source code (the part that is explicitly mentioned). 2. Someone managed to push code on behalf of the compromised account and they responded to this change (not mentioned, but otherwise how would they know the account was compromised - each SCM has its logging limitations).

  • by jrm4 on 8/25/22, 9:58 PM

    For all of its warts, at least crypto has managed to come up with a clever little motto that correctly states the issue, in the form of "not your keys, not your crypto."

    Putting your passwords in the hands of a third party drastically increases your threat surface and no amount of hand-wavy "but it's not as convenient" will change this fact.

    Now, it may be true that the convenience factor is very strong right now, but the solution will never be "let's keep hoping real hard that the third parties are good at this." Not unless any of the third parties are willing to take on indemnification or liability.

    The proper thing to do is to figure out how we can best empower people on their own. I know it's difficult, but that doesn't fundamentally cut into the fact that "this is what SHOULD be done."

  • by larrybud on 8/25/22, 9:10 PM

    I wish they were more definitive as to if there was (or was not) any compromise of the source code repository credentials. Eg could the attacker have injected malware into the code as in the Solarwinds incident?

  • by alexeiz on 8/26/22, 6:39 AM

    I've switched to Bitwarden after the first of such incidents and never looked back. More incidents were just bound to happen to LastPass.

  • by niros_valtos on 8/26/22, 5:46 PM

  • by Aicy on 8/26/22, 3:02 PM

    Thanks for reminding me to delete my lastpass acount.

    I switched over to a self hosted bitwarden, and not only is the user experience a lot better, I've got better security confidence since my password store never leaves my home network.

  • by robertwt7 on 8/26/22, 3:29 AM

    there might not be an impact straightaway, however gaining access to source code means that it's easier for hacker to find loophole is it not?

    lastpass has to be ready for some sort of attacks I guess, it's good that they identified this early

  • by dehrmann on 8/26/22, 2:19 AM

    Didn't we decide to move off LastPasss 5 years ago?

  • by koheripbal on 8/25/22, 10:38 PM

    Access to a dev account means they might have pushed out a malicious code update.

    Huge huge potential loss here for people until they affirm this didn't happen.

  • by theshrike79 on 8/25/22, 9:45 PM

    I switched providers the last time this happened, or was it the one before that.

    Not a good look for an online password storage service.

  • by psygandhi on 8/26/22, 10:25 AM

    Self-host with Bitwarden I guess?

  • by DreamFlasher on 8/25/22, 10:03 PM

    Wouldn't have happened with Bitwarden ;)