PSA - LastPass breach!

mark_in_denver
Posts: 251
Joined: Thu Feb 26, 2015 7:36 pm

Re: PSA - LastPass breach!

Post by mark_in_denver »

Can't write much now but my understanding is the secret key is locked to your device and is combined with your password key to generate the AES 256 bit key.

Doesn't sound like it defeats brute forcing at all. All it does is add some entropy to your password key. If my password key already has good entropy, why use it?
AnEngineer
Posts: 2127
Joined: Sat Jun 27, 2020 4:05 pm

Re: PSA - LastPass breach!

Post by AnEngineer »

HanSolo wrote: Sun Jan 29, 2023 11:31 pm
AnEngineer wrote: Sun Jan 29, 2023 11:02 pm I think though that ...
Yes, I understand your thoughts on the matter, as you already expressed. Your opinion is different from mine.
I was going to say that's impossible because I hadn't made that point here yet. But perhaps you have a better memory than me and recall the umbrella policy thread from almost two years ago where we disagreed over the same concept. (I only found it by googling for this post.)
HanSolo wrote: Sun Jan 29, 2023 11:31 pm Bottom line, I understand your opinions on the matter. My opinions are different. ...
Claiming that what I'm doing is wrong, or too weak for practical purposes, is simply an opinion that I happen to disagree with.
Apparently you don't understand because I have not said what you are doing is too weak. The confusion is possibly because you are talking here of opinions and conclusions, but the point I'm making is on the facts that feed into it. Do you agree that passwords generated with a system have lower entropy than passwords generated randomly of the same length? If you accept that and conclude that the risk of employing such a system is fine I am not arguing against that.
lazydavid
Posts: 4528
Joined: Wed Apr 06, 2016 1:37 pm

Re: PSA - LastPass breach!

Post by lazydavid »

mark_in_denver wrote: Mon Jan 30, 2023 12:29 pm Doesn't sound like it defeats brute forcing at all. All it does is add some entropy to your password key. If my password key already has good entropy, why use it?
Depends on what your definition of "defeats" is. Where X is the number of bits of entropy in your password, it is inarguable that X+128 is significantly more resistant to cracking than X, for any value of X.

They list examples of a weak password at 15 bits of entropy, average at 40 bits, and strong at 60 bits. Adding 128 bits to these, making them 143 bits, 168 bits, and 188 bits, respectively, is a dramatic improvement.

Maybe yours is more than 60. Mine is in the 130s, so I'm already good. Yes >260 bits is still significantly stronger, but we're well into the diminishing returns side of the curve at this point. It takes my password from "uncrackable" to "uncrackable". :D
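The two posts above describe the mechanism in words: a device-bound secret key is mixed into the key derived from the master password, so an attacker holding only a stolen vault snapshot has to guess the password and the 128-bit secret together. The following is an added example, not LastPass's or 1Password's code; the concrete mixing step (PBKDF2 for the password, an HKDF-style expansion for the secret key, XOR of the two), the low iteration count, the salt and the three-digit toy password space are all assumptions chosen to make the offline guessing attack visible in a few seconds.

```python
"""Added example: a simplified two-secret key derivation next to a password-only
derivation, and an offline guessing attack against a stolen vault snapshot.
Not vendor code; the mixing construction is an assumption modelled on the
design described in the thread."""
import hashlib
import hmac
import itertools
import math
import secrets
from typing import Optional

# Deliberately low so the demo runs in seconds; real clients use far more.
ITERATIONS = 1_000


def password_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow, salted stretch of the master password (PBKDF2-HMAC-SHA256, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def secret_key_key(secret_key: bytes, salt: bytes) -> bytes:
    """HKDF-style extract then one-block expand of the device-bound secret key (RFC 5869)."""
    prk = hmac.new(salt, secret_key, hashlib.sha256).digest()
    return hmac.new(prk, b"vault-key" + b"\x01", hashlib.sha256).digest()


def vault_key(master_password: str, salt: bytes, secret_key: Optional[bytes] = None,
              iterations: int = ITERATIONS) -> bytes:
    """Password-only key when secret_key is None; otherwise XOR in the secret-key key."""
    pk = password_key(master_password, salt, iterations)
    if secret_key is None:
        return pk
    return bytes(a ^ b for a, b in zip(pk, secret_key_key(secret_key, salt)))


def check_value(key: bytes) -> bytes:
    """Stand-in for 'does this key open the vault': the stdlib has no AES, so an
    HMAC over a fixed string plays the role of the authenticated ciphertext."""
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()


def crack(stolen_check: bytes, salt: bytes, candidates, secret_key_guess: Optional[bytes] = None,
          iterations: int = ITERATIONS) -> Optional[str]:
    """Offline attack on a snapshot: re-derive for every candidate password and compare.
    Changing the master password later does nothing to this stolen copy."""
    for cand in candidates:
        k = vault_key(cand, salt, secret_key_guess, iterations)
        if hmac.compare_digest(check_value(k), stolen_check):
            return cand
    return None


def guess_space_bits(password_bits: float, secret_key_bits: int = 128) -> float:
    """Work factor in bits once the secret key must be guessed as well (X + 128)."""
    return password_bits + secret_key_bits


def demo():
    salt = b"constructed-salt-16"  # constructed sample value
    # 1000 candidate PINs, roughly 10 bits: a stand-in for a weak master password
    pins = ["".join(d) for d in itertools.product("0123456789", repeat=3)]
    master = "742"
    # Vault A: password only. The snapshot is all the attacker needs.
    check_a = check_value(vault_key(master, salt))
    # Vault B: password mixed with a 128-bit secret key that never left the device.
    sk = secrets.token_bytes(16)
    check_b = check_value(vault_key(master, salt, sk))
    cracked_a = crack(check_a, salt, pins)
    # The attacker holds vault B but not the secret key; the best they can do is guess one.
    cracked_b = crack(check_b, salt, pins, secret_key_guess=bytes(16))
    return cracked_a, cracked_b, guess_space_bits(math.log2(len(pins)))


if __name__ == "__main__":
    a, b, bits = demo()
    print("password-only vault cracked:", a)
    print("secret-key vault cracked:", b)
    print(f"work factor with secret key: about 2^{bits:.0f} guesses")
```

The password-only vault falls to the thousand-guess loop; the mixed vault survives the same loop because every guess would also have to hit the 128-bit secret. The caveat lazydavid raises still holds: if the password alone already sits well above the attacker's budget, the extra 128 bits change "uncrackable" to "uncrackable".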
mark_in_denver
Posts: 251
Joined: Thu Feb 26, 2015 7:36 pm

Re: PSA - LastPass breach!

Post by mark_in_denver »

lazydavid wrote: Mon Jan 30, 2023 1:22 pm
mark_in_denver wrote: Mon Jan 30, 2023 12:29 pm Doesn't sound like it defeats brute forcing at all. All it does is add some entropy to your password key. If my password key already has good entropy, why use it?
Depends on what your definition of "defeats" is. Where X is the number of bits of entropy in your password, it is inarguable that X+128 is significantly more resistant to cracking than X, for any value of X.

They list examples of a weak password at 15 bits of entropy, average at 40 bits, and strong at 60 bits. Adding 128 bits to these, making them 143 bits, 168 bits, and 188 bits, respectively, is a dramatic improvement.

Maybe yours is more than 60. Mine is in the 130s, so I'm already good. Yes >260 bits is still significantly stronger, but we're well into the diminishing returns side of the curve at this point. It takes my password from "uncrackable" to "uncrackable". :D
Yup mine is already insanely uncrackable so it would make it insanely uncrackable still.

I agree it's diminishing returns at this point.
Thanks for the reply!
HanSolo
Posts: 1403
Joined: Thu Jul 19, 2012 3:18 am

Re: PSA - LastPass breach!

Post by HanSolo »

AnEngineer wrote: Mon Jan 30, 2023 12:51 pm Do you agree that passwords generated with a system have lower entropy than passwords generated randomly of the same length?
Apparently you have declined to address the specific issues I raised. I suggest you do that before exploring this further.
Strategic Macro Senior (top 1%, 2019 Bogleheads Contest)
AnEngineer
Posts: 2127
Joined: Sat Jun 27, 2020 4:05 pm

Re: PSA - LastPass breach!

Post by AnEngineer »

HanSolo wrote: Mon Jan 30, 2023 11:19 pm
AnEngineer wrote: Mon Jan 30, 2023 12:51 pm Do you agree that passwords generated with a system have lower entropy than passwords generated randomly of the same length?
Apparently you have declined to address the specific issues I raised. I suggest you do that before exploring this further.
Could you clarify which issue you think has some bearing on this question?

You asked about having your password manager cracked, at which point there is no remaining entropy, but that's not about how a password generated by a system compares to one generated randomly.

You also asked about pseudorandom vs random. If you use pseudorandom numbers and information about your generation process leaks then it can reduce entropy. But my question was about random password generation. (BTW, so-called true random number generators exist, though I don't think they are in general relevant to password generation, though they are to many security applications.)

Do you mean your skepticism that such decreased entropy has actually allowed someone to determine a password? You argue that it impacts the risk of the lowered entropy, but it does not affect whether or not there is lower entropy.

Do you have a question that impacts whether you agree that passwords generated with a system have lower entropy than passwords generated randomly of the same length?
HanSolo
Posts: 1403
Joined: Thu Jul 19, 2012 3:18 am

Re: PSA - LastPass breach!

Post by HanSolo »

AnEngineer wrote: Tue Jan 31, 2023 6:55 am Could you clarify which issue you think has some bearing on this question?
All the ones I wrote about. It's not useful for me to repeat myself.
You asked about ...
I posed those questions not because I need answers, but just to point out questions that you need to consider more carefully. For example (this is just one example, you still need to consider the remaining issues), your comment "passwords generated randomly" should say "pseudo-randomly" (as they are generated by... guess what... a system). But now I'm repeating myself.

As for the additional issues previously referenced (that you have not yet fully considered), rather than being even more repetitive, I'll just close with an applicable quote from someone else...
mark_in_denver wrote: Mon Jan 30, 2023 1:39 pm Yup mine is already insanely uncrackable so it would make it insanely uncrackable still.

I agree it's diminishing returns at this point.
Thanks for the reply!
Strategic Macro Senior (top 1%, 2019 Bogleheads Contest)
AnEngineer
Posts: 2127
Joined: Sat Jun 27, 2020 4:05 pm

Re: PSA - LastPass breach!

Post by AnEngineer »

HanSolo wrote: Tue Jan 31, 2023 10:30 am I posed those questions not because I need answers, but just to point out questions that you need to consider more carefully.
Then I don't see why you won't answer the question.
HanSolo wrote: Tue Jan 31, 2023 10:30 am For example (this is just one example, you still need to consider the remaining issues), your comment "passwords generated randomly" should say "pseudo-randomly" (as they are generated by... guess what... a system).
This is incorrect. I meant to compare to random passwords. You can generate random passwords. Most (all?) password managers generate pseudorandom passwords, but I am deliberately not comparing against that.
HanSolo
Posts: 1403
Joined: Thu Jul 19, 2012 3:18 am

Re: PSA - LastPass breach!

Post by HanSolo »

AnEngineer wrote: Tue Jan 31, 2023 11:18 am Then I don't see why you won't answer the question.
I responded to your questions by pointing out issues that you still haven't addressed. I don't know how many times you want me to repeat that.

Since you refuse to do that, I can only refer you back to that.

If you have any further problems you need help with, go ahead and post them (and I suggest you be clear about what problem you're trying to solve, otherwise, probably nobody can help you). But I won't comment further on what I already commented on.
Strategic Macro Senior (top 1%, 2019 Bogleheads Contest)
Misenplace
Moderator
Posts: 5368
Joined: Mon Feb 01, 2016 8:46 pm

Re: PSA - LastPass breach!

Post by Misenplace »

^The discussion is getting derailed. The points have been made and further back and forth appears not constructive. Let's move on and drop this interchange.

Moderator Misenplace
mhlambert
Posts: 31
Joined: Fri Jan 25, 2013 12:31 pm

Re: PSA - LastPass breach!

Post by mhlambert »

Domadosolo wrote: Fri Jan 27, 2023 10:26 am
mhlambert wrote: Sat Jan 07, 2023 10:01 am I haven't read through this entire thread so if this is a repeat I apologize.

Whether you move to another password manager or not, you need to change all your sensitive passwords. The hackers obtained a snapshot of your encrypted data and have unlimited time to attempt to decrypt it with dictionary and brute force attacks. Changing your master password will result in your current password data being re-encrypted but doesn't change the fact that they have a static snapshot of your data that they can attack.

Myself, I'm tentatively sticking with LastPass for now until I have time for further research. Better the devil you know than the devil you don't . I've changed my master password and my passwords for all sensitive/financial accounts so the data they have is useless even if they successfully decrypt it.

Did you further research reasons to abandon Lastpass?
Yes, the fact that some of the data compromised was not encrypted - Website URLs in particular - did it for me. For example, the fact that they can see you have a Boglehead's account might make you a higher value target. Even if they can't decrypt your password data, they know where you have accounts and could target you with phishing attacks, etc.

I've switched to Bitwarden and once again changed all my financial and related passwords. I use all generated passwords (32 characters or maximum allowed) so there is no relationship between my old and new passwords. At this point, LastPass has nothing current on my critical passwords encrypted or not.
rebellovw
Posts: 1533
Joined: Tue Aug 16, 2016 4:30 pm

Re: PSA - LastPass breach!

Post by rebellovw »

mhlambert wrote: Fri Feb 03, 2023 10:18 am
Domadosolo wrote: Fri Jan 27, 2023 10:26 am
mhlambert wrote: Sat Jan 07, 2023 10:01 am I haven't read through this entire thread so if this is a repeat I apologize.

Whether you move to another password manager or not, you need to change all your sensitive passwords. The hackers obtained a snapshot of your encrypted data and have unlimited time to attempt to decrypt it with dictionary and brute force attacks. Changing your master password will result in your current password data being re-encrypted but doesn't change the fact that they have a static snapshot of your data that they can attack.

Myself, I'm tentatively sticking with LastPass for now until I have time for further research. Better the devil you know than the devil you don't . I've changed my master password and my passwords for all sensitive/financial accounts so the data they have is useless even if they successfully decrypt it.

Did you further research reasons to abandon Lastpass?
Yes, the fact that some of the data compromised was not encrypted - Website URLs in particular - did it for me. For example, the fact that they can see you have a Boglehead's account might make you a higher value target. Even if they can't decrypt your password data, they know where you have accounts and could target you with phishing attacks, etc.

I've switched to Bitwarden and once again changed all my financial and related passwords. I use all generated passwords (32 characters or maximum allowed) so there is no relationship between my old and new passwords. At this point, LastPass has nothing current on my critical passwords encrypted or not.
Good point - this vault has VG, Wells Fargo, Treasury direct, ...... - we've struck gold - drop that silly vault that has facebook and instagram.
mark_in_denver
Posts: 251
Joined: Thu Feb 26, 2015 7:36 pm

Re: PSA - LastPass breach!

Post by mark_in_denver »

mhlambert wrote: Fri Feb 03, 2023 10:18 am
Domadosolo wrote: Fri Jan 27, 2023 10:26 am
mhlambert wrote: Sat Jan 07, 2023 10:01 am I haven't read through this entire thread so if this is a repeat I apologize.

Whether you move to another password manager or not, you need to change all your sensitive passwords. The hackers obtained a snapshot of your encrypted data and have unlimited time to attempt to decrypt it with dictionary and brute force attacks. Changing your master password will result in your current password data being re-encrypted but doesn't change the fact that they have a static snapshot of your data that they can attack.

Myself, I'm tentatively sticking with LastPass for now until I have time for further research. Better the devil you know than the devil you don't . I've changed my master password and my passwords for all sensitive/financial accounts so the data they have is useless even if they successfully decrypt it.

Did you further research reasons to abandon Lastpass?
Yes, the fact that some of the data compromised was not encrypted - Website URLs in particular - did it for me. For example, the fact that they can see you have a Boglehead's account might make you a higher value target. Even if they can't decrypt your password data, they know where you have accounts and could target you with phishing attacks, etc.

I've switched to Bitwarden and once again changed all my financial and related passwords. I use all generated passwords (32 characters or maximum allowed) so there is no relationship between my old and new passwords. At this point, LastPass has nothing current on my critical passwords encrypted or not.
If you're going that route, you need to change your security questions too if you haven't done so.
otinkyad
Posts: 423
Joined: Wed Jun 01, 2016 5:35 pm

Re: PSA - LastPass breach!

Post by otinkyad »

mark_in_denver wrote: Fri Feb 03, 2023 9:33 pm If you're going that route, you need to change your security questions too if you haven't done so.
Along with the standard recommendation not to use your password manager for authentication codes, you really shouldn’t store answers to security questions or backup codes there, either. I suppose a nice feature would be a second master password for them, but just using another password manager that you rarely need to use seems OK. We’re just using paper for now.

We’re migrating to 1Password from various things and adding authenticators and security keys to everything we can. I noticed that I have a bunch of security answers for sites that don’t appear to use them any more, but it’s hard to know for sure. We haven’t yet changed providers over poor security, such as using security questions or not using 2FA, but we’re becoming tempted to.
mptfan
Posts: 7086
Joined: Mon Mar 05, 2007 8:58 am

Re: PSA - LastPass breach!

Post by mptfan »

otinkyad wrote: Sat Feb 04, 2023 2:26 am Along with the standard recommendation not to use your password manager for authentication codes...
Is this the standard recommendation? What is your source?
otinkyad
Posts: 423
Joined: Wed Jun 01, 2016 5:35 pm

Re: PSA - LastPass breach!

Post by otinkyad »

mptfan wrote: Sat Feb 04, 2023 8:47 am
otinkyad wrote: Sat Feb 04, 2023 2:26 am Along with the standard recommendation not to use your password manager for authentication codes...
Is this the standard recommendation? What is your source?
By standard, I meant usual, for example, in most reviews of password managers. Even in this thread, it has been mentioned repeatedly that even if your vault is decrypted, accounts with 2FA remain secure. That is not the case if your TOTP secret keys (or, as I was saying, your security answers or backup codes) are in your vault. It’s the usual trade-off between security and convenience.
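The point in the post above is mechanical rather than a matter of opinion: a TOTP code is a pure function of the shared seed and the clock, so whoever holds the seed can mint valid codes. The following is an added example, not code from 1Password, LastPass or any authenticator app; it implements RFC 4226/6238 from the standard library and uses a constructed two-entry "decrypted vault" (the seed is the RFC 6238 test-vector secret) to show what an attacker gets from each kind of entry.

```python
"""Added example: RFC 6238 TOTP computed from the shared seed, to show why a seed
stored in the vault stops being an independent second factor once the vault is
decrypted. The vault contents below are constructed sample data."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def verify(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock skew."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# Constructed: what an attacker sees after decrypting a vault. One entry kept its
# TOTP seed in the vault, the other kept the seed in a separate authenticator.
DECRYPTED_VAULT = {
    "example-brokerage": {"username": "alice", "password": "correct horse battery staple",
                          "totp_secret": b"12345678901234567890"},   # RFC 6238 SHA-1 test seed
    "example-bank":      {"username": "alice", "password": "another unique password",
                          "totp_secret": None},                       # seed lives elsewhere
}


def attacker_login_material(vault: dict, site: str, unix_time: int) -> Tuple[str, str, Optional[str]]:
    """Everything needed to log in that the decrypted vault yields for `site`."""
    entry = vault[site]
    seed = entry.get("totp_secret")
    code = totp(seed, unix_time) if seed else None
    return entry["username"], entry["password"], code


def second_factor_holds(vault: dict, site: str, server_seed: bytes, unix_time: int) -> bool:
    """True if the server's TOTP check still blocks an attacker holding only the vault."""
    _, _, code = attacker_login_material(vault, site, unix_time)
    return code is None or not verify(server_seed, code, unix_time)


if __name__ == "__main__":
    now = 1234567890
    for site in DECRYPTED_VAULT:
        print(site, attacker_login_material(DECRYPTED_VAULT, site, now))
```

For the brokerage entry the attacker walks away with username, password and a code the server will accept; for the bank entry the vault yields the password but no code, and the second factor does what it is there for. Whether that residual protection is worth the convenience cost of a separate authenticator is the trade-off the thread is debating.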
Topic Author
samsoes
Posts: 2514
Joined: Tue Mar 05, 2013 8:12 am
Location: Northeast Rat Race

Re: PSA - LastPass breach!

Post by samsoes »

mptfan wrote: Sat Feb 04, 2023 8:47 am
otinkyad wrote: Sat Feb 04, 2023 2:26 am Along with the standard recommendation not to use your password manager for authentication codes...
Is this the standard recommendation? What is your source?
It's unclear if LP encrypted the "notes" field in versions of the vault before 2019 (and it's also unclear if these older versions of vaults were compromised). The "notes" field is where answers to security questions and backup codes are typically stored. If the bad guys have your URL and the answers to your security questions and/or recovery codes, eureka! Paydirt.
"Happiness Is Not My Companion" - Gen. Gouverneur K. Warren. | (Avatar is the statue of Gen. Warren atop Little Round Top @ Gettysburg National Military Park.)
BoglesBeagle
Posts: 32
Joined: Fri Oct 21, 2022 1:06 pm

Re: PSA - LastPass breach!

Post by BoglesBeagle »

mptfan wrote: Sat Feb 04, 2023 8:47 am
otinkyad wrote: Sat Feb 04, 2023 2:26 am Along with the standard recommendation not to use your password manager for authentication codes...
Is this the standard recommendation? What is your source?
It seems to me there isn’t really a resounding consensus. Here’s a 1Password blog post which makes the distinction between two-step and two-factor. If you keep TOTP in 1Password, you aren’t getting a second factor that way (but if you enabled, eg, Yubikey on 1Password, that’d be a second factor).
https://blog.1password.com/totp-for-1password-users/

Some reasonable points both ways are made in these two StackExchange threads:
https://security.stackexchange.com/ques ... -1password
https://security.stackexchange.com/ques ... rd-manager

My inclination is to think that if I trust the password manager — not in the sense of some nonexistent theoretical guarantee of uncrackability, but in the sense that cracking it is sufficiently computationally difficult that some other vector, like social engineering where someone calls a brokerage/institution to reset the login, then becomes the weakest link — TOTP also being in the same place isn’t much of an additional compromise (and if I don’t trust it, I shouldn’t even store passwords in it). I also don’t really have much of a way to assess cloud security for services that others run, so I have no real way of knowing that cloud backups in Google Authenticator or Authy are more or less likely to be breached than a 1Password vault.

A local backup, or even a printed out code in a safe as some have suggested, seems like a real improvement in security by eliminating any sort of cloud-based threat, but at the cost of somewhat more inconvenience. It seems to me that the best tradeoff here likely depends on both the value of the account and the frequency of access needed. A brokerage account with a lot of value and rare need to log in and transact = high value at risk if breached, low added inconvenience cost; something like GitHub or Bogleheads = the opposite…

Another convenience point in favor of keeping TOTP in the password manager is that if you use 1Password’s shared vaults feature on a family account, the TOTPs are also shared as part of the vault since they are part of the same entry. (I don’t mean to start a debate here about whether this is permissible or appropriate for a given site; other threads have covered the fact that some institutions create a separate login for a POA / authorized user and forbid sharing a single login in all cases. I’m only saying that, for cases where the use of the feature is appropriate from a legal/TOS perspective, this makes the feature itself more useful.)
mptfan
Posts: 7086
Joined: Mon Mar 05, 2007 8:58 am

Re: PSA - LastPass breach!

Post by mptfan »

otinkyad wrote: Sat Feb 04, 2023 4:05 pm
mptfan wrote: Sat Feb 04, 2023 8:47 am
otinkyad wrote: Sat Feb 04, 2023 2:26 am Along with the standard recommendation not to use your password manager for authentication codes...
Is this the standard recommendation? What is your source?
By standard, I meant usual, for example, in most reviews of password managers.
Can you cite to one? As the previous poster noted, I don't think there is a consensus on this point.
Juice3
Posts: 430
Joined: Sun Nov 05, 2017 6:40 am

Re: PSA - LastPass breach!

Post by Juice3 »

telemark wrote: Fri Aug 26, 2022 9:46 am The main risk I see here is that, with the source code, the thieves could build and distribute their own functioning copy of the LastPass client, along with whatever malicious additions they chose to include. So the actionable part would be to double-check where you are downloading your updates from.

Somehow I had gotten the idea that LastPass was already open source, but obviously that isn't the case.
The main risk would be if the thieves were able to gather enough information to identify a flaw in LastPass that will allow a more significant compromise.

People working at LastPass would also pose this risk to LastPass, if they disclosed similar information.
Dakotah
Posts: 176
Joined: Sun Jun 13, 2010 9:28 pm

Re: PSA - LastPass breach!

Post by Dakotah »

Not to throw even more dirt on LastPass...but the fact that information continues to drip-drip-drip out regarding an event about 6 months ago is highly concerning.

LastPass says employee’s home computer was hacked and corporate vault taken
Already smarting from a breach that put partially encrypted login data into a threat actor’s hands, LastPass on Monday said that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers.

Although an initial intrusion into LastPass ended on August 12, officials with the leading password manager said the threat actor “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity” from August 12 to August 26. In the process, the unknown threat actor was able to steal valid credentials from a senior DevOps engineer and access the contents of a LastPass data vault. Among other things, the vault gave access to a shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.
https://arstechnica.com/information-tec ... ate-vault/
fetch5482
Posts: 1539
Joined: Fri Aug 15, 2014 4:55 pm

Re: PSA - LastPass breach!

Post by fetch5482 »

Dakotah wrote: Mon Feb 27, 2023 8:50 pm the fact that information continues to drip-drip-drip out regarding an event about 6 months ago is highly concerning.
https://arstechnica.com/information-tec ... ate-vault/
LastPass has not been transparent about this entire breach at all. They've timed some ugly announcements around holiday seasons to minimize the negative user sentiment hoping that people won't pay much attention during their break time.

More than the breach, at this point I find it hard to trust LastPass at all. If you're still using LastPass, I hope they don't have more things that they've not yet revealed about the breach..
(AGE minus 23%) Bonds | 5% REITs | Balance 80% US (75/25 TSM/SCV) + 20% International (80/20 Developed/Emerging)
YoungSisyphus
Posts: 298
Joined: Mon Sep 24, 2018 7:35 am

Re: PSA - LastPass breach!

Post by YoungSisyphus »

That’s unbelievable!

One of four employees that holds keys to their cloud infrastructure and they are running a hacked Plex entertainment server on the same PC? And they are getting keylogged?

This is supposed to be one of four of their leading developers?

I am glad I switched off them a few weeks ago, however I didn’t change PWs for ALL accounts and now that’s recommended from Ars.

AND they took six months to disclose this? Awful.
rebellovw
Posts: 1533
Joined: Tue Aug 16, 2016 4:30 pm

Re: PSA - LastPass breach!

Post by rebellovw »

Wow.

I'll definitely be getting rid of Plex.
bwalling
Posts: 568
Joined: Thu Nov 25, 2010 12:04 pm

Re: PSA - LastPass breach!

Post by bwalling »

Finally decided to give up on LastPass. 1Password apparently currently has a bug that prevents importing from LastPass.

(There is a workaround to export to CSV and then import, but that loses a lot of information I'd rather not lose).
Blues
Posts: 2409
Joined: Wed Dec 10, 2008 10:58 am
Location: Blue Ridge Mtns

Re: PSA - LastPass breach!

Post by Blues »

I was happy with LP for several years, but I'm really glad to have moved on to Bitwarden since December.

LP is proving to be the poster child for "how it's not supposed to be done".
rebellovw
Posts: 1533
Joined: Tue Aug 16, 2016 4:30 pm

Re: PSA - LastPass breach!

Post by rebellovw »

Their "employee" is the poster child for really giving home workers a bad name. Using company computers for non-company work. What a jerk. Because of him we have to all get rid of what was a nice product.
ThankYouJack
Posts: 4982
Joined: Wed Oct 08, 2014 7:27 pm

Re: PSA - LastPass breach!

Post by ThankYouJack »

rebellovw wrote: Tue Feb 28, 2023 9:19 am Their "employee" is the poster child for really giving home workers a bad name. Using company computers for non-company work. What a jerk. Because of him we have to all get rid of what was a nice product.
I don't think one employee should be the scapegoat, as mistakes have been made throughout the company and leadership should bear responsibility. It'll be interesting to see how things continue to unfold and how LastPass reacts.
jebmke
Posts: 20152
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: PSA - LastPass breach!

Post by jebmke »

ThankYouJack wrote: Tue Feb 28, 2023 10:01 am
rebellovw wrote: Tue Feb 28, 2023 9:19 am Their "employee" is the poster child for really giving home workers a bad name. Using company computers for non-company work. What a jerk. Because of him we have to all get rid of what was a nice product.
I don't think one employee should be the scapegoat as mistakes have been made throughout company and leadership should bear responsibility. It'll be interesting to see how things continue to unfold and how LastPass reacts
Employees are often the scapegoat. I routinely had to point out that many times an issue was rooted in management (all the way up, including myself if relevant). If my managers ever blamed "the secretary" or "the clerk" they got one pass and a one on one conversation later to never do that again.

If I see what appears to be a systemic issue at a corporation today, I first look to the Board of Directors, then work my way down.
When you discover that you are riding a dead horse, the best strategy is to dismount.
rebellovw
Posts: 1533
Joined: Tue Aug 16, 2016 4:30 pm

Re: PSA - LastPass breach!

Post by rebellovw »

ThankYouJack wrote: Tue Feb 28, 2023 10:01 am
rebellovw wrote: Tue Feb 28, 2023 9:19 am Their "employee" is the poster child for really giving home workers a bad name. Using company computers for non-company work. What a jerk. Because of him we have to all get rid of what was a nice product.
I don't think one employee should be the scapegoat as mistakes have been made throughout company and leadership should bear responsibility. It'll be interesting to see how things continue to unfold and how LastPass reacts
They had no business hosting Plex and co-mingling company access on their Plex server. They should have known better. Most companies have training (annual) on using company assets. I'm sure that LastPass, being a security company, had some pretty strict policies. All of these hacks seem to be piggybacked off the original hack.
Topic Author
samsoes
Posts: 2514
Joined: Tue Mar 05, 2013 8:12 am
Location: Northeast Rat Race

Re: PSA - LastPass breach!

Post by samsoes »

This is mind-blowing beyond words. I'm surprised congressional hearings haven't been launched yet. I'm sure they will once reports of thefts from cracked vaults with weak master passwords start to be reported (or phishing attempts based on plaintext URLs and plaintext Notes fields prior to 2019).

If you are still with LP, switch now! Consider Bitwarden or 1Password, both of which have been discussed extensively on this thread, and change every single application password to a unique long computer-generated one, and change anything that may have been stored in the Notes field (answers to security questions, backup codes, etc.) Start with the critical sites first: where you have money, followed by where you have debt, etc., right on down to your favorite recipe site.

What a disaster.
"Happiness Is Not My Companion" - Gen. Gouverneur K. Warren. | (Avatar is the statue of Gen. Warren atop Little Round Top @ Gettysburg National Military Park.)
jebmke
Posts: 20152
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: PSA - LastPass breach!

Post by jebmke »

samsoes wrote: Tue Feb 28, 2023 10:38 am This is mind-blowing beyond words. I'm surprised congressional hearings haven't been launched yet. I'm sure they will once reports of thefts from cracked vaults with weak master passwords start to be reported (or phishing attempts based on plaintext URLs and plaintext Notes fields prior to 2019).

If you are still with LP, switch now! Consider Bitwarden or 1Password, both of which have been discussed extensively on this thread, and change every single application password to a unique long computer-generated one, and change anything that may have been stored in the Notes field (answers to security questions, backup codes, etc.) Start with the critical sites first: where you have money, followed by where you have debt, etc., right on down to your favorite recipe site.

What a disaster.
Reports of company hacks are nearly a daily event. Why would they single out LP for a congressional hearing?
When you discover that you are riding a dead horse, the best strategy is to dismount.
fetch5482
Posts: 1539
Joined: Fri Aug 15, 2014 4:55 pm

Re: PSA - LastPass breach!

Post by fetch5482 »

rebellovw wrote: Tue Feb 28, 2023 10:17 am They had no business hosting Plex and co-mingling company access on their Plex server. They should have known better. Most companies have training (annual) on using company assets. I'm sure that Last Pass being a Security Company - had some pretty strict policies. All of these hacks seems to be piggybacked off the original hack.
To be honest, I'm surprised LastPass didn't have a way to block these apps from being installed on the office laptop. My employer uses device management software to explicitly block certain apps from being installed, including media servers like Plex, certain file sharing applications etc.

I'm also surprised that 4 engineers in the company had so much access. When access to such sensitive information is granted for work purposes, it usually is very selective (eg only a single account or sub account). The fact that an employee had access to nearly everyone's data is also concerning.
(AGE minus 23%) Bonds | 5% REITs | Balance 80% US (75/25 TSM/SCV) + 20% International (80/20 Developed/Emerging)
rebellovw
Posts: 1533
Joined: Tue Aug 16, 2016 4:30 pm

Re: PSA - LastPass breach!

Post by rebellovw »

fetch5482 wrote: Tue Feb 28, 2023 10:41 am
rebellovw wrote: Tue Feb 28, 2023 10:17 am They had no business hosting Plex and co-mingling company access on their Plex server. They should have known better. Most companies have training (annual) on using company assets. I'm sure that Last Pass being a Security Company - had some pretty strict policies. All of these hacks seems to be piggybacked off the original hack.
To be honest, I'm surprised LastPass didn't have a way to block these apps from being installed on the office laptop. My employer uses device management software to explicitly block certain apps from being installed, including media servers like Plex, certain file sharing applications etc.
Apparently a home PC was used for Plex - which would have been fine - except this home PC was also somehow used for work. A responsible person wouldn't have accessed work through an internet-open home PC media server.

We can for sure blame the company but employees should have some common sense.
mptfan
Posts: 7086
Joined: Mon Mar 05, 2007 8:58 am

Re: PSA - LastPass breach!

Post by mptfan »

I have no sympathy for anyone who is still a Lastpass customer.
jebmke
Posts: 20152
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: PSA - LastPass breach!

Post by jebmke »

fetch5482 wrote: Tue Feb 28, 2023 10:41 am
rebellovw wrote: Tue Feb 28, 2023 10:17 am They had no business hosting Plex and co-mingling company access on their Plex server. They should have known better. Most companies have training (annual) on using company assets. I'm sure that Last Pass being a Security Company - had some pretty strict policies. All of these hacks seem to be piggybacked off the original hack.
To be honest, I'm surprised LastPass didn't have a way to block these apps from being installed on the office laptop. My employer uses device management software to explicitly block certain apps from being installed, including media servers like Plex, certain file sharing applications etc.
I'm retired now but in the early 2000s my company locked down all devices and the internal system. You could not install software on computers or, when they came along, smartphones. The only access allowed to the company network was via an application running on company laptops. Period, end of story. It amazes me how open many large organizations still remain.

They had one gap which they learned about later. The laptops were not encrypted so you could boot a computer with a bootable Linux distro on a USB drive and see files that were on the laptop. After that, encrypted drives became the standard.
When you discover that you are riding a dead horse, the best strategy is to dismount.
Topic Author
samsoes
Posts: 2514
Joined: Tue Mar 05, 2013 8:12 am
Location: Northeast Rat Race

Re: PSA - LastPass breach!

Post by samsoes »

jebmke wrote: Tue Feb 28, 2023 10:41 am
samsoes wrote: Tue Feb 28, 2023 10:38 am This is mind-blowing beyond words. I'm surprised congressional hearings haven't been launched yet. I'm sure they will once reports of thefts from cracked vaults with weak master passwords start to be reported (or phishing attempts based on plaintext URLs and plaintext Notes fields prior to 2019).

If you are still with LP, switch now! Consider Bitwarden or 1Password, both of which have been discussed extensively on this thread, and change every single application password to a unique long computer-generated one, and change anything that may have been stored in the Notes field (answers to security questions, backup codes, etc.) Start with the critical sites first: where you have money, followed by where you have debt, etc., right on down to your favorite recipe site.

What a disaster.
Reports of company hacks are nearly a daily event. Why would they single out LP for a congressional hearing?
Anecdotally, are there any other threads on this site which have devoted so much time, technical analysis, and recommendations to other company hacks like this one has? This is different than a breach of the Podunk Middle School servers, so to speak.
"Happiness Is Not My Companion" - Gen. Gouverneur K. Warren. | (Avatar is the statue of Gen. Warren atop Little Round Top @ Gettysburg National Military Park.)
Lastrun
Posts: 819
Joined: Wed May 03, 2017 6:46 pm

Re: PSA - LastPass breach!

Post by Lastrun »

samsoes wrote: Tue Feb 28, 2023 10:52 am
jebmke wrote: Tue Feb 28, 2023 10:41 am
samsoes wrote: Tue Feb 28, 2023 10:38 am ..... I'm surprised congressional hearings haven't been launched yet. .....
Reports of company hacks are nearly a daily event. Why would they single out LP for a congressional hearing?
Anecdotally, are there any other threads on this site which have devoted so much time, technical analysis, and recommendations to other company hacks like this one has? This is different than a breach of the Podunk Middle School servers, so to speak.
I am not so sure. Lots of bad hacks out there potentially worse than Lastpass. Some could be life-threatening, not just financial.

Just today: [url]https://www.nytimes.com/2023/02/27/us/p ... k.html/url] How would you like to be in the witness protection program and wake up this morning to this? Edit: I can't get the URL to post correctly. Anyhow the headline is: Hackers Breach U.S. Marshals System With Sensitive Personal Data

Anyway, I left Lastpass a month ago for Bitwarden as the pick. I just could not trust Lastpass anymore with the way they handled this. What a mess as you say.
ThankYouJack
Posts: 4982
Joined: Wed Oct 08, 2014 7:27 pm

Re: PSA - LastPass breach!

Post by ThankYouJack »

How come it has taken so long (6 months) for this information to be made public?
jebmke
Posts: 20152
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: PSA - LastPass breach!

Post by jebmke »

samsoes wrote: Tue Feb 28, 2023 10:52 am
jebmke wrote: Tue Feb 28, 2023 10:41 am
samsoes wrote: Tue Feb 28, 2023 10:38 am This is mind-blowing beyond words. I'm surprised congressional hearings haven't been launched yet. I'm sure they will once reports of thefts from cracked vaults with weak master passwords start to be reported (or phishing attempts based on plaintext URLs and plaintext Notes fields prior to 2019).

If you are still with LP, switch now! Consider Bitwarden or 1Password, both of which have been discussed extensively on this thread, and change every single application password to a unique long computer-generated one, and change anything that may have been stored in the Notes field (answers to security questions, backup codes, etc.) Start with the critical sites first: where you have money, followed by where you have debt, etc., right on down to your favorite recipe site.

What a disaster.
Reports of company hacks are nearly a daily event. Why would they single out LP for a congressional hearing?
Anecdotally, are there any other threads on this site which have devoted so much time, technical analysis, and recommendations to other company hacks like this one has? This is different than a breach of the Podunk Middle School servers, so to speak.
There were discussions of hacks at credit agencies.

Some of the other ones that are not financial are pretty major - since they aren't financial they would not generally get discussed here. Like the latest hack of the US Marshals.

Somehow I doubt that the US congress would prioritize the volume of discussion on Bogleheads for scheduling congressional hearings. If they did, they would be having hearings on "Dividends, do they matter?" and the soaring prices of watches.
When you discover that you are riding a dead horse, the best strategy is to dismount.
rebellovw
Posts: 1533
Joined: Tue Aug 16, 2016 4:30 pm

Re: PSA - LastPass breach!

Post by rebellovw »

Since the keylogger captured the master password used to access the LP vault containing the amazon backup credentials - they could have used yubikey as I did - and that would have prevented the whole issue. The hacker would need a registered yubikey and the master password and user id.

Edit - then again the "user" would take the amazon credentials and use them - which the keylogger would pick up.
Edit 2 - why didn't they have something like bitdefender installed on their PC to detect the malware? I have it on all my home PCs/Macs.
Edit 3 - 1password and keylogging - https://blog.1password.com/watch-what-y ... e-loggers/ interesting read and a Mac would have likely helped due to its native keylogger blocking.

Just messed up completely.
Last edited by rebellovw on Tue Feb 28, 2023 12:10 pm, edited 2 times in total.
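To illustrate rebellovw's point that a keylogged master password by itself would not open a vault that also requires a registered hardware key, here is an added Python model (not LastPass's or any vendor's code, and not from this thread): a single-use challenge-response second factor. The names VaultService, HardwareKey and demo, and the iteration count, are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000  # constructed demo value, not any vendor's setting


def kdf(password: str, salt: bytes) -> bytes:
    """Derive a password verifier with PBKDF2-HMAC-SHA256 (constructed demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class HardwareKey:
    """Stand-in for a registered hardware key: its secret never leaves the device."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class VaultService:
    """Toy vault login: password verifier plus a single-use challenge-response."""

    def __init__(self):
        self._users = {}

    def register(self, user: str, password: str, key_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[user] = {"salt": salt, "verifier": kdf(password, salt),
                             "key_secret": key_secret, "challenge": None}

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh nonce for every login attempt
        self._users[user]["challenge"] = nonce
        return nonce

    def login(self, user: str, password: str, response: bytes) -> bool:
        rec = self._users[user]
        nonce, rec["challenge"] = rec["challenge"], None  # consume the nonce
        if nonce is None:
            return False
        pw_ok = hmac.compare_digest(kdf(password, rec["salt"]), rec["verifier"])
        expected = hmac.new(rec["key_secret"], nonce, hashlib.sha256).digest()
        return pw_ok and hmac.compare_digest(response, expected)


def demo() -> dict:
    """One legitimate login, then a replay of what a keylogger could have seen."""
    key_secret = secrets.token_bytes(32)
    service, key = VaultService(), HardwareKey(key_secret)
    service.register("dev", "correct horse battery staple", key_secret)
    seen_password = "correct horse battery staple"         # visible to a keylogger
    seen_response = key.respond(service.challenge("dev"))  # visible on the wire
    legit = service.login("dev", seen_password, seen_response)
    service.challenge("dev")  # the service issues a new nonce next time
    replay = service.login("dev", seen_password, seen_response)  # stale response
    return {"legitimate": legit, "replay": replay}
```

The post's own caveat (Edit above) still holds: whatever the user retrieves and types after the vault is unlocked is visible to the keylogger regardless of the second factor on the vault itself.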
rockstar
Posts: 4365
Joined: Mon Feb 03, 2020 5:51 pm

Re: PSA - LastPass breach!

Post by rockstar »

ThankYouJack wrote: Tue Feb 28, 2023 11:10 am How come it has taken so long (6 months) for this information to be made public?
Folks are against regulations until this stuff happens. Where are the regulations that require proper disclosure? Yeah, they aren’t all that great. And companies buy insurance for this stuff.
Topic Author
samsoes
Posts: 2514
Joined: Tue Mar 05, 2013 8:12 am
Location: Northeast Rat Race

Re: PSA - LastPass breach!

Post by samsoes »

jebmke wrote: Tue Feb 28, 2023 11:23 am
samsoes wrote: Tue Feb 28, 2023 10:52 am
jebmke wrote: Tue Feb 28, 2023 10:41 am
samsoes wrote: Tue Feb 28, 2023 10:38 am This is mind-blowing beyond words. I'm surprised congressional hearings haven't been launched yet. I'm sure they will once reports of thefts from cracked vaults with weak master passwords start to be reported (or phishing attempts based on plaintext URLs and plaintext Notes fields prior to 2019).

If you are still with LP, switch now! Consider Bitwarden or 1Password, both of which have been discussed extensively on this thread, and change every single application password to a unique long computer-generated one, and change anything that may have been stored in the Notes field (answers to security questions, backup codes, etc.) Start with the critical sites first: where you have money, followed by where you have debt, etc., right on down to your favorite recipe site.

What a disaster.
Reports of company hacks are nearly a daily event. Why would they single out LP for a congressional hearing?
Anecdotally, are there any other threads on this site which have devoted so much time, technical analysis, and recommendations to other company hacks like this one has? This is different than a breach of the Podunk Middle School servers, so to speak.
There were discussions of hacks at credit agencies.

Some of the other ones that are not financial are pretty major - since they aren't financial they would not generally get discussed here. Like the latest hack of the US Marshals.

Somehow I doubt that the US congress would prioritize the volume of discussion on Bogleheads for scheduling congressional hearings. If they did, they would be having hearings on "Dividends, do they matter?" and the soaring prices of watches.
This will be my last post regarding this particular subtopic of investigations.

I am the OP of this thread. When I started it and raised concern, multiple posters shot me down saying that this was a "nothing burger." Check it out.

How did that work out? Ok, then.
"Happiness Is Not My Companion" - Gen. Gouverneur K. Warren. | (Avatar is the statue of Gen. Warren atop Little Round Top @ Gettysburg National Military Park.)
rebellovw
Posts: 1533
Joined: Tue Aug 16, 2016 4:30 pm

Re: PSA - LastPass breach!

Post by rebellovw »

samsoes wrote: Tue Feb 28, 2023 11:55 am This will be my last post regarding this particular subtopic of investigations.

I am the OP of this thread. When I started it and raised concern, multiple posters shot me down saying that this was a "nothing burger." Check it out.

How did that work out? Ok, then.
Good work on posting this. The first breach I stuck with LP as I assumed they were being transparent and under constant hacking - then it just got worse. The good that comes out of it - is that we can all look to protect ourselves from the mistakes made - keylogger protection, PMs that fill the gaps, etc.
valleyrock
Posts: 743
Joined: Sun Aug 12, 2018 7:12 am

Re: PSA - LastPass breach!

Post by valleyrock »

samsoes wrote: Tue Feb 28, 2023 10:38 am This is mind-blowing beyond words. I'm surprised congressional hearings haven't been launched yet. I'm sure they will once reports of thefts from cracked vaults with weak master passwords start to be reported (or phishing attempts based on plaintext URLs and plaintext Notes fields prior to 2019).

If you are still with LP, switch now! Consider Bitwarden or 1Password, both of which have been discussed extensively on this thread, and change every single application password to a unique long computer-generated one, and change anything that may have been stored in the Notes field (answers to security questions, backup codes, etc.) Start with the critical sites first: where you have money, followed by where you have debt, etc., right on down to your favorite recipe site.

What a disaster.
The big problem I have is SSNs in some of the Notes fields. Also, some of my Notes fields include password/access information for the credit bureaus, and I'm not sure if those can be changed. Anytime you say "boo" to Experian, TransUnion or Equifax, things get squirrelly and it can take a long time and many phone calls to unravel issues. This is very worrying.

Lastpass refuses to say whether Notes fields were encrypted in all of the stolen backups. They have a party line referring to current Notes fields as being encrypted, but their help desk people have no idea about old backups, and queries to Lastpass executives go unanswered.

I'm kicking myself for not changing back when LastPass' owner sold to LetMeIn, which apparently is run by computer and security neophytes who don't have much of a clue about what they don't know.
Peculiar_Investor
Site Admin
Posts: 2298
Joined: Thu Oct 20, 2011 12:23 am
Location: Calgary, AB 🇨🇦

Re: PSA - LastPass breach!

Post by Peculiar_Investor »

Lastrun wrote: Tue Feb 28, 2023 11:05 am Just today:

Code:

[url]https://www.nytimes.com/2023/02/27/us/politics/us-marshals-ransomware-hack.html/url]
How would you like to be in the witness protection program and wake up this morning to this? Edit: I can't get the URL to post correctly. Anyhow the headline is: Hackers Breach U.S. Marshals System With Sensitive Personal Data
I have put [code] tags around your material so that everything that follows works.
You could change

Code:

[url]https://www.nytimes.com/2023/02/27/us/politics/us-marshals-ransomware-hack.html/url]
to either

Code:

[url]https://www.nytimes.com/2023/02/27/us/politics/us-marshals-ransomware-hack.html[/url]

which produces:

https://www.nytimes.com/2023/02/27/us/p ... -hack.html

Better still, you could change it to:

Code:

[url=https://www.nytimes.com/2023/02/27/us/politics/us-marshals-ransomware-hack.html]Hackers Breach U.S. Marshals System With Sensitive Personal Data - The New York Times[/url]
gives:

Hackers Breach U.S. Marshals System With Sensitive Personal Data - The New York Times
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
Blues
Posts: 2409
Joined: Wed Dec 10, 2008 10:58 am
Location: Blue Ridge Mtns

Re: PSA - LastPass breach!

Post by Blues »

valleyrock wrote: Tue Feb 28, 2023 12:22 pm The big problem I have is SSNs in some of the Notes fields. Also, some of my Notes fields include password/access information for the credit bureaus, and I'm not sure if those can be changed. Anytime you say "boo" to Experian, TransUnion or Equifax, things get squirrelly and it can take a long time and many phone calls to unravel issues. This is very worrying.
On the bright side, the ne'er-do-wells will have just as daunting a time getting anywhere with the credit agencies. :sharebeer
valleyrock
Posts: 743
Joined: Sun Aug 12, 2018 7:12 am

Re: PSA - LastPass breach!

Post by valleyrock »

Blues wrote: Tue Feb 28, 2023 12:47 pm
valleyrock wrote: Tue Feb 28, 2023 12:22 pm The big problem I have is SSNs in some of the Notes fields. Also, some of my Notes fields include password/access information for the credit bureaus, and I'm not sure if those can be changed. Anytime you say "boo" to Experian, TransUnion or Equifax, things get squirrelly and it can take a long time and many phone calls to unravel issues. This is very worrying.
On the bright side, the ne'er-do-wells will have just as daunting a time getting anywhere with the credit agencies. :sharebeer
Good point. When one of the agencies asks me to confirm which bank I did business with 40 years ago, and I get it wrong, it puts me into squirrel cage mode for days. The ne'er-do-wells are bound to move to more low-hanging fruit from there.

I did some looking and it seems one can change passwords, etc. for the credit agencies. Just don't hit a wrong key.

We need a support group for LastPass members who haven't switched over yet to another password manager. (I'm leaning toward 1Password.)
We take a Saturday morning, turn off the phones, lock the door, get a nice cup of coffee, and follow the procedure. It looks like a major pain, but it can't be that bad. Afterwards, we meet on Zoom for a couple of libations. Recording is not allowed, and swearing is encouraged. Boglehead lazies, unite!
Tyler9000
Posts: 711
Joined: Fri Aug 21, 2015 11:57 am

Re: PSA - LastPass breach!

Post by Tyler9000 »

After the news today about yet another serious LastPass breach announced way too late, I finally bit the bullet and switched to 1Password. The process was extremely easy. 1Password was able to import all of my info using only my LastPass login, and after a few minutes of organizing the accounts I was up and running. So if anyone else is considering the switch, it's really not hard at all.
CFM300
Posts: 2388
Joined: Sat Oct 27, 2007 5:13 am

Re: PSA - LastPass breach!

Post by CFM300 »

From the LastPass blog, dated 3/1/2023:

Security Incident Update and Recommended Actions

This update is structured as follows:

- What happened and what actions did we take?
- What data was accessed?
- What actions should you take to protect yourself or your business?
- What we have done to secure LastPass
- What you can expect from us