
maflynn (original poster):
LastPass users: Your info and vault data is now in hackers’ hands

Password manager says breach it disclosed in August was much worse than thought.

The hits keep on coming for LastPass. The August hacking was worse than previously reported:
Notice of Recent Security Incident

I said this prior to the August hacking: LastPass' track record is so poor that it would be incredibly foolish to keep your data with them. They downplayed the issue in August and September, but it looks like these "bad actors" have people's encrypted and unencrypted data.
 
That's scary! I would never use LastPass after they had multiple data breaches and the way they handled them. I've always worried a little about password managers because you're keeping all of your eggs in one basket. I use 1Password, but I still worry a little bit.
 

It never occurred to me that giving all your personal log-in information to a big company getting targeted by all the hackers in the world all the time, because the whole world knows all log-in info is kept there, is a risky thing to do!
 
And that's why I won't use 1Password's cloud service, even though they're doing everything they can to force stand-alone users to move to it (and its subscription model). I'm already looking for alternatives.
 
Cloud-based solutions, regardless of who you go with, carry a measure of risk. I use Bitwarden and my details are in the cloud, but they audit their systems, the software is open source and, if push comes to shove, you can self-host. I have a measure of confidence. If I host on my own server, is that any safer? Apple's iCloud with their Keychain offers a measure of confidence. I also have a measure of confidence with 1Password.

My problem with LastPass is that this isn't the first time it's happened. They seem to continually downplay the issues, but it keeps happening.
 
1Password data is, however, encrypted with two keys that only the end user knows, so whether or not their data center is breached is not necessarily a problem.
 
As I understand it, 1Password has a much stronger system.

And LastPass is also light years behind in terms of UX and UI.
 
Open source doesn't in itself make things more secure. If anything, it allows users to look through source code to find vulnerabilities.

LastPass will probably up its game. I'm sure a lot of people will cancel their subscriptions over this. Fewer subscribers and beefing up their security will make it even more secure. The likelihood of a threat actor getting usernames and passwords without the master password is pretty remote. A brute force attack on 256-bit AES would take >1 billion billion years with most supercomputers. Is it possible? Yes, anything is possible. Is it likely? Highly unlikely that they will get raw data. Despite this, I changed ALL of my website passwords after resetting my master password and upping my PBKDF2 to 310,000 as recommended by OWASP.
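The "billion billion years" figure in the post above is the cost of attacking the AES key directly, which is not the path a thief with a vault copy takes: they guess master passwords and push each one through PBKDF2 until the derived key decrypts the vault, so the iteration count is what sets the price per guess. The script below is an added example written for this thread, not code from LastPass, 1Password or the poster. Its model (PBKDF2-HMAC-SHA256 straight to a 32-byte vault key, salt stored beside the ciphertext) is a simplification of what real vaults do, and the salt, wordlist and iteration counts are constructed for illustration.

```python
"""Offline master-password guessing against a stolen vault, simplified.

Added example for this thread (not LastPass's, 1Password's or the poster's code).
Model assumptions: vault key = PBKDF2-HMAC-SHA256(master password, salt, iterations);
the attacker holds the salt and the encrypted vault, so the only cost per guess is the
key derivation. Salt, candidate list and iteration counts below are constructed.
"""
import hashlib
import hmac
import time

# Constructed salt. A real vault stores its salt next to the ciphertext, so the
# attacker has it too; it only defeats precomputed tables and adds no secrecy.
SALT = bytes.fromhex("8f1d4e6a2b9c0d3e5f7a1b2c3d4e5f60")
KEY_LEN = 32

# A low legacy-style count versus the 310,000 mentioned in the post above.
LOW_ITERATIONS = 5_000
OWASP_ITERATIONS = 310_000


def derive_vault_key(master_password: str, salt: bytes = SALT,
                     iterations: int = OWASP_ITERATIONS) -> bytes:
    """The key a client derives from the master password to unlock the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def offline_guess(candidates, target_key: bytes, salt: bytes = SALT,
                  iterations: int = OWASP_ITERATIONS):
    """Dictionary attack: return the candidate whose derived key matches, else None.

    The attacker must redo the full PBKDF2 work for every candidate, which is why
    the iteration count, not the AES key size, sets the cost of this attack.
    """
    for candidate in candidates:
        if hmac.compare_digest(derive_vault_key(candidate, salt, iterations), target_key):
            return candidate
    return None


def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Measure the single-core guess rate on this machine for a given count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"timing-probe-{i}", SALT, iterations)
    return samples / (time.perf_counter() - start)


def relative_cost(low_iterations: int, high_iterations: int) -> float:
    """PBKDF2 cost is linear in the count: work per guess scales by this factor."""
    return high_iterations / low_iterations


def seconds_to_exhaust(keyspace: int, iterations: int, cores: int = 1) -> float:
    """Rough time to try every password in a keyspace of the given size."""
    return keyspace / (guesses_per_second(iterations) * cores)


if __name__ == "__main__":
    # Constructed wordlist; the victim's master password is the third entry.
    wordlist = ["password", "letmein", "Tr0ub4dor&3", "correct horse battery staple"]
    stolen_key = derive_vault_key("Tr0ub4dor&3", SALT, LOW_ITERATIONS)
    print("recovered:", offline_guess(wordlist, stolen_key, SALT, LOW_ITERATIONS))
    for n in (LOW_ITERATIONS, OWASP_ITERATIONS):
        rate = guesses_per_second(n)
        print(f"{n:>8} iterations: {rate:8.1f} guesses/s on one core, "
              f"{seconds_to_exhaust(10**9, n, cores=1000) / 86400:.1f} days "
              f"for 1e9 candidates on 1000 cores")
    print("cost multiplier:", relative_cost(LOW_ITERATIONS, OWASP_ITERATIONS))
```

Raising the count from 5,000 to 310,000 makes every guess 62 times more expensive, but it is a linear factor: it buys time against a weak master password, it does not make one strong. A long random master password, and rotating the site passwords as the poster did, is what actually closes the window.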
 
I'm of the opinion that more eyes on the source code allow the closure of those vulnerabilities. The conventional wisdom in the security sector is that secretive policies are riskier than peer-review policies.
 
Well, I am certainly glad that I switched to 1Password from LastPass when I did.
While the latest upgrade and the changes that AgileBits made have turned off some users, I think 1Password is a solid product and the risk is lower than with LastPass. I will say, like Bitwarden, the risk is still there, but if companies do their due diligence and make security their priority, unlike what LastPass has been doing, then I think it's an acceptable risk.

For current and prior LastPass users, I think it's in their best interest to start changing their passwords, particularly for their credit cards and banks. Just to be safe.
 
For anybody interested, this is another good overview of this latest breach plus some suggested actions:
 

I’m a 1Password user so it surprised me to hear that the data is encrypted by two keys. I only have one. Or am I not understanding? Or is what you say only applicable to those who use 1Password’s cloud server?

I use 1Password 7 and my vault is not on 1Password servers but on other cloud servers.
 
Good article. Thanks for sharing this.
 
Do you have a secret key in addition to your master password? Those are used to create the encryption keys.
 
Not sure how their legacy systems work but any user with a cloud subscription has their data secured by their account pw and their unique secret key.
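To make the "two keys" point in the last few posts concrete, here is a simplified version of the idea, written as an added example for this thread rather than taken from 1Password's own code or white paper: the account password is stretched with PBKDF2 and combined with a separately generated, high-entropy secret key that is created on the user's device and never stored on the service's servers. A server-side breach yields the salt and the ciphertext but not the secret key, so a password guess alone cannot even be checked. The salt, the secret key format and the iteration count are assumptions. The standalone-licence/local-vault setup mentioned above has only the first half: there the vault key comes from the master password alone.

```python
"""Two-secret key derivation, simplified.

Added example for this thread; not 1Password's code, and the constants are made up.
Assumptions: vault_key = PBKDF2(password) XOR HMAC(secret_key); the secret key is
128 random bits generated on the user's device and stored only there (and in the
user's printed emergency kit), never on the service's servers.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32

# Constructed fixtures standing in for what the service stores (salt) and what
# only the user's devices hold (secret key).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SECRET_KEY = bytes.fromhex("a3f1c2d4e5b6a7980f1e2d3c4b5a6978")


def new_secret_key() -> bytes:
    """Generated once, client side, with a CSPRNG; the user keeps a copy offline."""
    return secrets.token_bytes(16)


def stretch_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow part: makes each password guess cost `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def expand_secret_key(secret_key: bytes, salt: bytes) -> bytes:
    """Fast part: spread the 128-bit secret over KEY_LEN bytes (HMAC used as a KDF)."""
    return hmac.new(salt, secret_key, "sha256").digest()


def derive_vault_key(password: str, secret_key: bytes, salt: bytes, iterations: int) -> bytes:
    """Both secrets are required: XOR means neither half alone reveals anything about the key."""
    stretched = stretch_password(password, salt, iterations)
    expanded = expand_secret_key(secret_key, salt)
    return bytes(a ^ b for a, b in zip(stretched, expanded))


def local_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """The standalone-licence case: master password only, no secret key."""
    return stretch_password(password, salt, iterations)


def offline_attack(candidates, target_key: bytes, salt: bytes, iterations: int, secret_key: bytes):
    """What a thief with the server's data can try.

    The thief only has the right secret key if a user device was also compromised.
    With the wrong (or a guessed) secret key every candidate fails, so the 2^128
    secret-key space is multiplied into the password search.
    """
    for pw in candidates:
        if hmac.compare_digest(derive_vault_key(pw, secret_key, salt, iterations), target_key):
            return pw
    return None


def attack_work_bits(password_guess_bits: float, secret_key_known: bool,
                     secret_key: bytes = SECRET_KEY) -> float:
    """Log2 of the number of derivations a thief needs in the worst case."""
    return password_guess_bits + (0 if secret_key_known else 8 * len(secret_key))


if __name__ == "__main__":
    iterations = 100_000
    target = derive_vault_key("hunter2", SECRET_KEY, SALT, iterations)
    wordlist = ["123456", "password", "hunter2"]
    print("with the device's secret key:",
          offline_attack(wordlist, target, SALT, iterations, SECRET_KEY))
    print("with server-side data only (guessed key):",
          offline_attack(wordlist, target, SALT, iterations, new_secret_key()))
    print("work, 20-bit password guess, key known/unknown:",
          attack_work_bits(20, True), attack_work_bits(20, False))
```

The trade-off is recovery: since the service never has the secret key, losing every device and the emergency kit means the vault is gone, which is exactly the property that makes the server-side copy useless to a thief.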
 
In addition, you can enable 2-factor authentication with 1Password to make it even more secure...

Yeah, that sounds like those who use the 1Password cloud service, which is practically anyone who has a subscription. I don't have one. I have a one-time license for up to 1Password 7.x
 
I've never used a software "app" to control passwords.

Instead, I created a simple database (using the free "iData").
Currently at over 130 entries.

On my MacBook Pro, I created a small encrypted disk image that requires a password to open.
I store my password database in the disk image.

When I need to check a password (and it seems that as I get older, I'm checking it a LOT), I just mount the disk image with the password. Then "it's all there".

When done, just dismount the disk image again.
 
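The workflow described in the post above, scripted with macOS's hdiutil, as an added example for this thread (not the poster's own commands, and it does not touch the iData database itself): the vault is an AES-256 encrypted sparse image, mounted only for as long as the passwords are needed and detached afterwards. It requires macOS; the image path, volume name and size are assumed, and the passphrase is fed on stdin so it never appears on a command line.

```shell
#!/bin/sh
# Added example: an encrypted disk image as a password store, driven by hdiutil.
# Assumptions: macOS with hdiutil and APFS; IMAGE, VOLNAME and the 64 MB size are
# made up. The passphrase is read from stdin (-stdinpass) rather than passed as
# an argument, so it stays out of shell history and `ps` output.
set -e

IMAGE="${HOME}/Documents/passwords.sparseimage"   # assumed location
VOLNAME="Passwords"                                # assumed volume name
MOUNTPOINT="/Volumes/${VOLNAME}"

# Is this host able to run the workflow at all?
have_hdiutil() {
    command -v hdiutil >/dev/null 2>&1
}

# One-time setup: AES-256 encrypted sparse image that grows as files are added.
create_vault() {
    printf '%s' "$1" | hdiutil create -encryption AES-256 -stdinpass \
        -type SPARSE -fs APFS -volname "$VOLNAME" -size 64m "$IMAGE" >/dev/null
}

# Mount for use; -nobrowse keeps the volume out of Finder sidebars.
# Fails (non-zero) on a wrong passphrase, so callers can test the result.
open_vault() {
    printf '%s' "$1" | hdiutil attach -stdinpass -nobrowse "$IMAGE" >/dev/null
}

# Detach when done: after this only ciphertext remains on disk.
close_vault() {
    hdiutil detach "$MOUNTPOINT" >/dev/null
}

# True while the volume is mounted.
vault_is_open() {
    [ -d "$MOUNTPOINT" ]
}
```

Call `create_vault` once, then wrap each lookup in `open_vault` / `close_vault`. Read the passphrase with echo turned off (`stty -echo; read pw; stty echo`) instead of typing it as an argument. The image protects the database at rest only: while it is mounted, anything running as your user can read it, which is the same window a password manager has while unlocked.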
I don't mind using a cloud password manager for convenience, since most of the logins are just not important to me, just a necessity.
And the few that are important are all MFA protected. (Just don't store one-time keys with that same provider ;) )
But that is obviously a decision everyone has to make for themselves.


I've always wanted to try out 1Password, but was always too lazy, because when you switch providers you should also change all the important passwords afterwards, since your data will likely still remain at the other provider, even if you delete your account. It is very unlikely that you will also get removed from their backups, for example.

But after this hack, I would have changed the passwords anyway, so this was a perfect opportunity.
And I have to say: thank god it happened! 1Password integration on both iOS and macOS is so much better.

Migration was also very easy: just export on LastPass and import on 1Password.
 
HDFan asked:
"How do you get your passwords on an iPhone, iPad?"

I don't own any iOS devices.
In fact, I'm one of the few people you'll ever meet who has never owned a smartphone of any kind, and never will.
Look at the avatar, that should tell you about me...
 