nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Additional details about the security incident requested

markfourteensixtytwo

If it's true that the hackers took every vault, like that other thread says, how are you people so **bleep**ing bad at your jobs? Lives will be ruined over this. Do you care at all? What are you even doing this week?

The URLs are unencrypted. People will be blackmailed, doxed, etc. because of that. Do you care at all? Or do your dumb owners only care about profit margins?

I hope this company goes bankrupt. You're the most popular password manager and you just ruined the lives of at least 35 million people.

Do any of you see these forum posts? Do you see the outrage on social media? If people commit suicide due to the embarrassing personal info released by this breach, what will you do?

Also, why are you lying to customers? Two customers were told by LP support personal/family vaults weren't stolen, just enterprise accounts. Which is the truth? Why are you lying to people?

Find more posts tagged with

Accepted answers

ash.canon

Hi, all.

I understand your concerns, and will try to simplify some of the FAQ answers here.

As long as your account password uses the recommended complexity as outlined in this article, and you do not reuse the LastPass password anywhere else, then it would be very difficult for the threat actor to guess the key to decrypt your vault data.

The data that was accessed and not fully encrypted was a backup of user's personal information such ascompany names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. Therefore, it is important to be aware of any phishing attempts by malicious actors attempting to gain personal information and credit card details.

We will continue to update the LastPass blog post if new information becomes available.

All comments

Paul DeCrette

It's a bit shocking they are not handling communication with us better, offering incentives to stay, etc. At a minimum, this is hours of my life as I have to log into hundreds of sites to change passwords.

markfourteensixtytwo

I hope they go bankrupt. Hope the people involved never get good jobs again and have to live paycheck to paycheck.

norbeck

>If you're going to blame customers for trusting a company that promotes itself as safe and secure, sorry, but go **bleep** yourself.

Exactly. And this is also precisely what their 12/22 blog post implies, which is part of why I’m not taking that BS from them or anyone else. It was THEIR responsibility, and theirs ALONE, to protect our data, regardless of what it was. That includes making sure customers set appropriately secure master passwords, encrypting URLs, and setting the iterations to the modern standard for ALL customers, not just the new ones.

markfourteensixtytwo

Yeah I don't think they realize people can file personal lawsuits if it's proven their blackmail/dox is due to this breach and it leads to damages. They're acting like website URLs being unencrypted is no big deal, while also trying to not mention it because it is a bit of a big deal. Most customers probably don't know not everything inside the vault is encrypted. The way their lying marketing goes, it implies the vault is totally encrypted and nobody could ever hack into your vault because LastPass doesn't have the key. Both of those things are false.

They're downplaying the breach and making people spend time on Christmas worrying and rotating their passwords. How is this company run like some scam company that tricks you into using a desktop access client to get into your bank account?

markfourteensixtytwo

Is everybody affected? What are you doing to stop the hackers from spreading the stolen data?

People are being told the breach happened on September 22nd and everybody is affected. Some are being told it's only enterprise customer vaults that are affected. What's the truth?

We understand how the vault works. Most people are angry at the vagueness of LP's statements. Breaches happen, and LP detected an intrusion 4 days or so into the incident, which is great. How weren't you able to contain it after that? You gave a premature "mission accomplished" message to everybody on the 15th of September, and then it turns out vaults were stolen after that?

"We will continue to update theLastPass blog postif new information becomes available" It's been 3 months since this started. You're just finding out new info? The statement being released just before Christmas seems like you were sitting on that for a while. Are you truly discoveringnew stuff, or are you planning to release the severity of the breach in increments to soften the blow?

ron.weasley

That's a bit strong, mate?!? They are just people like you and me trying to do their best. OK they may have made some duff decisions but I don't wish ill of them. It's not like they got hacked deliberately.

It is very obvious that putting all of your passwords and valuable info in one place is an "all eggs in your basket" situation, and that this inevitably carries some risk. And therefore choosing a VERY complex password is essential. Provided you did that, then I suggest people have little to worry about. And if they did not, then people have to take some personal responsibility here IMO.

Ok the unencrypted URLs thing is out of order, but more fool me for not realising sooner - this info was out there. And tbh even this I think is overplayed. I imagine the number of people for whom this is a genuine problem, is very small. I get phishing attempts for people claiming to be my bank, quite often anyway. And I don't visit Ashley Madison or anything else I'd be embarrassed about. And if I did, I certainly would not have put the login details in LastPass. Plus, your ISP, your work, your VPN provider - and perhaps others - already know which sites you visit.

georgefescos

LastPass should clarify exactly what data was unencrypted.

Ash said: "The data that was accessed and not fully encrypted was a backup of user's personal information such ascompany names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. "

But the LastPass Blog post says: "The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."

What is meant by website URLs?

markfourteensixtytwo

The fact that maybe 50,000 people at most have read about this breach occurring if I go by what I've seen on Twitter, and even less are LP users, is concerning. I don't think LP will go out of business for the sole fact that people are apathetic.

markfourteensixtytwo

They contracted Mandiant right after the August incident. There are things they can do, like prevent it from being sold on forums, etc.

The Optus breach happened this year, and they released about 10,000 customer records and then backed down due to the heat on them, saying they deleted the stolen files (How true that is I'm not sure). I'm hoping that would be the case here too. Enough legitimate companies use LastPass for this to be treated very seriously, and for the "threat actor" to be sought after a lot more than most hackers.

norbeck

They may not have got themselves hacked deliberately, but a good bit of their negligence seems very deliberate. They’ve known for YEARS that not encrypting URLs was a serious flaw in their system, and chose to do…NOTHING. And they were also told that they needed to up their iterations YEARS ago and still did… NOTHING.

Oh, and to your comment about people not setting complex enough passwords—sorry, but that’s on them, too. They did nothing to make sure that users were notified that passwords weren’t long/strong enough when they absolutely could and should have, as plenty of the experts who’ve chimed in since this breach have noted.

I think the anger and frustration directed at this company is entirely justified considering they knew their system was not up to snuff for ages and did bugger all about it. Maybe they didn’t deliberately get themselves hacked…but they very much did deliberately not take active steps to prevent it, which is **bleep** near the same thing.

markfourteensixtytwo

This is why I'm shocked there's been virtually no evidence of hacking caused by this breach. LP left a lot there to be used, and we're not seeing any horror stories even 3 months after this breach.

norbeck

Three months doesn’t seem like a lot of time to me with something this big. And depending on how the data is being used, a lot of users may not have made a connection between phishing attempts or password problems and this breach—especially when LP is failing to take direct responsibility for their negligence by trying to imply that everything is still just fine and no one has any cause to worry. Most LP users don’t read this forum and won’t look for more detailed info, and therefore won’t be any the wiser.

markfourteensixtytwo

They detected an intrusion about 4 days into the occurrence. That's very good compared to most response times, sometimes breaches are only known about once the data has been sold or released freely. The major failing is that they didn't contain it after saying they did.

katcherw

The unencrypted URLs is a major issue for me, and what is causing me to finally leave LastPass. The list of my URLs might now be posted publicly on some shady web site, being replicated for an eternal presence on the net, accessible by employers, friends, enemies, family, political opponents, etc. This can reveal things like political activity, religious beliefs, sexual orientation, where my financial transactions are held, medical conditions, etc. This isn't hypothetical anymore, it doesn't depend how strong my password is or my MFA protections or anything. Hackers have that information now. And they have it because LastPass failed to protect it.

If LastPass explained to me what was encrypted and what was not, I might agree and take that calculated risk. I might also be careful what I put in my vault. But they didn't explain that. They told me they have "zero-knowledge", which I naively took at face value.

This is directly from the LastPass website, still up there:

"At LastPass security is our number one priority. With local-only encryption, your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass."

When they say my data is encrypted, I assumed all my data, not just the data that they don't need. This statement is so misleading that I would call it a lie.

Yes, now I know that information was "out there". But I never considered scouring the internet for new commentary by security experts that may have come out since I signed up. I also never bothered to examine the raw data my computer was sending to LastPass to double-check that it was all encrypted. I trusted them. I can forgive them for the actual breach. After all, I don't know the details about how sophisticated the intruder is or what the actual security lapses are. Maybe it can happen to anybody. But I paid them to protect my data - all of it - and they failed.

markfourteensixtytwo

"And I don't visit Ashley Madison or anything else I'd be embarrassed about. And if I did, I certainly would not have put the login details in LastPass."

If you're going to blame customers for trusting a company that promotes itself as safe and secure, sorry, but go **bleep** yourself.

john.muraro

What you wrote:

"The data that was accessed and not fully encrypted was a backup of user's personal information such ascompany names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service."

What the blog post says, that you, clearly deliberately, left out:

"The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs,.."

Basically, you ignored / tried to BS your way past the point that@"TD1989" was making: That the "threat actor" has the roadmap of URLs in unencrypted form for each user, along with their email address, phone number, and IP address. To his point, that means your customers are now open targets for doxing and blackmail if they have any politically incorrect sites in their profile.

So, just STOP it. Stop trying to obfuscate just how bad this is. You're making people angrier and lawsuits (not just that clown class action suit, but individual actions) far more likely by minimizing this.

norbeck

>What are you doing to stop the hackers from spreading the stolen data?

There’s literally nothing they can do to stop the hackers from doing whatever they want with our data now that they have it. And they know it, which is why they’re taking the chicken **bleep** way out and aren’t talking about it.

norbeck

That requires them to take actual action against a potential thread, which they have never done in their entire existence. Hope springs eternal, but I’m not holding my breath.

norbeck

> The major failing is that they didn't contain it after saying they did.

I’d argue, quite strongly, that the major failing is their unwillingness to take adequate steps to address security flaws they were told about YEARS ago, like unencrypted URLs, forcing strong master passwords, and inadequate iterations, all of which would have left all of us in a much better position than we’re in right now.

Being great at detecting that someone managed to open the barn door doesn’t change the fact that the horse is long gone, and you’ve failed at your ONE job, which was to keep it safely inside.

norbeck

> What is meant by website URLs?

It means the URL field in your password records was unencrypted. The hackers know every site you’ve been to and can not only prioritize cracking passwords accordingly, they have perfect info to initiate phishing attempts against LP users.

Oh, and they have your address and phone number, and can map all your physical movements based on those IP addresses. But hey, they tell us, no big deal…

ash.canon

Hi, all.

I understand your concerns, and will try to simplify some of the FAQ answers here.

As long as your account password uses the recommended complexity as outlined in this article, and you do not reuse the LastPass password anywhere else, then it would be very difficult for the threat actor to guess the key to decrypt your vault data.

The data that was accessed and not fully encrypted was a backup of user's personal information such ascompany names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. Therefore, it is important to be aware of any phishing attempts by malicious actors attempting to gain personal information and credit card details.

We will continue to update the LastPass blog post if new information becomes available.

norbeck

>I don't think LP will go out of business for the sole fact that people are apathetic.

You can only be apathetic for so long when you start finding you can’t log into your financial accounts, and your money is gone, which may be exactly what happens to a lot of folks who aren’t paying attention—or who are not naturally suspicious enough to read a load of obfuscation like that blog post and dig deeper into what it means.