LastPass Vault Breached via Employee's Home Computer, Giving Keys to the Kingdom to Hackers
pjmedia.com | February 28, 2023 | Greg Byrnes
Posted on 02/28/2023 12:34:17 PM PST by TChad
Millions of LastPass users may be at risk after a major breach of the home computer of one of their top employees. This employee was only one of four people in the company with access to their corporate vault. The breach may have come through a home Plex media account, according to Ars Technica, and appears to have been perpetrated by the same hackers who breached LastPass security on a smaller scale last August. At about the same time, Plex’s security was also breached.
(Excerpt) Read more at pjmedia.com ...
TOPICS: Computers/Internet
KEYWORDS: lastpass; oldnews; password; plex; security
If you use LastPass, it might be time to move on to a different password manager. This is not the first time LastPass has been hacked.
The "Plex" program may also have been affected.
1 posted on 02/28/2023 12:34:17 PM PST by TChad
To: TChad
LASTPASS, It will be the last time you use your password before hackers steal your identity.
2 posted on 02/28/2023 12:36:52 PM PST by 1Old Pro
To: TChad
LastPass = Dead Company Walking
3 posted on 02/28/2023 12:38:01 PM PST by dfwgator (Endut! Hoch Hech!)
To: TChad; ShadowAce; Swordmaker; dayglored
4 posted on 02/28/2023 12:38:09 PM PST by Red Badger (Homeless veterans camp in the streets while illegal aliens are put up in hotels.....................)
To: TChad
Put your health data, banking data and passwords etc on the internet LOL:-)
What a bunch of maroons:-)
5 posted on 02/28/2023 12:39:55 PM PST by Harpotoo (Being a socialist is a lot easier than having to WORK like the rest of US:-))
To: TChad
No, Plex was not, as I read it. Plex had a breach, but that was handled quickly last year and everyone was warned to log off and change their passwords.
The breach involved salt and peppered data, but the account key could have been used, which is why they wanted everyone to log out of accounts.
As I read it they used his Plex account to compromise his LastPass Kingdom key access. Basically the guy is a moron and for the record LastPass has had a history of being miserable with security, they have no business being in the business.
6 posted on 02/28/2023 12:41:03 PM PST by Skwor
To: TChad
I’ve been using Dashlane for years. I hope they are investigating their security at this moment.
To: TChad
Why would anybody put their password information anywhere off their property?
It's just asking for trouble.
Online password managers? Nuts.
Just as crazy as storing your data in "the cloud", which = some server somewhere, you have no idea where.
8 posted on 02/28/2023 12:45:57 PM PST by Mogger
To: mkmensinger
9 posted on 02/28/2023 12:47:01 PM PST by siamesecats (God closes one door, and opens another, to protect us. )
To: TChad
10 posted on 02/28/2023 12:48:43 PM PST by dfwgator (Endut! Hoch Hech!)
To: Harpotoo
I just use the encryption built into the ‘vim’ editor for Windows/Linux and store all that type of info on my local computer (with a backup stored elsewhere, of course).
11 posted on 02/28/2023 12:49:41 PM PST by The Duke (Never Retreat, Never Surrender!)
To: Mogger
"Online password managers? Nuts."
I agree.
I have never trusted password managers, online or not. I have my own password-generating routine.
12 posted on 02/28/2023 1:29:54 PM PST by TChad (Progressives are in favor of removing healthy sex organs from children. Conservatives oppose this.)
To: TChad
Any password manager is going to be a high-priority target for attackers.
13 posted on 02/28/2023 1:42:14 PM PST by Steely Tom ([Voter Fraud] == [Civil War])
To: TChad
"Keys to the kingdom" is a little bit overblown...
From the LastPass website:
"The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms, please see here."
To: TChad
KeePass. Free and totally local to you. I keep my database on an encrypted thumb drive and you have to have my Yubikey to open it.
Please use a password manager; using the same password for everything makes you an easy target.
15 posted on 02/28/2023 3:08:29 PM PST by rarestia (“A nation which can prefer disgrace to danger is prepared for a master, and deserves one.” -Hamilton)
To: Mogger
As I understand it, the data is all encrypted and cannot be accessed without your Master Password, which is only stored as an encrypted value. They might be able to get some PII on the customer base, but I think that is about it.
16 posted on 02/28/2023 3:17:24 PM PST by Woodman
To: Mogger
Agreed. I have my own password generator and protection scheme. Nothing is stored off our property or in a cloud. And passwords are not stored on any of our computers.
17 posted on 02/28/2023 3:34:58 PM PST by redfreedom (You can vote your way into socialism, but you may have to shoot your way out.)
To: rarestia
"Please use a password manager; using the same password for everything makes you an easy target."
No one suggested "using the same password for everything."
18 posted on 02/28/2023 5:56:39 PM PST by TChad (Progressives are in favor of removing healthy sex organs from children. Conservatives oppose this.)
To: TChad
Given that most folks have more than just a few logins, and complex passwords constitute alphanumerics and symbols, and our memory gets less sharp as we get older, I’m going to assume that most individuals not using a password manager are reusing the same passwords at least once.
19 posted on 03/01/2023 2:33:21 AM PST by rarestia (“A nation which can prefer disgrace to danger is prepared for a master, and deserves one.” -Hamilton)