I assume you have all seen the email update regarding the LastPass security breach. Now that they have disclosed that a backup of customer vault data and LastPass source code were taken, how many of you feel confident trusting your corporate security to a company that placed your extremely sensitive data in a cloud-based container rather than their own on-prem storage? At that point they are now entrusting your data to a third-party provider that you have no knowledge of. I have been frustrated for years with the poor quality of LastPass support when my users have had issues. The last issue involved a user updating a field in one record and later finding that the data in that field had replaced data in hundreds of records. LastPass stated that they could not get this data back. Makes me wonder why they even have those backups if they cannot get data back from them. I guess the integrity of data isn't protected any more than access to LastPass customer vault data. I am trying to find an alternative to this leaky sieve of a solution. Do any of you have any suggestions?
Signed,
Frustrated Customer
Hi, all.
I appreciate your patience while we finalized the latest blog update and I will try to simplify the details here.
Encrypted data includes all user names, passwords, and any associated notes within the Vault.
Unencrypted data included basic customer account information and related metadata, including company names, end-user names, website URLs, billing addresses, email addresses, telephone numbers, and IP addresses from which customers were accessing the LastPass service.
At this time, there are no specific actions that you need to take in response to this potential access, as your sensitive information remains encrypted within your vault. However, as always, we recommend staying vigilant and adhering to security best practices, which include being alert to potential phishing attempts from bad actors pretending to represent websites that you maintain active accounts with.
@esax06 I'm sorry to hear about your recent identity theft. While we do have a security feature activated automatically for email ID verification when a new device or IP address is recognized, it is possible to disable this feature in the Vault's Advanced Settings. Do you know if this security feature was triggered at all in the past 2 weeks?
I hear you. I'm not thrilled about this latest news either. The latest update on the incident makes me feel like I have more questions than answers. The way the statements were made, it has me believing the copies can be accessed by brute-force guessing the master password. At no point do they mention that if you have two-factor enabled, then you have nothing to worry about. Why did I buy and implement a YubiKey? Only to fool myself into thinking it's more secure? They only touched on additional security for business customers with a certain feature. This tells me two-factor is actually zero-factor regarding this incident? Two-factor is a complete joke if it only applies to the current live dataset and not the backups that were stolen. Why is it not mentioned at all? I called support to ask about this and they were only repeating their standard statements on security and nothing specific to this incident. I felt like my question was not really understood or was purposely being sidestepped. Either way, it was disturbing. This was their Christmas gift to us. Let us go into the holidays worrying about our passwords. Nice!
Yeah, getting a detailed list of all unencrypted fields will be crucial. I mean, everything should be encrypted in the first place, given that there is no accounting for what field a user may or may not decide to use to store sensitive information; but if you positively are going to have unencrypted user data, the least you can do is give out a list of those fields.
+1
I also use a YubiKey and would like to receive an official reply from LastPass about some questions:
1. For users who only use a YubiKey as MFA to log in, is it still possible for the hacker to gain access to the decrypted data? If yes, are we safer, or does it make no difference?
2. Does anything else change from what was said in the article for users in this scenario?
Not a LastPass dev, but given that, according to LastPass, the master password remains as a fallback, it is very safe to say accounts that use a YubiKey as MFA are just as vulnerable, if not more so (you now have an additional way to reach the same outcome).
It's the same thing as using a YubiKey as 2FA for LastPass: even without knowing the implementation, just knowing that you can disable 2FA without having access to the 2FA device tells you that only the master password is actually needed.
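The point the reply above makes (MFA gates the online login, while an encrypted backup is protected only by the key derived from the master password) is easier to see in code. The following is an added, constructed model written for this thread; it is not LastPass code and does not reproduce their implementation. It assumes a PBKDF2-HMAC-SHA256 key derived from the master password salted with the account email, an assumed iteration count of 100,000 (check your own account's setting rather than this number), and an HMAC-based stand-in for the vault cipher so the example runs with only the Python standard library (a real product uses AES). The names `VaultService`, `fetch_blob`, `unlock_offline` and `demo` are invented for the model.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed iteration count for this model (not taken from the thread). The real
# figure is whatever your account's password-iterations setting says.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Derive the vault encryption key with PBKDF2-HMAC-SHA256.

    The only inputs are the master password and the account email (as salt).
    Nothing from a hardware token or one-time code enters the key, so a copied
    encrypted backup is protected by the master password (and iteration count) alone.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in keystream: HMAC-SHA256 in counter mode, so the example needs no
    # third-party library. A real vault would use AES here.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(plaintext: bytes, key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt_vault(blob: bytes, key: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None  # wrong key or tampered blob: fail closed, reveal nothing
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class VaultService:
    """The online service: password and MFA are checked here, before the blob is served."""

    def __init__(self, email: str, master_password: str, mfa_code: str, vault_plaintext: bytes):
        self.email = email
        self.mfa_code = mfa_code  # static code stands in for a TOTP/YubiKey check
        key = derive_vault_key(master_password, email)
        # Simplification: the server keeps a hash of the key for login checks, never the key.
        self.login_check = hashlib.sha256(key).digest()
        self.blob = encrypt_vault(vault_plaintext, key)

    def fetch_blob(self, master_password: str, mfa_code: str) -> Optional[bytes]:
        key = derive_vault_key(master_password, self.email)
        password_ok = hmac.compare_digest(hashlib.sha256(key).digest(), self.login_check)
        mfa_ok = hmac.compare_digest(mfa_code.encode(), self.mfa_code.encode())
        return self.blob if password_ok and mfa_ok else None


def unlock_offline(blob: bytes, master_password: str, email: str) -> Optional[bytes]:
    """Opening a copied backup needs the blob, the email and the master password.

    There is no MFA parameter, because the MFA gate lives in fetch_blob(), not in the ciphertext.
    """
    return decrypt_vault(blob, derive_vault_key(master_password, email))


# Constructed sample account and vault contents (not real data).
EMAIL = "user@example.com"
MASTER = "correct horse battery staple"
MFA = "123456"
VAULT = b"site=example.org;user=alice;password=hunter2"

service = VaultService(EMAIL, MASTER, MFA, VAULT)


def demo():
    """Return (served online without MFA, opened offline with master only, opened offline with wrong master)."""
    online_without_mfa = service.fetch_blob(MASTER, "000000")
    offline_with_master = unlock_offline(service.blob, MASTER, EMAIL)
    offline_wrong_master = unlock_offline(service.blob, "wrong password", EMAIL)
    return online_without_mfa, offline_with_master, offline_wrong_master


if __name__ == "__main__":
    served, opened, refused = demo()
    print("served online without MFA:", served is not None)                # False
    print("opened offline with master password only:", opened == VAULT)    # True
    print("opened offline with wrong master password:", refused is not None)  # False
```

The contrast is in `demo()`: the service refuses to serve the blob when the MFA code is wrong, but the same blob, once copied elsewhere, opens with the master password and email alone. For a defender the practical levers are therefore the ones the thread is circling around: a long, unique master password and a high iteration count, since those are the only inputs to `derive_vault_key`.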
Somebody has stolen all my passwords (new ones and very old ones). I always used LastPass. The hacker sent me a list of my passwords and the email addresses of my friends. He wants 1500 US dollars to not publish my pics. Somebody tries to get into my Outlook account every hour. I had a contact on Twitter who was sending tweets every 3 minutes, about 569 tweets every day. I'm not sure, but this contact was very new. I changed my router and changed all passwords. Maybe somebody is selling my data on the darknet or something. The strange thing is that the passwords he sent to me are very old ones, but some are new.
Somebody has stolen all my passwords and is using them. I had all my passwords in LastPass.
"Enable logged in notification" was off.
"Remove notifications on active" was on.
Somebody sent me all the passwords I have been using, and the emails of my contacts. Somebody opened a Google Pay account for me in Indonesia and tried to order on AliExpress with my Yahoo account. I had to change my router. I could not get into my router to change the password. I tried to reset the router to factory settings, but there was no way to do it.
I still get attacks on my Outlook account every 2 hours. Somebody tries to get into my account but cannot.