Jaym3
New Contributor

Update on Recent Security Incident

I assume you have all seen the email update regarding the LastPass security breach. Now that they have disclosed that a backup of customer vault data and LastPass source code were taken, how many of you feel confident trusting your corporate security to a company that placed your extremely sensitive data in a cloud-based container rather than their own on-prem storage? At that point they are entrusting your data to a third-party provider that you have no knowledge of. I have been frustrated for years with the poor quality of LastPass support when my users have had issues. The last issue involved a user updating a field in one record and later finding that the data in that field had replaced data in hundreds of records. LastPass stated that they could not get this data back. Makes me wonder why they even have those backups if they cannot get data back from them. I guess the integrity of data isn't protected any more than access to LastPass customer vault data. I am trying to find an alternative to this leaky sieve of a solution. Do any of you have any suggestions?

 

Signed,

Frustrated Customer


Accepted Solutions
AshC
GoTo Moderator

Re: Update on Recent Security Incident

Hi, all. 

I appreciate your patience while we finalized the latest blog update and I will try to simplify the details here.  

 

Encrypted data includes all user names, passwords, and any associated notes within the Vault.

Unencrypted data included basic customer account information and related metadata including company names, end-user names, website URLs, billing addresses, email address, telephone numbers and IP addresses from which customers were accessing the LastPass service.

 

At this time, there are no specific actions that you need to take in response to this potential access as your sensitive information remains encrypted within your vault. However, as always, we recommend staying vigilant and adhering to security best practices, which include potential phishing attempts from bad actors pretending to represent websites that you maintain active accounts with. 

 

@esax06  I'm sorry to hear about your recent identity theft.  While we do have a security feature activated automatically for email ID verification when a new device or IP address is recognized, it is possible to disable this feature in the Vault's Advanced Settings.  Do you know if this security feature was triggered at all in the past 2 weeks? 


Ash is a member of the GoTo Community Care Team.


raffi-t
New Contributor

Re: Update on Recent Security Incident

I hear you. I'm not thrilled about this latest news either. The latest update on the incident makes me feel like I have more questions than answers. The way the statements were made, it has me believing the copies can be accessed by brute-force guessing the master password. At no point do they mention that if you have two-factor enabled, then you have nothing to worry about. Why did I buy and implement a YubiKey? Only to fool myself into thinking it's more secure? They only touched on additional security for business customers with a certain feature. This tells me two-factor is actually zero-factor regarding this incident? Two-factor is a complete joke if it only applies to the current live dataset and not the backups that were stolen. Why is it not mentioned at all? I called support to ask about this and they were only repeating their standard statements on security and nothing specific to this incident. I felt like my question was not really understood or was purposely being sidestepped. Either way, it was disturbing. This was their Xmas gift to us. Let us go into the holidays worrying about our passwords. Nice!

DBS8
New Contributor

Re: Update on Recent Security Incident

Hi,

I don't feel comfortable about this part of their statement either. Maybe I'm reading it incorrectly, but it seems not all of the stuff protected behind the master password in the vault is protected, or at least some fields and not others were compromised during the 'backup theft'.

This statement:

"The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data…"


Reading this seems to infer that some data was stolen that was stored in an encrypted store in LastPass' own format that contains unencrypted data within certain fields.

What is the complete list of these fields, i.e. which fields and document types are unencrypted and were compromised?

Are you stating the only fields that were NOT compromised were the usernames, password fields etc.? Can you please provide a complete list?

This likely meant that SOME part of our master password protected data was taken.

Please clarify.

DBS.

Micael
New Contributor

Re: Update on Recent Security Incident

Yeah, getting a detailed list of all unencrypted fields will be crucial, I mean everything should be encrypted in the first place, given that there is no accounting for what field a user may or may not decide to use to store sensitive information, but if you positively are going to have unencrypted user data, the least you can do is give out a list of those fields.

amgoes
New Contributor

Re: Update on Recent Security Incident

+1

I also use a YubiKey and would like to receive an official reply from LastPass about some questions:

1. For users who only use a YubiKey as MFA to log in, is it still possible for the hacker to gain access to the decrypted data? If yes, are we safer or does it make no difference?
2. Does anything else change from what was said in the article for users in this scenario?

Micael
New Contributor

Re: Update on Recent Security Incident

Not a LastPass dev, but given that according to LastPass the master password remains as a fallback, it is very safe to say accounts that use a YubiKey as MFA are just as vulnerable, if not more so (you now have an additional way to reach the same outcome).

 

It's the same thing as using a YubiKey as 2FA for LastPass: even without knowing the implementation, just knowing that you can disable 2FA without having access to the 2FA device tells you that only the master password is actually needed.

esax06
Active Contributor

Re: Update on Recent Security Incident

Somebody has stolen all my passwords (new ones and very old ones). I always used LastPass. The hacker sent me a list of my passwords and the email addresses of my friends. He wants 1500 US dollars to not publish my pics. Somebody tries to get into my Outlook account every hour. I had a contact on Twitter who was sending tweets every 3 minutes, about 569 tweets every day. I'm not sure, but this contact was very new. I changed my router and changed all passwords. Maybe somebody is selling my data on the darknet or something. The strange thing is that the passwords he sent to me are very old ones, but some are new.

esax06
Active Contributor

Re: Update on Recent Security Incident

Somebody has stolen all my passwords and he is using them. I had all my passwords in LastPass.

esax06
Active Contributor

Re: Update on Recent Security Incident

"Enable logged in notification" was off.

"Remove notifications on active" was on.

Somebody sent me all the passwords I have been using, and the emails of my contacts. Somebody opened a Google Pay account for me in Indonesia and tried to order on AliExpress with my Yahoo account. I had to change my router. I could not get into my router to change the password. I tried to reset the router to factory settings but there was no way to do it.

I still have attacks on my Outlook account every 2 hours. Somebody tries to get into my account but cannot.