Submitted 8 months ago by L4s@lemmy.world [bot] to technology@lemmy.world
https://www.theverge.com/2023/9/7/23862658/lastpass-security-breach-crypto-heists-hackers
More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists
Nearly every victim was a LastPass user.
But every victim was a cryptocurrency user.
I’d be willing to bet that people store their key phrases in the notes section in LastPass which was not encrypted at rest
I’m sure they were encrypted. But attackers have the vaults and many people have bad passwords. Brute forcing these days is less about trying every combination and more about trying all known leaked passwords, because people reuse passwords like crazy and also just aren’t as original as they think.
If you have millions of password vaults, I’m sure you can crack open a small number. And the ones you can crack are probably the most likely to not be following best practices, meaning it’s more likely they haven’t changed their passwords since the breach was announced a while back and they probably are less likely to have 2FA.
This is incorrect information. Notes are encrypted, just not their “type”. Unfortunately the most direct source for this is a reddit link, but here it is anyway.
This doesn’t say anything about crypto.
It says everything about the users themselves.
Switched to bitwarden as soon as they tried to charge a sub for multiple devices, I see that was the right choice
Are you not worried your vault is still on their servers? I feel most companies don’t delete shit. Most have ways to get around it saying they keep some info for taxes, accounting, etc.
I wouldn’t sleep well knowing my passwords where on there at any given time.
You can host a bitwarden vault yourself. They open sourced and audited. So, trustworthy that there’s no back door somewhere to some degree.
So just change whatever passwords you had saved to LastPass. That would mitigate any issues, right?
It’s e2e and the code to do so is opensource, and you can always host Vaultwarden yourself.
same here. nuked my lastpass account and switched everything over to bitwarden. their paid offering was worse from the competition and now i’m very glad i moved from them
Was it a huge pain in the ass moving over or fairly painless? I need to do this.
These guys saved their seed phrases to LastPass, not just account passwords. You can’t just change your seeds without moving funds to a new wallet.
The main lesson here is never store your seeds in digital form, ever. Write it down by hand on paper at creation and then take additional efforts to safeguard it.
I wrote my seed information down for my poop coin wallet directly on Charmin double ply and then promptly wiped my ass with it and flushed.
All my apes are now gone!
Shit coin is far superior than poop coin. All the apes have shit coin. You never lose the password to shit coin, there’s always more shit coin passwords.
How were the wallets cracked? Cracked the master password?
instead of using a password manager managed by a PRIVATE ENTITY people should start using bitwarden … its opensource, free and much more secure and reliable
I personally use KeepassXD on my phone, although it hasn’t had a security audit. There is also KeepassXC for desktop, which has had an audit
But who is running the bitwarden server? Bitwarden the private company.
I self host vault warden, but it’s really not something everyone can do.
Vaultwarden is incredible, and one of the few things I’ve seen that runs easily on freebsd.
Or should, for that matter
I prefer local password managers. Synchronisation is achieved with a syncing service of our choice.
That’s pretty much what Bitwarden does at its core. It will only synchronize the encrypted password vault and each client keeps an offline copy of it.
Bitwarden, the host, is a private entity
How does bitwarden encrypt their passwords? Im just realising that since it works on both my laptop and phone with no configuration it can’t be overly nuanced
It’s encrypted on the client and bitwarden themselves can’t decrypt it (we assume, but there have been audits that seemed to confirm that).
If you want to you can just run your own server then they can’t see the traffic at all.
Private entities are more reliable for personal data than companies whose stocks have gone public.
It’s a crypto donation software
Pro Tip: You don’t need to give a private company all of your passwords. That literally defeats the purpose of having passwords.
A-fucking-men… but I was always given shit for saying this.
Anything can be hacked or stolen, I don’t trust any company to secure my information. :/
I keep thinking of the people who make their passwords garbled random text impossible to memorize but then they trust an online service to keep it safe and private. When breaches happen, maybe even a post-it note at home would have been more secure.
Except you’re giving your passwords in an encrypted format. So if the company is trustworthy, it’s safe to let them store your passwords because it’s encrypted in such a way that even the company who own the password manager couldn’t access your passwords even if they wanted to.
(Note the caveat of “IF the company is trustworthy”, which rules out Lastpass)
Now there are legitimate arguments against storing passwords in the cloud via a password manager… so in that case, you may wish to use a local password manager (like Keepass) instead.
This. This. This.
I vote for you to be chair person of the board for common sense.
Man am I glad that I picked KeypassXC as my password manager some years ago. Super safe, easy to use, costs nothing, not dependant on internet/cloud, can export data to another app at any time, transparent because open source.
I’m using Syncthing to synchronize across devices which arguably too some fiddling to set up but I only had to fiddle once and haven’t touched the configuration since; it just works automagically in the background.
Keepassxc and syncthing? Are you a clone of myself? :D
Same setup, working as a charm
It’s a pretty common setup to be clear, easy setup, works like a charm.
Just keep in mind that it’s not a backup solution, my Homeserver does that for me.
I use KeepPass, what’s the difference?
Nothing major as far as I can tell. Here’s an overview via SuperUser. KeePassXC might be a better option for some use cases if you’re mostly not on Windows as it does not require .NET. Note that “KeePassXC does not support plugins at the moment and probably never will”, but it does have built-in support for some things you might want a plugin for in KeePass2.
Firefox’s password manager is probably just as good.
“Probably”? It’s the best! I never have to worry about memorizing 500 different passwords cause Firefox automatically syncs my passwords across every device I use without me even having to think about it.
It’s great.
Google only just recently introduced encrypted passwords… Before they were stored in plain text on your computer… Tho I’m not even sure how that encryption even works.
So… It may not have leaked yet (or maybe it has but Google suppresses everything, who knows) but I wouldn’t trust it to keep something safe.
I’d be worried about losing access to the entirety of your passwords if Google up and decides that one day your account is suspended. There’s been a few reports historically where someone gets their Gmail account suspended for some mistaken reason and all their associated access gets pulled (e.g. from drive, sheets, etc)
…so far.
For those that don’t mind self-hosting, which can be as easy as just running syncthing or resilio sync on your NAS, I can really recommend keepass.
Me with interest, but no technical knowledge reading your comment:
which can be as easy as
:-)
running syncthing or resilio sync on your NAS
:-(
I didn’t understand any of those words
As a non-Google user, Lemmy is only “Chrome bad”. They’re “Android is the only way”
Well chrome = bad. Just look at all the anti-competition things they are implementing just because they are the leaders on the market.
Now they are blocking cookies, it’s great isn’t it? NO! now they are targeting you through your browser history while blocking competing cookies.
Manifest V3 introduced by Google, that’s amazing, now ad blockers won’t be able to update their list individually. It’s amazing isn’t it? Being able to hinder the adblockers when your revenues comes from ads.
Any obvious holes in keeping a text file on my laptop that I encrypt when not using it? Using ccrypt on linux.
I do not want my passwords - even encrypted - on the cloud or at the mercy of a 3rd party in any fashion.
Use KeePass.
My concern with using a text file is you have to defrost it to use it and whenever it’s not encrypted it’s potentially exposed. You are also vulnerable to keyloggers or clipboard captures
KeePass works entirely locally, no cloud. And it’s far more secure/functional than a text file.
Absolutely, Keepass is a great alternative to cloud managed password managers.
You are also vulnerable to keyloggers or clipboard captures
Keepass (and most password managers) are vulnerable to this as well.
Yes, if you write the decrypted file to disk, it could be recovered. Deleting files only removes the file system entries - it does not wipe the content.
Use a local password manager. KeePass is the most popular choice. If you prefer a command line tool, pass (passwordstore.org) is an option.
Why not use KeePass then? It’s entirely local and you don’t have to risk running your own encryption solution.
All it takes is a malicious program accessing your clipboard or running commands to find your password file while your machine is booted and decrypted.
That’s an average of over 200k each. I’m wondering how they managed to target people with so much money.
migrated my shit out of lastpass like 10 years ago or whenever it was bought by logmein. douches.
This is the best summary I could come up with:
Cybersecurity blogger Brian Krebs reports that several researchers have identified a “highly reliable set of clues” that seemingly connect over 150 victims of crypto theft with the LastPass service.
Taylor Monahan, lead product manager at crypto wallet company MetaMask and one of the key researchers investigating the attacks, concluded that the common thread connecting the victims was that they’d previously used LastPass to store their “seed phrase” — a private digital key that’s required to access cryptocurrency investments.
These keys are often stored on encrypted services like password managers to prevent bad actors from gaining access to crypto wallets.
We have reached out to LastPass to confirm if any of the stolen password vaults have been cracked and will update this story if we hear back.
Researcher Nick Bax, director of analytics at crypto wallet recovery company Unciphered, also reviewed the theft data and agreed with Monahan’s conclusions in an interview with KrebsOnSecurity:
“I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”
The original article contains 363 words, the summary contains 196 words. Saved 46%. I’m a bot and I’m open source!
I don’t understand saving your passwords to the cloud in the first place
It is like storing all the passwords in one convenient place that can be accessed from any location on the planet, making it the most convenient and juicy target for hackers.
Even encrypted, it just doesn’t make sense.
I mean, they’ve had more than long enough to change passwords.
Nobody is after your password for the Moravian rug weaving forum but in this day and age it’s on you, if you know there’s a breach and you don’t change your banking / crypto passwords.
Anybody serious about security wouldn’t store vital passwords online in the first place. The convenience isn’t worth it when whatever company is used gets hacked because an intern got phished.
All that promotion/awards tagging as best password manager for nothing. Glad I picked up KeyPassXC and KeyPassDX and sync between my phone and PC with gdrive
After years as a family plan subscriber, I moved my personal (1k+) passwords off of LP after the last – and most egregious – breach. I have quite a bit self hosted in my environment but Proton Pass interests me as I can get my wife and son in it easily as we already have the family plan. Lemmy is loaded with tech savy, so my question is; same devil different form? I’ve tried BW but it wasn’t condusive to the whole familys use (at least not a few years ago).
Is there any reason to use a password manager over just an excel spreadsheet?
The seeds are passphrases anyway. Just memorize them. Passphrases are so that they are easier to memorize.
So what makes lastpass untrustworthy and do we think competitors like 1pass are any different?
The only password manager I trust to connect to the internet is the Firefox manager, Keypass for the important stuff.
Ado@lemmy.world 8 months ago
Bitwarden or keepass ftw
CMGX78@lemmy.world 8 months ago
I dumped LastPass for Bitwarden a few years ago. So glad I did.
PhatInferno@midwest.social 8 months ago
Same! Thinking i coulda been a victim in this attack is scary!
iHUNTcriminals@lemm.ee 8 months ago
Selfhosted for extra win!?
OberonSwanson@sh.itjust.works 8 months ago
Any recommendations on how-to?
Ado@lemmy.world 8 months ago
Self-hosted with yubikey 2fa. Even Santa Claus can’t see my info 😎
ramble81@lemm.ee 8 months ago
So what makes Bitwarden better than LastPass if you’re using Bitwarden’s hosted option (I know you can keep it locally).
PM_Your_Nudes_Please@lemmy.world 8 months ago
From what I remember (take this with a grain of salt since it’s all from when the big LastPass breach happened,) LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes, images, etc) were unencrypted. So even without cracking any vaults, hackers got access to gigantic lists of usernames and their associated email addresses. That’s valuable in and of itself, because it allows them to spear-phish those users.
For example, you may not fall for a regular phishing scam. But you may fall for it if the email has your username and recovery info in it. Because they know every email you’ve used to sign up for something and all of your different usernames that you used on that site, so they can craft convincing phishing emails that are specifically tailored to you.
It also allows them to search for specific users. Maybe there is a user on a crypto forum who is particularly noteworthy. Their username is already known on the site, and hackers are able to cross-reference that with the list of known usernames/emails and see if that user’s vault was part of the breach. If it was, they can focus on breaching that one user’s vault, instead of aimlessly trying random vaults.
DrCake@lemmy.world 8 months ago
I’m not 100% but I think Bitwarden actual encrypt the entire ‘password object’. So the url, username, password, and any notes. Lastpass didn’t/doesn’t encrypt the url so if anyone gets access to the vault, they have a list of websites where the person will have an account and can more accurately send phishing emails.
Lucidlethargy@sh.itjust.works 8 months ago
There’s no such thing as an impenetrable password manager. I keep my most secure passwords in my head, and so should everyone.
Even if the software were perfect, people aren’t. Anyone can be fooled under the right circumstances. It’s better to expose one service than all of them at once.
PlexSheep@feddit.de 8 months ago
Your head cannot be securely backed up, and you are not resistant to major thread actors (torture, and so on)
Ozymati@lemmy.nz 8 months ago
2fA is an important element too.
Ado@lemmy.world 8 months ago
How would someone steal my password and my physical yubikey for 2fa?