
[deleted]

They'll lay off lots of people, but many people will never cancel their subscription service, so they'll stay afloat.


ninernetneepneep

And unfortunately those who will lose their jobs are not the ones most responsible for the fiasco.


ServerPatchingNovice

Yea I'll probably keep an eye out for the employee layoffs as a sign. The risk of moving to other competitors with their own security holes and human habits/training which we don't know about. LastPass now has their eye open to human error, training and security holes. Yea they "lost everything" which is also something to care about too. Other competitors are probably laughing at LastPass as they draw in migrators, but aren't doing anything about security holes and their own issues.


AdminYak846

Bitwarden and 1Password have been really transparent about their actions and methodologies. So let's not dog whistle the competition when they clearly are better than LastPass by a mile.


[deleted]

You're not wrong.


roraima_is_very_tall

GoTo, formerly LogMeIn, [owns LastPass.](https://en.wikipedia.org/wiki/LastPass) However, GoTo was bought by a division of [Elliott Investment Management,](https://en.wikipedia.org/wiki/Elliott_Investment_Management) which had a revenue of around $115 million in 2020 according to Wikipedia. With that kind of money involved, and the relatively low cost of running LastPass (the heavy lifting in terms of programming has been done for years), I don't see LastPass filing for bankruptcy unless its parent companies decide to let it go.


[deleted]

A lot depends on how badly they lose the class action suit.


junktrunk909

Wait what lawsuit? How can I join?


[deleted]

[deleted]


[deleted]

Hacking happens, lying about it should be criminal fraud.


TriggerMede

I'm new to the latest. What indicates they lied about it?


alan_erickson

Grossly understated?


Deckma

It's gonna be harder for enterprise and business to switch. And that's probably a large chunk of their revenue. From what I heard from other password managers that work the enterprise and business space, when you approach a business they either don't have anything or they have LastPass.


simonjp

This is where we are. We've hundreds of users and we did a quick calculation that it would be something like 10hrs per user to migrate (the user + IT support). That's a lot and given "nothing's gone wrong yet" it's hard to justify, especially since 1Password is quite a bit more expensive, too.


dkggpeters

I agree that it has to be a really hard decision for an organization to make as the costs are huge. Having said that, you should not have been put into this situation. You are basically forced to stay. As a single user it was an easy decision: since I had to change all my 2FA and passwords, it was no loss to me. Although, I should not have been put into this situation to begin with. It was not fun and I paid for convenience and this was not convenient at all.


alan_erickson

Don't get me wrong because I'm bailing, but most people don't have a clue, in no small part from the way they've understated the situation in their emails.


hroaks

Yeah I read their emails and thought it was no big deal. I came to this r just to double check. How serious is it?


alan_erickson

The hackers have your encrypted vault and can brute force the password offline. Account holder data was unencrypted and they have that. Other URL info was also unencrypted. How serious? If your master password was less than 12 characters, very.


iom2222

Understand this: the GDPR will tear them apart. It's coming. One GDPR principle is 72h notice to clients of a leak. That alone fucks them. And I am certain there is even more to it than that 72h notice.


cardyet

I'm sure there are lots of people who don't know about it, or just ignore it as 'another data breach', so they might stick around. They need their enterprise customers though. I understand as a business it would be tough to migrate hundreds to thousands of users to another platform, but it would look bad if you stayed, so you can't win really... I guess the LP Customer Success team will be doing some good deals for large customers renewing their contracts.


ashadeofblue

I am waiting for the lawsuits. Then I think they'll be finished.


imthelag

Companies like mine are still paying. Enterprise costs a pretty penny. We are looking into switching but for as shit as LastPass’s security has been, they actually had a very good enterprise setup. The alternatives, which are great for personal use, come up short for enterprise needs. I hope the alternatives add more business features but sometimes it is too big a paradigm shift. Until then, there are businesses like us paying a few grand per year minimum which will help keep the lights on.


049at

People need to vote with their wallets and cancel the subscription. I dumped this thing and went to iCloud Keychain which is more convenient to use and probably more secure.


hugglenugget

I'm not familiar with it, but this story makes it sound like there's only one PIN you need to enter to unlock the phone, and after that you have access to everything. That's arguably less secure than a regular password manager with credentials you have to enter after unlocking the phone, and an automatic timeout. But I'm not sure they're talking about the same thing as you (iCloud keychain). It seems odd that unlocking the victim's phone gave access to so much. Is that normal? https://www.msn.com/en-in/money/technology/a-woman-who-got-locked-out-of-her-apple-account-minutes-after-her-iphone-was-stolen-and-had-10000-taken-from-her-bank-account-says-apple-was-not-helpful-at-all/ar-AA17Xv4X


049at

That’s not how the keychain works. These people have easy to steal pins on their phones and for some reason needed to enter them at the worst possible time. I hardly ever need to enter my pin due to Face ID.


ToddBradley

I switched to iCloud Keychain, too. But I haven't canceled my LastPass subscription yet, because I'm paid up for several more months in advance. I just haven't been using it.


[deleted]

Can someone tell me, provided you have a strong master password, what will the hacker do with an AES256, top secret grade, encrypted password? Lose 100 years to crack? I'm waiting... People here are extremely stupid honestly and just act on impulse without any logic. The gloom and doom is hilarious in these posts. Read about encryption guys please and stop spreading bullshit and acting like it is the end of the world that a hacker got hold of encrypted data. Who the hell cares? Unless you are a public person and don't want people to know you had an account on pornhub (because that is the only issue that I can see as a problem, as website addresses were not encrypted) ... no one cares...


itsuperheroes

You have no idea how bad this really is — go listen to the last episode or two of the Security Now podcast. Steve Gibson has a pretty good explainer.


[deleted]

I actually did. And he is referring to people that have weak passwords and a low hash iteration count set. Neither apply to me and many others. Also many critical services have 2-step auth of their own. Finding my password from LastPass will not help them at all. In fact, I can give you my gmail password if you want. If you can't log in, do you agree to pay me $1k? Also, hash iteration doesn't count too much when you have a really strong password. Would the hacker lose 3 years to crack my password knowing the number of iterations I have is low but having no idea how long and complex my password is? Doubt it. Should you be concerned about that data breach? Of course. Should you care? Probably not if you have a strong master password and the other services you use have extra security in place.


itsuperheroes

The issue at hand is the criminally negligent inaction in not continually evaluating the security postures of their customer vaults, and the misleading information releases. It is possible to sidestep/brute force MFA, but it makes the process more difficult, which is the whole point. Do what you will but I wouldn’t trust LP ever again.


[deleted]

I do get your point and I agree with it but if you think other corporations are more serious about end-user security you are in for a surprise. What if others don't even know they were hacked?


teehill

And you don't care about the unencrypted URLs in your vault? So now they know exactly where you were signed up, making it easy to determine if you're a worthwhile target. You make it sound like it was a user's choice to have a low hash iteration count? And let's be honest, people who used LastPass aren't all savvy tech people; they wanted one password to access all of their passwords. This usually means picking an easy to remember password like a name. So really you're saying: "I'm lucky, so I don't know why anyone else is complaining."


mcfly1391

2FA won't save you if you didn't change the passwords to your recovery email and/or saved the 2FA backup codes to LastPass.


[deleted]

Backup codes are probably the worst idea you can have in security.


mcfly1391

Exactly, but some services auto create them without a way to turn it off.


jeremycouch

I agree with you to a large extent. The one thing that has me a little on edge though is while they may be using AES-256 we have no idea how secure their implementation of it is. They admit that they are now planning a "migration to standardized implementation of AES-GCM-256 encryption including peer-reviewed and standardized cryptographic methods and APIs, and retirement of all remaining legacy cryptographic block cipher modes (ECB)."
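
To make the ECB-versus-GCM point in the quoted migration statement concrete, here is an added Go example (not LastPass code and not from any commenter in this thread); the key, nonce and plaintext are constructed placeholders. It shows that ECB leaks when two stored entries share a block, while GCM hides the repetition and rejects any tampered byte.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key (32 bytes, so AES-256) and 12-byte GCM nonce: placeholders, not real vault material.
var demoKey, demoNonce = []byte("0123456789abcdef0123456789abcdef"), []byte("demo-nonce01")

// ecbEncrypt applies the raw block cipher to each 16-byte block on its own (the legacy ECB mode).
// The plaintext length must already be a multiple of the block size.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(plaintext)%block.BlockSize() != 0 {
		return nil, fmt.Errorf("bad key or unpadded plaintext (key error: %v)", err)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += block.BlockSize() {
		block.Encrypt(out[i:], plaintext[i:i+block.BlockSize()])
	}
	return out, nil
}

// countRepeatedBlocks counts 16-byte ciphertext blocks that duplicate an earlier block.
// Under ECB, equal plaintext blocks (say, one password reused across entries) give equal ciphertext blocks.
func countRepeatedBlocks(ct []byte) int {
	seen, repeated := map[string]bool{}, 0
	for i := 0; i+16 <= len(ct); i += 16 {
		b := string(ct[i : i+16])
		if seen[b] {
			repeated++
		}
		seen[b] = true
	}
	return repeated
}

// newGCM wraps AES-256 in GCM, the authenticated mode named in the migration statement quoted above.
// Seal hides repeated plaintext blocks behind the nonce and appends a 16-byte tag; Open rejects any altered byte.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	pt := []byte("password12345678password12345678") // constructed: the same 16-byte secret stored twice
	ecb, _ := ecbEncrypt(demoKey, pt)
	gcm, _ := newGCM(demoKey)
	fmt.Println("ECB repeats:", countRepeatedBlocks(ecb), "GCM repeats:", countRepeatedBlocks(gcm.Seal(nil, demoNonce, pt, nil)))
}
```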


ninernetneepneep

It's not about cracking the master password. It's more about how they handled it. Also, while it might take a while to crack now, who knows what tomorrow will bring. Technology evolves fast and some folks had some very sensitive information in their vaults. So for LastPass to not take it seriously is a bit off-putting. Furthermore, the way information has been trickling out, who knows when the other shoe will drop.


iom2222

The data was copied to a backup dev server. And the keys to that server were stolen from the senior dev. Production wasn't hacked, it was a side dev box with real client data. The production server was fine but not the dev box. So you can understand the malpractice that is going to screw them soooo bad!!


ShellAnswerMan

LastPass isn't going anywhere. The personal information taken from Equifax back in 2017 was substantially more damaging from an identity theft perspective, and they are still around.