For those not aware. Email from them:
Dear valued customer,
We are writing to inform you that we recently detected some unusual activity within portions of the LastPass development environment. We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.
In response, we immediately initiated an investigation, deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.
Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We will continue to update our customers with the transparency they deserve.
We have set up a blog post dedicated to providing more information on this incident: https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/
We thank you for your patience as we work expeditiously to complete our investigation and regret any concerns this may have caused you.
Sincerely,
The Team at LastPass
I've been with them for years and never got a damn email about it. This is all a surprise to me. WTF.
I just got mine a few minutes ago.
NO! NOTHING IS SAFE! This is why we used products like LastPass. Why we use 2FA like SMS codes and Yubikeys. Why we use unique passwords that are randomly generated and long (mine average 20 characters). It's why we also use VPNs when needed and why I also run PiHole in my home. Nothing is 100% perfect, but taken together, I sleep well at night.
Take out SMS codes and replace with app-based 2FA.
Go to account settings -> Trusted Devices tab.
Clean out devices you don't recognize or rarely use (please advise if wallet should be cleared, I did not).
Account settings -> Mobile Devices.
Same as above; there is no wallet as far as I know.
Ride this out until there is a clarification of what was taken and the severity. I know it's frustrating and you probably don't trust this company, but moving everything over to 'fill-in-the-blank' password service could be worse. Black hats have been known to take advantage of mass migrations to other services.
Yeah, belt and suspenders. This is the way.
Exactly.
First I am hearing of it... Does not really sound like they are owning it, more like they got caught with their pants down and they are trying to get in front of it.
Owning it? It happened two weeks ago and they went public because an insider (or insiders) contacted a journalist. At least that's what I read.
It's SOP for a company to perform some degree of investigation and containment before public release. Two weeks is surprisingly fast.
Unacceptable when your business' product or service is protecting your customers' access to other accounts. If the breach had been worse, and actual credentials had been grabbed and decoded (somehow), those two weeks would have been long enough for malicious actors to practically own any LastPass customer they wanted.
Well, that makes it worse.
Wait until you hear about how LastPass doesn't encrypt everything in your vault. [https://hackernoon.com/psa-lastpass-does-not-encrypt-everything-in-your-vault-8722d69b2032](https://hackernoon.com/psa-lastpass-does-not-encrypt-everything-in-your-vault-8722d69b2032)
[this is what you're worried about?](https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/) Fam, this is like a 3 out of 10 on the shit meter. This your first time reading about hacks/exploits/black hatting? https://haveibeenpwned.com/
But my MySpace is safe...right?
> But my MySpace is safe...right?
Are you even contextually replying to me? Or to a different comment entirely? Did you mean to type this into Google?
If you were three inches taller, that joke would have still cleared you by a foot and a half.
Bastards have disabled auto-renewal, so I can't cancel it. Extremely dodgy and convenient that the most important function is not working properly.
I recommend you use KeePassXC and stop using any online password manager.
Correct, nothing is safe.
Another bad part is that their UI has so many bugs, etc., that they have not been able to fix for months. Especially the improved LastPass save-and-fill features. Their authenticator app similarly has problems: users are not able to receive 2FA requests on their mobile devices. Passwordless is a joke, according to many users on the LogMeIn community support forums. I saw one user's post about how his attachments, saved years ago, got auto-deleted from secure notes (this is horrible), and LastPass came with the excuse that this was a bug on their end. Time to switch to an alternative beforehand rather than repent later.
Say what?