[HN Gopher] Ask HN: How did my LastPass master password get leaked?
___________________________________________________________________
Ask HN: How did my LastPass master password get leaked?
Hi, I've just had a bizarre thing happen and wanted to see if the
HN community could come up with some theories as to what happened.
LastPass blocked a login attempt from Brazil (it wasn't me).
According to an email I received from LastPass, this login was
using the LastPass account's master password. The email doesn't
look like it's a phishing attempt. What troubles me is that the
master password was stored in a local encrypted KeePassX file. I
can imagine that someone has my KeePassX file and the (completely
different) password to this file. If that's the case, I'm in a
world of hurt. But are there any other possibilities? Is the email
from LastPass accurate i.e. was the login attempt actually using my
master password? Is there some LastPass extension installed on some
computer still having a valid auth token allowing them to login as
me to LastPass..? I'm really confused, and scared. Thanks for
your help. P.S. The LastPass account had 2FA set up, but I was
able to simply remove it (since I didn't have access to the token
anymore). That's scary too -- what's the point of a 2FA you can
remove...?? --- Update: - the email was truly not phishing --
the same information regarding the login attempt appears in my
LastPass dashboard. I also talked to LastPass support over the
phone, and they confirmed seeing the same information. - There are
2 separate users in the thread below confirming that the exact
same thing happened to them, from the exact same IP range as me.
Either the 3 of us had the same malware/Chrome extension or somehow
had our master passwords compromised...? Or...? Is this a LastPass
issue?
Author : gregsadetsky
Score : 356 points
Date : 2021-12-27 19:36 UTC (3 hours ago)
| gnosticman wrote:
| baobabKoodaa wrote:
| I'm guessing that the email actually was a phishing attempt, and
| no-one actually has your LastPass master password.
| gregsadetsky wrote:
| Unfortunately, once logged into LastPass, I see the exact same
| information in my "Account History". I also talked to support
| on the phone and they confirmed it.
|
| So unfortunately, not a phishing attempt!
| anotheryou wrote:
| Does lastpass have a login history? first thing would be to check
| if the mail is genuine
| gregsadetsky wrote:
| Completely agree. I did check and my Account History is showing
| the same info. I also talked to their support and they
| confirmed this info.
| jacquesm wrote:
| That's really bad news.
| gxqoz wrote:
| Where is LastPass's account history?
| donedeals wrote:
| Got the same but from NJ.
| a-dub wrote:
| do you have it installed on your smartphone? have you ever
| entered your master password on your smartphone? what sort of
| smartphone do you have, does it get security updates regularly,
| is the manufacturer competent?
|
| same with your desktop. is everything up to date?
| gregsadetsky wrote:
| I have an iPhone and I do have my keepass file there too. So
| yes, presumably, the iOS app that I use could have accessed my
| keepass file and sent it unencrypted over the network to
| someone (which would be terrible).
|
| Thanks for the comment/reminder! I'll definitely have to re-
| consider what I do with regards to the keepass file on my
| phone.
| a-dub wrote:
| also, just for grins. have you checked to see if the same
| email is generated in error when a failed login attempt
| happens from an unknown location?
| gregsadetsky wrote:
| Yes, good call. And I did just check.
|
| A wrong password = no email.
|
| Correct email from different IP = exact same email saying
| "Someone just used your master password to try to log in to
| your account from a device or location we didn't recognize"
|
| That's the exact same email I received earlier with the
| Brazil IP.
| riffic wrote:
| Lastpass has been a pile of hot garbage for a while, so this is
| somehow not surprising.
| Havoc wrote:
| >Is there some LastPass extension installed on some computer
| still having a valid auth token allowing them to login as me to
| LastPass..?
|
| You can kill existing sessions - see account settings destroy
| sessions.
|
| Edit: All looks normal my side. No emails, no login attempts, but
| will change pass just in case
| GBond wrote:
| Reading this thread is giving me major trust issues
| PanopticonMan wrote:
| Just checking the absolutely obvious, because I had a similar
| thing ... and then it turned out I had my VPN on. Thought I'd
| double check, in case someone was as silly as I am.
| jacquesm wrote:
| Yes. Tor or a VPN was my first thought as well.
| gregsadetsky wrote:
| Thanks -- the original login attempt wasn't mine, so yeah. Not
| in this case.
| jacquesm wrote:
| That's too bad because that would have been a nice way to end
| this. Much good luck figuring this out, until further notice
| I would assume that anything that was in there is compromised
| so you better change your passwords.
| gnosticman wrote:
| hakube wrote:
| It happened to me too, but I'm no longer using LastPass for years
| now. I got an email saying that somebody tried to access my
| account from the US (the attacker is using a VPN) and changed
| password and recovery email on my Outlook account
| gregsadetsky wrote:
| Did it just happen to you today?
|
| Did the email say that "Someone just used your master password
| to try to log in to your account from a device or location we
| didn't recognize"
|
| And was that master password generally secure / wasn't used
| anywhere else?
|
| Thanks!
| gbolcer wrote:
| Do you have your master password stored in a file or email
| someplace?
| gregsadetsky wrote:
| I only stored that LastPass master password in a KeePass file
| that I keep local and (obviously) encrypted.
|
| I hadn't logged into that LastPass account since 2017.
|
| Hence, I presumed that my KeePass file might have been
| compromised, but it seems unlikely now, considering many other
| people (6? 7?) are coming to this thread with a similar story
| of their master passwords being known to the "Brazil" attackers
| as well.
|
| i.e. our master passwords have been leaked. By when? And by
| whom?
| minaguib wrote:
| I'd get in touch with LastPass support asap to see if they have a
| digital trail to help you figure out what happened.
|
| I'd also guess the most plausible situation would be malware on
| your computer that managed to sniff your credentials in-
| transit/clipboard/memory/browser/keyboard and exfiltrate it to
| some shady folks.
| gregsadetsky wrote:
| Thanks
|
| Sending emails to support@lastpass.com doesn't work ("This
| inbox is not monitored") and I have to upgrade my account to
| contact their support, which I'll do right away.
|
| EDIT: after checking, the login attempt does appear in my
| Account History (my original email said it didn't -- I wasn't
| looking in the right place)
| duerra wrote:
| ChrisMarshallNY wrote:
| I suspect that it was a random phishing attempt.
|
| _> Login attempt blocked_
|
| _> Hello, Someone just used your master password to try to
| log in to your account from a device or location we didn't
| recognize. LastPass blocked this attempt, but you should take
| a closer look._
|
| Looks fairly classic. Might want to look at the email
| headers, to see if it really came from LastPass.
|
| I get about ten of these a day. Some are scarily well-done.
|
| Most are for banks that I don't use, but I also get a lot of
| attempts to grab my AppleID. My Apple (mac.com) address is an
| OG address, and has been making the spammer circuit for over
| a decade. I suspect that I actually get hundreds of spams a
| day, but Apple is good at nuking most of them, before they
| reach my inbox.
| vbo wrote:
| Quick note that apple allows you to download a recovery
| code and disable all other account recovery mechanisms
| which I found incredibily soothing.
| gregsadetsky wrote:
| I checked and the same information regarding the attempted
| login appears in my LastPass "Account History". I also
| talked to support and they've confirmed this.
| akdor1154 wrote:
| I'm pretty sure you can get a full login attempt history from
| them in the ui - can't verify though, don't use LP anymore.
|
| Try a bogus attempt yourself with wrong PW, or from a cloud
| host/vpn/etc to verify the audit log you can access.
|
| Assuming it does list your attempts, then yeah, it would have
| to be phishing/lp bug.
| gregsadetsky wrote:
| Yeah, thanks, I was finally able to find my Account
| History, and the foiled login from Brazil does appear
| there. So it seems like the email wasn't phishing.
| asow92 wrote:
| People are always saying (smugly) how crucial LastPass is...
| runlevel1 wrote:
| Do you mean LastPass specifically or password managers in
| general?
|
| If the former: I haven't noticed that -- usually folks on HN
| seem to recommend 1Password or BitWarden.
|
| If the latter: Password managers are important to resist
| credential stuffing attacks through password reuse.
|
| While I don't like that many of them force you to upload your
| secrets to the cloud (LastPass, 1Password 8, etc), it's still a
| better security posture than having your weakest link be every
| site on which you've used the same password.
| dkonieczek wrote:
| I've been getting lastpass 2fa codes via text sent to me before
| and after changing master passwords lately. However I don't get
| the authenticator notification like I would from a login attempt
| so I'm thinking they're attempting password resets?
| dathinab wrote:
| Maybe,
|
| but man I'm so fed up with services requiring SMS, at least
| for setup, often as a non-disableable fallback. It's not secure!
| (And worse sometimes allowing password resets using the 2nd
| factor.)
|
| I understand that there is a usability issue for a non-
| resettable 2nd factor (due to people losing their 2nd factor),
| but please give me an "advanced, I know what I'm doing" option or
| similar.
| cranberryturkey wrote:
| was it a login attempt or an actual login?
| gregsadetsky wrote:
| It was a login that (presumably, from what LastPass is saying)
| was "successful" in the sense that the attacker had the master
| password.
|
| The login was blocked because they automatically block any new
| IPs from logging in until you approve a link that you get via
| email.
| robbedpeter wrote:
| A login attempt without the 2fa token, failed with valid master
| password, so far a handful of others have reported it in this
| thread.
| Raed667 wrote:
| My bet would be on malware or compromised browser extension. You
| probably typed (or copy/pasted) the password and something kept a
| copy along the way.
| gregsadetsky wrote:
| Compromised browser extension could make sense, aye.
|
| Do Chrome extensions have access to the file system too? Is
| there a chance my local KeePassX file has been siphoned off?
|
| Thanks
| halpert wrote:
| Chrome extensions can run native binaries, so yes.
| Raed667 wrote:
| I don't think that's possible, more likely an extension that
| has access to the login form of lastpass
| gregsadetsky wrote:
| Got it, thanks. And yes, you're right, after checking,
| Chrome extensions don't have access to local files by
| default. I checked all of the extensions I have (after
| disabling them all) and none had "file access" enabled.
| tyingq wrote:
| Clipboard access might be possibility.
| lukasm wrote:
| Meta: Do not use LastPass for the whole password. My method
| http://lukasz-madon.github.io/Password-management/
| natch wrote:
| Could be that someone at Lastpass simply does not know how to
| write properly.
|
| Maybe the attacker _attempted_ to use the _master password login
| feature_ without having the actual correct master password
| itself, and the email is poorly written.
| gregsadetsky wrote:
| Unfortunately, I just tried and that email is sent when the
| correct master password is sent.
|
| When someone uses the wrong password, it doesn't send any
| email. (That event is logged though, and I see those failed
| attempts in the dashboard -- those, I'm less worried about,
| obviously)
| ipunchghosts wrote:
| I got the same thing in the last month. Then my bank account had
| 7 transactions from ali express about a week later. Nine were
| mine. I deleted everything in lastpass and deleted my account.
| jacquesm wrote:
| Nine out of seven? How does that work?
| RKearney wrote:
| Since your master password is stored in another password manager,
| would it be accurate to say you copy/paste it into LastPass? If
| so, something running on your machine could be scraping your
| clipboard.
|
| This of course assumes that it wasn't really you from an IP that
| was just misidentified as being from Brazil.
|
| For what it's worth, I stopped using LastPass after they sold out
| to LogMeIn and would recommend others stop using it as well.
| davidstoker wrote:
| Of note, LastPass just announced that they are splitting out of
| LogMeIn and becoming independent again:
| https://blog.lastpass.com/2021/12/lastpass-investing-even-mo...
| briffle wrote:
| Of course, you must reduce the risk to the parent company
| before the huge disclosure comes out </sarcasm>
| lucb1e wrote:
| If this is just sarcasm as claimed then I'm not sure why
| you posted it. If you're actually serious but didn't want
| to sound like you're speculating seriously, then you're
| still speculating but at least it would be on topic.
| Definitely an interesting theory. Unlikely to be true
| but... wouldn't be the first time subcompanies are cut off
| for damage control.
| gregsadetsky wrote:
| Yes, I do copy/paste from my local password manager. A
| clipboard scraper is a possibility, yes.
|
| I hadn't logged into that LastPass account for years, so it's
| definitely not me who attempted to login earlier.
|
| Re: LastPass, is there another cloud-based tool that's
| generally considered as more trustworthy? Bitwarden? Thanks
| rich_sasha wrote:
| I use 1Password, seems alright security wise, won't
| definitely say one way or the other, but you could DYOR on
| it.
| mateuszf wrote:
| Bitwarden is fantastic
| 40four wrote:
| Personally I just stick to local Keepass database files. I've
| never ventured into the cloud based services. If you are
| really worried about it, do you really _need_ to use a cloud
| based password service?
|
| Sure, managing the KeePass files by hand is certainly more
| cumbersome, but to me it's worth it for the security/ peace
| of mind gains. I have never put my DB or key files in the
| cloud. And when I need to sync them up over all my devices, I
| gather all the DB files and use the handy 'merge'
| functionality to get them into the same state.
| GordonS wrote:
| Same here, I use KeePass on several Windows machines, and
| on a couple of Android phones (using KeePass2Android). I
| use a cheap VPS as a central point for syncing - so I can
| make changes on any machine, then sync them over SFTP,
| which merges the changes into the database on the VPS. I
| can then hit sync on any of the other machines, and it will
| pull down the latest database over SFTP and merge in the
| changes.
|
| It sounds a bit complicated reading this back, but in
| reality it's pretty straightforward.
| gregsadetsky wrote:
| I absolutely agree. I love KeePass and use it for
| everything... this LastPass account was setup to share
| passwords with others at an org that I worked at.
|
| The problem is... that LastPass password, the one stored in
| KeePass, is presumably the one that was leaked.
|
| Which is what is spooking me -- if someone has access to my
| entire KeePass file, it's game over.
| softwarebeware wrote:
| So...when you say "...was setup to share passwords with
| others..." is there a chance that this also means the
| master password was shared with one or more others?
| gregsadetsky wrote:
| Sorry, no, that was a confusing way of phrasing it.
|
| The LastPass account that was almost-breached today uses
| the "password sharing" functionality to share passwords
| (to certain sites) with other people in the same org.
|
| I was just explaining that the only reason why I have a
| LastPass account was to share passwords. (not the master
| password, obviously -- I was sharing passwords to other
| sites)
|
| I typically use KeePass for all of my (site) passwords
| and keepass stores all of this in a local encrypted file.
| tomsmeding wrote:
| TIL about the merge functionality! You can also use
| Syncthing to synchronise the databases between your
| devices; if you don't have public IPs for your devices,
| this essentially means that you can only synchronise when
| two devices are on the same network -- but this might not
| be a problem for you.
| coderintherye wrote:
| Bitwarden is great, highly recommend, it's open-source which
| adds to its trustworthiness and has a good track record of
| respecting users.
| nyolfen wrote:
| +1, you can host your own server as well
| https://github.com/dani-garcia/vaultwarden
| sofixa wrote:
| There's an official self-host open source version as well
| (the one you linked is unofficial), but it's rather
| heavy (multiple .NET services, MS SQL) and not adapted
| for small scales.
| nyolfen wrote:
| yes, we don't talk about that one
| fragmede wrote:
| 1Password has a cloud-based option these days, for better or
| worse.
| runlevel1 wrote:
| And soon they'll _only_ have a cloud-based option with no
| option for local-only vaults.
|
| https://1password.community/discussion/comment/602340/#:~:t
| e...
| jacquesm wrote:
| Gotta get those sweet SaaS dollars and never mind the
| original goals or the user.
| studiecomput wrote:
| Why do you recommend others to stop using LastPass?
| petarb wrote:
| LastPass has suffered a few security breaches and the overall
| quality of the product hasn't improved. 1Password is a
| superior product with no security breaches.
| sliken wrote:
| https://en.wikipedia.org/wiki/LastPass#Security_issues
| luckylion wrote:
| From my interaction with LastPass support (I'm a premium
| user), they've outsourced to some cheap company where agents
| have no clue how anything works. It took weeks to get through
| to somebody who even understands the problem and their reply
| was essentially "yeah we know it's broken, it's broken
| because of security".
|
| Left a really bad taste in my mouth. I wouldn't be using them
| at all if I didn't have to for a client.
| ChrisMarshallNY wrote:
| I remember reading a blog entry, a few years ago.
|
| Someone received a phishing email from "their bank."
|
| They responded to the email, and got someone on the horn,
| immediately.
|
| But their bank (the real one), sent them to a horrifying
| voice jail.
|
| The point was that the crooks gave better customer service
| than the real bank.
| whatsapps2020 wrote:
| It makes sense economically. Crooks will steal ~100% of
| your bank balance in one day. Bank itself earns 1-2% per
| year.
| ChrisMarshallNY wrote:
| Yup. The blogger was just being cranky about their bank.
| squeaky-clean wrote:
| Barclays recently tried sending me a new credit card
| because they were changing to Mastercard or something.
|
| I got an email one day that my new Barclaycard was
| activated. Called support, and they swore to me it was a
| phishing email (it was definitely from Barclay's official
| domain). Would not listen to me at all and kept trying to
| get me to hang up. I asked if I could tell them the email
| MessageID and they could verify the authenticity. They
| said no.
|
| About 10 minutes into trying to convince them it was not
| a phishing email, I refresh my dashboard and there was a
| $600 purchase at a Long Island Walmart. That shut them up
| really quickly and they transferred me to their fraud
| department who asked me for the MessageID at the bottom
| of the activation email and confirmed it was real...
|
| I asked if I could set up any additional security, and
| how could they activate a new credit card? Did they have
| my online password? Apparently no, you can just call on
| the phone and activate it, no authentication required.
| They told me I could set up a "voice password" for my
| account for all phone support and I did just that.
|
| I called them back 30 minutes later, got through to
| support to where I could change anything about my
| account. Asked them if my "Voice Password" was enabled.
| "Yes it is." "....Okay, no one has asked me for my voice
| password yet, and here you are about to change my
| address". They still didn't really understand the
| seriousness, so I told them "I'm not <my name> I'm a
| hacker trying to steal his money." and they understood.
|
| The worst part? I couldn't cancel that credit card until
| they physically sent me one to activate. No way to visit
| a branch and get one. It ended up getting stolen out of
| the mail THREE TIMES before they finally sent it with a
| signature required.
| trajcek wrote:
| Just happened to me one hour ago and got scared shitless.
|
| Time Monday, December 27, 2021 at 3:50 PM EST
|
| Location UNITED STATES
|
| IP address 107.173.195.83
|
| Actions taken, in this order:
|
| - Head to _Advanced Options_ -> _View account history_ to see if
| anything suspicious is going on (nothing so far)
|
| - Disable Lastpass MFA and use Google Authenticator (Authy)
|
| - _Account Settings_ -> click on _Show Advanced Settings_ ->
| _Destroy Sessions_ (to see if anyone is actively logged in)
|
| - _Account Settings_ -> click on _Show Advanced Settings_ ->
| _Country Restriction_ to my country only (luckily not in the US
| as the bot was)
|
| - Change Master Password
|
| Also moments earlier:
|
| - Investigating all Mac processes
|
| - Disabled all Chrome extensions and deleted most (should have
| made a list)
|
| Let's hope it's not as bad as it seems.
| gregsadetsky wrote:
| You received a "Someone just used your master password to try
| to log in to your account from a device or location we didn't
| recognize" email?
|
| And your master password was secure/not used anywhere else,
| etc.?
|
| Did we all (that's 8 of us now in the thread) get compromised a
| few years ago (using the LastPass extension?) and someone just
| mass attempted to try all of those passwords..?
| anair13 wrote:
| Just got the same notification 2 hours ago, from IP address
| 107.173.195.213
| badrabbit wrote:
| Guess? Either you fell for a phish or my intuition tells me you
| may have run an infostealer malware (exfils data and leaves
| little trail). No matter what type of 2fa you have, it is useless
| if the auth token can be accessed post authentication (cookie
| theft basically).
| CryptoBanker wrote:
| This just happened to me today, but login location was Bangkok. I
| also haven't used my lastpass account in almost 2 years since I
| switched to Bitwarden, so no way this could have been stolen from my
| computer recently
| onetime090909 wrote:
| Same thing for me, haven't used my account for years, have a strong
| password and I just got an email that someone from Paris tried
| to login but was blocked.
| gregsadetsky wrote:
| !!!! This makes 6 of us in this thread...
|
| It's improbable that we were all phished years ago by the
| same group...
|
| Was the LastPass extension hacked years ago (as mentioned in
| https://news.ycombinator.com/item?id=29707325 ) and all of
| our master passwords were leaked/stolen, and someone just
| attempted to use them?
| ahelwer wrote:
| I too moved to bitwarden a year or so ago. Kept my lastpass
| account around just in case. This post inspired me to finally
| delete it for good.
| hotpotamus wrote:
| Exact same here. Made the jump around a year ago and this
| post made me realize the lastpass was still a liability so
| just deleted it.
| gregsadetsky wrote:
| Can you please post more information?
|
| Was this an old LastPass account? You didn't use this master
| password elsewhere, etc.?
|
| Thanks!
| vbo wrote:
| Reading the comments here there's one possibility that I haven't
| seen mentioned in that there may be an issue with lastpass
| allowing some level of access into people's accounts without
| actually having the password (which wouldn't enable the attacker
| to access the encrypted data).
| buryat wrote:
| let's not make any ridiculous assumptions
| vbo wrote:
| I sense sarcasm, but in case my sense is off, there is a
| webapp which allows you to log into your lastpass account and
| webapps are known to sometimes have security issues.
| ComputerGuru wrote:
| Because LastPass is beyond stupid and uses your master password
| to log in to their bbulletin or whatever php forum.
|
| That's what got me to write and publish this:
| https://neosmart.net/blog/2017/a-free-lastpass-to-1password-...
|
| EDIT: "or whatever" means I couldn't remember the name of the php
| forum notorious for its insecurity, I thought it was something
| like 'bbulletin'. It was phpBB.
| gkoberger wrote:
| There's a level of irony in complaining about LastPass's
| security, followed by suggestion people run their passwords
| through random third-party software that you wrote. Even if
| your code isn't malicious (which I believe), it opens up so
| many potential attack vectors.
|
| For anyone reading this, please use the official 1Password
| import functionality, not this:
| https://support.1password.com/import-lastpass/
| ComputerGuru wrote:
| There was no 1Password to LastPass importer at the time I
| wrote that (believe me, I looked because I have better things
| to do than write apps to benefit a commercial entity like
| agilebits otherwise), and of course the code is published on
| GitHub and released under the MIT license. It's very short
| and simple and rather easy to review. It's also a .NET
| executable, which is ridiculously easy to reverse-compile
| back to C# (not just assembly) so you can even check that I'm
| distributing an exe that does the same thing as the code I
| published.
|
| EDIT
|
| I just revisited that link I shared, and I have to say, it
| takes some real chutzpah to turn around and accuse me of
| advising insecure practice when the link I shared _literally_
| talks about just that:
|
| _Due to the nature of this application, we strongly urge
| everyone to download the source code, review it quickly, and
| compile it yourself to use this tool. However, we do
| recognize that this may be beyond the means of all security-
| minded folk out there looking to make the switch, so we are
| providing signed binaries available for download. If you do
| opt to use the binary download, make sure to validate the
| authenticode signature like so: ..._
| balls187 wrote:
| > There was no 1Password to LastPass importer at the time I
| wrote that
|
| The details were hazy, but in 2016, there was a way to
| export your passwords from LastPass and import them into
| 1Password, though I don't think there was a way to do so on
| windows (which I believe is what your importer addresses).
|
| After the LastPass vulnerability in July 2016, I switched to
| 1Password.
| gkoberger wrote:
| Clearly we both agree it's an insecure practice, since you
| felt it needed a warning.
|
| Now that you know there's an official LastPass importer for
| 1Password, I'm curious why you're defending your version
| rather than updating your blog post, unlinking your
| original HN comment and deprecating the GitHub repo.
|
| I believe you're genuine and just trying to help. If
| there's an attack, it wouldn't be you doing it - it'd be
| someone else replacing the binaries on an old 2017 post
| without you noticing. WordPress is just as insecure as
| phpBB. Like the other commenter said, "Just because you put
| a warning label on a bad practice doesn't mean it's a good
| practice."
| beaunative wrote:
| Cut them a break. Nobody's gonna update a 2017 blog
| post irl, and last I checked a majority of the bloggers
| just use Wordpress, not exactly their problem.
| criley2 wrote:
| Just because you put a warning label on a bad practice
| doesn't mean it's a good practice.
|
| Pumping your passwords through some random code on Github
| that has a "be smart" label doesn't make it a good idea.
|
| Would be so easy to imitate you, reupload the code with an
| exploit. For giggles, if I was making this into a hijack
| I'd leave all your warnings in and even make them bigger
| and more obvious, confident in the knowledge that 99%+ of
| my stolen users wouldn't read the code or would just
| download the binaries sight unseen.
| balls187 wrote:
| > Just because you put a warning label on a bad practice
| doesn't mean it's a good practice.
|
| That is such a salient point, generally.
| gregsadetsky wrote:
| Sorry, what do you mean by "to log in to their bbuletin or
| whatever php forum"?
|
| According to LastPass, they don't have access to the master
| password // presumably it's not stored on their side. Is that
| accurate..?
|
| Thanks
| 40four wrote:
| I don't use Lastpass, but if what you are saying is correct,
| they could not have sent the OP an e-mail (assuming it's
| legit) informing them of the attempt to sign in using the
| master pass from Brazil, right?
| carlhjerpe wrote:
| Cryptography means lastpass doesn't need the master
| password to verify the password.
| gkoberger wrote:
| After a bit of searching, I wasn't able to find any PHP forum
| software that LastPass lets you log in to. I could only find
| one official-seeming forum, and it uses a different login.
| So, I think this is FUD... I don't use LastPass, but accusing
| them of something like this (and using the phrase "or
| whatever") is pretty serious without proof.
| ComputerGuru wrote:
| They appear to have sunset their phpBB instance. It was the
| main hub and support portal on their website with up to
| thousands of active visitors at any given time. You can see
| it archived here:
|
| https://web.archive.org/web/20150629081250/https://forums.l
| a...
|
| Here's the archived phpBB login page. It asks for your
| LastPass login and password (not your forum account, your
| actual LastPass login and actual LastPass master password):
|
| https://web.archive.org/web/20150717071236/https://lastpass
| ....
|
| Here's a past HN discussion from the time with some guesses
| at how such a phpBB login using the master password could,
| _theoretically_, be implemented without knowledge of the
| password. Note that this doesn't imply it's possible to
| implement it in a way that would be resistant to their web
| server (running phpBB!!!!) being compromised:
| https://news.ycombinator.com/item?id=16016171
| aidos wrote:
| Unless I'm misremembering, the login to their general
| system was done by never sending the password over the
| wire. Instead they used js to do some sort of hashing
| type system locally.
|
| But during the heartbleed attack when their systems were
| shown to be vulnerable, that was one of their arguments
| as to why it wasn't so bad.
| gregsadetsky wrote:
| Thanks, that's pretty damning.
| indigochill wrote:
| You don't need access to a password to check it, just the
| hash (then they hash what you enter and compare the hash to
| the one they have). So both "They use it to log in to their
| whatever" and "They don't have access to it" can be correct.
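To make concrete what carlhjerpe, aidos and indigochill describe above (the server checks the login without ever holding the master password), here is an added example. It is my illustration, not LastPass's code: the iteration counts, the salt choices and the server-side stretching are assumptions. The structure is the generic pattern the comments refer to: PBKDF2 runs on the device to produce the vault key, a separate login hash derived from that key is what goes over the wire, and the server stores only a further salted hash of it.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Assumed parameters for this illustration (not LastPass's own constants).
CLIENT_ITERATIONS = 100_100
SERVER_ITERATIONS = 10_000


def client_derive(email: str, master_password: str,
                  iterations: int = CLIENT_ITERATIONS) -> tuple[bytes, bytes]:
    """Runs entirely on the user's device.

    enc_key protects the vault and never leaves the device.
    login_hash is what gets sent to the server; it is derived from enc_key
    (one extra PBKDF2 round, salted with the password), so the server cannot
    walk back from it to either secret.
    """
    pw = master_password.encode("utf-8")
    enc_key = hashlib.pbkdf2_hmac("sha256", pw, email.lower().encode("utf-8"), iterations)
    login_hash = hashlib.pbkdf2_hmac("sha256", enc_key, pw, 1)
    return enc_key, login_hash


class VaultServer:
    """Toy server side: stores only a salted, stretched hash of the login hash."""

    def __init__(self, iterations: int = SERVER_ITERATIONS) -> None:
        self.iterations = iterations
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def _stretch(self, login_hash: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", login_hash, salt, self.iterations)

    def register(self, email: str, login_hash: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._users[email.lower()] = (salt, self._stretch(login_hash, salt))

    def verify(self, email: str, login_hash: bytes) -> bool:
        record = self._users.get(email.lower())
        if record is None:
            # Do the same amount of work for unknown accounts so response
            # time does not reveal which emails are enrolled.
            self._stretch(login_hash, bytes(16))
            return False
        salt, stored = record
        return hmac.compare_digest(self._stretch(login_hash, salt), stored)

    def stored_record(self, email: str) -> bytes:
        """Everything the database holds for this user (what a breach would expose)."""
        salt, stored = self._users[email.lower()]
        return salt + stored


def demo(email: str = "alice@example.com", master: str = "correct horse battery staple",
         client_iters: int = 2_000, server_iters: int = 1_000) -> dict[str, bool]:
    """Register a user, then check what the server can and cannot do."""
    server = VaultServer(server_iters)
    enc_key, login_hash = client_derive(email, master, client_iters)
    server.register(email, login_hash)
    _, wrong_hash = client_derive(email, master + "x", client_iters)
    record = server.stored_record(email)
    return {
        "accepts_correct": server.verify(email, login_hash),
        "rejects_wrong": not server.verify(email, wrong_hash),
        "rejects_unknown_user": not server.verify("bob@example.com", login_hash),
        # The database contains neither the password, nor the vault key,
        # nor even the login hash as it was sent over the wire.
        "db_has_password": master.encode() in record,
        "db_has_enc_key": enc_key in record,
        "db_has_login_hash": login_hash in record,
        # But the login hash itself is a bearer credential: anything that
        # captures it (a tampered login page, for instance) can replay it.
        "captured_hash_replays": server.verify(email, login_hash),
    }
```

The last entry of demo() is the part that matters for the phpBB discussion: the server never holds the password, yet whatever the client sends is still a replayable credential, so a login page under an attacker's control can capture it, and a page that asked for the raw master password instead of the derived hash would hand over even more. It also bounds what a "Someone just used your master password" message can mean on the server side: that the submitted login hash matched the stored one.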
| hsbauauvhabzb wrote:
| If there's a breached phpbb instance, the attacker can
| modify login.php to log plaintext credentials.
| explaingarlic wrote:
| Is there an official counter for phpBB RCEs/vulnerabilities
| that revealed user passwords? This has been going on for
| decades now. It's getting ridiculous.
| Nextgrid wrote:
| Welcome to frameworkless PHP where code & user files are
| stored in the same root and any PHP file requested by a web
| client is executed by the server.
|
| In most proper frameworks, including PHP ones, the only thing
| responding to web requests is an entrypoint file (that gets
| passed the request metadata including URL) and the framework
| takes it from there. This means that with proper
| configuration, even requesting a malicious PHP file shouldn't
| actually execute _it_ and instead hit the framework which
| will promptly respond with a 404 (of course, with PHP the
| danger is that in case of misconfiguration the server may
| still prioritize an exact path match and execute the file
| rather than defaulting to executing the framework's
| entrypoint, whereas other languages typically don't rely on
| the webserver to execute the files and couldn't run a
| malicious file even if they tried).
|
| But these stupid legacy applications are still around and
| haven't been updated to fix this design flaw, so any flaw in
| sanitizing uploaded files turns into a persistent RCE. I'm
| sure some people will pitch in and say this isn't a design
| flaw and you're using it wrong, and while I agree that it can
| probably be made secure with enough effort, why leave such a
| loaded footgun around when this is essentially a solved
| problem in all other languages?
|
| In other languages a malicious file being uploaded to the web
| root will at best result in a stored XSS which can be further
| mitigated by having your file uploads on a separate domain,
| but in PHP it's fatal.
| [deleted]
| nwellinghoff wrote:
| Look at the email headers and post them here. Was the email
| actually from lastpass????!!!
| gregsadetsky wrote:
| Yes, the same information appears in my Account History and
| LastPass support confirmed it.
|
| So in this case, it's not a phishing attempt unfortunately.
| coryfklein wrote:
| FWIW, I migrated off paid LastPass onto the free BitWarden plan
| recently and my experience has been much improved. I was a huge
| LastPass proponent in the beginning and at the time they seemed
| like the obvious best choice in a field with few options. But
| they have definitely not been able to keep up with the times and
| their paid service just isn't even comparable to what is now
| available for free.
| somehnguy wrote:
| Similar story as you, promoted LastPass when it first started
| because it worked and was the obvious choice. About 3 years ago
| I finally switched to BitWarden after realizing Lastpass was
| never going to fix their terrible UI. A few months ago I
| switched to 1Password though and am very happy. It has a few
| nice QOL improvements over BitWarden IMO, though BitWarden was
| leagues better than LastPass at least.
|
| This post prompted me to go in and clean out/delete my old
| LastPass account though!
| codexon wrote:
| I just checked my account, no login attempts on my end. My master
| password is not stored or written down anywhere.
| l33r wrote:
| My girlfriend once asked me why I don't use a password manager
| like LastPass. A week later she got locked out of her LastPass
| account because she was inadvertently using an enterprise account
| that one of her clients forced her to use while on a project. And
| even though she was paying for her own premium LastPass
| subscription, the support experience she had was terrible. Issue was
| resolved when the client was able to unlock the account for her,
| but it was a pain because it was during the holidays. I would
| avoid a password management software because of her experience.
| orangepanda wrote:
| I completely agree; sticky notes have a much superior support
| experience
| serial_dev wrote:
| What can we learn from this apart from not saving private data
| into someone else's corporate account?
|
| I don't think it's the password manager's fault, mistakes like
| that can happen if you don't double check whose account it is.
| jackson1442 wrote:
| This is like saying that you should never store anything on a
| computer because you know someone who got locked out of their
| work laptop with important documents on it after they were let
| go.
|
| The real lesson here is to never put anything sensitive or
| personal on corporate devices/services.
| lucb1e wrote:
| Your friend used a commercial service under contract for
| someone else for private purposes, and you conclude that
| therefore all password management software must be bad? This is
| definitely not what I have in mind when I recommend people to
| use a password manager.
|
| And regardless, people should finally take this to heart:
|
| If something is important to you, back it up in a format that
| you can read with offline software. I don't care if you store
| it on punch cards under your pillow or in The Cloud, so long as
| it's independent of the primary copy (such that you can access
| it regardless of access to the primary copy, and such that you
| don't need the original service to load the data in order to
| read it). It doesn't sound like that was the case for your
| friend.
| Dumblydorr wrote:
| So what do you do to remember passwords? Do you write them down
| on paper, or maybe save in browser? I'm curious, I've pondered
| writing down my pivotal passwords on paper and hiding in a book
| or something.
| shnock wrote:
| Personally I combine a hash of something site-specific, eg.
| name, purpose etc and a base alphanumeric string. Allows each
| account have their own specific credentials while not being
| overly burdensome to remember.
| jackson1442 wrote:
| What do you do for sites with strange password
| requirements, like 12 character max or requiring you to use
| a very specific set of special characters?
|
| I used to do what you described but my base password was
| rejected by far too many sites because of absurd (and
| insecure) requirements.
| lucb1e wrote:
| > requiring you to use a very specific set of special
| characters?
|
| Stupid requirements don't matter. If you have a secure
| password, e.g. a passphrase consisting of 7 random words
| (diceware) and the service complains that you're missing
| digits, uppercase, and symbols, then adding A0! to the
| passphrase does not make it less secure. Appending
| anything never makes it less secure. You can also write
| down in plain text and store on pastebin what you added
| per site because it's not part of the secret anyway.
| (Okay okay, might as well keep it private rather than
| pastebin; it's about the general point.)
|
| > like 12 character max
|
| This is not that common anymore, most services have
| reasonable limits. If you do run into one and it's too
| important not to use, then you don't have a choice
| anyway: you'll have to make an exception to the scheme
| and memorize or store an actual password for once.
| Doesn't mean you have to design all your other passwords
| for one exceptional case.
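The "base string plus something site-specific, hashed" scheme shnock describes, and the two follow-up questions (sites that cap the length or demand particular character classes, and sites that force a change), can be done with a keyed derivation instead of a remembered transformation. The code below is an added example written for this thread, not anything a commenter posted and not the implementation of any product; LessPass-style tools work on roughly the same idea, but the salt layout, iteration count and symbol set here are my own choices.

```python
import hashlib
import hmac
import math
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ITERATIONS = 200_000  # assumed; tune to what the slowest device you type on tolerates


def _site_key(master_password: str, site: str, username: str, counter: int) -> bytes:
    """Stretch the one memorised secret into a per-site key. The site, the
    account name and a rotation counter go into the salt, so changing any of
    them gives an unrelated key and therefore an unrelated password."""
    salt = f"{site.lower()}\x00{username}\x00{counter}".encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               ITERATIONS, dklen=32)


def _unbiased_chars(key: bytes, charset: str):
    """Endless deterministic stream of symbols from `charset`, drawn by
    rejection sampling over HMAC-SHA256 counter blocks so that no symbol is
    favoured (a plain byte % len(charset) would be biased)."""
    limit = 256 - (256 % len(charset))
    block = 0
    while True:
        digest = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
        for b in digest:
            if b < limit:
                yield charset[b % len(charset)]


def derive_site_password(master_password: str, site: str, username: str = "",
                         counter: int = 1, length: int = 20,
                         classes=(LOWER, UPPER, DIGITS, SYMBOLS),
                         require_all_classes: bool = True) -> str:
    """Deterministic per-site password.

    classes: the alphabet the site allows (drop SYMBOLS for a site that
             forbids them); length: the site's maximum; counter: bump it
             when a site forces a change. With require_all_classes set,
             candidates missing one of the classes are skipped, which stays
             deterministic because the underlying stream is."""
    if require_all_classes and length < len(classes):
        raise ValueError("length too short to hold one symbol of every class")
    charset = "".join(classes)
    stream = _unbiased_chars(_site_key(master_password, site, username, counter), charset)
    while True:
        candidate = "".join(next(stream) for _ in range(length))
        if not require_all_classes or all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def entropy_bits(length: int, classes=(LOWER, UPPER, DIGITS, SYMBOLS)) -> float:
    """Upper bound on the derived password's own entropy. It only matters
    against an attacker who holds that one site's password hash; the real
    secret is the master password, and a leak of it exposes every site."""
    return length * math.log2(len("".join(classes)))
```

The price of this scheme is the one stavros-style complaint about deterministic managers: the counter and the per-site policy (length, allowed classes) have to be remembered or written down somewhere, and a password the site itself issues cannot be stored at all. Writing the counter and policy down in plain text is fine, as lucb1e notes, because neither is part of the secret.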
| hsbauauvhabzb wrote:
| At least consider an offline manager, one where you control
| updates and backups. Either way, even using a dodgy solution
| (like LastPass) is probably statistically better than not using
| a manager at all...
| bombita wrote:
| Another data point, same deal. Time Monday,
| December 27, 2021 at 1:29 PM EST Location Sao Paulo, SP
| 01323, BRAZIL IP address 160.116.231.145
|
| Went ahead and deleted my Lastpass account and changed my
| password in other password managers.
| gregsadetsky wrote:
| Holy moly!!!
|
| Were you using LastPass around 2017? One theory that's floating
| is that we were all owned by a compromised LastPass extension
| 4-5 years ago.
|
| Just trying to find some common thread among all of us (a
| thread that's different than "lastpass was owned" which
| presumably should be more improbable...)
| tlrobinson wrote:
| Given we're likely stuck with passwords for the foreseeable
| future, I'd like to see two things in a password manager (maybe
| these exist?)
|
| 1. "hardware wallet" level security, with good UX. Maybe a
| USB/Lightning dongle, but I really wish computers/phones had
| built-in capability to do hardware wallets. Apple TouchBar got
| close (I realize it wouldn't be considered a _dedicated_ hardware
| wallet).
|
| 2. a way to automatically roll passwords periodically (with a
| small amount of user intervention, per requirement #1). This
| would require either some excellent AI or crowdsourced
| automations for every website.
| hocuspocus wrote:
| 1. Check out https://www.themooltipass.com
| tlrobinson wrote:
| Cool, great start, but something Yubikey sized would be more
| practical.
| macrolime wrote:
| It can be done with yubikey. Passwords stored encrypted on
| disk and get decrypted on the yubikey with gpg.
|
| https://github.com/drduh/YubiKey-Guide
|
| https://attackpointsecurity.com/go-pass-yubikey-and-gpg
| tjmehta wrote:
| Do you ever store your LastPass in your clipboard? Malicious apps
| on some platforms can access your clipboard without your
| knowledge. Do you use a clipboard manager? Is it trustworthy?
| Does it store data safely on disk?
|
| Good questions to ask yourself
| gregsadetsky wrote:
| Great questions for sure!
|
| In my case, the LastPass master password hadn't been used since
| 2017. It was stored (safely, I presume or at least hope!) in a
| local encrypted KeePass password manager file.
|
| I definitely could have malware on my computer that
| sniffed/read the KeePass file while it's temporarily
| unencrypted (when I open it to get a password).
| emotivehealer wrote:
| Yeah me too. Same IP range too, but location listed as Toronto.
| Not that this means anything.
| Dma54rhs wrote:
| More data (mine as well):
|
| Monday, December 27, 2021 at 12:27 PM EST
|
| Location INDIA
|
| IP address 196.19.204.79
| gregsadetsky wrote:
| Wait sorry, this might be actually critically important.
|
| When you say same IP range, what do you mean? The IP that the
| login attempt happened from starts with 160.?
|
| If 4 of us (in this thread) all had quasi-successful login
| attempts to our accounts, it could mean that some LastPass
| master passwords have been leaked...?? Or LastPass has been
| compromised?
| emotivehealer wrote:
| Begins with 160.116...
| gregsadetsky wrote:
| Exactly the same here!!!!
|
| Wow, this is fantastically bad.
| emotivehealer wrote:
| Also FWIW I too have not used Lastpass for 2-3 years. Login
| history doesn't appear to go back that far but I'd estimate
| it's at least 2 years since I logged in.
| techknight wrote:
| This also happened to me back on Nov 10, 2021. I had an old
| LastPass account, wasn't using it, when all of a sudden i get an
| email:
|
| -- Login attempt blocked Hello,
|
| Someone just used your master password to try to log in to your
| account from a device or location we didn't recognize. LastPass
| blocked this attempt, but you should take a closer look. ---
|
| Like you, it told me that the attempt came from Brazil, using an
| IP address starting with 160. I have no idea how they would've
| gotten that password. Made me wonder if LastPass had some issue,
| but nothing was in haveibeenpwned
| gregsadetsky wrote:
| What, really??
|
| This is too crazy of a coincidence to be a coincidence.
|
| This is _exactly_ what's happening to me, and same IP prefix.
|
| What does it mean?
|
| ---
|
| How old of account was this? Can you contact me by email (email
| in my profile)?
|
| ---
|
| Two theories:
|
| - there is a problem with LastPass
|
| - you and I both had the same Chrome extension installed that
| was actually compromised, and that extension was listening
| to/sending passwords typed into lastpass.com
|
| I last used this account/master password back in 2017. Is that
| similar-ish to when you used your account?
| dharmatva wrote:
| I am having the same issue!!! One of my important passwords
| was leaked and in free use by a bunch of people who were all
| accessing my evernote account (thankfully it had nothing
| important in it). I've been on a spree to change my passwords
| since then.
|
| I have been wondering - is this because of the following
| lastpass bug?
|
| https://www.zdnet.com/article/lastpass-bug-leaks-
| credentials...
| dogman123 wrote:
| posting another comment here too for visibility, but this
| _just_ happened to me as well....
|
| Time Monday, December 27, 2021 at 1:41 PM EST Location Sao
| Paulo, SP 01323, BRAZIL IP address 160.116.88.235
| sillysaurusx wrote:
| Hmm. So I don't know if this means anything, but I was
| googling for the IP address and wound up at
| https://ipinfo.io/160.116.88.235 which says hostname:
| visit.keznews.com. When you go to that hostname, it's one
| of the best phishing sites I've ever seen. They dynamically
| inserted my ISP's logo (Spectrum) and tried to do a
| phishing attempt:
|
| https://i.imgur.com/C9HQw1c.png
|
| The full non-clickable URL: https://us.poon
| state.click/us/i/spectrum/?track=u.pslnk.link&key=eyJ0aW1lc
| 3RhbXAiOiIxNjQwNjM4NTIyIiwiaGFzaCI6IjNiZjRkYTg5MTA5MzMzNmU5
| NjRmMjZiNDY1NWUyN2UwMjk3NzI0OTYifQ%3D%3D&tsid=7ae4766b-0de5
| -4865-9f1b-025a45c71c3f&bemobdata=c%3D314f53db-f844-46ea-99
| f8-f277456639d3..l%3Df57d9a37-1c67-4958-ac52-6f4854ce6840..
| a%3D2..b%3D1..z%3D0.0016..e%3Dzr4b7f4393675711ecb78f122b3ef
| c6f65f31163358f914cea90c49d2c8cc35b7b0612682b8c773fbcf1..c1
| %3Dwhiskey-oar-eAcMKVvZ..c2%3Dgriseous-
| trout..c4%3DDOMAIN..c6%3DNON-ADULT..c8%3D1655308..c9%3Dfbb8
| c5b0-5140-11ec-a217-0aea8b85a94f..c10%3D0#
|
| I went through and answered the "questions", and it tried
| to take me to the actual phishing site:
|
| https://i.imgur.com/wYt5WB3.png
|
| https://i.imgur.com/Picaw4a.png
|
| Screenshots of the actual phishing site
|
| https://i.imgur.com/Bh5c2lZ.png
|
| https://i.imgur.com/q7xnSki.png
|
| https://i.imgur.com/GX4hWnQ.png
|
| And its url (non-clickable): https://welcom
| e.myonlineeconomy.com/us/238700/25/?pubid=aff-us&pob=3&clic
| k_id=61ca28bcf92ca000011aa4c0&subid=RT-60338e1b79fcbe000121
| 95a3-168&utm_medium=mail&utm_term=ipadpro&terms=y&email=&fn
| ame=&lname=&fp=&address=&city=&zip=&state=&lpkeyua=a17666fa
| 4eadface9331c0311b1e8875.1640638952
|
| Now, the interesting part is that this phishing attempt
| only happened once. When I tried to visit again just now,
| it just says "something went wrong" (on the first site) and
| "Access denied" (on the second site).
|
| I saved the sites to disk as I went, but I doubt these
| dumps will tell you much. Just in case though:
|
| 1. https://gist.github.com/shawwn/4deace812e7c752949a0df096
| ef66...
|
| 2. https://gist.github.com/shawwn/721f235e760dd2257cd760edb
| 1188...
|
| Long story short: It sounds like all of you got phished. I
| suspect you installed a malicious app that somehow targeted
| your web browser's LastPass extension, modifying it to send
| your master password to these fine people. ¯\_(ツ)_/¯
| gregsadetsky wrote:
| Hey,
|
| That's quite possible, for sure. I am not
| beyond/above/below being phished like anyone else, ha!
|
| The issue -- what makes it perplexing -- is that I
| haven't used this LastPass password since 2017. I know
| because this LastPass account was only used to share
| passwords within an org that I left back then.
|
| Is it possible that I was phished 4 years ago, and they
| sat on the password? Sure.
|
| But 2 other people in this thread being phished from the
| same exact same phishing server/group?
|
| Or we were separately phished using different techniques,
| and now one Brazil server attempted to use all of our
| logins?
|
| That's what's rather strange.
| trevcanhuman wrote:
| Hey guys I think that maybe this has to do with an
| exploit in the web browser LastPass extension about 5
| years ago: HN POST: [0].
|
| [0] https://news.ycombinator.com/item?id=12171547
| gregsadetsky wrote:
| Yeah, that's not impossible. Surprising that they sat on
| the passwords for so long, but this is quite possible.
| Thanks for the reference/link!
| trevcanhuman wrote:
| I feel like this sounds more like a zero-day exploit
| being used to target the LastPass login servers.
| wutwutwutwut wrote:
| Couldn't it just be that someone got a copy of the
| password some years ago and now sold the list of
| credentials to someone else, who then tried to use it?
| Maybe the original owner of the list didn't realize some
| of the credentials was for LastPass, for example.
|
| I'm still seeing hackers trying to log on using passwords
| I haven't used in ~10 years, because it's on a list
| somewhere.
| sillysaurusx wrote:
| This seems likely.
| gregsadetsky wrote:
| I agree, that could make sense.
|
| So LastPass (their extension) may have been hacked ~5
| years ago ish, a few people here on the thread were all
| hacked in the same way, our passwords were sold off, and
| now the same Brazil IP range just tried all of those
| passwords.
| 55555 wrote:
| That's not a phishing site. That's standard zero-click
| /smartlink monetization. It's a lot to explain and I'm on
| mobile but it isn't anything to do with phishing.
| sillysaurusx wrote:
| But, it certainly wasn't from Spectrum (my ISP), but they
| designed the page to make it look like it was.
|
| I agree that it could be totally unrelated to the root
| mystery though. But "everyone here fell for malware or
| got phished" seems like the most likely explanation, even
| if my answer happens to be otherwise incorrect.
| ajb wrote:
| Not sure it's really in Brazil.
|
| LACNIC says the IP range was transferred to AFRINIC. They
| then say that it is owned by:
|
| Affiliated Computing Services (Pty) Ltd
| descr: P. O. Box 261333
| descr: Excom 2023
| country: ZA
|
| But then further note that ownership is in dispute! We need
| someone to look it up in the current routing tables to see
| where it's presently being routed to.
| gregsadetsky wrote:
| I also saw that very weird thing -- Brazil vs AFRINIC.
|
| Help/insight from ASN? BGP? networking experts would be
| appreciated..! Thanks a lot
| Godel_unicode wrote:
| That IP is present in a cn record for
| visit[.]keznews[.]com, whose whois record lists an admin
| contact in CZ.
|
| Be very wary of geo-ip results, on the modern internet
| they are effectively useless.
| colejohnson66 wrote:
| Ignoring VPNs, why are they useless?
| JaimeThompson wrote:
| Perhaps this will help?
| https://bgpview.io/ip/160.116.88.235
| ajb wrote:
| Far from an expert,but https://www.dan.me.uk/bgplookup
| lists it as owned by AS202769, which is apparently
| "Cooperative Investments LLC" Scamalytics[1] states that
| much of their address space is VPNs, so the trail may go
| cold here.
|
| [1] https://scamalytics.com/ip/isp/cooperative-
| investments-llc
| cassepipe wrote:
| Not an answer to OP but I had seen that on HN a while ago :
| https://www.lesspass.com/ Really liked the idea of not having to
| rely on a third-party ... But I never used it because of Firefox
| master password and sync functionality. Too lazy.
| stavros wrote:
| I switched to BitWarden from this, this works well until a site
| forces you to change your password (or has arbitrary password
| requirements), then it's basically impossible to do.
| komatsu wrote:
| I wonder how secure is the Firefox solution vs LastPass and
| others.
| ufmace wrote:
| May be a dumb question, but how much are we trusting Lastpass
| that whoever tried these logins actually used the correct master
| password? The posted statements sound a bit ambiguous, maybe
| they're mistaken? Does it show as a login attempt if somebody
| uses your correct account email address and the wrong password?
|
| Of course if Lastpass is sending ambiguous or mistaken
| communication about whether someone else has your master
| password, that's a really bad sign for them as a company too.
|
| On the "bright" side, if somebody had your KeePassX file and
| master password to that, I would think they'd be doing things a
| lot worse than trying to log into your LastPass account from
| Brazil. If they had that data and were serious about LastPass for
| some reason, they'd probably at least break into your email too
| and try and intercept those warning emails. Keep an eye on email,
| banking, credit card, hosting systems, any other higher-value
| accounts that might have credentials in that file for any signs
| of suspicious activity. If there's none, then a successful
| exfiltration of that data seems unlikely.
| gregsadetsky wrote:
| Unfortunately, the email sent from LastPass specifically says
| "Someone just used your master password to try to log in to
| your account from a device or location we didn't recognize"
|
| LastPass support did confirm that the IP from Brazil did have
| the master password.
|
| I also tried to login with a wrong password and that shows up
| as "Failed Login Attempt". This is different -- the person on
| the other side did have the master password.
|
| Re: KeePassX, I agree. It's a catastrophic scenario if true,
| but it does seem improbable.
| leftpass wrote:
| I thought that LastPass didn't send your master password over
| the wire, rather it uses client-side code to take your Master
| Password and turn it into a hash which is then sent to
| LastPass for comparison[1]. If that is the case, how can
| LastPass claim to know that your master password was used? At
| best, they can claim that the hash sent to the server matches
| your password's hash but that is not the same as your master
| password being used.
|
| Given the widespread nature of this issue, I'd guess someone
| has discovered a flaw in the LastPass login process which is
| allowing a bad hash to pass the master password hash check:
| that contradicts what support said, but I'd assume they're
| mistaken, rather than LastPass are lying about how their
| system works.
|
| [1] https://support.logmeininc.com/lastpass/help/about-
| password-...
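Both indigochill's point (the server only needs a hash to check a login) and leftpass's (so "your master password was used" really means "the expected hash arrived") are easier to see in code. The following is an added example written for this thread, not LastPass's code; it is modelled on the publicly documented outline of their design (PBKDF2-SHA256 keyed by the account name, then one further derivation to produce the value that is sent), but the iteration counts, the server-side re-hash and the names are my assumptions.

```python
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 100_100  # assumed client-side PBKDF2 count, not a quoted product setting
SERVER_ITERATIONS = 100_000  # assumed server-side re-hash count


def derive_vault_key(email: str, master_password: str) -> bytes:
    """Client side. The key that decrypts the vault, salted with the
    lower-cased account name so two users with the same password get
    different keys. This value is never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ITERATIONS, dklen=32)


def derive_login_hash(email: str, master_password: str) -> bytes:
    """Client side. What actually goes over the wire: one more PBKDF2 round
    of the vault key, salted with the password, so the login hash cannot be
    turned back into the vault key. Anything that can read this value can
    log in, whether or not it ever saw the password."""
    vault_key = derive_vault_key(email, master_password)
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


class AuthServer:
    """Server side. Stores a salted re-hash of the login hash, so a database
    dump yields neither the login hash nor the vault key. Note what verify()
    can and cannot conclude: a match proves the presented login hash was the
    right one, not that the client knew the master password."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _rehash(login_hash: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS, dklen=32)

    def register(self, email: str, login_hash: bytes) -> None:
        salt = os.urandom(16)
        self._users[email] = (salt, self._rehash(login_hash, salt))

    def verify(self, email: str, login_hash: bytes) -> bool:
        record = self._users.get(email)
        if record is None:
            # Hash anyway so an unknown account costs the same time as a wrong password.
            self._rehash(login_hash, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(self._rehash(login_hash, salt), stored)


def demo() -> tuple[bool, bool, bool]:
    """Constructed walk-through: the genuine client, a wrong password, and a
    replay of a login hash captured from the client side (keylogger, tampered
    extension, interposed proxy) by someone who never learned the password."""
    email, password = "alice@example.com", "correct horse battery staple"  # constructed
    server = AuthServer()
    server.register(email, derive_login_hash(email, password))

    genuine = server.verify(email, derive_login_hash(email, password))
    wrong = server.verify(email, derive_login_hash(email, "correct horse battery stable"))

    captured_hash = derive_login_hash(email, password)  # stands in for a sniffed value
    replayed = server.verify(email, captured_hash)      # reported as "used your master password"
    return genuine, wrong, replayed
```

The replay case is the one that matters for this thread: a server built like this cannot distinguish a client that typed the password from one that merely holds the derived hash, so the alert wording is a statement about the hash, exactly as leftpass says. It also shows why rotating the master password is the only remedy once the hash may have leaked, and why 2FA that can be removed with the same credential adds nothing against that holder.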
| 1cvmask wrote:
| Master passwords are static passwords by definition. It could
| have been an old fashioned keylogger for example. It could also
| be a phishing email attempt.
|
| Disclaimer: I worked on the 2FA part of the saas pass password
| manager which never has a master password and always uses
| passwordless MFA like scanning an encrypted barcode for unlocking
| the browser extension.
| yosito wrote:
| Without knowing anything about LastPass, a few ideas come to
| mind. First, is your master password only something that exists
| in your head? Or is it written down anywhere else either
| digitally or physically. If so, someone may have gained access to
| that. Did you use the same password anywhere else, ever? If so,
| it could have been in a database of possible passwords that
| someone used to try to brute force a copy of your KeePassX file,
| and succeeded. Also possible liabilities for brute force attacks
| are using a password that contains some kind of facts or
| information related to you, such as a birthday, loved one's name,
| address, etc, etc.
|
| The other possibility that comes to mind is a man in the middle
| attack if your password was ever sent over the wire with zero or
| weak encryption, when someone was snooping, like on coffee shop
| wifi or even a nosy neighbor on your home wifi.
| gregsadetsky wrote:
| Thanks -- this specific master password was only stored in
| another, offline, password manager.
|
| The specific password was computer generated, and I have not
| used it anywhere else i.e. it was only created for this
| LastPass account.
|
| That's why this (probably) either means that my local password
| manager has been compromised (catastrophic if true) or that the
| info I received from LastPass is not completely accurate..?
| claudiojulio wrote:
| Please stop using this service. Use reliable, open source and
| auditable services.
| https://www.privacyguides.org/software/passwords/
| rg111 wrote:
| Here is a wider list: https://github.com/pluja/awesome-privacy
| lucb1e wrote:
| There are 57 different categories on that page, direct link
| to the relevant content: https://github.com/pluja/awesome-
| privacy#password-managers
|
| This list is also more narrow, not wider: awesome-privacy
| recommends Bitwarden, Keepass, and Padloc, while
| privacyguides recommends Bitwarden, Keepass, Psono, Password
| Safe, and Pass.
| ChrisMarshallNY wrote:
| I remember reading that LastPass had a breach, some time ago.
|
| I think that LastPass and 1Password are the ultimate targets for
| hackers.
|
| Wouldn't surprise me if they got in. Hackers ain't Matthew
| Broderick, anymore.
|
| _EDIT: Deleted somewhat cynical editorializing_
| OliverLukacovic wrote:
| Hopefully LastPass is already researching. Nothing on any other
| board, Twitter or on LastPass webpage. The Chrome vulnerability
| was 2019. Long time to stand in the shadow.
| gregsadetsky wrote:
| LastPass support brushed it off, unfortunately. A second agent
| I talked to (after the story started picking up here) reached
| out to Level 2, but they also brushed it off.
| bigmattystyles wrote:
| After reading that it wasn't phishing, my first thought is that
| they use log4j internally and the attempts to extract user
| passwords via email came from the inside.
| [deleted]
| replete wrote:
| You trusted an online service to look after your passwords. Use
| something local, like 1password. I have no idea why anyone would
| use a hosted solution like LastPass. Of course something will
| happen?
| dpark wrote:
| > _I have no idea why anyone would use a hosted solution like
| LastPass._
|
| Convenience. I use Bitwarden. I get a lot of value from having
| my passwords synced across multiple PCs and my phone.
| replete wrote:
| 1Password allows you to use a local vault, encrypted with a
| master password, that can be synced across devices in
| multiple ways, for instance using Dropbox. There's no web
| logins going, no 'someone elses database' accessed over the
| web. I have used this solution for a number of years, and
| would _never_ go for a cloud option like lastpass, for
| important personal data.
| dogman123 wrote:
| Hey, this _just_ happened to me too....my password would be near
| impossible to guess and is not used elsewhere...
|
| Just deleted my last pass account!
|
| here's the info that came with the email
|
| Time Monday, December 27, 2021 at 1:41 PM EST Location Sao Paulo,
| SP 01323, BRAZIL IP address 160.116.88.235
| Dma54rhs wrote:
| Mine was from India, master password definitely unique and very
| strong. I'm still hoping for some bug that mass alerted every
| day login attempts instead of actually gaining access.
| gregsadetsky wrote:
| WHAT!! Same IP range for me.
|
| How is this possible????
| dogman123 wrote:
| not sure, but this seems pretty bad! fwiw, i haven't used
| lastpass in at least a year. i've been using 1password.
| gregsadetsky wrote:
| How old approximately was your account? I used my master
| password the last time in 2017... were our master passwords
| compromised back then... and someone held on to them for
| that long? That seems improbable?
| cosmojg wrote:
| What browser extensions do you have installed?
| gregsadetsky wrote:
| I don't remember which extensions I had in 2017,
| unfortunately...
| dogman123 wrote:
| just checked my email. last pass account was created in
| 2015, not sure if the current leaked password has been in
| use that whole time, but it has definitely been quite a
| few years. moved over to 1Password in march of this year
| and likely have not used last pass at all since.
| boringg wrote:
| What prompted the move to 1password? Curious as I am
| deciding myself which service to use.
| trevcanhuman wrote:
| Not OP commenter but I personally would recommend using
| pass (https://passwordstore.org), I'm a little paranoid
| about all this fuzz, plus did you see the news in HN a
| few months ago about a password manager web browser
| extension having an exploitable vulnerability? Not sure
| if it was lastpass but I'll try to search for it...
|
| Edit: I found an _old_ post from about 5 years ago on a
| vulnerability in LastPass's extension [0]
|
| [0] https://news.ycombinator.com/item?id=12171547
| gregsadetsky wrote:
| That's really so strange.
|
| What is the probability that you, techknight (the other
| user in this thread) and me used the exact same
| compromised software back in ~2017 and had our master
| passwords stolen then? And for that person/bot (in
| Brazil) to try all of those master passwords now?
|
| It's beginning to look like this is a LastPass issue,
| no..?
| dogman123 wrote:
| it certainly does look like a lastpass issue....
| techknight wrote:
| LastPass was my first thought, but I couldn't find anyone
| else having the same issue and decided it couldn't
| possibly be them. Now I'm not sure!
|
| I've emailed you a list of the extensions I use in Chrome
| - if you want to share publicly any that we have in
| common I'm okay with that
| gregsadetsky wrote:
| Hey, thanks -- just replied to your email.
|
| Since I haven't used this LastPass master password since
| 2017, I'd have to remember which extensions I had back
| then, which is hard to do...
|
| I may have had 1Password and Adblock Plus which you
| had/have too.
|
| But it's hard to say. It's a possible vector (that you,
| dogman123 and I had the same compromised extensions) but
| also... why would the hackers have sat on our master
| passwords for nearly 4 years (in my case)?
| sillysaurusx wrote:
| One other breadcrumb:
| https://news.ycombinator.com/item?id=29706957
|
| It's looking like you got phished a long time ago, or
| installed malware which targeted the lastpass extension.
|
| Did all of you use the same OS four years ago? (Windows
| perhaps?) Some malware targets Chrome/Firefox files on
| disk. A malicious extension probably wouldn't be able to
| affect your LastPass extension, but a malicious malware
| app could easily modify it.
| gregsadetsky wrote:
| Yeah, all of us being phished years ago is a possibility
| (I just replied to your other comment)
|
| I used macOS/Chrome back in 2017. I definitely could have
| been phished then, or used a compromised extension.
| [deleted]
| denysvitali wrote:
| Is the date / time exactly the same? It seems like they might
| have emailed _everyone_ at this point. Maybe it's just a bug.
| Cu3PO42 wrote:
| I have a LastPass account (also not used for some time) and
| have not received this email.
| sovietssbns wrote:
| got one at 1528EST from 23[.]236[.]213[.]5 - OSINT shows it
| part of BLAZING_SEO_PROXY
|
| pw was only ever used here and stored offline
| gregsadetsky wrote:
| That's a different IP range, but the fact that it's all
| happening at once (i.e. these unique, never used elsewhere
| LastPass master passwords being used to login) is rather
| strange..?
|
| Or I am drawing a random line through a cloud of dots..? :-)
|
| What other IPs are part of BLAZING_SEO_PROXY?
___________________________________________________________________
(page generated 2021-12-27 23:00 UTC)