The #breach of #LastPass revealed a poorly maintained product riddled with flaws, delivered by a company unable to explain their own failings.

Attackers were able to steal unencrypted customer data including their IP addresses and site URLs, as well as the encrypted password vaults themselves.

The product - used by over 100,000 businesses and 33 million individuals - has left long-term customers with outdated security settings, which translates directly to an increased risk of their vaults being cracked.

It's time to jump ship if you haven't already; here's why: https://opalsec.substack.com/p/last-call-for-lastpass?sd=pf

Huge shoutout to @WPalant for his detailed analysis of LastPass as a product, and for dissecting the evasive language in their latest advisory.

@Opalsec interesting read, thank you
@ben_quick No worries, thanks for taking the time to read it! 🙏🏻

@Opalsec @WPalant The LastPass authenticator app is no longer available in my Play Store.

I switched to Bitwarden years ago when LogMeIn bought the company (too sketchy for me) and started deleting records from LastPass but never finished, assuming 2FA would secure it until I got around to it.

Enabled passwordless login today, then found that a) it requires MFA to be disabled, and b) it seems not to be available right now (at least if the app isn't already installed?), and disabling it again isn't possible.

@Opalsec @WPalant

Unfortunately, my university won't let me switch. How does everyone feel about using Chrome as a password vault?

@Duric It's okay-ish. I wrote about it under https://palant.info/2018/03/13/can-chrome-sync-or-firefox-sync-be-trusted-with-sensitive-data/. Their original solution was horrible, but they've since improved it. So now it's OK as long as you set a passphrase to protect the passwords (this is not the default setting).

You still have to keep in mind that passwords are the only thing protected. Everything else you choose to sync with Google servers will be unencrypted.


@WPalant @Opalsec

Thanks for the feedback. Appreciate it. I do use passphrases, and I do use Chrome at home.

One more question, if I may. Can you set a separate master password on Chrome, like you can with LastPass? By default, Chrome uses your device's password.

@Duric Good question. I've only looked into Chrome for desktop, not the mobile version. No idea how it works there.


@Opalsec @WPalant
Want something on top of it? If you ask LastPass for a refund, they will ask you to fill in a SPREADSHEET form with your bank details for a wire transfer and send it over EMAIL.
When confronted with the fact that they are asking me to send sensitive bank details over email, their answer was to double down.