More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

  • merc@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    133
    arrow-down
    5
    ·
    1 year ago

    Nearly every victim was a LastPass user.

    But every victim was a cryptocurrency user.

    • GreenBottles@lemmy.world
      link
      fedilink
      English
      arrow-up
      20
      arrow-down
      1
      ·
      1 year ago

      I’d be willing to bet that people store their key phrases in the notes section in LastPass which was not encrypted at rest

      • CoderKat@lemm.ee
        link
        fedilink
        English
        arrow-up
        13
        ·
        edit-2
        1 year ago

        I’m sure they were encrypted. But attackers have the vaults and many people have bad passwords. Brute forcing these days is less about trying every combination and more about trying all known leaked passwords, because people reuse passwords like crazy and also just aren’t as original as they think.

        If you have millions of password vaults, I’m sure you can crack open a small number. And the ones you can crack are probably the most likely to not be following best practices, meaning it’s more likely they haven’t changed their passwords since the breach was announced a while back and they probably are less likely to have 2FA. 150 victims is such a tiny number for how many vaults were stolen when LastPass got compromised.

      • hatchling@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        ·
        1 year ago

        This is incorrect information. Notes are encrypted, just not their “type”. Unfortunately the most direct source for this is a reddit link, but here it is anyway.

    • LufyCZ@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      12
      ·
      1 year ago

      This doesn’t say anything about crypto.

      It says everything about the users themselves.

    • hansl@lemmy.ml
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      25
      ·
      1 year ago

      I also heard every victim were addicted to water…

  • saltynuts420@lemm.ee
    link
    fedilink
    English
    arrow-up
    61
    arrow-down
    4
    ·
    1 year ago

    instead of using a password manager managed by a PRIVATE ENTITY people should start using bitwarden … its opensource, free and much more secure and reliable

    • forbiddenlake@lemmy.world
      link
      fedilink
      English
      arrow-up
      18
      ·
      1 year ago

      But who is running the bitwarden server? Bitwarden the private company.

      I self host vault warden, but it’s really not something everyone can do.

    • yetAnotherUser@lemmy.ca
      link
      fedilink
      English
      arrow-up
      18
      arrow-down
      1
      ·
      1 year ago

      I personally use KeepassXD on my phone, although it hasn’t had a security audit. There is also KeepassXC for desktop, which has had an audit

    • PlexSheep@feddit.de
      link
      fedilink
      English
      arrow-up
      13
      ·
      1 year ago

      I prefer local password managers. Synchronisation is achieved with a syncing service of our choice.

      • anyhow2503@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        That’s pretty much what Bitwarden does at its core. It will only synchronize the encrypted password vault and each client keeps an offline copy of it.

    • itsdavetho@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      How does bitwarden encrypt their passwords? Im just realising that since it works on both my laptop and phone with no configuration it can’t be overly nuanced

      • tony@lemmy.hoyle.me.uk
        link
        fedilink
        English
        arrow-up
        14
        arrow-down
        1
        ·
        1 year ago

        It’s encrypted on the client and bitwarden themselves can’t decrypt it (we assume, but there have been audits that seemed to confirm that).

        If you want to you can just run your own server then they can’t see the traffic at all.

        • RealHonest@lemmy.one
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          16
          ·
          1 year ago

          Who’s we? You probably mean you assume. Bitwarden is open source so an assumption need not be made.

          • Mananasi@feddit.nl
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            There’s an assumption that the code you see is the code running on their server. And on top of that there’s lots of other software running on their servers.

    • IverCoder@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Private entities are more reliable for personal data than companies whose stocks have gone public.

  • sonnenzeit@feddit.de
    link
    fedilink
    English
    arrow-up
    47
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Man am I glad that I picked KeypassXC as my password manager some years ago. Super safe, easy to use, costs nothing, not dependant on internet/cloud, can export data to another app at any time, transparent because open source.

    I’m using Syncthing to synchronize across devices which arguably took some fiddling to set up but I only had to fiddle once and haven’t touched the configuration since; it just works automagically in the background.

      • PlexSheep@feddit.de
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        It’s a pretty common setup to be clear, easy setup, works like a charm.

        Just keep in mind that it’s not a backup solution, my Homeserver does that for me.

      • TitanLaGrange@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        Nothing major as far as I can tell. Here’s an overview via SuperUser. KeePassXC might be a better option for some use cases if you’re mostly not on Windows as it does not require .NET. Note that “KeePassXC does not support plugins at the moment and probably never will”, but it does have built-in support for some things you might want a plugin for in KeePass2.

          • PlexSheep@feddit.de
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 year ago

            They say that but I can’t help but feel it sucks on Linux. Especially their GUI Apps.

          • TitanLaGrange@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            It does indeed. My job includes writing and deploying .NET apps on multiple platforms, and it works fine for me.

            But some people prefer not to use .NET when comparable native options are available, so they might prefer KeePassXC.

  • dangblingus@lemmy.world
    link
    fedilink
    English
    arrow-up
    52
    arrow-down
    10
    ·
    1 year ago

    Pro Tip: You don’t need to give a private company all of your passwords. That literally defeats the purpose of having passwords.

    • RIP_Apollo@feddit.ch
      link
      fedilink
      English
      arrow-up
      11
      ·
      edit-2
      1 year ago

      Except you’re giving your passwords in an encrypted format. So if the company is trustworthy, it’s safe to let them store your passwords because it’s encrypted in such a way that even the company who own the password manager couldn’t access your passwords even if they wanted to.

      (Note the caveat of “IF the company is trustworthy”, which rules out Lastpass)

      Now I accept that there are legitimate arguments against storing passwords in the cloud via a password manager… so in that case, you may wish to use a local password manager (like Keepass) instead. But realistically, a typical person isn’t capable of memorising lots of unique, secure passwords… so the passwords need to be written down or stored in a password manager, just to avoid weak passwords or password reuse.

    • Asafum@feddit.nl
      link
      fedilink
      English
      arrow-up
      18
      arrow-down
      7
      ·
      1 year ago

      A-fucking-men… but I was always given shit for saying this.

      Anything can be hacked or stolen, I don’t trust any company to secure my information. :/

      • TwilightVulpine@lemmy.world
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        5
        ·
        1 year ago

        I keep thinking of the people who make their passwords garbled random text impossible to memorize but then they trust an online service to keep it safe and private. When breaches happen, maybe even a post-it note at home would have been more secure.

          • Soggy@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            7
            ·
            1 year ago

            Unique passwords for every single account is an over-abundance of caution. Sensitive accounts: financials, medical, email, yes those should all be insulated from single-source failures. Your xbox live, netflix, and instagram are probably fine as a universal “entertainment” password.

  • SeducingCamel@lemm.ee
    link
    fedilink
    English
    arrow-up
    40
    ·
    1 year ago

    Switched to bitwarden as soon as they tried to charge a sub for multiple devices, I see that was the right choice

    • meseek #2982@lemmy.ca
      link
      fedilink
      English
      arrow-up
      12
      ·
      edit-2
      1 year ago

      Are you not worried your vault is still on their servers? I feel most companies don’t delete shit. Most have ways to get around it saying they keep some info for taxes, accounting, etc.

      I wouldn’t sleep well knowing my passwords were on there at any given time.

      • learningduck@programming.dev
        link
        fedilink
        English
        arrow-up
        16
        arrow-down
        4
        ·
        1 year ago

        You can host a bitwarden vault yourself. They open sourced and audited. So, trustworthy that there’s no back door somewhere to some degree.

      • SatyrSack@lemmy.one
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        So just change whatever passwords you had saved to LastPass. That would mitigate any issues, right?

        • CoderKat@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          1 year ago

          Pretty much. Though also any security questions or other private info you have saved, some of which is much more annoying to protect.

          Though one annoying thing is that even if you change everything, what they find might help them social engineer an attack.

          I second Bitwarden, BTW. Best password manager I’ve used.

        • meseek #2982@lemmy.ca
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Just. It’s not an insurmountable problem, but I wouldn’t be happy changing the login details, one by one, on the some 80 websites I have in my vault.

          Not to mention if you’re using an email anonymizer, you’ll have to regenerate new emails for them all too. I guess you could do it on demand, but knowing my batch of emails in floating around the dark web doesn’t sit well with me. Worse yet if it’s your actual email, then they have that now.

      • qaz@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        It’s e2e and the code to do so is opensource, and you can always host Vaultwarden yourself.

  • RBWells@lemmy.world
    link
    fedilink
    English
    arrow-up
    30
    arrow-down
    1
    ·
    1 year ago

    That’s an average of over 200k each. I’m wondering how they managed to target people with so much money.

  • eran_morad@lemmy.world
    link
    fedilink
    English
    arrow-up
    29
    arrow-down
    1
    ·
    1 year ago

    migrated my shit out of lastpass like 10 years ago or whenever it was bought by logmein. douches.

  • Honytawk@lemmy.zip
    link
    fedilink
    English
    arrow-up
    15
    arrow-down
    5
    ·
    1 year ago

    I don’t understand saving your passwords to the cloud in the first place

    It is like storing all the passwords in one convenient place that can be accessed from any location on the planet, making it the most convenient and juicy target for hackers.

    Even encrypted, it just doesn’t make sense.

    • thbb@lemmy.world
      link
      fedilink
      English
      arrow-up
      17
      ·
      1 year ago

      At one of my clients, a large institution, they go further: you’re not allowed to use the local browser’s password manager. And still have to abide by the usual password rules: rotate every 3 months, complex passwords, etc.

      As a result, users store a plain text file on their desktop (some go as far as printing it), that conveniently allows them to retrieve their passwords.

      Too much security kills security.

      • Karyoplasma@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        16
        ·
        1 year ago

        Forcing a password change after a period of time has shown to make people gravitate towards the simplest passwords that are still within the policy or other, even less secure, solutions. That’s why security standards nowadays advise to not implement forced password changes.

        • Sarsoar@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          My last job got around the “make people gravitate towards the simplest passwords” issue by giving you a list of 10 randomly generated strings you could pick. ( you could refresh the list a few times though)

          So what happened anyways, like the person you are replying to said, is we had passwords written everywhere. One guy kept a sticky not on the back of his badge (which got turned around alot so he would walk around with his password showing), another kept it on a sticky under his keyboard, and just in general we would find passwords written everywhere.

  • momtheregoesthatman@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    ·
    1 year ago

    After years as a family plan subscriber, I moved my personal (1k+) passwords off of LP after the last – and most egregious – breach. I have quite a bit self hosted in my environment but Proton Pass interests me as I can get my wife and son in it easily as we already have the family plan. Lemmy is loaded with tech savy, so my question is; same devil different form? I’ve tried BW but it wasn’t condusive to the whole familys use (at least not a few years ago).

    • Hankaaron@yall.theatl.social
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      This is my problem. I have a family that includes several elderly people. It was a HUGE accomplishment to get them onto LastPass. Nothing more complicated than that’s going to work. Hell I do not want to take the time figure out any self hosting crap.

      I’ve tried 1password and hated the UI.

      Any other suggestions?

    • Yeahboy92@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      If it is cloud hosted then there is always a possibility. Programs like keypass run locally and are only in jeopardy once your system is compromised. The issue with keypass is implementing it for multiple users is probably a chore (never looked into it).

  • Professor_Piddles@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    7
    ·
    1 year ago

    Any obvious holes in keeping a text file on my laptop that I encrypt when not using it? Using ccrypt on linux.

    I do not want my passwords - even encrypted - on the cloud or at the mercy of a 3rd party in any fashion.

    • Rootiest@lemm.ee
      link
      fedilink
      English
      arrow-up
      12
      arrow-down
      1
      ·
      edit-2
      1 year ago

      Use KeePass.

      My concern with using a text file is you have to defrost it to use it and whenever it’s not encrypted it’s potentially exposed. You are also vulnerable to keyloggers or clipboard captures

      KeePass works entirely locally, no cloud. And it’s far more secure/functional than a text file.

      I personally use KeePass, secured with a master password + YubiKey.

      Then I sync the database between devices using SyncThing over a Tailscale network.

      KeePass keeps the data secure at rest and transferring is always done P2P over SSL and always inside a WireGuard network so even on public networks it’s protected.

      You could just as easily leave out the Tailscale/SyncThing and just manually transfer your database using hardware air-gapped solutions instead but I am confident in the security of this solution for myself. Even if the database was intercepted during transit it’s useless without the combined password/hardware key.

      • lazynooblet@lazysoci.al
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Absolutely, Keepass is a great alternative to cloud managed password managers.

        You are also vulnerable to keyloggers or clipboard captures

        Keepass (and most password managers) are vulnerable to this as well.

        • Rootiest@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Keepass (and most password managers) are vulnerable to this as well.

          Not if you use the browser extension

          Plus it does automatically clear the clipboard after a short time which isn’t perfect but it’s still an improvement over using a text file

        • jarfil@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          True, but KeePass has some countermeasures, like wiping the clipboard after some time, sending the password directly to a browser extension, or entering the master password on a “secure desktop” (technically not all that secure, but more secure than the lack of it).

    • trevor@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Why not use KeePass then? It’s entirely local and you don’t have to risk running your own encryption solution.

    • ThetaDev@lemm.ee
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      1 year ago

      Yes, if you write the decrypted file to disk, it could be recovered. Deleting files only removes the file system entries - it does not wipe the content.

      Use a local password manager. KeePass (use the KeePassXC variant on Linux) is the most popular choice. If you prefer a command line tool, pass (passwordstore.org) is an option.

      • Professor_Piddles@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Thanks, great point. Lots of suggestions for KeePass here, so I’ll definitely look into it. I appreciate the command line tool recommendation as well, as that’s my preference. Cheers!

  • Neptune@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    4
    ·
    1 year ago

    All that promotion/awards tagging as best password manager for nothing. Glad I picked up KeyPassXC and KeyPassDX and sync between my phone and PC with gdrive

    • Buddahriffic@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      1
      ·
      1 year ago

      At first I was confused about why this was being downvoted, but then I noticed the “gdrive”. You’re using a different cloud to avoid this specific cloud.

      • PlexSheep@feddit.de
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Not really a problem until aes-256 is broken, especially with an extra pass file and/or hardware Tokens.

        But yeah that’s suboptimal

      • Neptune@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        I know google sucks but it’s easier to sync across and I have separate key file locally on both devices… 🤷

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    This is the best summary I could come up with:


    Cybersecurity blogger Brian Krebs reports that several researchers have identified a “highly reliable set of clues” that seemingly connect over 150 victims of crypto theft with the LastPass service.

    Taylor Monahan, lead product manager at crypto wallet company MetaMask and one of the key researchers investigating the attacks, concluded that the common thread connecting the victims was that they’d previously used LastPass to store their “seed phrase” — a private digital key that’s required to access cryptocurrency investments.

    These keys are often stored on encrypted services like password managers to prevent bad actors from gaining access to crypto wallets.

    We have reached out to LastPass to confirm if any of the stolen password vaults have been cracked and will update this story if we hear back.

    Researcher Nick Bax, director of analytics at crypto wallet recovery company Unciphered, also reviewed the theft data and agreed with Monahan’s conclusions in an interview with KrebsOnSecurity:

    “I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”


    The original article contains 363 words, the summary contains 196 words. Saved 46%. I’m a bot and I’m open source!

  • Smacks@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    2
    ·
    1 year ago

    The only password manager I trust to connect to the internet is the Firefox manager, Keypass for the important stuff.

  • Ech@lemm.ee
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    6
    ·
    1 year ago

    Anybody serious about security wouldn’t store vital passwords online in the first place. The convenience isn’t worth it when whatever company is used gets hacked because an intern got phished.

    • isolatedscotch@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      on serious services wallets are encrypted using your master password, and unless you chose “password” you can be almost certain you won’t get hacked even in case the company gets breached