LastPass owner GoTo shares more bad news about November’s security breach (opens in new tab)

(theverge.com)

49 pointsemdashcomma3y ago5 comments

5 comments

I left LastPass years ago but have no idea whether my info might still be in this breach. At this point I’m almost afraid to ask.

CommitSyn3y ago

I signed up for LastPass in like 2012 and stopped using it around 2015 or 2016. I had a very strong copy/pasted master password but I still haven't logged in to see what my iterations were at (probably 100).

The attackers can't hurt me if I close my eyes, right?

runamok3y ago

IMO at this point every LastPass user should:

1. Check their password iterations to evaluate how urgent the rest of these steps are: https://support.lastpass.com/help/how-do-i-change-my-passwor...

2. If iterations are 100100 and your password is not a dictionary word (or quite short) you are probably ok but...

3. I'd still identify any high value passwords like email, financial, cryptocurrency, etc. and rotate them.

I am guessing the iterations are stored in the vault so would point out the low hanging fruit to the hackers.

All the other things LP is doing doesn't really matter since the customer vaults are already exfiltrated and do not use any sort of MFA offline.

poglet3y ago

"may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings"

What does MFA settings mean in this context? Does enabling MFA protect users from these type of attacks? Is MFA used as a part of the encryption key used to protect data?

richardjennings3y ago

TOTP is a popular MFA mechanism that is composed from a shared secret and settings (often communicated by qr code). Utilities like LastPass can generate TOTP codes for you if you share the config. The statement reads like any MFA config shared is potentially compromised and should be replaced.

j / k navigate · click thread line to collapse