[andrewmcdonough]

One of the most frustrating things about the LastPass leak is that they still haven't provided all the information needed to determine whether a customer is at risk.

For example, it's clear backups were stolen, but they won't say how old the backups were, or what their retention policy is. So even if you changed your password to a stronger one, with more rotations, it may be that the attacker got hold of very old backups with weaker security. I've asked their support team for information about time windows of backups stolen, if they have a retention policy and whether it was adhered to, but they won't share that information. Instead we are left with a blog post that is more than a month old, no recent updates, and questions remaining unanswered. I'm a paying 'enterprise' customer, and they are meant to be ISO270001 compliant, so a retention policy should be a pretty simple thing to share.

[selykg]

At this point you should assume you're breached. If they aren't going to give you the details, you should assume the worst.

I have asked all of my team to change their passwords. We use LastPass via our parent company and will be switching off LastPass soon for our team. LastPass never would've been my choice, it was made before I joined.

But assume you're breached, change it all now, and ideally you're not going to stay with LastPass. Their communication sucks, which is just icing on the cake in this entire situation.

[deadfece]

Export from LP and start migrating, starting with changing common social IdPs like Google, Facebook, Twitter, Github, Apple, Microsoft/Live/Xbox/Outlook. Update the password of remote access programs like Parsec, and your cell phone provider's password. Then go through your TOTP generator and start changing everything in your TOTP generator (especially since you might be using LP Authenticator - if you are, then move to a different authenticator at the same time). Next: banking, your work payroll, investment accounts, Tax/IRS, shopping. From here one out start going through the list by the amount of money involved. If you doubt that then go through them ordered by the amount of data involved.

If you get lost and stuff seems too hard, if your replacement product lets you sort by age then just sort by oldest and hit 5 today. Hit 5 more tomorrow. Keep chipping at it. At this point you might as well change one every single day.

[azinman2]

I’ve always felt like there’s a startup in there that can reliably change all your passwords for you. Probably something like one time $299, which sounds expensive, until you realize the pain of doing this.

[selykg]

Ironically... isn't that something LastPass does for you?

https://www.pcworld.com/article/430756/nifty-new-lastpass-da...

This is an old article, no idea if the feature still exists or not.

[ipaddr]

More like does to you and forces you to do it yourself

[ryandrake]

Depending on how it was implemented, that could just increase the attack surface. Assuming it's a cloud service, now we have another company that has all your passwords, that can be breached. A better way would be desktop software that runs on your local machine and logs in to each web site by itself and changes all your passwords, without using any remote compute or storage, outputting a local file with all your new passwords (don't make the same mistake again using a cloud password manager).

[azinman2]

I imagined this was local. I think it would be very difficult to trust it otherwise.

[sorokod]

Attack surface will increase regardless of implementation. It is another point that can be attacked, one that did not exist before.

[deadfece]

I love web scraping, maybe I can update this prior idea. With the high proliferation of botting, a lot of sites are now resistant to this type of scripting, but at this low volume of interaction, it may be doable with some effort like Undetected Chromedriver.

https://drewdevault.com/2017/05/11/Rotating-passwords.html

https://github.com/tsudoko/pass-rotate

[artificial]

Vault rotation++. I was bitten by this switching authenticators when one didn't have an export at the time. It was such a massive pain to login and remove, add, setup and annotate, store secrets and repeat.

[paradox242]

This was also the final straw for our organization, we have initiated a company-wide reset of any credentials stored in in their service (thanks, LastPass) and are definitely not going to be renewing. The frequency of recent breaches, and especially the opaque manner in which they have been handled have destroyed any credibility they may have once had with regard to being trustworthy enough to store important secrets.

[panarky]

> definitely not going to be renewing

That reads like you're resetting credentials and then putting the new credentials back in LastPass, and then possibly maybe moving away from LastPass at some point in the future.

Given how little LastPass has disclosed, and the negligence we already know about, we should not only assume we're breached, but we should also assume LastPass is still storing critical data in cleartext, they don't have a "zero knowledge architecture", and their systems are still vulnerable to intrusion and exfiltration.

[andrewmcdonough]

That's good advice. I already made that assumption when the leak was first publicised and changed all of my important passwords the same day. I'm just trying to decide whether it's worth changing the hundreds of other low value passwords that were once stored in LastPass. I migrated to another service a few years ago, but I'm concerned the attackers have got hold of older backups, containing sensitive data that I had deleted, but with LastPass's poor communication, there is no way of knowing.

[porter]

What would your choice be?

[burnte]

"One of the most frustrating things about the LastPass leak is that they still haven't provided all the information needed to determine whether a customer is at risk."

Yes they have. They had a breach, and lied about it. You can't trust anything about them now. Assume a total breach and move on.

[phpisthebest]

The biggest problem here is for former customers.

What if you closed your account 5 years ago, did they still have backups?

[sedatk]

"Assume total breach" implies to update everything you had with them regardless of the timeframe.

[phpisthebest]

I assume for many people that is easier said than done

[sedatk]

It is, hence the gravity of the situation.

[tallanvor]

Honestly, even before this latest update, it's safest to assume that your data will be decrypted at some point, and get started changing everything now.

Luckily I had already switched over to Bitwarden, but I still had around 250 accounts to go through, although about 40 entries ended up being duplicates, defunct sites/products, or so old that the accounts were already deleted due to inactivity.

If you haven't started rotating all of your credentials already, this news should definitely get you started on it!

[adamsb6]

I never expected I'd experience such joy at a website failing to load, or to see it had been turned into a completely different business that doesn't even have a login form.

Thanks, LastPass!

[slantedview]

I did the Lastpass->Bitwarden migration around Christmas, and it was probably 6 hours all told just changing passwords for the accounts I administer. The good thing is, you get pretty fast at changing them after a while.

[vasco]

There's ISO compliance and there's ISO "compliance". I'm pretty sure if most shops were honest they wouldn't be compliant, but more like compliance-inspired.

[bee_rider]

ISO compliance, a la “banana” or “strawberry” flavor.

[bombcar]

Even if you change all your pssswords NOW you’ve still had the metadata of where you have accounts leaked.

[ShredKazoo]

In principle, your passwords might be stored as a JSON blob encrypted using a key derived from your master password. In which case that metadata could still be secure. I doubt it though.

[lolinder]

LastPass already admitted that the metadata was all leaked. Usernames and passwords were encrypted, but all else seems to have been in the clear.

[ThunderSizzle]

Based on what happened to my wife, if the password was encrypted, breaking it was trivial

[lolinder]

She probably had an account that had a very low number of iterations. LastPass never updated those unless someone knew to do it manually, so if it was an old account she likely had 5,000 iterations out of the recommended minimum of 100,000.

[ThunderSizzle]

It wasn't an old account. It was made within a year of the breach.

[william_T]

just checked, mine is 5,000

[phpisthebest]

>>they are meant to be ISO270001 compliant

means that some auditor, met with someone that does not know anything, and checked boxes in a form.

[_fat_santa]

The title should be updated to reflect that this wasn't data from LastPass but from other products under the Gogo umbrella.

> Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.

[nicce]

If you are in EU, according to GDPR, they should share information so that you can evaluate the risk. Otherwise they are breaking the law.

[Calamitous]

> One of the most frustrating things about the LastPass leak is that they still haven't provided all the information needed to determine whether a customer is at risk.

Worst case: it’s entirely possible they don’t know.

[emodendroket]

Do they even know?