Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: How did my LastPass master password get leaked?
877 points by gregsadetsky on Dec 27, 2021 | hide | past | favorite | 515 comments
Hi,

I've just had a bizarre thing happen and wanted to see if the HN community could come up with some theories as to what happened.

LastPass blocked a login attempt from Brazil (it wasn't me). According to an email I received from LastPass, this login was using the LastPass account's master password. The email doesn't look like it's a phishing attempt.

What troubles me is that the master password was stored in a local encrypted KeePassX file.

I can imagine that someone has my KeePassX file and the (completely different) password to this file. If that's the case, I'm in a world of hurt.

But are there any other possibilities? Is the email from LastPass accurate i.e. was the login attempt actually using my master password? Is there some LastPass extension installed on some computer still having a valid auth token allowing them to login as me to LastPass..?

I'm really confused, and scared.

Thanks for your help.

P.S. The LastPass account had 2FA set up, but I was able to simply remove it (since I didn't have access to the token anymore). That's scary too -- what's the point of a 2FA you can remove...??

---

Update:

- the email was truly not phishing -- the same information regarding the login attempt appears in my LastPass dashboard. I also talked to LastPass support over the phone, and they confirmed seeing the same information.

- There are 2 separate users in the thread below confirming that the same exact same thing happened to them, from the exact same IP range as me.

Either the 3 of us had the same malware/Chrome extension or somehow had our master passwords compromised...? Or...? Is this a LastPass issue?




Because LastPass is beyond stupid and uses your master password to log in to their bbulletin or whatever php forum.

Thatโ€™s what got me to write and publish this: https://neosmart.net/blog/2017/a-free-lastpass-to-1password-...

EDIT: "or whatever" means I couldn't remember the name of the php forum notorious for its insecurity, I thought it was something like 'bbulletin'. It was phpBB.


There's a level of irony in complaining about LastPass's security, followed by suggestion people run their passwords through random third-party software that you wrote. Even if your code isn't malicious (which I believe), it opens up so many potential attack vectors.

For anyone reading this, please use the official 1Password import functionality, not this: https://support.1password.com/import-lastpass/


There was no 1Password to LastPass importer at the time I wrote that (believe me, I looked because I have better things to do than write apps to benefit a commercial entity like agilebits otherwise), and of course the code is published on GitHub and released under the MIT license. It's very short and simple and rather easy to review. It's also a .NET executable, which is ridiculously easy to reverse-compile back to C# (not just assembly) so you can even check that I'm distributing an exe that does the same thing as the code I published.

EDIT

I just revisited that link I shared, and I have to say, it takes some real chutzpah to turn around and accusing me of advising insecure practice when the link I shared literally talks about just that:

Due to the nature of this application, ๐˜„๐—ฒ ๐˜€๐˜๐—ฟ๐—ผ๐—ป๐—ด๐—น๐˜† ๐˜‚๐—ฟ๐—ด๐—ฒ ๐—ฒ๐˜ƒ๐—ฒ๐—ฟ๐˜†๐—ผ๐—ป๐—ฒ ๐˜๐—ผ ๐—ฑ๐—ผ๐˜„๐—ป๐—น๐—ผ๐—ฎ๐—ฑ ๐˜๐—ต๐—ฒ ๐˜€๐—ผ๐˜‚๐—ฟ๐—ฐ๐—ฒ ๐—ฐ๐—ผ๐—ฑ๐—ฒ, review it quickly, and compile it yourself to use this tool. However, we do recognize that this may be beyond the means of all security-minded folk out there looking to make the switch, so we are providing signed binaries available for download. If you do opt to use the binary download, make sure to validate the authenticode signature like so: ...


I am extremely grateful to ComputerGuru and others who freely share code and binaries they used to scratch a specific itch like this. As for security, I'd never dream of running anything like this outside of an isolated, offline system and would destroy the instance immediately afterwards.


> There was no 1Password to LastPass importer at the time I wrote that

The details were hazy, but in 2016, there was a way to export your passwords from LastPass and import them into 1Password, though I don't think there was a way to do so on windows (which I believe is what your importer addresses).

After LastPass vulnerability in July 2016, I switched to 1Password.


Password managers generally use CSV, avoiding vendor lock-in. However, back when Lastpass doubled their subscription cost (yes, doubled, literally) I switched to Bitwarden. At that point, there was some issue with exporting passwords with a certain character (IIRC it was ; or #). I ended up changing the few passwords which quit working.

As for OP, my take is you clicked a bad link triggering a zero day vulnerability in your browser, or perhaps you logged in on Lastpass via a VPN or Tor? Its pure speculation though.


There is, I just did it recently. It's an unncrypted copy paste dump from lastpass into 1password


This was in reference to the OP not having an option in 2017 to import to 1pass.

If I recall, I had to sign up for LastPass premium to pull my passwords to my phone, and then use keychain to import them to 1pass.

I don't think that solution would work for Windows users back in 2016.


There was a 1password to lastpass importer at that time, I know because I used it


Just because you put a warning label on a bad practice doesn't mean it's a good practice.

Pumping your passwords through some random code on Github that has a "be smart" label doesn't make it a good idea.

Would be so easy to imitate you, reupload the code with an exploit. For giggles, if I was making this into a hijack I'd leave all your warnings in and even make them bigger and more obvious, confident in the knowledge that 99%+ of my stolen users wouldn't read the code or would just download the binaries sight unseen.


1) Clone random git repo on Kali, related to Kali usage.

2) Don't read the code.

3) ???

4) Forever don't know what or when it happened.


> Just because you put a warning label on a bad practice doesn't mean it's a good practice.

That is such a salient point, generally.


Funny how common it is though


Well, why shouldn't people who already use insecure software with vulnerabilities (LastPass) without the possibility to even audit the code also run some code written by other people they don't know?


BREAKING: There is no perfect security.

>Would be so easy to imitate you, reupload the code with an exploit.

Put your keyboard where your fingers are: do it by tomorrow morning and post here when you're done.


And there ya go.


Clearly we both agree it's an insecure practice, since you felt it needed a warning.

Now that you know there's an official LastPass importer for 1Password, I'm curious why you're defending your version rather than updating your blog post, unlinking your original HN comment and deprecating the GitHub repo.

I believe you're genuine and just trying to help. If there's an attack, it wouldn't be you doing it โ€“ it'd be someone else replacing the binaries on an old 2017 post without you noticing. WordPress is just as insecure as phpBB. Like the other commenter said, "Just because you put a warning label on a bad practice doesn't mean it's a good practice."


cut them a break. no body's gonna to update a 2017 blog post irl, and last I checked a majority of the bloggers just use Wordpress, not exactly their problem.


I agree that's the right response, maybe just give them some time to consider it. It can be tough to give up something you worked on.


There's a level of irony in complaining about malicious code, and still recommending a closed source password manager.


I can't parse this. Is your point that "closed source" is a synonym for "insecure"?


Closed source is a synonym for insecure if you accept secure means no blackbox processes.


Do you think bank ATM software/hardware, plus online banking and components should be open sourced?


Dingding Exactly!


Sorry, what do you mean by "to log in to their bbuletin or whatever php forum"?

According to LastPass, they don't have access to the master password // presumably it's not stored on their side. Is that accurate..?

Thanks


After a bit of searching, I wasn't able to find any PHP forum software that LastPass lets you log in to. I could only find one official-seeming forum, and it uses a different login. So, I think this is FUD... I don't use LastPass, but accusing them of something like this (and using the phrase "or whatever") is pretty serious without proof.


They appear to have sunset their phpBB instance. It was the main hub and support portal on their website with up to thousands of active visitors at any given time. You can see it archived here:

https://web.archive.org/web/20150629081250/https://forums.la...

Here's the archived phpBB login page. It asks for your LastPass login and password (not your forum account, your actual LastPass login and actual LastPass master password):

https://web.archive.org/web/20150717071236/https://lastpass....

Here's a past HN discussion from the time with some guesses at how such a phpBB login using the master password could, theoretically, be implemented without knowledge of the password. Note that this doesn't imply it's possible to implement it in a way that would be resistant to their web server (running phpBB!!!!) being compromised: https://news.ycombinator.com/item?id=16016171


Unless Iโ€™m misremembering, the login to their general system was done by never sending the password over the wire. Instead they used js to do some sort of hashing type system locally.

But during the heartbleed attack when their systems were shown to be vulnerable, that was one of their arguments as to why it wasnโ€™t so bad.


They pretty heavily fumbled exactly this heartbleed response too. They claimed they "weren't vulnerable" because of this setup but they clearly were. If you exfiltrated an SSL key, which heartbleed allowed, you can serve whatever JS (including JS that just explicitly exfiltrated your passphrase) you wanted to end users.

LastPass is full of clowns. There's already two examples of their cavalier approach to what should be simple security in this thread and I'm pretty sure there are more.


> Instead they used js to do some sort of hashing type system locally.

Just the other day a co-worker brought up this idea as an offhand remark. After bouncing it off those present, it took him all of twenty seconds to see why it might do harm and will do little good.

You'd think a password manager would employ some security minded people who could shoot down ideas that bad immediately.


What were the counterpoints?


A weakness in your clientside hashing will make your site weaker to brute-force attacks, since it will reduce the number of hashes (or passwords) an attacker has to try (collisions in client-side hashes will too, but very negligibly for a good hash function). It's also impossible to recover from without relying on another form of authentication to re-establish trust. For many sites this means downgrading to single-factor.

Any hash upgrade mechanism can be abused by a (possibly MITM) attacker to change a user's password while leaving you and the user none the wiser that specifically this occurred. If you need to lock someone out while their phone is beeping at them over their bank account being emptied, while not even making it look like their password was changed, that sounds like a fun way.

Lastly it's virtually the same as plaintext, since any salt will be known by even just a passive attacker. A true MITM won't even have to brute-force the hash.

Conclusion: Might do harm, will do little good.


Thanks, that's pretty damning.


I don't think this is accurate. It appears that the phpBB instance performs a redirect to a SAML login, meaning the login page where you're being asked for your master password is the regular login page.

Now, the fact that they have a web-based vault access requiring entry of your master password? Pretty bad, considering you can't disable it, and it's automatically activated even when just using the browser extension (at least as of a few years back, when I asked them to fix that.)


I donโ€™t use Lastpass, but if what you are saying is correct, they could not have sent the OP an e-mail (assuming itโ€™s legit) informing them of the attempt to sign in using the master pass from Brazil, right?


Cryptography means lastpass doesn't need the master password to verify the password.


If you have the hash and algorithm used to generate it of a human generated password you can in the vast majority of cases get the password.

Itโ€™s a combination of people being very bad at generating, remembering, and entering passwords plus generally being unwilling to wait minutes or even seconds to generate the hash on their local computer.


> If you have the hash and algorithm used to generate it of a human generated password you can in the vast majority of cases get the password.

I mean, technically this is true, but it's also true if you have the ciphertext of the stored-password database, which is sort of LastPass's entire job. ;)

The only thing that might make it harder to brute force the master password with the latter than with a hashed password database is if the key derivation algorithm differs.

But I think your blanket statement is sort of misleading. In principle, if you trust someone with your encrypted password storage database, you should trust them with a hash of your master password; both serve as brute forcing oracles.


MD5 is long considered a broken, weak hash algorithm. Here is the MD5 hash of a password:

d9afca35a87a2af4168500640fcf2370

Password is 16 characters long, all lower case, no numbers, no special symbols.

Please tell me the password.


What percentage of people do you think actually use 16 character passwords?


Probably pretty low.

I use 64 character passwords, or if there is a length limit, always the longest possible. Thatโ€™s the beauty of using a password manager :)


Do you use 64 character master password?


One advantage about having memorized a bunch of poetry back in the day is I have a lot of secure long passphrases to hand

Aesop, my author, makes mention of two mice and they were sisters dear 1234567890123456789012345678901234567890123456789012345678901234567890

70 and little effort


I consider mine pretty long, and it's right around 30 characters.


56 billion md5 hashes per second for $1.80 per hour at OVH. (single Nvidia Tesla v100 GPU)

Still a no-go for plain old brute forcing all a-z combinations. But, if your password is some combination of actual words, common keyboard sequences, or anything else in a password dictionary, it's cracked pretty quick/cheap.


The best I could find is this

https://stackoverflow.com/questions/10041298/how-to-recover-...

But can you show me the way how you'd go on about this? Really curious.


You can't. That's the point of the post. There is no known feasible pre-image attack on MD5.


You don't need access to a password to check it, just the hash (then they hash what you enter and compare the hash to the one they have). So both "They use it to log in to their whatever" and "They don't have access to it" can be correct.


If thereโ€™s a breached phpbb instance, the attacker can modify login.php to log plaintext credentials.


Is there an official counter for phpBB RCEs/vulnerabilities that revealed user passwords? This has been going on for decades now. It's getting ridiculous.


Welcome to frameworkless PHP where code & user files are stored in the same root and any PHP file requested by a web client is executed by the server.

In most proper frameworks, including PHP ones, the only thing responding to web requests is an entrypoint file (that gets passed the request metadata including URL) and the framework takes it from there. This means that with proper configuration, even requesting a malicious PHP file shouldn't actually execute it and instead hit the framework which will promptly respond with a 404 (of course, with PHP the danger is that in case of misconfiguration the server may still prioritize an exact path match and execute the file rather than defaulting to executing the framework's entrypoint, where as other languages typically don't rely on the webserver to execute the files and couldn't run a malicious file even if they tried).

But these stupid legacy applications are still around and haven't been updated to fix this design flaw, so any flaw in sanitizing uploaded files turns into a persistent RCE. I'm sure some people will pitch in and say this isn't a design flaw and you're using it wrong, and while I agree that it can probably be made secure with enough effort, why leave such a loaded footgun around when this is essentially a solved problem in all other languages?

In other languages a malicious file being uploaded to the web root will at best result in a stored XSS which can be further mitigated by having your file uploads on a separate domain, but in PHP it's fatal.


> the server may still prioritize an exact path match and execute the file rather than defaulting to executing the framework's entrypoint

This is properly solved by frameworks having this entrypoint be in a โ€˜publicโ€™ folder and that also being the webroot, so only index.php and nothing else is available for a direct match (unless /../ in the url works, which would be a huge security hole).


we miss cgi-bin/


good mention. an rtfm for everyone else.


There is such a counter, CVE databases.

If you would actually take a look, you would realize you are spreading FUD.

phpBB has been rewritten from scratch around 2008 with phpBB3 and hasn't had a single severe vulnerability since. That's 13 years.


Sure. But CVEs don't enumerate RCEs/vulnerabilities that reveal user passwords - they care about a superset of all of that. And when you look at the common vulnerabilities in phpBB3, "phpBB3 hasn't had a single severe vulnerability" seems like very selective language.

I am merely giving my unprofessional opinion that phpBB(1+) has only caused harm. A significant portion of leaks seem to be attributed to it. They really could have done better, and their reputation is forever dead.

To make clear: I am sure that the current version of phpBB works just fine and isn't as disease ridden as we all know it to be. However, the fact that all of these issues have existed for so long means that perhaps we need to take a look at the software as a product and determine that its performance has not been good enough, and to expect similar performance in the future.


This also happened to me back on Nov 10, 2021. I had an old LastPass account, wasn't using it, when all of a sudden i get an email:

-- Login attempt blocked Hello,

Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look. ---

Like you, it told me that the attempt came from Brazil, using an IP address starting with 160. I have no idea how they would've gotten that password. Made me wonder if LastPass had some issue, but nothing was in haveibeenpwned


What, really??

This is too crazy of a coincidence to be a coincidence.

This is exactly what's happening to me, and same IP prefix.

What does it mean?

---

How old of account was this? Can you contact me by email (email in my profile)?

---

Two theories:

- there is a problem with LastPass

- you and I both had the same Chrome extension installed that was actually compromised, and that extension was listening to/sending passwords typed into lastpass.com

I last used this account/master password back in 2017. Is that similar-ish to when you used your account?


posting another comment here too for visibility, but this _just_ happened to me as well....

Time Monday, December 27, 2021 at 1:41 PM EST Location Sรฃo Paulo, SP 01323, BRAZIL IP address 160.116.88.235


Not sure it's really in Brazil.

LACNIC says the IP range was transferred to AFRINIC. They then say that it is owned by:

Affiliated Computing Services (Pty) Ltd descr: P. O. Box 261333 descr: Excom 2023 country: ZA

But then further note that ownership is in dispute! We need someone to look it up in the current routing tables to see where it's presently being routed to.


I also saw that very weird thing -- Brazil vs AFRINIC.

Help/insight from ASN? BGP? networking experts would be appreciated..! Thanks a lot


Far from an expert,but https://www.dan.me.uk/bgplookup lists it as owned by AS202769, which is apparently "Cooperative Investments LLC" Scamalytics[1] states that much of their address space is VPNs, so the trail may go cold here.

[1] https://scamalytics.com/ip/isp/cooperative-investments-llc


That IP is present in a cn record for visit[.]keznews[.]com, whose whois record lists an admin contact in CZ.

Be very wary of geo-ip results, on the modern internet they are effectively useless.


Ignoring VPNs, why are they useless?


I wouldn't go so far as useless, but they frequently exhibit significant inaccuracy, no matter which vendor/service you use. It's not unusual for me to query 7 APIs and be told the user is in 7 different cities spanning 5 states. At least there's usually a quorum at the country level. Given the market ($$$) for IPv4, this feels like it's only getting worse as more blocks of IPs are being sold, leased, transferred, even between continents/RIRs and the geo providers are always a few steps behind.

For the IP posted above, I have 3 providers claiming it's in Sao Paulo, 3 who says it's in Joburg (this is as accurate as anyone's going to get right now) and one says it's in Chicago! If I'm trying to do something with these results programmatically, I don't have a majority or a plurality to pick as a "winner" and I have to try weighting specific providers, which is a whole new mess.

Anyway, there's a good idea brewing in RFC8805 but it'd require pretty much every AS to play along.


I've routinely seen edge cases where geo IP databases are just wrong, even from providers like Google and others.

My home would routinely show up as from a country a thousand miles away. Friends down the street would show up several states over. Customers I know which were a state over would appear from a different country. The databases are usually right, but they're still often wrong. Often enough to cause frustrations.


Why ignore VPNs? Im sure someone else can chime in but to my knowledge that's what makes them useless. You can't be sure someone isn't running VPN, then you can never be certain GeoIP is correct, thus it's useless.


Because everyone knows that VPN IPsโ€™ geoloc is useless, so I assumed that those were being ignored. Also because itโ€™s possible to see if an IP is (possibly) a VPN one by looking up the owner.


As with most things IP-related, this is only somewhat true. There are a lot of VPN providers that specialize in not getting their exit IPs marked as VPNs, so just because an IP isn't listed as a VPN by your intel provider of choice doesn't mean it's not a VPN. GDPR also means finding netblocks with super generic IP-whois is really easy.

Geo-ip is a perfect analysis trap, because it seems like it's probably a good idea so people put it into the roadmap. Then they spend forever tracking down all the ways it doesn't work (I bet you have customers in whatever geo you're thinking of blocking, there's a surprising amount of netblocks that are attributed incorrectly, etc), and then the sunk cost fallacy leads them to maintaining their creaky system. Imagine what you could have done with that effort in the meantime.

Now, let's put our badguy hat on. It takes effectively zero time to tell if your target is geo-blocking (compare your port results between several geos, or cheat with censys and shodan). Being blocked? Launch your attack from IP space in another geo. Pro-tip on that: nobody blacklists cloud provider IP space because of VDI solutions. You can migrate between stolen cloud accounts faster than the provider can suspend them, especially for reconnaissance and initial payload delivery.

Edit: see also, renting time on botnets, renting physical colo, compromising residential ISP equipment, and friends.


Perhaps this will help? https://bgpview.io/ip/160.116.88.235


Hmm. So I don't know if this means anything, but I was googling for the IP address and wound up at https://ipinfo.io/160.116.88.235 which says hostname: visit.keznews.com. When you go to that hostname, it's one of the best phishing sites I've ever seen. They dynamically inserted my ISP's logo (Spectrum) and tried to do a phishing attempt:

https://i.imgur.com/C9HQw1c.png

The full non-clickable URL:

  https://us.poonstate.click/us/i/spectrum/?track=u.pslnk.link&key=eyJ0aW1lc3RhbXAiOiIxNjQwNjM4NTIyIiwiaGFzaCI6IjNiZjRkYTg5MTA5MzMzNmU5NjRmMjZiNDY1NWUyN2UwMjk3NzI0OTYifQ%3D%3D&tsid=7ae4766b-0de5-4865-9f1b-025a45c71c3f&bemobdata=c%3D314f53db-f844-46ea-99f8-f277456639d3..l%3Df57d9a37-1c67-4958-ac52-6f4854ce6840..a%3D2..b%3D1..z%3D0.0016..e%3Dzr4b7f4393675711ecb78f122b3efc6f65f31163358f914cea90c49d2c8cc35b7b0612682b8c773fbcf1..c1%3Dwhiskey-oar-eAcMKVvZ..c2%3Dgriseous-trout..c4%3DDOMAIN..c6%3DNON-ADULT..c8%3D1655308..c9%3Dfbb8c5b0-5140-11ec-a217-0aea8b85a94f..c10%3D0#
I went through and answered the "questions", and it tried to take me to the actual phishing site:

https://i.imgur.com/wYt5WB3.png

https://i.imgur.com/Picaw4a.png

Screenshots of the actual phishing site

https://i.imgur.com/Bh5c2lZ.png

https://i.imgur.com/q7xnSki.png

https://i.imgur.com/GX4hWnQ.png

And its url (non-clickable):

  https://welcome.myonlineeconomy.com/us/238700/25/?pubid=aff-us&pob=3&click_id=61ca28bcf92ca000011aa4c0&subid=RT-60338e1b79fcbe00012195a3-168&utm_medium=mail&utm_term=ipadpro&terms=y&email=&fname=&lname=&fp=&address=&city=&zip=&state=&lpkeyua=a17666fa4eadface9331c0311b1e8875.1640638952
Now, the interesting part is that this phishing attempt only happened once. When I tried to visit again just now, it just says "something went wrong" (on the first site) and "Access denied" (on the second site).

I saved the sites to disk as I went, but I doubt these dumps will tell you much. Just in case though:

1. https://gist.github.com/shawwn/4deace812e7c752949a0df096ef66...

2. https://gist.github.com/shawwn/721f235e760dd2257cd760edb1188...

Long story short: It sounds like all of you got phished. I suspect you installed a malicious app that somehow targeted your web browser's LastPass extension, modifying it to send your master password to these fine people. ยฏ\_(ใƒ„)_/ยฏ


Hey,

That's quite possible, for sure. I am not beyond/above/below being phished like anyone else, ha!

The issue -- what makes it perplexing -- is that I haven't used this LastPass password since 2017. I know because this LastPass account was only used to share passwords within an org that I left back then.

Is it possible that I was phished 4 years ago, and they sat on the password? Sure.

But 2 other people in this thread being phished from the same exact same phishing server/group?

Or we were separately phished using different techniques, and now one Brazil server attempted to use all of our logins?

That's what's rather strange.


Hey guys I think that maybe this has to do with an exploit in the web browser LastPass extension about 5 years ago: HN POST: [0].

[0] https://news.ycombinator.com/item?id=12171547


Yeah, that's not impossible. Surprising that they sat on the passwords for so long, but this is quite possible. Thanks for the reference/link!


You don't necessarily know they sat on it. You only just got a notification of the failed login now.

That doesn't mean they didn't try stuffing it elsewhere previously, or have login attempts you weren't notified of.

Nor do you know if the entity responsible for the failed login is the one who originally captured the credentials.

If you'll forgive the wild speculation, your credentials could have been sold recently and the new owners are less picky about alerting victims to the breach.

It could be that a bunch of credentials were captured for a specific purpose. Perhaps it was a targetted attack aiming for a specific victim, you and others here were collateral damage, and now the attacker is selling the assets.


Yeah, totally agreed and all great points.

I also generally am more suspicious of the idea that they sat on the credentials for years. Although that is not impossible.

One disproving fact (of sitting on the password for years) is that a few people here in this thread confirm having a login attempt from the exact same ip range, but with an account that was created this year -- in one case, in November 2021:

https://news.ycombinator.com/item?id=29710262

So... it might turn out to be a much more recent vulnerability after all.


Couldn't it just be that someone got a copy of the password some years ago and now sold the list of credentials to someone else, who then tried to use it? Maybe the original owner of the list didn't realize some of the credentials was for LastPass, for example.

I'm still seeing hackers trying to log on using passwords I haven't used in ~10 years, because it's on a list somewhere.


I agree, that could make sense.

So LastPass (their extension) may have been hacked ~5 years ago ish, a few people here on the thread were all hacked in the same way, our passwords were sold off, and now the same Brazil IP range just tried all of those passwords.


Perhaps you can ask the other victims when did they register their accounts to see if that's true?


I've been trying to ask this to people posting reports, and although there are many "older" accounts (like mine, circa 2017 or older), at least 2 reports are from accounts created this year:

https://news.ycombinator.com/item?id=29710262

https://news.ycombinator.com/item?id=29711950

That would make "more sense" that our credentials weren't stored and unused for years, i.e. that this is possibly a new, recent breach.


This seems likely.


I feel like this sounds more like a zero-day exploit being used to target the LastPass login servers.


Great post, seriously.

How many extensions are you using again? :-)


Hmm. Tabist, Twitch Now, EditThisCookie, TooManyTabs, ublock, adblock, tampermonkey, disable Reddit CSS, FreshStart, Notion, Netflix auto-skip, gist from website, Auto Kill Sticky... and a couple I donโ€™t recognize. Iโ€™ll post a full list when Iโ€™m back at a laptop.

โ€œToo manyโ€ :)


The only ones I have that match up there are EditThisCookie and ublock (origin)

EditThisCookie was last updated November 22, 2020, so it doesn't seem likely from that.

ublock origin was updated December 2, 2021, but they haven't changed devs or anything that would make me suspicious.


Thatโ€™s not a phishing site. Thatโ€™s standard zero-click /smartlink monetization. Itโ€™s a lot to explain and Iโ€™m on mobile but it isnโ€™t anything to do with phishing.


But, it certainly wasn't from Spectrum (my ISP), but they designed the page to make it look like it was.

I agree that it could be totally unrelated to the root mystery though. But "everyone here fell for malware or got phished" seems like the most likely explanation, even if my answer happens to be otherwise incorrect.


the site is an advertising redirect and these same attackers (or at least users of the same IP ranges) use leaked credentials to login to Microsoft/Outlook accounts using SMTP


I just tried logging into my LassPass (not used for a while) and I entered the password wrongly (I capitalised one letter) and got an email "Someone just used your master password to try to log in to your account from a device or location we didn't recognize."

Maybe it says someone used your master password even if they didn't? It gave the IP as Islington which is kind of correct.


I think that password case is a separate issue. If I remember correctly, many online services do "secretly" accept mixed cases for the same password (because users make more mistakes than they realize and it would be "annoying" to be too strict)

If you didn't receive a "Someone just used" email (with an IP that's completely geographically off from where you are) that's a good sign, of course.


I tried pushing back on just such a request once, pointing out it made of of the password "security" requirements pointless (use mixed case letters).

"But famous company X does this, it is really convenient for users!" was all the response I got. All I could do at the time was (internally) shake my head.


Oh! If the messaging is the same regardless of whether the right password is used then that changes everything!


When a wrong password is used, no email is sent out from my multiple experiments today.

I'm happy to be proven wrong, but I think that what's happening with @tim333 is that master passwords may be all lower cased (for example) before being hashed. Or maybe the password is hashed twice with the first letter upper and lower cased.

Here's what I found from a quick google re: password case:

https://www.zdnet.com/article/facebook-passwords-are-not-cas...

https://security.stackexchange.com/questions/68013/facebook-...

"This is simply Facebook trying to provide a better user experience for those users who may have Caps Lock enabled, or whose devices automatically capitalize the first letter of the password."


I don't think that's the case. I went back and looked at the auth logs and there are many "failed logins" and one "Login verification email sent", which is the only one I got an email for.


I am having the same issue!!! One of my important passwords was leaked and in free use by a bunch of people who were all accessing my evernote account (thankfully it had nothing important in it). I've been on a spree to change my passwords since then.

I have been wondering - is this because of the following lastpass bug?

https://www.zdnet.com/article/lastpass-bug-leaks-credentials...


Just happened to me one hour ago and got scared shitless.

  Time Monday, December 27, 2021 at 3:50 PM EST
  Location UNITED STATES
  IP address 107.173.195.83
Actions taken, in this order:

  - Head to *Advanced Options* -> *View account history* to see if anything suspicious is going on (nothing so far)
  - Disable Lastpass MFA and use Google Authenticator (Authy)
  - *Account Settings* -> click on *Show Advanced Settings* -> *Destroy Sessions* (to see if anyone is actively logged in)
  - *Account Settings* -> click on *Show Advanced Settings* -> *Country Restriction* to my country only (luckily not in the US as the bot was)
  - Change Master Password
Also moments earlier:

  - Investigating all Mac processes
  - Disabled all Chrome extensions and deleted most (should have made a list)
Let's hope it's not as bad as it seems.

Edit#1 | Following IP addresses are reported in the thread so far:

  160.116.88.235
  160.116.231.145
  160.116.88.235
  107.173.195.83
  107.173.195.213
  154.202.117.78
  196.19.204.79


One other thing to note is that by default lastpass allows reverting to your previous password for 30(?) days. The option is in account settings -> advanced -> "Allow master password changes to be reverted".

To be safe you would probably want to disable that then change your password again. Just don't lose your new password as you then can't revert.

See https://support.logmeininc.com/lastpass/help/recover-your-lo...


I last changed my master password in 2019, and it gave me the option to revert to previous password. So it's not just a 30 day thing.


That is concerning and directly contradicts the docs:

"You can revert to your previous master password only if the change had taken place within the last 30 days."

I guess it is possible it is another UX issue and would fail if you tried, but that still isn't very reassuring.


You received a "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email?

And your master password was secure/not used anywhere else, etc.?

Did we all (that's 8 of us now in the thread) get compromised a few years ago (using the LastPass extension?) and someone just mass attempted to try all of those passwords..?

Edit: since you're tracking IPs found in this thread (thanks!) my attacker's was 160.116.189.21 . You also have 1 ip duplicated (160.116.88.235) which was from the same user both times. You can also add 160.116.95.249 which was just posted


"Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look."

Could be... I haven't rotated my password in a while. Could you link me to more info about the LastPass compromise that you mentioned?

p.s. My master password is definitely not dictionary material, and it's not used anywhere else, so I am 100% sure it's not a bruteforce / phishing attempt.


That's so extremely bad and really cannot be a coincidence at this point. We were all owned in the same way years ago...?

The compromise was mentioned here: https://news.ycombinator.com/item?id=29707325


So they had waited all these years, before they act on those Password? Seems like there should be some other explanation.


All of this IP space is cybercrime-related.

Most of it was initially obtained via fraud/corruption from AFRINIC and being currently announced by AS202425 (Ecatel, notorious crime host). Whoever is using it is up to no good.

The rest is owned and announced by ColoCrossing which could be considered a legit ISP by some metrics, but also has an extensive history of hosting lots of shady stuff.


- Disable Lastpass MFA and use Google Authenticator (Authy)

could you please explain this point? Isn't LastPass Authenticator equivalent to Google Authenticator, Authy or any other TOTP app? Or is there something that makes it less secure than other apps? Perhaps because it has cloud backups?


Honestly after the scare it just seemed stupid that I chose LastPass' own MFA for my LastPass account. Also if they really did get exploited, no idea what it means for their MFA solution.


When you do authy (or google auth) it will generate a new set of keys for you and shutdown any old ones associated with the lastpass stuff thus making the old keys useless. Also obviously he should change his master password to a new one.


> When you do authy (or google auth) it will generate a new set of keys for you and shutdown any old ones

wouldn't it be the same if you were going the other way around? E.g. switching from Authy to Lastpass Authenticator


Lastpass MFA is not at all like Google Authenticator. The codes in Lastpass Authenticator are optional and can be bypassed. It's not secure at all.


> are optional and can be bypassed.

How so? Are you saying that if I sign up for example to Dropbox and use Lastpass Authenticator for the 2FA, there is a way for me to log into Dropbox without retrieving the code from LastPass Authenticator? How would that work?


This is my worst nightmare and I wonder what the order of operations is in terms of downloading and unlocking a vault. This sounds like you need the master password to download and unlock the vault, so thatโ€™s a tiny bit of extra protection I guess (not much).

I wonder if password managers should be designed around, and encourage the use of, an undocumented PIN thatโ€™s appended to every stored password. You could use the same PIN for everything and if someone got your vault decrypted there would at least be a chance they didnโ€™t get the secondary PIN too.


Can't use the same PIN as a hacker would just add myhackurl.com/login to your vault and see what the PIN came across as. I think you'd also run into issues with password length as a lot of sites still have a restriction. I like the idea though and maybe a different implementation could work.


I mean a PIN that's not stored in the vault or auto-filled. It would be something extra that you add manually after the password manager fills in the password

So the password manager would put in 'password' and I'd manually type '1234' to make it 'password1234'.


That would not have stopped the vulnerability 'LastPass bug leaks credentials from previous site' (see Zdnet article posted elsewhere) though that's not a common vulnerability in software.


Isn't that what 2FA is for? An additional "PIN" that changes every couple of seconds.

Also, do not store your 2FA reset codes in the same account as your passwords.


Hey, could you please confirm whether you have uBlock origin installed in the following thread? https://news.ycombinator.com/item?id=29719033

It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!


For me it happened a couple weeks earlier:

> Time Tuesday, December 7, 2021 at 11:12 AM EST

> Location Ottawa, KS 66067, UNITED STATES

> IP address 208.114.93.34


adding 160.116.250.63 for the login attempt on my account


Hey, this _just_ happened to me too....my password would be near impossible to guess and is not used elsewhere...

Just deleted my last pass account!

here's the info that came with the email

Time Monday, December 27, 2021 at 1:41 PM EST Location Sรฃo Paulo, SP 01323, BRAZIL IP address 160.116.88.235


Mine was from India, master password definetly unique and very strong. I'm still hoping for some bug that mass alerted every day login attempts instead of actually gaining access.


I'm hoping for an email bug / false positive too.

Also, incorrect login attempts (i.e. using the wrong password) does not send out an email.

If you do attempt to login with the correct master password from a different/new IP, then you'll get the "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email.


Hey, could you please confirm whether you have uBlock origin installed in the following thread? https://news.ycombinator.com/item?id=29719033

It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!


Can you guys list out the browser extensions you are using and/or if you're using LP on mobile?

We need to find a common thread.


WHAT!! Same IP range for me.

How is this possible????


Is the date / time exactly the same? It seems like they might have emailed _everyone_ at this point. Maybe it's just a bug.


I have a LastPass account (also not used for some time) and have not received this email.


not sure, but this seems pretty bad! fwiw, i haven't used lastpass in at least a year. i've been using 1password.


How old approximately was your account? I used my master password the last time in 2017... were our master passwords compromised back then... and someone held on to them for that long? That seems improbable?


just checked my email. last pass account was created in 2015, not sure if the current leaked password has been in use that whole time, but it has definitely been quite a few years. moved over to 1passward in march of this year and likely have not used last pass at all since.


That's really so strange.

What is the probability that you, techknight (the other user in this thread) and me used the exact same compromised software back in ~2017 and had our master passwords stolen then? And for that person/bot (in Brazil) to try all of those master passwords now?

It's beginning to look like this is a LastPass issue, no..?


LastPass was my first thought, but I couldn't find anyone else having the same issue and decided it couldn't possibly be them. Now I'm not sure!

I've emailed you a list of the extensions I use in Chrome - if you want to share publicly any that we have in common I'm okay with that


Hey, thanks -- just replied to your email.

Since I haven't used this LastPass master password since 2017, I'd have to remember which extensions I had back then, which is hard to do...

I may have had 1Password and Adblock Plus which you had/have too.

But it's hard to say. It's a possible vector (that you, dogman123 and I had the same compromised extensions) but also... why would the hackers have sat on our master passwords for nearly 4 years (in my case)?


One other breadcrumb: https://news.ycombinator.com/item?id=29706957

It's looking like you got phished a long time ago, or installed malware which targeted the lastpass extension.

Did all of you use the same OS four years ago? (Windows perhaps?) Some malware targets Chrome/Firefox files on disk. A malicious extension probably wouldn't be able to affect your LastPass extension, but a malicious malware app could easily modify it.


Yeah, all of us being phished years ago is a possibility (I just replied to your other comment)

I used macOS/Chrome back in 2017. I definitely could have been phished then, or used a compromised extension.


How'd they get past the 2FA, though?

Or does LP shoot an email if it detects a suspicious geo-IP login before the 2FA prompt?


LP shoots an email as soon as someone attempts to login with the correct password from a new IP.

Once the IP is approved (you have to follow a link from the email), then you login again with the correct password and then get the 2FA prompt.


it certainly does look like a lastpass issue....


What prompted the move to 1password? Curious as I am deciding myself which service to use.


Not OP commenter but I personally would recommend using pass (https://passwordstore.org), Iโ€™m a little paranoid about all this fuzz, plus did you see the news in HN a few months ago about a password manager web browser extension having an exploitable vulnerability? Not sure if it was lastpass but Iโ€™ll try to search for itโ€ฆ

Edit: I found an old post from about 5 years ago on a vulnerability in LastPassโ€™s extension [0]

[0] https://news.ycombinator.com/item?id=12171547


I was so pissed at LastPass when the Firefox extension stopped working when Firefox Quantum was released, they didn't have an ETA for fixing it, their support is completely crap. I gave up no LastPass with 9 months left on my subscription and moved to 1Password. Also, LastPass UX is still awful to this day (I have to use it for work). Migrating from LastPass to 1Password was like migrating from Linux to Mac. It's more expensive, but it's sooooo much better and polished.


What browser extensions do you have installed?


I don't remember which extensions I had in 2017, unfortunately...


got one at 1528EST from 23[.]236[.]213[.]5 - OSINT shows it part of BLAZING_SEO_PROXY

pw was only ever used here and stored offline


That's a different IP range, but the fact that it's all happening at once (i.e. these unique, never used elsewhere LastPass master passwords being used to login) is rather strange..?

Or I am drawing a random line through a cloud of dots..? :-)

What other IPs are part of BLAZING_SEO_PROXY?


Hey, could you please confirm whether you have uBlock origin installed in the following thread? https://news.ycombinator.com/item?id=29719033

It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!


That IP is not from Brazil. It revert-resolves to keznews.com (Looks like it's registered in Prague)

If you try hitting it, it will redirect you to some website which might or might not be the same to every person


Hey, could you please confirm whether you have uBlock origin installed in the following thread? https://news.ycombinator.com/item?id=29719033

It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!


I feel this is like a Reddit detective moment. Almost everyone here is going to have uBlock Origin installed.


Yeah I agree. And a few users who were compromised confirmed not having uBlock. So yeah. False trail.


Are we sure that same email isn't sent out if someone tries to log into your account with the wrong password?


No email is sent when an attempt was made to login with the wrong password.

Logging in with the wrong password is logged in the Account History as "Failed Login Attempt"

Logging in with the correct password (or hash? TBD) from a new IP triggers the email and that's logged in the Account History as "Login Verification Email Sent"


Just checking the absolutely obvious, because I had a similar thing ... and then it turned out I had my VPN on. Thought I'd double check, in case someone was a silly as I am.


Thanks -- the original login attempt wasn't mine, so yeah. Not in this case.


That's too bad because that would have been a nice way to end this. Much good luck figuring this out, until further notice I would assume that anything that was in there is compromised so you better change your passwords.


Yes. Tor or a VPN was my first thought as well.


This has nothing to do with OP's problem but I figured this may be a good place to post about my bad experience with LastPass back in 2019:

When I moved to Bitwarden, I have deleted my account on LastPass. I have received a confirmation email regarding my account which states [0]:

> Your LastPass account has been permanently deleted and all of your data has been purged from our systems.

A few months later I receive a email stating that my premium subscription is expiring [1]. Clearely my account was not actually permanently deleted from their systems. Considering LastPass is a service used for storing passwords, I think this is unacceptable. How am I sure that they also still don't have my passwords that I had saved in their account?

I reached out to them via Twitter when this happened (because that is apparently how you get support in this day of age) and only then I was told that my account was actually deleted. I still have no way of verifying if this is in fact true or not.

[0]: https://i.imgur.com/P5yEqEl.png [1]: https://i.imgur.com/WyEueF6.png


You can never know for certain if your passwords are still stored somewhere or not, but I wouldn't worry about a billing email arriving after your account was deleted.

Many companies will retain billing/transactional data even if you delete your account. They might do this for regulatory compliance (eg.in Austria I need to store invoices for 7 years in case the Finanzamt wants to do an audit) or they might just do it as a protection against fraud or credit card chargebacks.

I would assume that "deleting an account" just means "delete your data" (ie. passwords and most personal data) and does not mean "delete all information related to me as if I had never done business with you".


It's very possible the billing system is separate from everything else.


It's most likely generated via Stripe (or some equivalent). And even though the account and associated information has been deleted from the Lastpass servers, they didn't delete it from all their vendors, forgetting that those vendors might send the end-user an email. A classic PM move, de-prioritizing any feature related to a churned user...


This article claims LastPass has responded to their request for comment: https://www.howtogeek.com/776450/lastpass-says-it-didnt-leak...

"LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. Itโ€™s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure."


Finally, if it is indeed not Lastpass's fault and as they say they dont store master password on their server, then there must be a software all these victims have in common. And it has to be fairly common so we could get at least 20 report on a HN thread.

Side Note: Interesting all it takes was AppleInsider publishing, getting some sort of traction. And Lastpass had a response within two hours.

Edit: This still doesn't make sense though. Unless @gregsadetsky had his computer access full hacked. Otherwise I dont see how his master password could have been stolen. Many of similar reports were from dead account they had a long time ago and wasn't actively being used.


Yeah, what doesn't make sense is that the emails we all received says:

"Someone just used your master password to try to log in to your account from a device or location we didn't recognize"

so either:

- the email was sent incorrectly i.e. our master passwords were /not/ used to login. In that case, why was the email sent?

- the email is correct i.e. someone does indeed have access to our master password (it was confirmed to me by one of the support agents -- that email is supposed to be sent out when the password is correct but used from a new IP) -- in that case, how is it possible that >20 people here were compromised?

In addition:

- many people here report never using their master password anywhere else

- and... not all accounts were old i.e. from 2017. A few accounts were from October/November 2021:

https://news.ycombinator.com/item?id=29711950

https://news.ycombinator.com/item?id=29710262


An extra consideration is that LastPass claim to be monitoring their systems constantly, specifically call out automated attempts ("fairly common bot-related activity"), so we can assume that monitoring includes "attempts to login with wrong passwords" or "attempts to login to accounts that do not exist". That information would be a good way to identify a credential-stuffing attack with confidence, i.e: they might be seeing millions of login attempts to accounts that don't exist + accounts that do with the wrong password...

If that is the case, then the email must be sent in error... which is definitely plausible, i.e: they have a logic mistake somewhere in their system which is incorrectly identifying some unsuccessful attempts as successful (which is triggering an event which triggers the email, the audit log entry etc).

Hopefully they make a better statement soon, because this is very terrible communication from a password management company.


That's possible, but the audit log shows the event that triggered the email and failed logins as two separate things.

The events are "failed login" and "Login verification email sent". The second one is what triggered the email and this event seems like it should only happen if you correctly login but their additional checks stop it from authenticating completely. The email has a button for "verify new device or location", which sure makes it seem like the login was successful.

I hope they just mangled up their event logger and it really should have been a failed login attempt but was logged as a valid login and triggered the email.


There have been several major breaches of security in recent months, such as the log4j vulnerability, that could have allowed malware to end up being spread to quite a few people. If your computer has been compromised, KeyPass files are among the list of items malware will attempt to send back. There are also secondary attacks which might have resulted in capturing their master passwords without needing to steal a KeyPass or similar file (such as key loggers). Given the scope of recent breaches it seems likely to me that there should be a sudden cluster of users whose passwords were individually compromised.


It does make sense if you consider that there can be more than 1 vulnerability and that some attacker targeting LastPass may use recent password from a fresh vulnerability mixed with older passwords from some previous breach.

I'm not actually following what does not make sense.


What's confusing to me is that my password was never used elsewhere (it was generated only to be used with LastPass and stored in KeePass). Other reports here say that their passwords were unique as well.

I just have a doubt right now about the possibiliy that this attack was using passwords from past breaches (which is what LastPass is saying)


There are several recent vulnerabilities which could have resulted in your computer being infected with malware without you knowing (like the log4j vulnerability). Because you're storing your passwords in a KeePass vault this actually increases the platform size for attack. This could have taken the form of several fairly simple attacks, such as key logging, clipboard (copy & paste) sniffing and quite a few other methods of stealing your master password purely because you've stored it somewhere other than your brain. Given the number of reported events in recent days, this looks more like individual compromisation events (malware/viruses locally on each affected users computer) than a single large breach.

It's also entirely possible this is all is due to an entirely new vulnerability which hackers have uncovevered which the security community has not recognized yet. This is less likely, but whether it is the case or not doesn't change the fact this likes like a higher than average incident rate for indivual compromises, rather than a larger single event.


But when they are talking about breaches they aren't just referring to other web sites being hacked. In theory, your computer may have been compromised some time during the last years.

It was just weeks ago some very popular package on NPM was found to collect credentials.

Again, not saying that's what happened but theoretically your computer was breached with some malware which collected credentials. I just meant it "makes sense" from a technical point of view. The likelyhood of this being the issue I am more unsure about.


Understood, and that makes sense.


> Unless @gregsadetsky had his computer access full hacked.

He stored the LastPass password in KeePass, right? KeePass has had vulnerabilities allowing JavaScript on any web page read secrets from the KeePass storage.

I'm not saying that's what happened, but I don't think it's safe to say that "had his computer access full hacked.".

There's also plenty of NPM packages and similar which has had vulnerabilities which could have extracted passwords from whatever storage is used. Then it doesn't matter if the account was dead or not.

Also, it's not safe to say that "there must be a software all these victims have in common". An attacker can specialize in LastPass and may have purchased several credential lists right? Maybe some credentials were extracted via some vulnerable NPM library, maybe some via KeePass vuln, maybe some from password stuffing.

We're just speculating here, but I think what you're saying is a bit too definitive based on what we know so far. To me, LastPass seems a bit like a mess so I would not be surprised if they are to blame though.


Yes and agree, pure speculation / inferring guesses. Based on the assumption the attacker would choose the easiest path. Although I did thought of Keepass leak, but most of the other incidents doesn't use KeePass though.

I just wish HN has a show newest comment first, it is bit hard to follow at the moment.

>LastPass seems a bit like a mess so I would not be surprised if they are to blame though.

Reading that. There is another possibility... no one was hacked..... it was just attacker trying to log in using the wrong password and the email Lasspass generated completely messed up.


I wonder how high the chance is of the master password itself having been reused, and of one of _those_ password sets getting compromised. Although I'd expect most people using a password manager would not be likely to reuse a master password.

On the other hand, my paranoia is now kicking in and I am on my way to change my (non-LastPass) master password, just in case past-me was very stupid a few years ago and then forgot about it...


So, in other words, they have no idea about what's going on. I'm not sure whether that's good or bad.


My master password was specifically for LastPass and it's a quite complex non-English language non-dictionary variant. There is no way that it's due to another breach or that it's a dictionary attack.


Please stop using this service. Use reliable, open source and auditable services. https://www.privacyguides.org/software/passwords/


Here is a wider list: https://github.com/pluja/awesome-privacy


There are 57 different categories on that page, direct link to the relevant content: https://github.com/pluja/awesome-privacy#password-managers

This list is also more narrow, not wider: awesome-privacy recommends Bitwarden, Keepass, and Padloc, while privacyguides recommends Bitwarden, Keepass, Psono, Password Safe, and Pass.


By "wider", I meant more categories, and not more items for this particular category.


This page does not provide any information why the recommended solutions (Bitwarden, KeePassXC) are more secure than the products it warns against (1Password, LastPass, Roboform, and iCloud Keychain).


Because Bitwarden and KeePassX are open-source and auditable?


Audited is better than auditable


Audited AND auditable is better (Bitwarden: https://bitwarden.com/help/article/is-bitwarden-audited/#thi...)


This. I cringe every time I see a coworker log into some site using LastPass, 1Password, or really any other cloud-hosted password manager.


Since your master password is stored in another password manager, would it be accurate to say you copy/paste it into LastPass? If so, something running on your machine could be scraping your clipboard.

This of course assumes that it wasnโ€™t really you from an IP that was just misidentified as being from Brazil.

For what itโ€™s worth, I stopped using LastPass after they sold out to LogMeIn and would recommend others stop using it as well.


Of note, LastPass just announced that they are splitting out of LogMeIn and becoming independent again: https://blog.lastpass.com/2021/12/lastpass-investing-even-mo...


Of course, you must reduce the risk to the parent company before the huge disclosure comes out </sarcasm>


Yes, I do copy/paste from my local password manager. A clipboard scraper is a possibility, yes.

I hadn't logged into that LastPass account for years, so it's definitely not me who attempted to login earlier.

Re: LastPass, is there another cloud-based tool that's generally considered as more trustworthy? Bitwarden? Thanks


Personally I just stick to local Keepass database files. Iโ€™ve never ventured into the cloud based services. If you are really worried about it, do you really need to use a cloud based password service?

Sure, managing the KeePass files by hand is certainly more cumbersome, but to me itโ€™s worth it for the security/ peace of mind gains. I have never put my DB or key files in the cloud. And when I need to sync them up over all my devices, I gather all the DB files and use the handy โ€˜mergeโ€™ functionality to get them into the same state.


TIL about the merge functionality! You can also use Syncthing to synchronise the databases between your devices; if you don't have public IPs for your devices, this essentially means that you can only synchronise when two devices are on the same network -- but this might not be a problem for you.


You can also use Syncthing and the merge function! It comes in very handy when two devices have made changes to the password database file and you end up with merge conflicts :D


Syncthing works great even behind a NAT, not sure how it works but it just works for me (might depend on your NAT though)


I've had zero success with nat hole punching in the past, on multiple networks. Maybe I'm just unlucky. :)


Some routers have UPnP disabled by default, maybe enabling that would help?


Same here, I use KeePass on several Windows machines, and on a couple of Android phones (using KeePass2Android). I use a cheap VPS as a central point for syncing - so I can make changes on any machine, then sync them over SFTP, which merges the changes into the database on the VPS. I can then hit sync on any of the other machines, and it will pull down the latest database over SFTP and merge in the changes.

It sounds a bit complicated reading this back, but in reality it's pretty straightforward.


why not just use dropbox? and secure dropbox using 2FA?

FWIW, I used to run nextcloud on a ec2 instance. Decided to just use dropbox instead. the webdav support on nextcloud was neat with keepass


My whole point was I like to be in total control my password database, and never have to decide whether to trust a third party provider or not.

Not saying Dropbox or lastpass isnโ€™t trustworthy. Just that itโ€™s a point of failure you can eliminate, if the lack of convenience isnโ€™t a huge deal to you.


I might take that back :) currently trending on the front page, a real article about Lastpass master passwords being compromised. https://news.ycombinator.com/item?id=29716715

So yeah, take Lastpass off the list, I donโ€™t trust them :)


I have the VPS for others things anyway, and I don't use Dropbox.


I absolutely agree. I love KeePass and use it for everything... this LastPass account was setup to share passwords with others at an org that I worked at.

The problem is... that LastPass password, the one stored in KeePass, is presumably the one that was leaked.

Which is what is spooking me -- if someone has access to my entire KeePass file, it's game over.


Wow, you were ahead of the curve here @gregsadetsky! Looks like real news articles are coming out about this now! https://news.ycombinator.com/item?id=29716715


I feel like the proverbial canary in the mine. Well, a dead canary...


So...when you say "...was setup to share passwords with others..." is there a chance that this also means the master password was shared with one or more others?


Sorry, no, that was a confusing way of phrasing it.

The LastPass account that was almost-breached today uses the "password sharing" functionality to share passwords (to certain sites) with other people in the same org.

I was just explaining that the only reason why I have a LastPass account was to share passwords. (not the master password, obviously -- I was sharing passwords to other sites)

I typically use KeePass for all of my (site) passwords and keepass stores all of this in a local encrypted file.


Yeah, hard to say. I donโ€™t think it means itโ€™s โ€˜game overโ€™ though. I think it just means you might need to go through the tedious process of walking through your whole DB file and update every password. And generate a new key file. Then and only then will you have peace of mind I think. Good luck!


Just configure keepass to sync with a file stored online when opening or saving the database and you have the same convenience. Syncing the main database file itself fails if different systems change the file without reloading in-between, but with sync configured it works perfectly.


Bitwarden is great, highly recommend, it's open-source which adds to its trustworthiness and has a good track record of respecting users.


+1, you can host your own server as well https://github.com/dani-garcia/vaultwarden


There's an official self-host open source version as well ( the one you linked is unofficial), but it's rather heavy ( multiple .NET services, MS SQL) and not adapted for small scales.


yes, we don't talk about that one


Is the unofficial one Security Audited?


Unofficial server so you probably should avoid the web application (or build it yourself from official sources). In theory it could contain malicious code that leaks your password.


I'm in this party too. bitwarden for yourself, friends and family...


I use 1Password, seems alright security wise, wonโ€™t definitely say one way or the other, but you could DYOR on it.


1Password has a cloud-based option these days, for better or worse.


And soon they'll _only_ have a cloud-based option with no option for local-only vaults.

https://1password.community/discussion/comment/602340/#:~:te...


Gotta get those sweet SaaS dollars and never mind the original goals or the user.


Bitwarden is fantastic


Why do you recommend others to stop using LastPass?


https://en.wikipedia.org/wiki/LastPass#Security_issues


I just switched last night for unrelated reasons

1. BW supports inline Android 11 password fill. I find the UX much better with this feature

2. LP is a bit buggy, particularly on Android

3. LP is slow to add new features

4. I didn't expect this, but I really enjoyed BW's UI

5. On Android, I enjoy the three quick launch buttons they provide

6. LP creates new logins in folders of it's choosing by default. Not a fan

But in general, BW it just "works" better/faster for me


LastPass has suffered a few security breaches and the overall quality of the product hasnโ€™t improved. 1Password is a superior product with no security breaches.


From my interaction with LastPass support (I'm a premium user), they've outsourced to some cheap company where agents have no clue how anything works. It took weeks to get through to somebody who even understands the problem and their reply was essentially "yeah we know it's broken, it's broken because of security".

Left a really bad taste in my mouth. I wouldn't be using them at all if I didn't have to for a client.


I remember reading a blog entry, a few years ago.

Someone received a phishing email from "their bank."

They responded to the email, and got someone on the horn, immediately.

But their bank (the real one), sent them to a horrifying voice jail.

The point was that the crooks gave better customer service than the real bank.


Barclays recently tried sending me a new credit card because they were changing to Mastercard or something.

I got an email one day that my new Barclaycard was activated. Called support, and they swore to me it was a phishing email (it was definitely from Barclay's official domain). Would not listen to me at all and kept trying to get me to hang up. I asked if I could tell them the email MessageID and they could verify the authenticity. They said no.

About 10 minutes into trying to convince them it was not a phishing email, I refresh my dashboard and there was a $600 purchase at a Long Island Walmart. That shut them up really quickly and they transferred me to their fraud department who asked me for the MessageID at the bottom of the activation email and confirmed it was real...

I asked if I could set up any additional security, and how could they activate a new credit card? Did they have my online password? Apparently no, you can just call on the phone and activate it, no authentication required. They told me I could set up a "voice password" for my account for all phone support and I did just that.

I called them back 30 minutes later, got through to support to where I could change anything about my account. Asked them if my "Voice Password" was enabled. "Yes it is." "....Okay, no one has asked me for my voice password yet, and here you are about to change my address". They still didn't really understand the seriousness, so I told them "I'm not <my name> I'm a hacker trying to steal his money." and they understood.

The worst part? I couldn't cancel that credit card until they physically sent me one to activate. No way to visit a branch and get one. It ended up getting stolen out of the mail THREE TIMES before they finally sent it with a signature required.


It makes sense economically. Crooks will steal ~100% of your bank balance in one day. Bank itself earns 1-2% per year.


Yup. The blogger was just being cranky about their bank.


+1 -- happened to my account today as well. Haven't logged into or used this account in years. Password is unique and has never been used elsewhere.

Deleted my account.

Email Text:

Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look.

Was this you?

Account ...@gmail.com Time Monday, December 27, 2021 at 11:53 AM EST Location Sรฃo Paulo, SP 01323, BRAZIL IP address 160.116.95.249


Yikes, seriously... We're at 13? independent reports.

Would you mind sharing how old was this account? Was it from 2017, or before?

Trying to find some common thread between all of us i.e. which exploit it might have been.


Same thing for me. I last changed my master password on Oct 4 2021. password never used elsewhere and stored only in my head, which makes me suspect a bad chrome extension.

``` Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look.

Was this you?

Account xxx@xxx.com Time Monday, December 27, 2021 at 12:06 PM EST Location Berlin, BE 12529, GERMANY IP address 196.19.169.161 ```


Itโ€™s unlikely to be due to a browser extension. A browser extension that can steal your master password can steal all the other passwords as well, it doesnโ€™t need LastPass for that. More importantly, an extension can only steal your master password when it is used โ€“ yet several people reported not having used LastPass for a year or more. Itโ€™s still not impossible that an extension has been stealing master passwords for years only for them to be used now, itโ€™s merely unlikely.

Judging by the reports here, the source of the leak appears to be LastPass after all. Given that most people write about old accounts, my original suspicion was https://palant.info/2018/07/09/is-your-lastpass-data-really-... โ€“ from all I know, LastPass never investigated whether that websiteBackgroundScript.php issue was already being abused. It was obvious enough that someone might have discovered it independently of me.

If on the other hand you changed your master password recently (and someone had a login attempt on a brand new account) then this theory is moot. While I am aware of a number of LastPass design flaws (see https://security.stackexchange.com/questions/45170/how-safe-...), none of them could be the culprit here. It must be something new then. The weird thing: LastPass must have stored unencrypted passwords somewhere, because reversing 100,000 rounds of PBKDF2 wouldnโ€™t have allowed such large-scale attacks.


>Given that most people write about old accounts, my original suspicion

No - there are now reports of same thing happening with recent changes to password

https://twitter.com/Valcristerra/status/1475734357805572098


Yes, Iโ€™ve already seen this. Iโ€™ve written https://palant.info/2021/12/29/how-did-lastpass-master-passw... discussing the possibilities here. So far the most likely suspicion is that LastPass infrastructure is compromised and a pass-the-hash attack is going on.


So they are using your "newer" password from Oct 2021? Because all the previous incident seems to relate to very old password usage dated back in 2017.

If so then it is big, very big. Could it be log4J?

Edit: 12 hours later still no update or response from LastPass.


At least another reported incident in this thread is from someone who registered their account in November of this year...!

https://news.ycombinator.com/item?id=29710262

(I ask them to confirm whether they mean November 2021 and further down in the thread, they confirm that)

And yes, if it's a recent attack -- that's very troubling. (and would be more probable than an attacker sitting on passwords for 4 years)


Maybe you could share the list of extensions you use, unless you consider it too private?

I haven't gotten any email like this myself and in my organization with 20 LP users no one else has as well it seems. I am using uBlock Origin and LastPass only.


Meta: Do not use LastPass for the whole password. My method http://lukasz-madon.github.io/Password-management/


+1 for healthy paranoia.


I am surprised that LastPass have not yet addressed this. Even if it isn't a widespread incident, the fact that this is being reported by multiple people seems worrying enough for a password manager to respond promptly.


I agree. I contacted the support agent I talked to again with a link to this thread and all of the similar IP addresses that tried to login, presumably with the knowledge of our master passwords.

I also sent off a random email to the Verge, and tried tagging LastPass on Twitter.

Does anyone have tech media connections who could try to squeeze a word out of LastPass?


Looks like not getting any media attention. But There are now more than a dozen incidents which is quite worrying.

Some twitter "expert" insist most of these incidents here were phished. But I read many of them hasn't even touch the password for years. And report of new account compromised suggest this isn't something done by phishing attempt. Not to mention most people here tends to be on a higher level of security and tech knowledge level.

Edit: Well Appleinsider [1] picked up the story, the only bad thing is this expose Hackernews the site to a much wider mainstream audience.

It is also interesting to see how news spread out online in real time.

[1] https://appleinsider.com/articles/21/12/28/lastpass-master-p...


Thanks for the link re Apple Insider! Glad it's gaining some traction. Would really hope to learn more / have an investigation into this and some (non deflecting) answers from LastPass.


krebsonsecurity might want to take a look? Sounds like right up their ally.


Good idea, I'll contact them.


May be a dumb question, but how much are we trusting Lastpass that whoever tried these logins actually used the correct master password? The posted statements sound a bit ambiguous, maybe they're mistaken? Does it show as a login attempt if somebody uses your correct account email address and the wrong password?

Of course if Lastpass is sending ambiguous or mistaken communication about whether someone else has your master password, that's a really bad sign for them as a company too.

On the "bright" side, if somebody had your KeePassX file and master password to that, I would think they'd be doing things a lot worse than trying to log into your LastPass account from Brazil. If they had that data and were serious about LastPass for some reason, they'd probably at least break into your email too and try and intercept those warning emails. Keep an eye on email, banking, credit card, hosting systems, any other higher-value accounts that might have credentials in that file for any signs of suspicious activity. If there's none, then a successful exfiltration of that data seems unlikely.


Unfortunately, the email sent from LastPass specifically says "Someone just used your master password to try to log in to your account from a device or location we didn't recognize"

LastPass support did confirm that the IP from Brazil did have the master password.

I also tried to login with a wrong password and that shows up as "Failed Login Attempt". This is different -- the person on the other side did have the master password.

Re: KeePassX, I agree. It's a catastrophic scenario if true, but it does seem improbable.


I thought that LastPass didn't send your master password over the wire, rather it uses client-side code to take your Master Password and turn it into a hash which is then sent to LastPass for comparison[1]. If that is the case, how can LastPass claim to know that your master password was used? At best, they can claim that the hash sent to the server matches your password's hash but that is not the same as your master password being used.

Given the widespread nature of this issue, I'd guess someone has discovered a flaw in the LastPass login process which is allowing a bad hash to pass the master password hash check: that contradicts what the support agent said, but I'd assume they're mistaken, rather than LastPass are lying in their documentation about how their system works.

[1] https://support.logmeininc.com/lastpass/help/about-password-...


Very interesting theory!

What's a bit surprising is how "low effort" the rest of the attack was: presumably if they found this flaw to bypass passwords, they then attempted to login (which caused an email to be sent out), but LastPass stopped them because they (i.e. the folks on the Brazil IP range) were logging in from a new IP.

So this would be a case of one protective layer (the new IP detection) compensating for a vulnerability in the other one (the password protection).

That would be "re-assuring" in a certain way (as the passwords themselves did not leak -- presumably!).

Thanks


Another possibility is that one of their (many) previous security incidents led to the leaking / exposure of master password hashes, and maybe LastPass don't treat the password hashes as they should (as a password!) and didn't take steps to ensure that any compromise hashes couldn't be re-used. So, potentially, your master password is safe, but there's a hash of it floating around.

Personally, I've long recommended people stay well clear of LastPass for their bad record of security, so shipping a bug in password-hash verification, or treating password hashes haphazardly would not surprise me in the slightest.


Again, really great point re: our passwords hashes floating around, rather than the passwords themselves.

I wonder if haveibeenpwned.com would somehow have information about this. I just pinged them on twitter.


If Lastpass was zero knowledge then this wouldn't make sense. The master password or some derivative of it should decrypt your passwords on the local device.

I use Keeper and despite it being cloud based, that's exactly how it works.


Your test of a login attempt with a wrong password was a good idea, but did you do it from a location they would not recognize? That's what you need to do to rule out that the Brazil message was not merely a wrong password login attempt.

I'm a bit skeptical that if someone tried a login with the correct password but from an unrecognized location that they would block it by default. People do travel and do change devices. It would really suck if you were far from home and needed to use one of your passwords and couldn't login because your are not at your normal location.

What I've seen from other services when logging in from a new location is either

1. They send an email or text to the email or phone number associated with the account, which must be acknowledged before the login is allowed, or

2. The login is allowed but they send an email or text telling me that there was such a login and that if it wasn't me how I can kick the person out and re-secure the account.

This item from their support site suggests that they do #1 [1].

[1] https://support.logmeininc.com/lastpass/help/best-practices-...


LastPass does send out an email every time that there is a new login attempt with the correct password from a new ip address. An included link from that email must be followed for the ip to be approved. Then, you can actually login from that ip. (and yes, that's annoying re: travel/ip changes...)

When a wrong password is entered, no email is sent.

I tested the above (using a new ip with correct password -> email; wrong password -> no email) and it also aligns with what my "Account History" shows. There's a list of bad password attempts, and there's a separate list of "Login Verification Email Sent" i.e. the password was correct (presumably -- or maybe its hash -- that's one theory going around) but it was from a new, un-verified-so-far ip.


I've had that exact thing happen before when logging on using my phone's hotspot. It did really suck, and what I ended up doing is remoting into my PC at home. I feel like they care a lot more about false negatives versus false positives.


I received the alert of a blocked login attempt yesterday from 168.81.33.157 (Mumbai, India).

I donโ€™t use LastPass often and wasnโ€™t 100% on my master so I tried logging in and also received the block login alter from my attempt. I verified the new location/device and then tried again and it told me the password was invalid. Tried again and got in fine.

Could it be that master passwords are not actually compromised but they are sending the unrecognized device/location on any login attempt regardless of correct master?

Can someone else verify blocked login from unknown device/location using a wrong master password?


Hey,

I tested it here a few times, logging in with a wrong password does not generate an email, while logging in with the correct password from a new IP does generate that "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email.

Could you try again logging in with a completely wrong password (to see if you get a email) and then logging in with the correct password from a new IP?

Also, you can verify that those kinds of events (wrong password and correct password from new IP) are logged in the LastPass Account History. Instructions to get the Account History are here https://news.ycombinator.com/item?id=29708122


Interesting. I tested twice before with the wrong password and vpn and it generated the email but was not able to get in. I assume it would still show in account history because that event is the login verification email event.

It isnโ€™t sending that email for me at this point so maybe something has been corrected and LastPass will acknowledge something soon.


Just making sure, when you say wrong password, was the password completely wrong, or you changed the lower/upper case? There's a separate conversation on this topic here https://news.ycombinator.com/item?id=29708869

And again, to confirm, you used the wrong password and received an email saying "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" ?

Thanks!


For me, the behavior is:

* Connecting from my own IP with wrong password: It tells me to "Check my master password and try again."

* Connecting from another IP with wrong password: It tells me to "Check your inbox for an email from LastPass: <myemail**@gmail.com>" and also to check my login info.

It's a bit odd that it tells me to check my email even though the master password I provided was incorrect.


Yeah, it's as if the error message (when using a wrong password on a new IP) was trying to not say that the password is wrong. It's just saying "check your email", just as if you had typed in the correct password (from a new IP).

But when you did attempt to login with a wrong password, you never received a "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email, correct?


Correct, at 10:20 eastern I did receive the verify device/location email using an invalid password but it is no longer sending the email.


That would truly be the best outcome possible -- that LastPass sent out "Someone just used your master password" emails incorrectly i.e. those were false positives.


They are saying itโ€™s just a credential stuffing attack and being that my master passphrase is only used for LastPass Iโ€™m hoping that is all that is going on. Their statement does say โ€œItโ€™s important to note that, at this time, we do not have any indication that accounts were successfully accessedโ€ but I would still like confirmation the emails were sent even on invalid attempts.


But if your master passphrase is only used for LastPass (as is exactly my case -- I've never used it elsewhere), how can it can be credential stuffing? Or was the password breached from LastPass itself in the past? That's possible, but then it doesn't jell with people having this same issue with accounts created in November 2021.

As far as I can tell, the "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email we all received was only sent when a correct password was used. Incorrect passwords did not trigger that email.

But yes, it would be great to learn that those emails were sent incorrectly i.e. it was a false positive (i.e. someone tried to login with a wrong password, but the email above was sent anyway). It's still not great that the wrong kind of email was sent, but that would be a low level bug.


I was never able to successfully trigger the false positive last night but I believe the most recent explanation from LastPass is in line with what I have been seeing. Intermittent false positive emails.

https://www.techradar.com/au/news/lastpass-accidentally-scar...


Yeah, just saw their new announcement (thanks for doing those tests yesterday by the way!)

I don't know how much to read into their use of "some" and "likely" i.e. "some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error"

I would want to know whether they can demonstrate that wrong passwords were used in this attack. And have an explanation for those users who received the email a 2nd time after changing their passwords.


I was just able to trigger the email again on a bad password. Going to figure out the exact 123โ€™s and screen record.


The proper response to this;

0. Consider using a new device for the following or wipe and reinstall an old device in case it's a malware/spyware attack.

1. Change your email provider(s) passphrase first, assuming it may be compromised. This is your key to recovering most other accounts if necessary. Make sure 2FA is turned on.

2. Work down the priority list (financial, work, GitHub, etc.) and reset passwords. Turn on 2FA where applicable.

3. Consider using integrated browser password managers (slightly less in-band signalling for such a security-sensitive tool) or your own locally encrypted list which can be synced with version control to other devices.


This just happened to me today, but login location was Bangkok. I also havenโ€™t used my lastpass account in almost 2 years since I switched to Bitwarden, so no way this could have stolen from my computer recently


I too moved to bitwarden a year or so ago. Kept my lastpass account around just in case. This post inspired me to finally delete it for good.


Exact same here. Made the jump around a year ago and this post made me realize the lastpass was still a liability so just deleted it.


Same thing for me, havent used my account for years, has strong password and I just got an email that someone from Paris tried to login but was blocked.


!!! This makes 6 of us in this thread...

It's improbable that we were all phished years ago by the same group...

Was the LastPass extension hacked years ago (as mentioned in https://news.ycombinator.com/item?id=29707325 ) and all of our master passwords were leaked/stolen, and someone just attempted to use them?


Same thing for me as well.


Can you please post more information?

Was this an old LastPass account? You didn't use this master password elsewhere, etc.?

Thanks!


Old LastPass account with a random string as the password, definitely not used anywhere else


And you received the same "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email?

Someone is tracking IP addresses now in the thread -- would you mind sharing what was your attacker's IP?


154.201.46.49


Thanks!


This just happened to me Nov 10. I created a brand new LastPass account (created for the sole purpose of retrieving a password a client shared with me), generated a password from 1Password and copy/pasted it into the sign-up form in Chrome. It was barely an hour later before I got the โ€˜Login attempt blockedโ€™ from Sรฃo Paulo.


That's really bad, and possibly invalidates the theory that this is a breach dating back from 2017...

Would you mind sharing the ip address that attempted to login?

Also, you created the account this year, in 2021?

Thanks


Yep I created the account just last month, here are the 'Was this you?' details from the email:

Time Wednesday, November 10, 2021 at 2:57 PM EST

Location Sรฃo Paulo, SP 01323, BRAZIL

IP address 160.116.92.198


Thanks for confirming.

This is what's really, extremely troubling: some of the accounts (which had almost successful login attempts from the 160.116 range) here were created years ago. Mine was from 2017, others were too.

But a few reports, like yours, talk about recently created accounts.

In my personal case, I've never logged into that LastPass account since 2017.

So... was there a vulnerability back in 2017 and very recently? Or was this a recent vulnerability? Do the attackers have our master passwords, or did they discover some ability to counteract the master password verification, which is triggering those emails to be sent?


Could it be that some malware were run on your machines recently (say a few weeks ago) which extracted the master passwords and then used it now? If your LastPass master password was stored on your computer then malware could have collected it and sent it off to some attacker.

Or could it be that all of you guys are using the same router, same ISP, same anything-else, which has snooped on traffic and collected the credential?


Malware is not impossible, but in my case, the password is stored in an encrypted keepass file. Did the malware wait for me to open my keepass vault and snoop the password then? Possibly. But it presumably could/would have done much worse things.

Other people in this thread are also confirming that their password was unused anywhere else.

And as more independent people are reporting the same story happening to them, the less probable it is that we were all hit with the same malware. It's looking more and more like this is something happening on the LastPass side.

A router/ISP should not be able to snoop the traffic between us and LastPass as presumably it's encrypted.


Let me preface by saying I'm speculating of course.

> Did the malware wait for me to open my keepass vault and snoop the password then?

It's not impossible at least. There's been vulnerabilities in Keepass RPC which allowed any javascripts on Internet reading your passwords [1]. If a simple javascript can read secrets from keepass, I would not be at all surprised if that has happened.

> the less probable it is that we were all hit with the same malware.

Sure. But there's also some selection bias here, were a lot of people visiting hackernews is affected. On twitter, everyone (more or less) who's discussing this issue links this post, which at least in theory could indicate that the scope of the issue is relatively narrow (compared to the entire internet). It could be that some specific developer tools or libraries have been affected for example (as any of the recent packages on NPM which people claim may have sniffed credentials).

1: https://forum.kee.pm/t/a-critical-security-update-for-keepas...


I copy/pasted the password from 1Password, it may lend credence to the malware Chrome extension theory, at least in my case. Anybody else using these?

uBlock Origin, Google Images Restored, Allow Right-Click, Clear Cache, StartMeeting.com Launcher, ShowPassword, Tampermonkey, Usability Hike: Find usability problems, Window Resizer, Tag Assistant Companion, Google Analytics Debugger, Google Docs Offline, Google Optimize, Google Suspicious Site Reporter


I use uBlock Origin too (only one in common with you), but in my case, I hadn't copied/used the master password before the login attempt

The login attempt was out of the blue, using a password I hadn't used since 2017.

My LastPass password may have been compromised back in 2017, but there are at least two reports here of recent accounts being compromised as well (with the attacker connecting from the same 160... IP range)


happened to me too, the only one there I have is uBlock origin, matched what somebody also had. Hard to imagine it's ublock origin though because it has so many users.


Same issue for me.

Time Monday, December 27, 2021 at 3:55 PM EST

Location UNITED STATES

IP address 154.202.117.78

Password is only used for lastpass. It was caught since I use 2FA. I did previously have "The Great Suspender" chrome extension, which changed hands and had an update including malware, I wonder if this was the culprit.

I last changed my master password on November 24, 2017, the previous exploit was apparently resolved in July 2016.


Wow. Truly insane to see all of these confirmations pile up.

And like you, my master password dates back to 2017.

So there was another exploit after 2016? Or a much more recent one?

I haven't used The Great Suspender in the past.


I might be overreacting but if itโ€™s true then itโ€™s bad. Ive Been getting reports from my devices that all my accounts had been leaked in a data breach and I was thinking whaaa? What all of them? Wait a minute! Some of which I had generated complex long passwords for in Lastpass and even I didnโ€™t know what the password was. So this fits.

My Evernote account which I donโ€™t use any more is showing logins from Brazil. Iโ€™ve disabled and asked for an count deletion. Ive got a bad feeling about this.


Is this all today? Also did you check account history on your LastPass before asking for account deletion?


Yes just checked earlier when I saw activity here. Ive actually been getting reports for a few days about accounts being in a breach from iOS and Google and I have diligently changed my passwords. Then looked at the old Evernote account and saw logins from Brazil and India. I use 2FA everywhere important but if this master is compromised then itโ€™s all over. I cant delete my Lastpass account it is controlled by the organisation I work for. I can delete the entries there though. It is the old Evernote account that Iโ€™ve asked for deletion, and Iโ€™ve deleted all the notes. It itโ€™s already too late there they has obviously downloaded everything already. Sorry for garbled text Iโ€™m on mobile and headed back to home to assess on my laptop there.


Did you have country restrictions enabled? That seems to have (temporarily) saved a few people here


Another data point, same deal.

  Time Monday, December 27, 2021 at 1:29 PM EST
  Location Sรฃo Paulo, SP 01323, BRAZIL
  IP address 160.116.231.145
Went ahead and deleted my Lastpass account and changed my password in other password managers.


Holy moly!!!

Were you using LastPass around 2017? One theory that's floating is that we were all owned by a compromised LastPass extension 4-5 years ago.

Just trying to find some common thread among all of us (a thread that's different than "lastpass was owned" which presumably should be more improbable...)


I got the "Someone just used your master password" email too

Time Monday, December 27, 2021 at 3:05 PM EST Location Sรฃo Paulo, SP 01323, BRAZIL IP address 160.116.190.69

I haven't used LastPass since 2016 or 2017.


Thanks for this additional confirmation/data point!

Something clearly happened around 2017 to all of us... And to see the same ip range today come up again and again is really troubling.


Actually that can very much be the case. Just checked and I signed up for it on Sun, 4 Jun 2017, 08:17, which fits the breach (not sure what was the exact date on it)


I'm guessing that the email actually was a phishing attempt, and no-one actually has your LastPass master password.


Unfortunately, once logged into LastPass, I see the exact same information in my "Account History". I also talked to support on the phone and they confirmed it.

So unfortunately, not a phishing attempt!


Other poster above says support confirmed the master pass was used


I didnโ€™t receive any emails (usually they send them do when logging in from non-recent locations). I have 2FA turned on via Google Authenticator, also not used LastPass for a year or so. When I tried to delete my account, guess what โ€œSomething went wrong: A.โ€. Was unable to login again, but I was able to re-register and see empty vault, then delete it again with the same error message.

I contacted their support to check if itโ€™s gone for good, waiting for a reply. Lesson learned, donโ€™t forget to delete password vaults not in use.

account had 2FA set up, but I was able to simply remove it (since I didn't have access to the token anymore)

I rarely say โ€œamazingโ€, but this is the time.


Also getting that same error trying to delete my old unused Lastpass account :(


Given weโ€™re likely stuck with passwords for the foreseeable future, Iโ€™d like to see two things in a password manager (maybe these exist?)

1. โ€œhardware walletโ€ level security, with good UX. Maybe a USB/Lightning dongle, but I really wish computers/phones had built-in capability to do hardware wallets. Apple TouchBar got close (I realize it wouldnโ€™t considered be a dedicated hardware wallet).

2. a way to automatically roll passwords periodically (with a small amount of user intervention, per requirement #1). This would require either some excellent AI or crowdsourced automations for every website.


> โ€œhardware walletโ€ level security

This is mutually exclusive with passwords:

A hardware wallet never reveals its private key and allows you to review and approve private key operations through a well-defined and hardened interface. Passwords are bearer tokens, and there is no such option.


I use pass[0] against a Yubikey with a touch-policy that requires a touch to decrypt. I use passmenu, which types up the password (using xdotool) so clipboard stealing isn't as easy (probably adds a different attack vector though).

Not as good as webauthn etc, but still better than copy-pasting passwords, or a browser extension that keeps passwords decrypted in memory.


2. a way to automatically roll passwords periodically

Ironically, thatโ€™s what LastPass can do for many important sites. Technical details: it opens a site, clicks around its menus and does that for you, and you see all of this automation on your screen. Imagine how many non-2FA users are now experiencing automated password resets on their most valuable accounts.

Iโ€™m all for 1, as I take my physical keys with me everywhere, but random ISB solutions out there I donโ€™t really trust any more than e.g. lastpass.


1. Check out https://www.themooltipass.com


Cool, great start, but something Yubikey sized would be more practical.


It can be done with yubikey. Passwords stored encrypted on disk and get decrypted on the yubikey with gpg.

https://github.com/drduh/YubiKey-Guide

https://attackpointsecurity.com/go-pass-yubikey-and-gpg


Isn't a hardware wallet airgapped?

For a cheap alternative you can use an old smartphone, and disable all radios. People will use a Librem 5 in 20 years still for this purpose wink.


> Isn't a hardware wallet airgapped?

No, most of them connect over USB. The important thing is reducing the attack surface to a bare minimum with simple protocols and implementations.

I think at a minimum it would need to emulate a keyboard to type out complex passwords. Ideally it could also receive simple commands from, say, a browser extension to request filling in a specific website.


I remember reading that LastPass had a breach, some time ago.

I think that LastPass and 1Password are the ultimate targets for hackers.

Wouldn't surprise me if they got in. Hackers ain't Matthew Broderick, anymore.

EDIT: Deleted somewhat cynical editorializing


My bet is on the 2017 breach. Those affected/unaffected can share how old their master password is? With enough data points it can be easy to pinpoint.


My master password, and whole account, was definitely from 2017.

Which 2017 breach are you referring to? This?

https://www.theguardian.com/technology/2017/mar/30/lastpass-...


Yes, my bad,it's technically not a breach, since in theory it was never exploited.


No, it's super interesting.

So presumably back in 2017, the vulnerability was found but considered to be un-exploited, but it's maybe turning out that our master passwords did get breached back then and laid dormant for a few years, to be finally used just now?


What happens with such data is the pastes get distributed eventually (used to happen on a forum like Hackforums or Chan, moved more towards Tor I can imagine). Then it recently got in the hands of an attacker who tried to exfiltrate the data.

We don't know if the attacker tried the same password on a different service, such as Gmail for example. It does not make sense to not try this, given the geoblock.

I remember seeing on a hacker conference in 2019 a demo by some Italians (in my mind I think about Evilsocket) of a phishing attempt where they automated the process of getting the 2FA from e-mail. Geoblock or IP whitelisting is essentially a form of 2FA.


My bet would be on malware or compromised browser extension. You probably typed (or copy/pasted) the password ans something kept a copy along the way.


Compromised browser extension could make sense, aye.

Do Chrome extensions have access to the file system too? Is there a chance my local KeePassX file has been siphoned off?

Thanks


I don't think that's possible, more likely an extension that has access to the login form of lastpass


Got it, thanks. And yes, you're right, after checking, Chrome extensions don't have access to local files by default. I checked all of the extensions I have (after disabling them all) and none had "file access" enabled.


Clipboard access might be possibility.


Chrome extensions can run native binaries, so yes.


they can't


They can. Look up native messaging ports.


that doesn't let you launch processes, it lets you interact with running ones. even if the chrome extensions could launch new processes, they run inside Untrusted integrity level on Windows, you can verify this at chrome:sandbox and checking the Chrome task manager (shift+esc). You cannot interact with processes above your own integrity level nor launch processes with an integrity level higher than your current.


I stopped using Lastpass in 2017 after the second breach that year that allowed remote code execution:

https://en.wikipedia.org/wiki/LastPass#2017_security_inciden...

It wasn't so much that that happened, but rather their response:

https://blog.lastpass.com/2017/03/important-security-updates...

- "Our investigation to date has not indicated that any sensitive user data was lost or compromised"

- "No master password change is required"

- "No site credential passwords need to be changed"

Given the fact that an attacker could run code in a user's browser extension without any communication with Lastpass servers, there was no way for them to know whether the master or site passwords had been stolen. The only responsible thing for them to do at that point in my view was to recommend everyone change all their passwords. Instead they completely played it down.

So they completely lost my trust and I spend the next several days moving off Lastpass and changing the passwords for hundreds of websites...I feel for all of you finding yourselves in that situation now. :-(


Discussion from the time:

https://news.ycombinator.com/item?id=13924737

https://news.ycombinator.com/item?id=13941468


After reading that is wasn't phishing, my first thought is that they use log4j internally and the attempts to extract user passwords via email came from the inside.


Adding to the chorus. I used LastPass until 2018. I received a similar email from LastPass (and had forgotten that I never got around to actually deleting the account after I migrated).

My master password was a long multi word phrase with numbers and special characters, and was not used for anything except LastPass. I find their claims of credential stuffing suspect.

Edit -- Also had MFA enabled and received the email in November.


Hey, could you please confirm whether you have uBlock origin installed in the following thread? https://news.ycombinator.com/item?id=29719033

It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!


FWIW, I migrated off paid LastPass onto the free BitWarden plan recently and my experience has been much improved. I was a huge LastPass proponent in the beginning and at the time they seemed like the obvious best choice in a field with few options. But they have definitely not been able to keep up with the times and their paid service just isn't even comparable to what is now available for free.


Similar story as you, promoted LastPass when it first started because it worked and was the obvious choice. About 3 years ago I finally switched to BitWarden after realizing Lastpass was never going to fix their terrible UI. A few months ago I switched to 1Password though and am very happy. It has a few nice QOL improvements over BitWarden IMO, though BitWarden was leagues better than LastPass at least.

This post prompted me to go in and clean out/delete my old LastPass account though!


> It has a few nice QOL improvements over BitWarden IMO

Mind sharing what in particular you found to be QOL improvements? I'm curious.


Here are a few in no particular order:

-When adding an item on desktop & then immediately trying to use it on another device I had to manually open BitWarden & pull down to refresh for the item to show up. It wouldn't auto-refresh when opening in Safari or another app, I had to open BitWarden itself to force a refresh

-First class support for Apple Watch. Apple watch support on 1Password for desktop use while my MBP is in clamshell mode works fantastic. When not in clamshell it lets me unlock either via TouchID OR Apple Watch, which is really nice. I almost never have to actually type my password. Plus you can add individual items to your watch for viewing.

-Sharing items to my family members is way simpler than with BitWarden. This was the one that pushed me over to 1Password actually, my girlfriend wanted to start using a password manager. The documentation for having family members/shared entries with BitWarden was pretty confusing and kinda wishy-washy on how exactly to setup that kind of thing. 1Password also recently added the ability to share an item to a user that doesn't use 1Password (via a link with the ability to set a time limit) which can be handy.

-1Password seems to do slightly better with finding authentication related fields in random web pages & apps

-In general I just find the workflow for adding new items/recalling old ones with 1Password slightly more intuitive than with BitWarden

None of these are dealbreakers for using BitWarden at all IMO, just QOL improvements via a paid-for more polished product. BitWarden provides a very solid experience especially considering the free tier, I just think 1Password is a little more polished.


Thank you for responding!


I got the same thing in the last month. Then my bank account had 7 transactions from ali express about a week later. Nine were mine. I deleted everything in lastpass and deleted my account.


Nine out of seven? How does that work?


I assume typo for โ€œNoneโ€


I think they meant none.


Ah yes, that makes more sense. Thanks!


I'd get in touch with LastPass support asap to see if they have a digital trail to help you figure out what happened.

I'd also guess the most plausible situation would be malware on your computer that managed to sniff your credentials in-transit/clipboard/memory/browser/keyboard and exfiltrate it to some shady folks.


Thanks

Sending emails to support@lastpass.com doesn't work ("This inbox is not monitored") and I have to upgrade my account to contact their support, which I'll do right away.

EDIT: after checking, the login attempt does appear in my Account History (my original email said it didn't -- I wasn't looking in the right place)


I suspect that it was a random phishing attempt.

> Login attempt blocked

> Hello, Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look.

Looks fairly classic. Might want to look at the email headers, to see if it really came from LastPass.

I get about ten of these a day. Some are scarily well-done.

Most are for banks that I don't use, but I also get a lot of attempts to grab my AppleID. My Apple (mac.com) address is an OG address, and has been making the spammer circuit for over a decade. I suspect that I actually get hundreds of spams a day, but Apple is good at nuking most of them, before they reach my inbox.


I checked and the same information regarding the attempted login appears in my LastPass "Account History". I also talked to support and they've confirmed this.


Quick note that apple allows you to download a recovery code and disable all other account recovery mechanisms which I found incredibily soothing.


I sense sarcasm, but in case my sense is off, there is a webapp which allows you to log into your apple account and webapps are known to sometimes have security issues.


I'm pretty sure you can get a full login attempt history from them in the ui - can't verify though, don't use LP anymore.

Try a bogus attempt yourself with wrong PW, or from a cloud host/vpn/etc to verify the audit log you can access.

Assuming it does list your attempts, then yeah, it would have to be phishing/lp bug.


Yeah, thanks, I was finally able to find my Account History, and the foiled login from Brazil does appear there. So it seems like the email wasn't phishing.


Heh, I reached out to that same email literally earlier today to complain about their abysmal Android support, and I'm already a paying customer. I'm not happy with their non-response automated email and will be looking for a good alternative.


Without knowing anything about LastPass, a few ideas come to mind. First, is your master password only something that exists in your head? Or is it written down anywhere else either digitally or physically. If so, someone may have gained access to that. Did you use the same password anywhere else, ever? If so, it could have been in a database of possible passwords that someone used to try to brute force a copy of your KeePassX file, and succeeded. Also possible liabilities for brute force attacks are using a password that contains some kind of facts or information related to you, such as a birthday, loved one's name, address, etc, etc.

The other possibility that comes to mind is a man in the middle attack of your password was ever sent over the wire with zero or weak encryption, when someone was snooping, like on coffee shop wifi or even a nosy neighbor on your home wifi.


Thanks -- this specific master password was only stored in another, offline, password manager.

The specific password was computer generated, and I have not used it anywhere else i.e. it was only created for this LastPass account.

That's why this (probably) either means that my local password manager has been compromised (catastropic if true) or that the info I received from LastPass is not completely accurate..?


LastPass posted on their blog Dec 28 that they have identified a problem that resulted in emails being sent incorrectly:

https://blog.lastpass.com/2021/12/unusual-attempted-login-ac...

"However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert emails to be triggered from our systems. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved."


Changed mine just incase. I don't use it anymore I think everything in it is obsolete but always nervous something old is still active in it and I would lock myself out.


Remember to change the setting that lets you revert it to previous too ;)


Also a good idea to rotate each site password.


What are the chances this has something to do with Log4j Vulnerability?

[1] https://community.logmein.com/t5/LastPass-Support-Discussion...


I also just had this happen as well and have the same setup. Unique password stored in keepass-x and I use the chrome extension. I have very few installed though, so hopefully not a malicious one there.

installed extensions: ublock origin, OneTab, Lastpass, metamask, cisco webex, edit this cookie


Thanks for the report. We're probably at 25 reports in this thread by now.

Could you please confirm which ip address the attacker tried to login from?

Also, how old was your account?


My account was created in 2013 and changed the password last in 2016. I went back and looked in the audit log for the last year and there was nothing else suspect. Just some failed logins, but that's pretty common, I didn't see any logged in usage from any IPs but mine


Sure, this is the email

Time Tuesday, December 28, 2021 at 6:20 AM EST Location GERMANY IP address 160.116.206.37


Thanks! Same 160.116 ip range as me and many others here.


My login attempt info: Time Monday, December 27, 2021 at 5:51 PM EST Location GERMANY IP address 168.81.122.153

It was definitely a unique password. Last set in 2017, but changed now. I had just purged virtually all the data in the account recently, but it's still frightening.


Mine was similar

Time Tuesday, December 28, 2021 at 6:20 AM EST Location GERMANY IP address 160.116.206.37


Thanks for your report! There are more than 20 independent reports here... Really scary.


Guess? Either you fell for a phish or my intuition tells me you may have run an infostealer malware (exfils data and leaves little trail). No matter what type of 2fa you have, it is useless if the auth token can be accessed post authentication (cookie theft basically).


I used Keepass + Dropbox (to sync database). This set up was suggested to me when I joined a company that requires complex unique passwords for all sign ups. At the time I didn't think too much about it, but this thread has made me thankful I was guided in this direction.

I don't have experience of any other password management software, so I certainly can't compare and contrast. But I will say Keepass + Dropbox has worked flawlessly for me across desktop, laptop and mobile. The biggest inconvenience I have had is things like manually typing in a Netflix password into a Smart TV when on holiday (just takes time with long passwords with capitals, lowercase, numbers and symbols).


Netflix is a problem for every password manager, since they insist on using their own onscreen keyboard. Even if youโ€™re on Android TV, you canโ€™t switch to the remote app to copy & paste a password. Very annoying, but Iโ€™m starting to think theyโ€™re doing this to make password sharing more of a bother. (Even if itโ€™s just one sign-in being more of a chore)


It happened to me to but I'm no longer using LastPass for years now. I got an email saying that somebody tried to access my account from the US (the attacker is using a VPN) and changed password and recovery email on my Outlook account


Did it just happen to you today?

Did the email say that "Someone just used your master password to try to log in to your account from a device or location we didn't recognize"

And was that master password generally secure / wasn't used anywhere else?

Thanks!


Do you ever store your LastPass in your clipboard? Malicious apps on some platforms can access your clipboard without your knowledge. Do you use a clipboard manager? Is it trustworthy? Does it store data safely on disk?

Good questions to ask yourself


Good questions for sure!

In my case, the LastPass master password hadn't been used since 2017. It was stored (safely, I presume or at least hope!) in a local encrypted KeePass password manager file.

I definitely could have malware on my computer that sniffed/read the KeePass file while it's temporarily unencrypted (when I open it to get a password).


Same issue just arose for me but got 2 emails from different IPs. Master password only stored in my head and is completely unique. Master pre-dates 2017. I have only used LP on my one PC and the phones I have used over the years. The only device I do not still have in my possession is one that I traded in 3 weeks ago for new device (I wiped the trade-in).

Location UNITED STATES IP address 198.23.179.27

Location Frankfurt am Main, HE 60313, GERMANY IP address 168.81.130.131


If you change the masterpassword, and then still get the same message after that, then this means it is not from some old hacked data store, but it is someone able to glean the latest masterpassword from your account live.

I saw this on twitter, but cant reply as I am in twit jail: "Exactly the same thing happened to me last night. They tried again literally minutes after I changed the password to something not used on any other form."


Hopefully LastPass is already researching. Nothing on any other boa d, Twitter or on LastPass webpage. The Chrome vulnerability was 2019. Long time to stand in the shadow.


LastPass support brushed it off, unfortunately. A second agent I talked to (after the story started picking up here) reached out to Level 2, but they also brushed it off.


do you have it installed on your smartphone? have you ever entered your master password on your smartphone? what sort of smartphone do you have, does it get security updates regularly, is the manufacturer competent?

same with your desktop. is everything up to date?


I have an iPhone and I do have my keepass file there too. So yes, presumably, the iOS app that I use could have accessed my keepass file and sent it unencrypted over the network to someone (which would be terrible).

Thanks for the comment/reminder! I'll definitely have to re-consider what I do with regards to the keepass file on my phone.


also, just for grins. have you checked to see if the same email is generated in error when a failed login attempt happens from an unknown location?


Yes, good call. And I did just check.

A wrong password = no email.

Correct password from different IP = exact same email saying "Someone just used your master password to try to log in to your account from a device or location we didn't recognize"

That's the exact same email I received earlier with the Brazil IP.


Just happened to me a few hours ago. Completely random password only written down in a notebook locked in my safe.

- - - - - -

Login attempt blocked Hello,

Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look.

Was this you?

Account <my email> Time Tuesday, December 28, 2021 at 7:33 AM EST Location UNITED STATES IP address 163.198.130.161


Also haven't used the account in years so that's even more odd.


Thanks for the report!


Just got the same notification 2 hours ago, from IP address 107.173.195.213


Did your email say "Someone just used your master password to try to log in to your account from a device or location we didn't recognize"?

Just trying to verify that we're all concerned with the same problem.

Thank you


I see a lot of people suggesting other password managers, so I was wandering am I the only one who uses google's? I've used lastpass briefly but it was pretty buggy and didn't feel like it was worth the price. Google (Chrome) password manager is free, and recently got a native autofill for android, which works flawlessly, compared to others.


Chrome password manager probably works great for chrome logins. But it requires everything google. Storing other secrets in there. A bit locker key, game passwords, Firefox, or really anything outside of the google world. Is not going to be that easy in Chrome.

The Chrome option is great at what it does, slightly limited, and not that customizable. Personally I also dislike password manager where the company making the manager also provides the cloud storage used to sync (encrypted) passwords between devices.


Chrome and Firefox both have decent password managers, so I use them.

People are only satisfied with the overall situation because there hasn't been a generic zero-day affecting major email providers or senders allowing mass exploitation of password reset flows.

Federated logins are probably the way to go, though. Folks who "don't trust cloud providers" to store their passwords are already trusting the same companies for their entire OS, possibly the hardware, and significant application stacks, or else they already have plenty of Free Software tools available to manage passwords.


This is quite interesting. The first thing that comes to my mind is the clipboard sniffing. Copy/paste should be never used for passwords. Using it for master password is even more dangerous if you are using a cloud based password manager. KeePass(XC) has Auto-Type after all.

I also wonder if these cases with 1Password and Bitwarden are related: https://old.reddit.com/r/1Password/comments/rimvc8/constantl... https://old.reddit.com/r/Bitwarden/comments/rmp1c4/what_is_t...


Not an answer to OP but I had seen that that on HM a while ago : https://www.lesspass.com/ Really liked the idea of not having to rely on a third-party ... But I never used it because of Firefox master password and sync functionality. Too lazy.


I switched to BitWarden from this, this works well until a site forces you to change your password (or has arbitrary password requirements), then it's basically impossible to do.


I wonder how secure is the Firefox solution vs LastPass and others.


A bit off-topic but to all the security experts in this thread, what's the best way to encrypt a USB that is being carried around? Other than security I am also hoping for a bit of portability where I could plug into, say, public computers and able to see the contents relatively quickly. Is BitLocker considered as "secure"?


I just checked my account, no login attempts on my end. My master password is not stored or written down anywhere.


Reading the comments here there's one possibility that I haven't seen mentioned in that there may be an issue with lastpass allowing some level of access into people's accounts without actually having the password (which wouldn't enable the attacker to access the encrypted data).


let's not make any ridiculous assumptions


I sense sarcasm, but in case my sense is off, there is a webapp which allows you to log into your lastpass account and webapps are known to sometimes have security issues.


Yeah me too. Same IP range too, but location listed as Toronto. Not that this means anything.


More data (mine as well):

Monday, December 27, 2021 at 12:27 PM EST

Location INDIA

IP address 196.19.204.79


Wait sorry, this might be actually critically important.

When you say same IP range, what do you mean? The IP that the login attempt happened from starts with 160.?

If 4 of us (in this thread) all had quasi-successful login attempts to our accounts, it could mean that some LastPass master passwords have been leaked...?? Or LastPass has been compromised?


Also FWIW I too have not used Lastpass for 2-3 years. Login history doesnโ€™t appear to go back that far but Iโ€™d estimate itโ€™s at least 2 years since I logged in.


Begins with 160.116โ€ฆ


Exactly the same here!!!!

Wow, this is fantastically bad.


The location supplied by the LastPass notification for these login attempt IPs seems off. E.g., just taking some of the IPs most frequently posted here as sources of master password login attempts:

196.19.204.79 Stated location: India WHOIS: Poland Warszawa Unit 117, Seychelles (Legacy) AFRINIC AS202769 COOP, US

160.116.206.37 Stated location: Germany WHOIS: Affiliated Computing Services, South Africa AFRINIC AS262287 Maxihost LTD, BR

168.81.122.153 Stated location: Germany WHOIS: Seychelles AFRINIC 202769 COOP, US

Someone is probably putting bogus information into the routes for these IP ranges. But what do all of these IPs have in common? According to my records, they are all related to a dodgy hosting provider in the Netherlands called Ecatel, now called Qasi Networks or IP Volume. And this is all disputed AFRINIC IP space, as per:

https://krebsonsecurity.com/2019/12/the-great-50m-african-ip...


OP, the direction of this is totally based on these questions:

- have you reused your LP master password as a password anywhere besides LP.

- have you entered your LP master password into anything besides a LP login window. (edit: nvm, ya it went into the other PW manager. Without investigating that, not worth pointing the finger at LP and causing enterprise LP account usage chaos).

- Do you enter the LP password into only the browser extension from LP, your phone's LP app, and any other LP-official services when you log into it.

If you can do a yes/no answers, totally clears this up or totally escalates it.


> - have you reused your LP master password as a password anywhere besides LP.

No. I computer generated this password to use it for this LastPass account only. The password was secure (mixed alpha case + numbers, longer than 12 characters), and stored in an encrypted KeePass file.

> - have you entered your LP master password into anything besides a LP login window. (edit: nvm, ya it went into the other PW manager. Without investigating that, not worth pointing the finger at LP and causing enterprise LP account usage chaos).

I have probably logged into lastpass.com's web ui directly i.e. without using their extension. So a compromised extension (back in 2017 when I last used this account/password) could have sniffed it. Or a malware monitoring my clipboard.

> - Do you enter the LP password into only the browser extension from LP, your phone's LP app, and any other LP-official services when you log into it.

As above, I most probably have used the password while logging into lastpass.com in Chrome with other extensions active.


Because it was stored in KeePass it sounds very likely that youโ€™re copy pasting it into LastPass, which could have been intercepted by any malware that accessed the clipboard. Especially if you allow clipboard access to your phone from your computer.


I agree, that's a possibility.

What's harder to understand:

- with so many independent reports, including reports from accounts created as recently as Nov 2021, does it mean that we were all compromised by the same malware (across different devices, operating systems, etc.)

- even stranger things like:

https://twitter.com/Valcristerra/status/1475734357805572098

"Someone tried my @LastPass master password earlier yesterday and then someone just tried it again a few hours ago after I changed it. What the hell is going on?"


My girlfriend once asked me why I don't use a password manager like LastPass. A week later she got locked out of her LastPass account because she was inadvertently using an enterprise account that one of her clients forced her to use while on a project. And even though she was paying for her own premium LastPass subscription, the support experience had was terrible. Issue was resolved when the client was able to unlock the account for her, but it was a pain because it was during the holidays. I would avoid a password management software because of her experience.


Your friend used a commercial service under contract for someone else for private purposes, and you conclude that therefore all password management software must be bad? This is definitely not what I have in mind when I recommend people to use a password manager.

And regardless, people should finally take this to heart:

If something is important to you, back it up in a format that you can read with offline software. I don't care if you store it on punch cards under your pillow or in The Cloud, so long as it's independent of the primary copy (such that you can access it regardless of access to the primary copy, and such that you don't need the original service to load the data in order to read it). It doesn't sound like that was the case for your friend.


This is like saying that you should never store anything on a computer because you know someone who got locked out of their work laptop with important documents on it after they were let go.

The real lesson here is to never put anything sensitive or personal on corporate devices/services.


What can we learn from this apart from not saving private data into someone else's corporate account?

I don't think it's the password manager's fault, mistakes like that can happen if you don't double check whose the account is.


So what do you do to remember passwords? Do you write them down on paper, or maybe save in browser? I'm curious, I've pondered writing down my pivotal passwords on paper and hiding in a book or something.


Personally I combine a hash of something site-specific, eg. name, purpose etc and a base alphanumeric string. Allows each account have their own specific credentials while not being overly burdensome to remember.


What do you do for sites with strange password requirements, like 12 character max or requiring you to use a very specific set of special characters?

I used to do what you described but my base password was rejected by far too many sites because of absurd (and insecure) requirements.


> requiring you to use a very specific set of special characters?

Stupid requirements don't matter. If you have a secure password, e.g. a passphrase consisting of 7 random words (diceware) and the service complains that you're missing digits, uppercase, and symbols, then adding A0! to the passphrase does not make it less secure. Appending anything never makes it less secure. You can also write down in plain text and store on pastebin what you added per site because it's not part of the secret anyway. (Okay okay, might as well keep it private rather than pastebin; it's about the general point.)

> like 12 character max

This is not that common anymore, most services have reasonable limits. If you do run into one and it's too important not to use, then you don't have a choice anyway: you'll have to make an exception to the scheme and memorize or store an actual password for once. Doesn't mean you have to design all your other passwords for one exceptional case.


Ah, must've missed that you have an alphanumeric string. Mine had a couple symbols in it. I personally really like diceware passwords but the guesswork of "oh does this system have a 24 char max, does this one require special chars, etc" just got to be too much effort.

And while the 12 char max is (mostly) a thing of the past, I run into max char issues (usually around 24) far more than I should in 2021.


great, unless you get hit on the head.


At least consider an offline manager, one where you control updates and backups. Either way, even using a dodgy solution (like LastPass) is probably statistically better than not using a manager at allโ€ฆ


I completely agree; sticky notes have a much superior support experience


Just tried to delete my lastpass account and get the following message: "Something went wrong. : A" Not very confidence-building. Anyone know how to work around this?

Also: Went to https://support.logmeininc.com/lastpass/help/delete-your-las... and it doesn't actually tell you how to delete the account, just tells you how to recover your password. Methinks this is all a dark pattern.


There are multiple independent reports here of that error happening as well!

See: https://news.ycombinator.com/item?id=29708961

One commenter noted that it wasn't possible to login again (after that error happened), so presumably the account was deleted...?


same thing happened to me (deletion error; could not log in again)


I wonder if deleting a LastPass account with the devtools opened would have showed us the full error message going over the network. Or maybe the server is truly just sending back "A".


Have you actually contacted lastpass about this?


I contacted LastPass support twice over the phone about the suspicious login attempts. I was shrugged off twice.

I contacted them again by email yesterday, adding the link to this thread, and mentioning the number of similar ip addresses that all attempted to login, presumably with the knowledge of the master password (or a workaround around it? or the password's hashes?). I'm hoping it gets escalated.

Also, I have not contacted LastPass about the error that shows up when deleting an account. I'm keeping my account around since I want to have access to the entry logs related to all of this for now.


He wrote elsewhere that he contacted them but they shrugged it off, or something like that..


As a 35+ year software engineer with a very strong networking background I cannot understand why anyone would put anything in the cloud. The likelihood of me getting hacked is pretty rare. I'm just not that important. Now put me on a server with dumb/non-tech savy rich important bankers, politicians and celebrities on a publicly accessible network and I am a target. So stupid. What's even dumber is that people pay for this service!

Hosea 4:6 My people are destroyed from lack of knowledge.


Here's what happened when I tried deleting my LastPass account: https://i.imgur.com/QazTVTD.png


Same here. However, trying to log in again fails with a "you may have mistyped the email address" so it seems to have worked.


Same. Looks like the deletion went through tho - can't log in anymore. Knock on wood.


Same


Trying to delete my old inactive account and it keeps throwing a meaningless error: "Something went wrong. : A". Wish I'd been more sensible and done it earlier.


I saw the same error earlier today, but trying to log into LastPass.com now shows this error: "You may have mistyped your email address. Try again."

At this stage, it's unclear if my account is already deleted, or if my account is flagged for something else. If it's deleted, it would have been ideal to send an email confirmation about it, but that hasn't happened so far.


Try logging in on Lastpass.com. I got the same error but it says the email is wrong (seems like the account is deleted)


Got the same thing. Doesn't engender any trust at all as there's no confirmation that account is actually deleted. Changed some key passwords again just in case. Switched to 1password a while ago and really hope it doesn't suffer from these kinds of issues.


> Either the 3 of us had the same malware/Chrome extension

Is stealing the master password this way possible in practice? As far as I know, Chrome extensions cannot inject e.g. JavaScript into tabs and toolbar popups that are owned by Chrome extensions. Random pages and extensions are able to send string/JSON messages to an extension but message sources usually have to be on an allow list + JavaScript `eval` should be disabled in the Chrome extension context.


I sometimes didn't use the LastPass extension, and simply logged in by going to lastpass.com and filling out the login form there. That form could have been compromised by an extension.


I've been having this problem for the last couple of months. Correctly using my (altered several times) password that I don't use anywhere else. The attempts come from the Isle of Man. It could be any of 3 different devices that have been compromised. I've run 5 different keylogging detection programs on my machine and get nothing, so wondering if it's a Chrome extension exploit?


To clarify. This has happened several times of late with my account, even after having changed my password, that is exclusive to LastPass. LastPass successfully catches the invalid attempts (I also use 2FA), but still, a bit worrying.


I doubt this is your situation, but about 10 years ago, I discovered a personโ€™s 1Password database on a bookmark sharing service, and it was using a very poorly chosen password. My recollection is that it was a large text file containing Javascript code at the beginning and the encrypted text database at the end. The person must ha inadverantly saved it as part of arching their desktop files to the service.


I wonder if it's related to this https://www.reddit.com/r/privacy/comments/fdo494/facebook_kn...

"The password for this router had been generated using Lastpass."


Reading this thread is giving me major trust issues


I wonder if it's related to this https://www.reddit.com/user/KnewMyModem/comments/ip7o95/6_mo...


I'm a day late, but I just got a similar email but with an IP in Canada. So the anecdata continues...


Thanks, new reports always appreciated! There was a whole new thread today... https://news.ycombinator.com/item?id=29716715


Thanks! I missed that thread, so I came back to this one. I'll check it out.


I know this is irrelevant, but these are my two pennies. Apart from strong password and 2FA, I have restricted login only from my country. So can't login from other country, unless hacker knows which country I have set and uses that VPN. Also I have blocked login from Tor.


>Is there some LastPass extension installed on some computer still having a valid auth token allowing them to login as me to LastPass..?

You can kill existing sessions - see account settings destroy sessions.

Edit: All looks normal my side. No emails, no login attempts, but will change pass just in case


I've been getting lastpass 2fa codes via text sent to me before and after changing master passwords lately. However I don't get the authenticator notification like I would from a login attempt so I'm thinking they're attempting password resets?


Maybe,

but man I'm soo feed up with services requiring SMS at least for setup often as a non-disabelable fallback. It's not secure! (And worse sometimes allowing password resets using the 2nd factor.)

I understand that there is a usability issue for a non-resetable 2nd factor (due to people losing reset 2nd factor), but pls. give me and "advanced I know what I'm doing" option or similar.


Oh no it happened to me too

Time Monday, December 27, 2021 at 2:07 PM EST

Location Fair Lawn, NJ 07410, UNITED STATES

IP address 172.245.155.253


Fascinating, we must be at about 20 independent reports here.

When was your account created?


My account was created 13 years ago.


What year was your master password last changed? It shows it in Vault > Account Settings. Or is your MP also 13 years old?


just an fyi: this can be deceptive, as you can change the security iterations while keeping the master password the same, which will reset this figure.


Thanks a lot for confirming. Many accounts such as yours and mine were from years ago, but there are a few reports here in this thread about accounts created this year.

It's becoming harder to find a common thread between all of us.


Look at the email headers and post them here. Was the email actually from lastpass????!!!


Yes, the same information appears in my Account History and LastPass support confirmed it.

So in this case, it's not a phishing attempt unfortunately.


Could be that someone at Lastpass simply does not know how to write properly.

Maybe the attacker attempted to use the master password login festure without having the actual correct master password itself, and the email is poorly written.


Unfortunately, I just tried and that email is sent when the correct master password is sent.

When someone uses the wrong password, it doesn't send any email. (That event is logged though, and I see those failed attempts in the dashboard -- those, I'm less worried about, obviously)


Sounds like securing your password manager with two factor authentication is a must!


I'm the OP -- I had 2fa enabled on my LastPass account, but didn't have access to the token (a 2fa app running on an old phone I don't have anymore)

I was able to remove the 2fa myself by going through a recovery process and clicking a link they sent me over email...

2fa on LastPass is pretty much useless.


>I was able to remove the 2fa myself by going through a recovery process and clicking a link they sent me over email...

ah that's a little better if it at least needs email


I stopped logging in to my Google account because they keep sending me multiple emails about suspicious activity every time I do. Thanks Google... Finally mostly Google-free.

Not sure why anyone is still using Lastpass though...


I just tried logging in with the wrong password from a new machine and received an email with the same wording.

Anyone care to replicate?

I think the problem might be a badly-worded email- they may not have your password.


Got the same but from NJ.


Did your email say "Someone just used your master password to try to log in to your account from a device or location we didn't recognize"?

Just making sure we're all concerned with the same issue

Thanks!


Yup. Exactly that text.


Thanks for confirming!


I just had this happen to me as well. I don't use the password anywhere else and I also have it stored in keepass-x


some potential areas to consider

- used a VPN service that was malicious - router is compromised - someone near you was running a MITM device like Stingray (assuming you were using a mobile device away from home) - mobile device had unpatched OS (exploit gains root access via something like binary sms) - your desktop / laptop is compromised


Anyone else considering having another password managers, such as bitwarden, and periodically syncing it with lastpass?


Gonna ditch lastpass entirely because of this thread. Their premium stuff is expensive and 3x security incidents is too much for something where that is literally their only job


IMO the best solution at this point is to ditch lastpass. I moved everything over to bitwarden earlier this morning and rotated passwords of all my critical accounts.


You just reused LP masterpass and email on some random forum and thats probably whole story.


Does lastpass have a login history? first thing would be to check if the mail is genuine


Completely agree. I did check and my Account History is showing the same info. I also talked to their support and they confirmed this info.


That's really bad news.


Where is LastPass's account history?


- Lower left corner: Advanced Options

- In the sidebar that shows up, "View account history" -- it's in the middle of the page vertically

Make sure to use both "Logins" and "Events" when doing searches.

The "Login Verification Email Sent" (i.e. someone attempted to login with the correct master password) show up under Events.


disable logins froms countries other than your own for increased security


Careful doing this if you travel. Could be a real PITA if you get to a job site and can't log in to LastPass.


Lastpass is not a good password manager, use something like Bitwarden


there's countless exploits for lastpass. it's definitely possible they logged in, even without having your password. i remember seeing a list of like 10 lastpass exploits


Do you have your master password stored in a file or email someplace?


I only stored that LastPass master password in a KeePass file that I keep local and (obviously) encrypted.

I hadn't logged into to that LastPass account since 2017.

Hence, I presumed that my KeePass file might have been compromised, but it seems unlikely now, considering many other people (6? 7?) are coming to this thread with a similar story of their master passwords being known to the "Brazil" attackers as well.

i.e. our master passwords have been leaked. By when? And by whom?


I don't trust LastPass or practically anyone else to be 100% secure. I use keypass, and store the file somewhere I can access remotely (online file storage) then can access it via my phone. If someone hacks your file storage account, they still can't access your passwords. The master password can be as complex or composite as possible and you never enter it into anything except the secure screen in keypass. There are some neat plugins for keypass too.

TL;DR keepass can do everything lastpass does, while you still hold all the keys and the data.


Which password manager do you folks use?


Keepass + Cloud File Storage + Keepass plugins = about the same thing as Lastpass except you have more control; This could be a positive or negative thing I suppose though. :D


Lastpass has been a pile of hot garbage for a while, so this is somehow not surprising.


was it a login attempt or an actual login?


It was a login that (presumably, from what LastPass is saying) was "successful" in the sense that the attacker had the master password.

The login was blocked because they automatically block any new IPs from logging in until you approve a link that you get via email.


A login attempt without the 2fa token, failed with valid master password, so far a handful of others have reported it in this thread.


It's a side note, but I had 2fa enabled on my LastPass account but didn't have access to my token (it's an old phone that I don't have anymore).

I was able to remove the 2fa by clicking a link that LastPass sent to my email (confirming that I wanted to remove the 2fa).

So if anyone has your LastPass master password and has access to your email, it's game over and having the 2fa enabled on the LastPass account won't do anything.


Lol, that's horrible. Between things like that and simjacking, phones seem to be a terrible thing to involve in security. And people, I guess.


Yeah, and I used an app instead of sms on my phone for the 2fa token. Didn't make a lick of a difference...


Use bitwarden


Master passwords are static passwords by definition. It could have been an old fashioned keylogger for example. It could also be a phishing email attempt.

Disclaimer: I worked on the 2FA part of the saas pass password manager which never has a master password and always uses passwordless MFA like scanning an encrypted barcode for unlocking the browser extension.


> Is the email from LastPass accurate

I don't know LastPass, but is it possible to login and see what emails they sent you? Or maybe see a list of login attempts?


Yes, it's possible to see all of this in the "Account History"

And yes, the same things -- failed password attempts (i.e. someone trying the wrong passwords) and "Login Verification Email" (sent when the correct password is used from a new IP) -- all appear in the Account History.

Unfortunately, the phishing scenario is improbable at this point, and there have also been multiple corroborating reports in this thread.


People are always saying (smugly) how crucial LastPass is...


Do you mean LastPass specifically or password managers in general?

If the former: I haven't noticed that -- usually folks on HN seem to recommend 1Password or BitWarden.

If the latter: Password managers are important to resist credential stuffing attacks through password reuse.

While I don't like that many of them force you to upload your secrets to the cloud (LastPass, 1Password 8, etc), it's still a better security posture than having your weakest link be every site on which you've used the same password.


The former, and in my day-to-day career.


You trusted an online service to look after your passwords. Use something local, like 1password. I have no idea why anyone would use a hosted solution like LastPass. Of course something will happen?


> I have no idea why anyone would use a hosted solution like LastPass.

Convenience. I use Bitwarden. I get a lot of value from having my passwords synced across multiple PCs and my phone.


1Password allows you to use a local vault, encrypted with a master password, that can be synced across devices in multiple ways, for instance using Dropbox. There's no web logins going, no 'someone elses database' accessed over the web. I have used this solution for a number of years, and would _never_ go for a cloud option like lastpass, for important personal data.


Just a sidenote to clarify that the last version of 1Password to allow local vaults is 1Password 7. They are not supported in any 1Password versions going forward. Although from what I understand the company was gauging interest and open to eventually reintroducing this if enough people wanted it, based on this explanation: https://1password.community/discussion/comment/602340/#Comme...


I see no big diff actually. It offers you no more security if you're directly compromised. It also doesn't help much in reducing the risk of the 3rd party services being hacked, as your data still travels through someone else's cloud. The one attack you avoid by it is LastPass being hacked and your encrypted vault stolen - but then you also open up yourself for Dropbox being hacked and your data stolen attack (which also makes for pretty big attack surface with its automatic sync on all machines). In both cases the attacker gets the encrypted vault, so having a good master password is a smart move.

One should really stay away from storing the vault on any permanent online storage, and do the one-time sync using temporary file-transfer services or even better some private peer-to-peer transfer method - but then you loose a lot of convenience of tools like LastPass or 1Password over the Dropbox. And in security everything is in picking the right balance between safety and convenience for you personally.


There is a fairly big difference, you are decrypting a local file using a master password NOT stored on the internet. No data is going over the wire, no 'other peoples computers'.

Even if someone got your vault file, with a _very strong_ master password it's just not going to get brute forced any time soon. [1]

With an online-only solution you have no idea how they are storing your data. I think 1p local vault (only) with db sync with an extremely strong master pw is adequate, but indeed for most use cases, it could be better to simply one-way sync from your main computer to your mobile device with something like Resilio Sync and avoid Dropbox entirely.

I cannot bring myself to trust any online service with this kind of data. Nobody is getting my master password without hacking my machine, brain, or government backdoor. There is a lot of peace of mind to be had with a local system IMO.

[1] https://support.1password.com/pbkdf2/


I would disagree with your premise. LastPass get hacked you hear all about it (this thread being a perfect example). You also then get group minds chasing solutions and spotting issues.

If you get hacked, you wont even know, and when you try to figure out how your genius security solution was foiled, you are on your own there too.

The only way your data is safer is in your mind, which is the first mistake of security; you dont get hacked because you knew about the weakness, you get hacked because you didn't.

PM's are, in most cases, a lot more advantageous for many reasons. But you can't really compare the solo solution at all, imo.


> There is a fairly big difference, you are decrypting a local file using a master password NOT stored on the internet.

That's the same thing that LastPass does AFAIK. According to their site: "Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPassโ€™ servers, and are never accessible by LastPass."

So they pull down the encrypted vault to the local machine before decrypting it, it's never on the wire in an unencrypted form, nor keys leave your local machine.... which is essentially exactly the same thing that you do with 1Password + Dropbox for sync, just in one service. (At least that's my understanding, I might be interpreting the LastPass statements wrong, in which case please do correct me.)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: