LastPass Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Thu, 30 May 2024 17:30:34 +0000

LastPass Users Can’t Login to App after Resetting MFA
Published: Tue, 27 Jun 2023 14:16:41 +0000
https://gridinsoft.com/blogs/reset-mfa-in-lastpass/
Since May 2023, users of the LastPass password manager have been experiencing severe login issues after resetting their MFA.

It all started when users were asked to reset their multi-factor authentication (MFA) apps. Users are required to log back into their LastPass account and reset MFA after the company was hacked at the end of last year. We also covered this in LastPass Breach Investigation Goes On, Things are Even Worse.

As a reminder, the media also reported that Hackers Broke into the Home PC of the Developer of the LastPass Password Manager and Penetrated the Company’s Cloud Storage, and that Hunter Biden’s top-secret laptop was protected with a simple password.

The company announced the new security measures, introduced as part of planned improvements in this area, on May 9th.

Reset MFA in LastPass

As a result, many users were locked out of their accounts and lost access to their LastPass vault, even after successfully resetting their MFA apps (e.g. LastPass Authenticator, Microsoft Authenticator, Google Authenticator).

The problem is made worse by the fact that victims cannot even contact LastPass support for help, since that requires logging into their account, so they are stuck in an endless loop in which they are prompted to reset MFA again and again.


“Forced MFA resync now prevents me from logging in because LastPass doesn’t recognize the new MFA code,” says one affected user.

“After resetting the MFA, I completely lost access to my storage. The master password does not work, the reset does not work, and even the reset email does not come at all,” writes another.

“I was prompted to re-enter the master password, then I was forced to reset the MFA, which I successfully did, and now I cannot log in. I can’t even contact support because I need to be logged in to do it,” complains another victim.

At the same time, LastPass developers say they warned about the upcoming MFA reset through in-app messages “several weeks” before it started.

Since the warnings clearly didn’t work, the company is now sending out security bulletin newsletters explaining to users that these changes are necessary to raise the password iteration count to the new default value of 600,000.

“To increase the security of your master password, LastPass uses a stronger version of the Password-Based Key Derivation Function (PBKDF2). At its core, PBKDF2 is a ‘password strengthening algorithm’ that makes it difficult for a computer to verify that any 1 password is the correct master password during a compromising attack,” the developers explain in a bulletin sent to affected users.

“Forced logout + MFA resync happens as we increase the number of password iterations for clients. This is due to the encryption of your LastPass vault,” the company adds on Twitter.

In another newsletter, the company says users need to re-enable multi-factor authentication to stay secure when logging into LastPass.

“You must log into the LastPass website in your browser and re-register your MFA app before you can access LastPass on your mobile device again. You cannot reconnect using the LastPass browser extension or the LastPass Password Manager app,” the developers explain.

The entire procedure required to reset the pairing between LastPass and an authenticator app (LastPass Authenticator, Microsoft Authenticator, or Google Authenticator) is now detailed in a separate document.

As part of security enhancements, users are now prompted to verify their location when they sign in to a website or app using LastPass. Also, if you sign in to a site or app that used LastPass to sign in, you’ll need to re-enter your credentials and authenticate with the authenticator app. The next time you sign in to a site or app using LastPass, you are asked to repeat the same process as an added security measure.

“Following an incident in 2022, we sent email and in-product messages to our entire customer base recommending that they reset their MFA secrets with their preferred authenticator app as a precautionary measure. This recommendation was also included in the security bulletins we sent to our B2C and B2B customers in early March and follow-up emails in early April. However, some of our customers still haven’t completed these steps, so we’ve asked them to take action when logging into LastPass. We launched this built-in messaging product in early June in the hope that we would get more response than our emails,” a LastPass spokesperson told Bleeping Computer.

LastPass Breach Investigation Goes On, Things are Even Worse
Published: Thu, 02 Mar 2023 15:54:08 +0000
https://gridinsoft.com/blogs/last-pass-breach-updates/
LastPass, owned by GoTo (formerly LogMeIn) and with over 30 million users, revealed new details about the cyber incidents that have shaken the company since August 2022, when fragments of source code were reported stolen. In January 2023, the company admitted that the breach was more extensive, involving leaks of accounts, passwords, MFA settings, and licence information.

LastPass breach is much more encompassing

As the investigation discovered, hackers got into the home computer of a LastPass DevOps engineer as part of a lengthy targeted attack. Deploying malware there allowed them to reach corporate data in cloud storage resources. The unnamed attacker used data stolen in the August incident to plan and carry out cloud storage reconnaissance and exfiltration between August and October 2022. To do so, the attackers exploited an RCE vulnerability in a third-party multimedia software package to plant a keylogger on the LastPass employee’s personal computer. They were then able to intercept the master password and gain access to the DevOps engineer’s corporate vault.

The attacker then exported all available records and the contents of shared folders. These contained encrypted notes with the access and decryption keys needed to reach the production environment, the AWS S3 LastPass backups, other cloud storage resources, and some critical databases. LastPass has issued a separate bulletin titled “Security Incident Update and Recommended Actions”, which contains additional information about the hack and the stolen data. The company has also produced supporting documents outlining the steps customers and business administrators should take to improve account security.

How did the breach go that far?

According to the official note released by LastPass, only four of their engineers had access to the aforementioned cloud backup. To grab the password for the S3 bucket, the hackers deployed a keylogger using the mentioned CVE-2020-5740 vulnerability in the Plex desktop application. As LastPass’s investigation found, Plex itself was hacked around that period as well. It seems the hackers were either lucky enough to synchronise their efforts with the crooks who broke into Plex, or they are powerful enough to breach several companies at once. Either way, these events cast a really bad light on the companies that develop password-keeping solutions.

Currently, LastPass is trying to remain transparent about the situation. They speak of “improving [the guilty one] engineer’s home network and personal resources security”, without giving more detail. Additionally, the company changed all the high-privilege passwords that were allegedly touched by the breach and intends to do the same for those with fewer capabilities. How long this will take, and whether they have located all the compromised elements, remains an open question.

What’s next?

The list of actions recommended to LastPass users was actually published much earlier, after the first disclosure of the incident in December 2022. It included a notice that customers who used 12-character master passwords (the ones needed to access the LastPass account) may breathe a sigh of relief: such strong combinations were not exposed in any way. People whose master passwords were weaker should change all the passwords they stored in LastPass. This is related to how hard these passwords are to guess: starting at 12 characters, even small complications render brute force useless.

[Figure: Brute force efficiency. Correlation of the time needed to brute-force a password with the number of symbols in the password]

LastPass’ story will become as well known as the hacks of Colonial Pipeline, Kaseya, and Twitter. Although some of those ended in ransomware attacks, the data leak is what really unites them all. And while harm from leaked user data or exposed corporate documents has limited potential to spread, leaked passwords do not have that limit. The consequences may range from simply losing access to accounts after an account hijack to phishing with impersonation, which will most likely harm your reputation. Exactly what will happen is hard to foresee, as hackers usually sell their loot to numerous other criminals on the Darknet. For that reason, it is better to protect both your social networks and your password vault with as reliable a password as possible. You can read how to pick a safe password in our article.

Vulnerability in KeePass Allows Stealing All User Passwords in Plain Text
Published: Fri, 03 Feb 2023 01:35:55 +0000
https://gridinsoft.com/blogs/vulnerability-in-keepass/

The developers of the open-source password manager KeePass explain that a vulnerability that allows an attacker to steal all user passwords is not as dangerous as it sounds. Their position is that if an attacker controls your system, then it is no longer your system.

By the way, read: Is It Safe to Use a Password Manager in 2022? And also: Experts have discovered vulnerabilities in popular password managers.

You might also be interested to know that Only 26% of users agreed to change their password when they learned that it was compromised.

KeePass is a popular password manager that allows managing passwords using a locally stored database rather than the cloud like LastPass or Bitwarden. To protect such local databases, users can encrypt them with a master password so that malware or an attacker that has entered the system cannot simply steal the database and automatically gain access to all the data stored there.

The vulnerability found in KeePass (CVE-2023-24055) allows attackers with write access to the target system to modify the KeePass configuration XML file and inject a malicious trigger into it that exports the password manager database, including all stored usernames and passwords, in plain text.

That is, the next time the victim launches KeePass and enters the master password to open and decrypt the database, the planted export trigger fires, and the entire contents of the database are saved to a separate file that the attackers can read and steal. The export runs in the background without notifying the user or prompting for the master password, which lets the attacker remain unnoticed.

Even worse, a PoC exploit for CVE-2023-24055 has already been published, which makes it much easier for malware developers to update their infostealers and create malware that steals KeePass databases from compromised devices.

After the vulnerability became known, users asked the KeePass development team to at least add a mandatory confirmation prompt before the database is exported automatically, or to publish a version of the application that does not contain the export function at all.

It is also proposed to add a custom flag to the program to disable export inside the actual KeePass database, which could be changed only by knowing the master password.

However, the KeePass development team has its own point of view on this matter. In their opinion, CVE-2023-24055 should not be classified as a vulnerability at all, given that an attacker who already has write access to the target device can obtain information from the KeePass database in many other ways.

In fact, the KeePass help center has mentioned the problem of write access to the configuration file repeatedly since at least April 2019, and there, too, it states that “this is not a security vulnerability in KeePass.”

“Having write access to the KeePass configuration file usually means that an attacker can perform more powerful attacks than simply changing the configuration file (and these attacks will eventually be able to affect KeePass, regardless of the protection of the configuration file). Such attacks can only be prevented by maintaining a secure environment (using antivirus software, a firewall, not opening unknown email attachments, and so on). And KeePass cannot work securely in an insecure environment in some magical way,” the KeePass developers explain.

Hackers Stole Data from the LastPass User Password Vault
Published: Wed, 28 Dec 2022 09:33:03 +0000
https://gridinsoft.com/blogs/hackers-stole-data-from-lastpass/

LastPass password manager developers have reported that hackers who recently broke into the company’s cloud storage have accessed it and stolen customer data, including password vaults that could now theoretically be hacked.

As a reminder, the compromise of the company’s cloud storage became known earlier this month. Notably, for this hack the attackers used data stolen from the company during the previous attack, which occurred in August 2022.

As a reminder, we also wrote that seven built-in trackers were found in LastPass for Android.

In early December, the developers wrote that “an unauthorized party, using information obtained during the incident in August 2022, was able to access some customer data,” but gave no details, as those were promised only after the investigation was complete.

Karim Toubba

Now the investigation is over, and LastPass CEO Karim Toubba says the hacked cloud storage was used to hold archived backups of production data, although it was physically separated from the production environment.

“The attacker copied information from a backup that contained basic customer account information and related metadata, including company names, end user names, billing addresses, email addresses, phone numbers, and IP addresses from which customers accessed the LastPass service. The attacker was also able to copy a backup of customer storage data from an encrypted container, which is stored in a proprietary binary format and contains both unencrypted data (such as website URLs) and fully encrypted sensitive fields such as websites, usernames, and passwords, secure notes and data for filling out forms,” writes Toubba.

It is emphasized that the encrypted data is protected by 256-bit AES encryption and can only be decrypted using a unique encryption key derived from each user’s master password. Toubba notes that the master password is not known to LastPass and is not stored on LastPass systems.

By the way, the media also reported that attackers gained access to privileged credentials previously stored in a Ubiquiti IT employee’s LastPass account and obtained superuser administrator access to all Ubiquiti AWS accounts.

However, users are still warned that attackers may try to crack their master passwords to gain access to the stolen encrypted vault data. At the same time, the developers insist that “it will take millions of years to pick up a master password using public technologies for cracking passwords.”

“Your vault’s sensitive data, such as usernames and passwords, secure notes, attachments, and form-filling data, remain securely encrypted thanks to the Zero Knowledge architecture,” the developers write.

At the same time, LastPass acknowledges that the leaked data can still be used for phishing attacks on users, credential stuffing attacks, or brute-forcing of accounts associated with the LastPass vault.

You might also be interested in How To Securely Store Passwords.

In LastPass for Android found seven built-in trackers
Published: Sat, 27 Feb 2021 13:26:32 +0000
https://gridinsoft.com/blogs/trackers-in-lastpass-for-android/
German cybersecurity expert Mike Kuketz noticed that the LastPass Android app contains seven trackers that monitor users. The researcher bases his findings on a report by the non-profit organization Exodus, which describes itself as an initiative “led by hacktivists, the goal of which is to help people understand the problems of tracking in Android applications.”

Seven trackers were found in the password manager, including four from Google that collect data for analytics and crash reporting, as well as AppsFlyer, MixPanel and Segment. The latter, for example, collects information for marketing teams; its developers write that the tool offers to create a “single view of the customer” by profiling users and linking together their actions on different platforms (presumably to personalize ads).

“In this way, the LastPass developers are striving to monetize the huge number of free users of their application,” Mike Kuketz believes.

At the same time, the researcher warns that application developers often do not know what data trackers collect and what they pass on to third parties. As a result, integrating someone else’s proprietary code into an application can be dangerous and can lead to data leakage. According to the expert, there is no place for such trackers in a password manager, whose security is extremely important.

According to the expert, LastPass transmits to third parties information about the device used, the carrier, the type of LastPass account, and the Google advertising ID (which can be used to link user data across different applications). In addition, the trackers “know” when a user creates new passwords and what type they are.

“Instead of LastPass, it is better to use other password managers, for example, the open-source KeePass. The fact is that, according to Exodus, there are no trackers at all in either the KeePass code or the 1Password code. There are two beacons in the open source Bitwarden code: Google Firebase analytics and Microsoft Visual Studio crash reports, and four were found in Dashlane,” says Kuketz.

LastPass representatives have already assured the media that the detected trackers cannot transfer confidential user data, and that the vault remains safe. They emphasize that the trackers only collect statistical information about the use of the application, which is used to improve and optimize the product. In addition, users can opt out of analytics collection in the settings.

Let me remind you that ToTok messenger turned out to be a tool for total tracking.

HIBP (Have I Been Pwned?) leak aggregator opens the source code
Published: Tue, 11 Aug 2020 16:58:56 +0000
https://gridinsoft.com/blogs/hibp-have-i-been-pwned-leak-aggregator-opens-the-source-code/
Founder of Have I Been Pwned? (HIBP) Troy Hunt announced that after a series of unsuccessful attempts to sell the project, about which he talked this spring, he decided to open the source code.

Let me remind you that HIBP, founded in 2013, is a service for checking whether credentials have been compromised. By collecting information about various data breaches, Troy Hunt created a unique database whose services and API are currently used by many sites and software products (including Firefox and LastPass) to promptly notify their customers of a possible compromise.

Hunt writes that over the years, he has invested a lot of effort, time, and resources into the project, but he can no longer continue to develop HIBP on his own. According to him, the community’s contribution to the development of Have I Been Pwned has always been considerable, and recently it has only increased.

“Every byte of data loaded into the system in recent years has been provided free of charge by someone who has decided to improve the security landscape for all of us,” writes Troy Hunt. “The philosophy of HIBP has always been to support the community, and now I want the community to support HIBP. Open source is the most obvious way to do this. All the essential elements of HIBP will be put into the hands of people who can help maintain the service, no matter what happens to me.”

The move to an open-source model will not be easy, so Hunt says it will take some time, and he has not yet named a specific timeline.

“In addition, there is also an aspect of privacy: among these leaks, there is my personal data, and probably yours too, because billions of people have already suffered from data leaks. Regardless of how widely this information circulates, I still have to ensure confidentiality control for the data on leaks itself, even if the project’s code base becomes more transparent,” the expert sums up.

While professionals like Troy Hunt spend their time and resources on protecting users, they (according to a study by Carnegie Mellon University) rarely change passwords, even if their account got into the HIBP database.

Experts have discovered vulnerabilities in popular password managers
Published: Thu, 26 Mar 2020 16:05:20 +0000
https://gridinsoft.com/blogs/experts-have-discovered-vulnerabilities-in-popular-password-managers/
Experts from York University explained how they managed to detect vulnerabilities in popular password managers. The bugs allowed malware to steal user credentials.

It turned out that back in 2017, researchers analyzed five popular password managers: LastPass, Dashlane, Keeper, 1Password and RoboForm. The analysis helped identify four previously unknown vulnerabilities, including one that led to the disclosure of credentials.

The most serious of the detected problems allowed a malicious application to impersonate a legitimate program and trick the password manager into revealing the stored credentials. The experts did not risk talking about their research earlier, as they considered it too dangerous.

“The main problem affected the Android applications 1Password and LastPass, which were recognized as vulnerable to phishing attacks, as it was very strange to determine which saved credentials to offer for autocomplete. In fact, a malicious application could pretend to be legitimate simply by using an identical name,” the experts write.

The researchers created a PoC application that successfully attacked LastPass (and could do the same with 1Password). This application had a login screen designed to mimic the official Google login screen, and was therefore difficult to distinguish from the real one. As a result, LastPass offered to autofill Google credentials into this fake screen.


At the same time, the experts note that the attack had a number of obvious limitations: the malicious application must be installed on the victim’s device, the victim must use a vulnerable password manager with autocomplete enabled, and credentials for the target application must be stored in the encrypted vault.

Another vulnerability that the researchers found in all of the password managers listed above (with the exception of 1Password) was that they did not sufficiently protect credentials copied to the clipboard. In particular, on Windows 10, credentials could be pasted from the clipboard in plain text even while the computer was locked. According to the experts, to protect against such attacks, password managers should automatically clear the clipboard after a certain time.

Although some password managers allow users to protect their password store with a four-digit PIN code, the experts write that the RoboForm and Dashlane applications did not count incorrect attempts to enter this code. That is, an attacker could enter two PIN codes in a row, then remove the application from the list of recently used apps and try two more. Even entering PIN codes manually, an attacker could still guess the PIN in 2.5 hours on average.

“We did not fully automate this attack, but we believe that in the case of an automated attack, PIN retrieval will take significantly less time,” the experts write.

The researchers contacted the developers of the tested password managers back in 2018. All five vendors reportedly responded to their requests and listened to the warnings, but patches were not issued for all of the detected problems, as many of the vulnerabilities found were given a low priority.

Let me remind you that the popular password meter services put Internet users at risk. So, it remains only to remember passwords, right? )
