shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.


#lastpass


After a wave of attacks, #Snowflake insists security burden rests with customers

The cloud-based data warehouse vendor remains “slightly muted” about the attacks on its customers because it wasn’t breached, CEO Sridhar Ramaswamy said.

Well, it just goes to show that people who deny history are doomed to repeat it. Snowflake should take a hint from #Lastpass in regard to what blatant lying and blaming of customers will get you.

Mr. Ramaswamy, you are officially on the Darwin Award list for 2024.

What a moron.

cybersecuritydive.com/news/sno

Cybersecurity Dive · After a wave of attacks, Snowflake insists security burden rests with customers. By Matt Kapko

A non-techie friend asked me what a good password manager is nowadays. He uses Windows and works with banks and other financial institutions as a consultant. He doesn't really need it to sync online, but that would be OK, even if he is a bit paranoid.

For now, all I was able to say is that #1pass used to be OK, and avoid #lastpass like the plague, but that's all I can say.
Any advice? Thanks :) Sharing is appreciated, I've a small reach.

Lots of people watching stock prices right now. I don’t actually expect much of a show there. Yes, it will go down a bit, and then it will come back up again. This happened many times, to companies which produced similar and worse disasters.

Don’t believe me? Check out the stock charts for LogMeIn Inc., the company behind LastPass. Try to find the dent made by the 2022 breach announcement and the subsequent news coverage. Compare the stock price to what it is today. That’s a company that demonstrated enough neglect to be rightfully dead today. Instead, I have people still asking under my blog posts whether they should dump LastPass or keep using it.

The inertia is very real. It takes lots of effort to switch vendors. CrowdStrike will claim an unforeseeable issue, a one-of-a-kind. And almost everyone will believe them and keep using their product. Until the same thing happens again. And likely even then still.

LastPass says 12-hour outage caused by bad Chrome extension update

LastPass says its almost 12-hour outage yesterday was caused by a bad update to its Google Chrome extension.

Starting at around 1 PM ET yesterday, LastPass users were suddenly unable to access their password vaults or log into their accounts, instead seeing "404 Not Found" errors, which typically indicate a page does not exist.

#News #Tech #Security #LastPass #PasswordManager #BleepingComputer

bleepingcomputer.com/news/secu

LastPass claims that it will encrypt URLs in their users' vaults next month. Yes, that's addressing the issue they were first warned about back in 2015, to my knowledge. Yes, they plan to fix it for existing password entries as well. Maybe worth checking whether they'll actually deliver.

They plan to start encrypting things like "equivalent domains" later this year. That's an issue I received a bug bounty for in 2018 (this isn't merely a privacy issue but also a "what if the server turns malicious" issue); good to know they finally want to do something about it.

This part sounds strange:

“LastPass says that due to restrictions in processing power in 2008, when that system was created, its engineers decided to leave those URLs unencrypted, lessening the strain on CPUs and minimizing the software's energy consumption footprint.”

That’s about mobile CPUs. And probably also about JS-based encryption implementations before WebCrypto or WebAssembly. And still: is it plausible that not encrypting a little bit of text (we are talking about 64 kB max even for heavy users) made any difference in 2008? Even considering that their “key derivation” back then was merely SHA256, I have a hard time believing that encryption was in any way significant for their CPU usage.

So?

Does everyone remember #LastPass?

Welp!?

It happened again, but this time on the user side of the house. LastPass users targeted by #vishing attackers.

VISHING: the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.

helpnetsecurity.com/2024/04/19

Advanced #Phishing Kit Adds #LastPass Branding for Use in Phishing Campaigns

Threat actors using phishing kits are pretending to be LastPass in phone calls and emails to steal user credentials.

Actual phishing site: “help-lastpass[.]com”

Shortened URL Embedded in Email: shorturl[.]at/glvT0

Phishing Email Subject Line: We’re here for you

Spoofed Sender: Shows as LastPass Support <support@lastpass>

#security #cybersecurity #passwords

blog.lastpass.com/posts/2024/0

blog.lastpass.com · Advanced Phishing Kit Adds LastPass Branding for Use in Phishing Campaigns - The LastPass Blog

@amin I've been a long time #LastPass user. I don't stress about tracking, and I enjoy being able to get weekly, monthly, and yearly reports. I find it fun to see how genres/artists ebb and flow through different periods of the year and my life. For me it doesn't seem to be a detraction to enjoying the music or anything. I might prefer to self-host something that does this, but I quite like Last Pass. Most of the ways I listen scrobble just fine with it. Idk. To each their own tho.

A password manager #LastPass calls “fraudulent” booted from App Store

The fake app was called “LassPass.”

No App Store is 100% safe. There are no exceptions. Always be careful what you download. Fake apps are everywhere.

Not sure what the goal of this app was, but safe to say it was probably on some scale of malicious as most fake apps are.

#apple #iphone #app

arstechnica.com/security/2024/

Ars Technica · A password manager LastPass calls "fraudulent" booted from App Store. "LassPass" mimicked the name and logo of the real LastPass password manager.