Ask HN: How did my LastPass master password get leaked?
877 points by gregsadetsky 30 days ago | 515 comments

I've just had a bizarre thing happen and wanted to see if the HN community could come up with some theories as to what happened.

LastPass blocked a login attempt from Brazil (it wasn't me). According to an email I received from LastPass, this login was using the LastPass account's master password. The email doesn't look like it's a phishing attempt.

What troubles me is that the master password was stored in a local encrypted KeePassX file.

I can imagine that someone has my KeePassX file and the (completely different) password to this file. If that's the case, I'm in a world of hurt.

But are there any other possibilities? Is the email from LastPass accurate i.e. was the login attempt actually using my master password? Is there some LastPass extension installed on some computer still having a valid auth token allowing them to login as me to LastPass..?

I'm really confused, and scared.

Thanks for your help.

P.S. The LastPass account had 2FA set up, but I was able to simply remove it (since I didn't have access to the token anymore). That's scary too -- what's the point of a 2FA you can remove...??



- the email was truly not phishing -- the same information regarding the login attempt appears in my LastPass dashboard. I also talked to LastPass support over the phone, and they confirmed seeing the same information.

- There are 2 separate users in the thread below confirming that the same exact same thing happened to them, from the exact same IP range as me.

Either the 3 of us had the same malware/Chrome extension or somehow had our master passwords compromised...? Or...? Is this a LastPass issue?

Because LastPass is beyond stupid and uses your master password to log in to their bbulletin or whatever php forum.

That's what got me to write and publish this: https://neosmart.net/blog/2017/a-free-lastpass-to-1password-...

EDIT: "or whatever" means I couldn't remember the name of the php forum notorious for its insecurity, I thought it was something like 'bbulletin'. It was phpBB.

There's a level of irony in complaining about LastPass's security, followed by suggestion people run their passwords through random third-party software that you wrote. Even if your code isn't malicious (which I believe), it opens up so many potential attack vectors.

For anyone reading this, please use the official 1Password import functionality, not this: https://support.1password.com/import-lastpass/

There was no 1Password to LastPass importer at the time I wrote that (believe me, I looked because I have better things to do than write apps to benefit a commercial entity like agilebits otherwise), and of course the code is published on GitHub and released under the MIT license. It's very short and simple and rather easy to review. It's also a .NET executable, which is ridiculously easy to reverse-compile back to C# (not just assembly) so you can even check that I'm distributing an exe that does the same thing as the code I published.


I just revisited that link I shared, and I have to say, it takes some real chutzpah to turn around and accuse me of advising insecure practice when the link I shared literally talks about just that:

Due to the nature of this application, *we strongly urge everyone to download the source code*, review it quickly, and compile it yourself to use this tool. However, we do recognize that this may be beyond the means of all security-minded folk out there looking to make the switch, so we are providing signed binaries available for download. If you do opt to use the binary download, make sure to validate the authenticode signature like so: ...

I am extremely grateful to ComputerGuru and others who freely share code and binaries they used to scratch a specific itch like this. As for security, I'd never dream of running anything like this outside of an isolated, offline system and would destroy the instance immediately afterwards.

> There was no 1Password to LastPass importer at the time I wrote that

The details were hazy, but in 2016, there was a way to export your passwords from LastPass and import them into 1Password, though I don't think there was a way to do so on windows (which I believe is what your importer addresses).

After LastPass vulnerability in July 2016, I switched to 1Password.

Password managers generally use CSV, avoiding vendor lock-in. However, back when Lastpass doubled their subscription cost (yes, doubled, literally) I switched to Bitwarden. At that point, there was some issue with exporting passwords with a certain character (IIRC it was ; or #). I ended up changing the few passwords which quit working.

As for OP, my take is you clicked a bad link triggering a zero day vulnerability in your browser, or perhaps you logged in on Lastpass via a VPN or Tor? It's pure speculation though.

There is, I just did it recently. It's an unencrypted copy paste dump from lastpass into 1password

This was in reference to the OP not having an option in 2017 to import to 1pass.

If I recall, I had to sign up for LastPass premium to pull my passwords to my phone, and then use keychain to import them to 1pass.

I don't think that solution would work for Windows users back in 2016.

There was a 1password to lastpass importer at that time, I know because I used it

Just because you put a warning label on a bad practice doesn't mean it's a good practice.

Pumping your passwords through some random code on Github that has a "be smart" label doesn't make it a good idea.

Would be so easy to imitate you, reupload the code with an exploit. For giggles, if I was making this into a hijack I'd leave all your warnings in and even make them bigger and more obvious, confident in the knowledge that 99%+ of my stolen users wouldn't read the code or would just download the binaries sight unseen.

1) Clone random git repo on Kali, related to Kali usage.

2) Don't read the code.

3) ???

4) Forever don't know what or when it happened.

> Just because you put a warning label on a bad practice doesn't mean it's a good practice.

That is such a salient point, generally.

Funny how common it is though

Well, why shouldn't people who already use insecure software with vulnerabilities (LastPass) without the possibility to even audit the code also run some code written by other people they don't know?

BREAKING: There is no perfect security.

>Would be so easy to imitate you, reupload the code with an exploit.

Put your keyboard where your fingers are: do it by tomorrow morning and post here when you're done.

And there ya go.

Clearly we both agree it's an insecure practice, since you felt it needed a warning.

Now that you know there's an official LastPass importer for 1Password, I'm curious why you're defending your version rather than updating your blog post, unlinking your original HN comment and deprecating the GitHub repo.

I believe you're genuine and just trying to help. If there's an attack, it wouldn't be you doing it; it'd be someone else replacing the binaries on an old 2017 post without you noticing. WordPress is just as insecure as phpBB. Like the other commenter said, "Just because you put a warning label on a bad practice doesn't mean it's a good practice."

cut them a break. nobody's gonna update a 2017 blog post irl, and last I checked a majority of bloggers just use WordPress, not exactly their problem.

I agree that's the right response, maybe just give them some time to consider it. It can be tough to give up something you worked on.

There's a level of irony in complaining about malicious code, and still recommending a closed source password manager.

I can't parse this. Is your point that "closed source" is a synonym for "insecure"?

Closed source is a synonym for insecure if you accept secure means no blackbox processes.

Do you think bank ATM software/hardware, plus online banking and components should be open sourced?

Dingding Exactly!

Sorry, what do you mean by "to log in to their bbulletin or whatever php forum"?

According to LastPass, they don't have access to the master password // presumably it's not stored on their side. Is that accurate..?


After a bit of searching, I wasn't able to find any PHP forum software that LastPass lets you log in to. I could only find one official-seeming forum, and it uses a different login. So, I think this is FUD... I don't use LastPass, but accusing them of something like this (and using the phrase "or whatever") is pretty serious without proof.

They appear to have sunset their phpBB instance. It was the main hub and support portal on their website with up to thousands of active visitors at any given time. You can see it archived here:


Here's the archived phpBB login page. It asks for your LastPass login and password (not your forum account, your actual LastPass login and actual LastPass master password):


Here's a past HN discussion from the time with some guesses at how such a phpBB login using the master password could, theoretically, be implemented without knowledge of the password. Note that this doesn't imply it's possible to implement it in a way that would be resistant to their web server (running phpBB!!!!) being compromised: https://news.ycombinator.com/item?id=16016171

Unless I'm misremembering, the login to their general system was done by never sending the password over the wire. Instead they used js to do some sort of hashing type system locally.

But during the heartbleed attack when their systems were shown to be vulnerable, that was one of their arguments as to why it wasn't so bad.

They pretty heavily fumbled exactly this heartbleed response too. They claimed they "weren't vulnerable" because of this setup but they clearly were. If you exfiltrated an SSL key, which heartbleed allowed, you can serve whatever JS (including JS that just explicitly exfiltrated your passphrase) you wanted to end users.

LastPass is full of clowns. There's already two examples of their cavalier approach to what should be simple security in this thread and I'm pretty sure there are more.

> Instead they used js to do some sort of hashing type system locally.

Just the other day a co-worker brought up this idea as an offhand remark. After bouncing it off those present, it took him all of twenty seconds to see why it might do harm and will do little good.

You'd think a password manager would employ some security minded people who could shoot down ideas that bad immediately.

What were the counterpoints?

A weakness in your clientside hashing will make your site weaker to brute-force attacks, since it will reduce the number of hashes (or passwords) an attacker has to try (collisions in client-side hashes will too, but very negligibly for a good hash function). It's also impossible to recover from without relying on another form of authentication to re-establish trust. For many sites this means downgrading to single-factor.

Any hash upgrade mechanism can be abused by a (possibly MITM) attacker to change a user's password while leaving you and the user none the wiser that specifically this occurred. If you need to lock someone out while their phone is beeping at them over their bank account being emptied, while not even making it look like their password was changed, that sounds like a fun way.

Lastly it's virtually the same as plaintext, since any salt will be known by even just a passive attacker. A true MITM won't even have to brute-force the hash.

Conclusion: Might do harm, will do little good.

Thanks, that's pretty damning.

I don't think this is accurate. It appears that the phpBB instance performs a redirect to a SAML login, meaning the login page where you're being asked for your master password is the regular login page.

Now, the fact that they have a web-based vault access requiring entry of your master password? Pretty bad, considering you can't disable it, and it's automatically activated even when just using the browser extension (at least as of a few years back, when I asked them to fix that.)

I don't use Lastpass, but if what you are saying is correct, they could not have sent the OP an e-mail (assuming it's legit) informing them of the attempt to sign in using the master pass from Brazil, right?

Cryptography means lastpass doesn't need the master password to verify the password.

If you have the hash and algorithm used to generate it of a human generated password you can in the vast majority of cases get the password.

It's a combination of people being very bad at generating, remembering, and entering passwords plus generally being unwilling to wait minutes or even seconds to generate the hash on their local computer.

> If you have the hash and algorithm used to generate it of a human generated password you can in the vast majority of cases get the password.

I mean, technically this is true, but it's also true if you have the ciphertext of the stored-password database, which is sort of LastPass's entire job. ;)

The only thing that might make it harder to brute force the master password with the latter than with a hashed password database is if the key derivation algorithm differs.

But I think your blanket statement is sort of misleading. In principle, if you trust someone with your encrypted password storage database, you should trust them with a hash of your master password; both serve as brute forcing oracles.
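The two points above (the server can verify a login without ever seeing the master password, and a leaked login hash is no worse a brute-force oracle than the leaked vault itself) are easier to see in code. The following is an added example written for this thread, not LastPass's code; it follows the general pattern password managers use (a client-side KDF producing a vault key, then a separately derived login value, which the server salts and hashes again). Iteration counts, the email-as-salt choice and the function names are assumptions chosen to keep the demo fast and readable. It also shows the other point made further up the thread about client-side hashing: a login value captured in transit is a replayable credential in its own right.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not LastPass's code. Iteration counts are illustrative assumptions
# chosen to keep the demo fast; a real deployment uses far higher client-side counts.
CLIENT_ITERATIONS = 50_000
SERVER_ITERATIONS = 10_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: the key that encrypts the vault. It never leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ITERATIONS
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more KDF round turns the vault key into the value sent at login.
    The server sees only this, never the master password or the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def client_login_value(email: str, master_password: str) -> bytes:
    return derive_login_hash(derive_vault_key(master_password, email), master_password)


def server_enroll(login_hash: bytes) -> dict:
    """Server side: store a salted hash of the client's login value, not the value itself,
    so a database leak does not hand out directly replayable credentials."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS),
    }


def server_verify(record: dict, login_hash: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def replay_captured_value(record: dict, captured_login_hash: bytes) -> bool:
    """A passive attacker who captured the login value in transit (no TLS, or a MITM holding
    the TLS key) needs no master password at all: the value itself is the credential."""
    return server_verify(record, captured_login_hash)


def offline_guess(record: dict, email: str, candidates) -> Optional[str]:
    """Offline attack on a leaked server record. Each guess costs the full client-side KDF,
    the same work as testing that guess against the encrypted vault blob, which is why a
    leaked login hash and a leaked vault are equivalent brute-force oracles."""
    for guess in candidates:
        if server_verify(record, client_login_value(email, guess)):
            return guess
    return None
```

The server never holds anything from which the vault key can be computed directly, yet it can still say "someone just used your master password": it compares the salted hash of the submitted login value against its record. The "hashing in JS" complaint earlier in the thread is about the case where the client-side value is the only secret and the server stores it unsalted; then a captured or leaked value is simply the password under another name.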

MD5 is long considered a broken, weak hash algorithm. Here is the MD5 hash of a password:


Password is 16 characters long, all lower case, no numbers, no special symbols.

Please tell me the password.

What percentage of people do you think actually use 16 character passwords?

Probably pretty low.

I use 64 character passwords, or if there is a length limit, always the longest possible. That's the beauty of using a password manager :)

Do you use 64 character master password?

One advantage about having memorized a bunch of poetry back in the day is I have a lot of secure long passphrases to hand

Aesop, my author, makes mention of two mice and they were sisters dear 1234567890123456789012345678901234567890123456789012345678901234567890

70 and little effort

I consider mine pretty long, and it's right around 30 characters.

56 billion md5 hashes per second for $1.80 per hour at OVH. (single Nvidia Tesla v100 GPU)

Still a no-go for plain old brute forcing all a-z combinations. But, if your password is some combination of actual words, common keyboard sequences, or anything else in a password dictionary, it's cracked pretty quick/cheap.
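To put numbers on the comparison above, here is a small crack-time estimator, added for this thread rather than taken from any commenter. The 56 billion hashes/second and $1.80/hour figures are the ones quoted in the comment; the word-list sizes used in the scenarios are assumptions for illustration. It contrasts a random 16-character lower-case password (exhaustive search) with passphrases assembled from dictionary words, which is what "cracked pretty quick/cheap" means in practice.

```python
# Added example. Rate and price are the figures quoted in the comment above; everything
# else (word-list sizes, join-style counts) is an illustrative assumption.
HASHES_PER_SECOND = 56_000_000_000
USD_PER_HOUR = 1.80
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_keyspace(alphabet_size: int, length: int) -> int:
    """Random password of fixed length over an alphabet: every combination is a candidate."""
    return alphabet_size ** length


def wordlist_keyspace(words_in_list: int, words_used: int, join_styles: int = 1) -> int:
    """Passphrase built from dictionary words. join_styles counts the separator/casing
    variants the attacker must also enumerate ("", "-", " ", Capitalised, ...)."""
    return (words_in_list ** words_used) * join_styles


def exhaustive_seconds(keyspace: int, rate: int = HASHES_PER_SECOND) -> float:
    """Worst case: the whole keyspace is tried. Expected time is half of this."""
    return keyspace / rate


def rental_cost_usd(seconds: float, usd_per_hour: float = USD_PER_HOUR) -> float:
    return seconds / 3600 * usd_per_hour


def describe(seconds: float) -> str:
    if seconds < 60:
        return f"{seconds:.2f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


# Constructed scenarios: the 16-char a-z case from the comment, a 4-word diceware phrase
# (7776-word list), and "two real words" from a 100k-word dictionary with a few join styles.
SCENARIOS = {
    "16 random a-z chars": charset_keyspace(26, 16),
    "4 diceware words": wordlist_keyspace(7776, 4, join_styles=4),
    "2 dictionary words": wordlist_keyspace(100_000, 2, join_styles=8),
}


def report() -> dict:
    """Worst-case crack time and GPU rental cost for each scenario, as printable strings."""
    return {
        name: (describe(exhaustive_seconds(ks)), f"${rental_cost_usd(exhaustive_seconds(ks)):,.2f}")
        for name, ks in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, (time_str, cost) in report().items():
        print(f"{name:>22}: {time_str} ({cost})")
```

At the quoted rate the 16-character a-z space takes on the order of tens of thousands of years on one GPU, which is why the MD5 challenge above is safe even with a broken hash; the word-based phrases fall in hours or seconds. Note the estimator assumes a single unsalted fast hash; a proper password KDF lowers the rate by orders of magnitude, and a large salted database multiplies the work by the number of distinct salts.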

The best I could find is this


But can you show me the way how you'd go on about this? Really curious.

You can't. That's the point of the post. There is no known feasible pre-image attack on MD5.

You don't need access to a password to check it, just the hash (then they hash what you enter and compare the hash to the one they have). So both "They use it to log in to their whatever" and "They don't have access to it" can be correct.

If there's a breached phpbb instance, the attacker can modify login.php to log plaintext credentials.

Is there an official counter for phpBB RCEs/vulnerabilities that revealed user passwords? This has been going on for decades now. It's getting ridiculous.

Welcome to frameworkless PHP where code & user files are stored in the same root and any PHP file requested by a web client is executed by the server.

In most proper frameworks, including PHP ones, the only thing responding to web requests is an entrypoint file (that gets passed the request metadata including URL) and the framework takes it from there. This means that with proper configuration, even requesting a malicious PHP file shouldn't actually execute it and instead hit the framework which will promptly respond with a 404 (of course, with PHP the danger is that in case of misconfiguration the server may still prioritize an exact path match and execute the file rather than defaulting to executing the framework's entrypoint, where as other languages typically don't rely on the webserver to execute the files and couldn't run a malicious file even if they tried).

But these stupid legacy applications are still around and haven't been updated to fix this design flaw, so any flaw in sanitizing uploaded files turns into a persistent RCE. I'm sure some people will pitch in and say this isn't a design flaw and you're using it wrong, and while I agree that it can probably be made secure with enough effort, why leave such a loaded footgun around when this is essentially a solved problem in all other languages?

In other languages a malicious file being uploaded to the web root will at best result in a stored XSS which can be further mitigated by having your file uploads on a separate domain, but in PHP it's fatal.

> the server may still prioritize an exact path match and execute the file rather than defaulting to executing the framework's entrypoint

This is properly solved by frameworks having this entrypoint be in a 'public' folder and that also being the webroot, so only index.php and nothing else is available for a direct match (unless /../ in the url works, which would be a huge security hole).
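The two comments above describe the problem (any uploaded file the web server will hand to the PHP interpreter becomes persistent RCE) and the structural fix (only the front controller lives in the webroot). The layer that still has to be right in either case is the upload handler's treatment of file names, so here is one, as an added example for this thread and not code from phpBB or any framework. The extension lists are assumptions; tune them to what your server's handler configuration actually executes. It checks every dotted segment rather than just the last one, because with Apache mod_mime an AddHandler rule for .php also fires for "shell.php.jpg", and it rejects a leading dot so that an uploaded .htaccess cannot re-enable execution in the upload directory.

```python
import re
import secrets

# Added example, not phpBB's or any framework's code. The lists below are assumptions
# for illustration; adjust them to the handlers your web server actually configures.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Anything a PHP-enabled server might hand to an interpreter. Every dotted segment is
# checked, not only the last one: with Apache mod_mime, "shell.php.jpg" still matches an
# AddHandler rule for .php, and a .htaccess upload can turn execution back on.
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar",
                       "phps", "pht", "inc", "cgi", "pl", "htaccess"}

# Plain base name: no slashes, NULs, spaces or leading dot; at least one extension.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+$")


def is_safe_upload_name(name: str) -> bool:
    """True only for a plain base name whose final extension is allow-listed and which
    contains no executable segment anywhere before it."""
    if not SAFE_NAME_RE.fullmatch(name):
        return False
    segments = name.lower().split(".")
    if segments[-1] not in ALLOWED_EXTENSIONS:
        return False
    return not any(seg in EXECUTABLE_SEGMENTS for seg in segments[:-1])


def storage_name(client_name: str) -> str:
    """Stronger still: discard the client's name entirely. Keep only the vetted extension
    and generate the base name server-side, so nothing attacker-chosen reaches the disk."""
    if not is_safe_upload_name(client_name):
        raise ValueError(f"rejected upload name: {client_name!r}")
    ext = client_name.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

Name validation is defence in depth, not a substitute for the webroot layout: the upload directory should also sit outside the document root (or under a location where the server is configured not to execute anything), and the content type should be checked against the bytes, not the name.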

we miss cgi-bin/

good mention. an rtfm for everyone else.

There is such a counter, CVE databases.

If you would actually take a look, you would realize you are spreading FUD.

phpBB has been rewritten from scratch around 2008 with phpBB3 and hasn't had a single severe vulnerability since. That's 13 years.

Sure. But CVEs don't enumerate RCEs/vulnerabilities that reveal user passwords - they care about a superset of all of that. And when you look at the common vulnerabilities in phpBB3, "phpBB3 hasn't had a single severe vulnerability" seems like very selective language.

I am merely giving my unprofessional opinion that phpBB(1+) has only caused harm. A significant portion of leaks seem to be attributed to it. They really could have done better, and their reputation is forever dead.

To make clear: I am sure that the current version of phpBB works just fine and isn't as disease ridden as we all know it to be. However, the fact that all of these issues have existed for so long means that perhaps we need to take a look at the software as a product and determine that its performance has not been good enough, and to expect similar performance in the future.

This also happened to me back on Nov 10, 2021. I had an old LastPass account, wasn't using it, when all of a sudden i get an email:

-- Login attempt blocked

Hello,

Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look. --

Like you, it told me that the attempt came from Brazil, using an IP address starting with 160. I have no idea how they would've gotten that password. Made me wonder if LastPass had some issue, but nothing was in haveibeenpwned

What, really??

This is too crazy of a coincidence to be a coincidence.

This is exactly what's happening to me, and same IP prefix.

What does it mean?


How old of account was this? Can you contact me by email (email in my profile)?


Two theories:

- there is a problem with LastPass

- you and I both had the same Chrome extension installed that was actually compromised, and that extension was listening to/sending passwords typed into lastpass.com

I last used this account/master password back in 2017. Is that similar-ish to when you used your account?

posting another comment here too for visibility, but this _just_ happened to me as well....

  Time Monday, December 27, 2021 at 1:41 PM EST
  Location São Paulo, SP 01323, BRAZIL
  IP address

Not sure it's really in Brazil.

LACNIC says the IP range was transferred to AFRINIC. They then say that it is owned by:

  Affiliated Computing Services (Pty) Ltd
  descr: P. O. Box 261333
  descr: Excom 2023
  country: ZA

But then further note that ownership is in dispute! We need someone to look it up in the current routing tables to see where it's presently being routed to.

I also saw that very weird thing -- Brazil vs AFRINIC.

Help/insight from ASN? BGP? networking experts would be appreciated..! Thanks a lot

Far from an expert, but https://www.dan.me.uk/bgplookup lists it as owned by AS202769, which is apparently "Cooperative Investments LLC". Scamalytics[1] states that much of their address space is VPNs, so the trail may go cold here.

[1] https://scamalytics.com/ip/isp/cooperative-investments-llc

That IP is present in a cn record for visit[.]keznews[.]com, whose whois record lists an admin contact in CZ.

Be very wary of geo-ip results, on the modern internet they are effectively useless.

Ignoring VPNs, why are they useless?

I wouldn't go so far as useless, but they frequently exhibit significant inaccuracy, no matter which vendor/service you use. It's not unusual for me to query 7 APIs and be told the user is in 7 different cities spanning 5 states. At least there's usually a quorum at the country level. Given the market ($$$) for IPv4, this feels like it's only getting worse as more blocks of IPs are being sold, leased, transferred, even between continents/RIRs and the geo providers are always a few steps behind.

For the IP posted above, I have 3 providers claiming it's in Sao Paulo, 3 who says it's in Joburg (this is as accurate as anyone's going to get right now) and one says it's in Chicago! If I'm trying to do something with these results programmatically, I don't have a majority or a plurality to pick as a "winner" and I have to try weighting specific providers, which is a whole new mess.

Anyway, there's a good idea brewing in RFC8805 but it'd require pretty much every AS to play along.
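RFC 8805, mentioned above, is the self-published geofeed format: an operator serves a CSV of prefix, ISO 3166-1 country, ISO 3166-2 region, city and postal code, and consumers use it instead of guessing from registry ownership. The following parser and lookup are an added example for this thread, not any operator's or geo provider's code; the feed embedded in it is constructed from documentation prefixes and the country/region assignments in it are made up. It skips malformed lines rather than guessing, checks that a region code belongs to its country, and resolves overlapping prefixes by longest match.

```python
import csv
import ipaddress
from typing import Optional

# Constructed sample feed in RFC 8805 layout (documentation prefixes only; the geography
# is invented for the example). Fields: prefix,country,region,city,postal.
SAMPLE_GEOFEED = """\
# example geofeed, constructed for illustration
198.51.100.0/24,ZA,ZA-GP,Johannesburg,
203.0.113.0/24,BR,BR-SP,Sao Paulo,
203.0.113.128/25,ZA,ZA-GP,Johannesburg,
2001:db8:10::/48,CZ,CZ-10,Prague,
not-a-prefix,XX,,,
192.0.2.0/24,US,BR-SP,,
"""


def parse_geofeed(text: str) -> list:
    """Parse RFC 8805 lines into dicts. Malformed or inconsistent lines are dropped, never guessed."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = next(csv.reader([line]))
        fields += [""] * (5 - len(fields))            # trailing fields may be omitted
        prefix, country, region, city, postal = (f.strip() for f in fields[:5])
        try:
            network = ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            continue                                  # not a valid prefix
        country = country.upper()
        if country and not (len(country) == 2 and country.isalpha()):
            continue                                  # not an alpha-2 code
        region = region.upper()
        if region and not region.startswith(country + "-"):
            continue                                  # region must belong to the country
        entries.append({"prefix": network, "country": country, "region": region,
                        "city": city, "postal": postal})
    return entries


def lookup(entries: list, ip: str) -> Optional[dict]:
    """Most-specific (longest-prefix) match, as a geofeed consumer resolves overlaps."""
    addr = ipaddress.ip_address(ip)
    best = None
    for entry in entries:
        net = entry["prefix"]
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best["prefix"].prefixlen:
                best = entry
    return best


if __name__ == "__main__":
    feed = parse_geofeed(SAMPLE_GEOFEED)
    for probe in ("203.0.113.10", "203.0.113.200", "2001:db8:10::1", "192.0.2.1"):
        hit = lookup(feed, probe)
        print(probe, "->", f"{hit['country']} {hit['region']} {hit['city']}" if hit else "no entry")
```

A feed only helps if the operator publishes one and it is fetched from where the RIR data or a known-good index points; as the comment says, the whole thing depends on networks playing along.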

I've routinely seen edge cases where geo IP databases are just wrong, even from providers like Google and others.

My home would routinely show up as from a country a thousand miles away. Friends down the street would show up several states over. Customers I know which were a state over would appear from a different country. The databases are usually right, but they're still often wrong. Often enough to cause frustrations.

Why ignore VPNs? I'm sure someone else can chime in but to my knowledge that's what makes them useless. You can't be sure someone isn't running VPN, then you can never be certain GeoIP is correct, thus it's useless.

Because everyone knows that VPN IPs' geoloc is useless, so I assumed that those were being ignored. Also because it's possible to see if an IP is (possibly) a VPN one by looking up the owner.

As with most things IP-related, this is only somewhat true. There are a lot of VPN providers that specialize in not getting their exit IPs marked as VPNs, so just because an IP isn't listed as a VPN by your intel provider of choice doesn't mean it's not a VPN. GDPR also means finding netblocks with super generic IP-whois is really easy.

Geo-ip is a perfect analysis trap, because it seems like it's probably a good idea so people put it into the roadmap. Then they spend forever tracking down all the ways it doesn't work (I bet you have customers in whatever geo you're thinking of blocking, there's a surprising amount of netblocks that are attributed incorrectly, etc), and then the sunk cost fallacy leads them to maintaining their creaky system. Imagine what you could have done with that effort in the meantime.

Now, let's put our badguy hat on. It takes effectively zero time to tell if your target is geo-blocking (compare your port results between several geos, or cheat with censys and shodan). Being blocked? Launch your attack from IP space in another geo. Pro-tip on that: nobody blacklists cloud provider IP space because of VDI solutions. You can migrate between stolen cloud accounts faster than the provider can suspend them, especially for reconnaissance and initial payload delivery.

Edit: see also, renting time on botnets, renting physical colo, compromising residential ISP equipment, and friends.

Perhaps this will help? https://bgpview.io/ip/

Hmm. So I don't know if this means anything, but I was googling for the IP address and wound up at https://ipinfo.io/ which says hostname: visit.keznews.com. When you go to that hostname, it's one of the best phishing sites I've ever seen. They dynamically inserted my ISP's logo (Spectrum) and tried to do a phishing attempt:


The full non-clickable URL:

I went through and answered the "questions", and it tried to take me to the actual phishing site:



Screenshots of the actual phishing site




And its url (non-clickable):


Now, the interesting part is that this phishing attempt only happened once. When I tried to visit again just now, it just says "something went wrong" (on the first site) and "Access denied" (on the second site).

I saved the sites to disk as I went, but I doubt these dumps will tell you much. Just in case though:

1. https://gist.github.com/shawwn/4deace812e7c752949a0df096ef66...

2. https://gist.github.com/shawwn/721f235e760dd2257cd760edb1188...

Long story short: It sounds like all of you got phished. I suspect you installed a malicious app that somehow targeted your web browser's LastPass extension, modifying it to send your master password to these fine people. ¯\_(ツ)_/¯


That's quite possible, for sure. I am not beyond/above/below being phished like anyone else, ha!

The issue -- what makes it perplexing -- is that I haven't used this LastPass password since 2017. I know because this LastPass account was only used to share passwords within an org that I left back then.

Is it possible that I was phished 4 years ago, and they sat on the password? Sure.

But 2 other people in this thread being phished from the same exact same phishing server/group?

Or we were separately phished using different techniques, and now one Brazil server attempted to use all of our logins?

That's what's rather strange.

Hey guys I think that maybe this has to do with an exploit in the web browser LastPass extension about 5 years ago: HN POST: [0].

[0] https://news.ycombinator.com/item?id=12171547

Yeah, that's not impossible. Surprising that they sat on the passwords for so long, but this is quite possible. Thanks for the reference/link!

You don't necessarily know they sat on it. You only just got a notification of the failed login now.

That doesn't mean they didn't try stuffing it elsewhere previously, or have login attempts you weren't notified of.

Nor do you know if the entity responsible for the failed login is the one who originally captured the credentials.

If you'll forgive the wild speculation, your credentials could have been sold recently and the new owners are less picky about alerting victims to the breach.

It could be that a bunch of credentials were captured for a specific purpose. Perhaps it was a targetted attack aiming for a specific victim, you and others here were collateral damage, and now the attacker is selling the assets.

Yeah, totally agreed and all great points.

I also generally am more suspicious of the idea that they sat on the credentials for years. Although that is not impossible.

One disproving fact (of sitting on the password for years) is that a few people here in this thread confirm having a login attempt from the exact same ip range, but with an account that was created this year -- in one case, in November 2021:


So... it might turn out to be a much more recent vulnerability after all.

Couldn't it just be that someone got a copy of the password some years ago and now sold the list of credentials to someone else, who then tried to use it? Maybe the original owner of the list didn't realize some of the credentials was for LastPass, for example.

I'm still seeing hackers trying to log on using passwords I haven't used in ~10 years, because it's on a list somewhere.

I agree, that could make sense.

So LastPass (their extension) may have been hacked ~5 years ago ish, a few people here on the thread were all hacked in the same way, our passwords were sold off, and now the same Brazil IP range just tried all of those passwords.

Perhaps you can ask the other victims when did they register their accounts to see if that's true?

I've been trying to ask this to people posting reports, and although there are many "older" accounts (like mine, circa 2017 or older), at least 2 reports are from accounts created this year:



That would make "more sense" that our credentials weren't stored and unused for years, i.e. that this is possibly a new, recent breach.

This seems likely.

I feel like this sounds more like a zero-day exploit being used to target the LastPass login servers.

Great post, seriously.

How many extensions are you using again? :-)

Hmm. Tabist, Twitch Now, EditThisCookie, TooManyTabs, ublock, adblock, tampermonkey, disable Reddit CSS, FreshStart, Notion, Netflix auto-skip, gist from website, Auto Kill Sticky... and a couple I don't recognize. I'll post a full list when I'm back at a laptop.

"Too many" :)

The only ones I have that match up there are EditThisCookie and ublock (origin)

EditThisCookie was last updated November 22, 2020, so it doesn't seem likely from that.

ublock origin was updated December 2, 2021, but they haven't changed devs or anything that would make me suspicious.

That's not a phishing site. That's standard zero-click /smartlink monetization. It's a lot to explain and I'm on mobile but it isn't anything to do with phishing.

But, it certainly wasn't from Spectrum (my ISP), but they designed the page to make it look like it was.

I agree that it could be totally unrelated to the root mystery though. But "everyone here fell for malware or got phished" seems like the most likely explanation, even if my answer happens to be otherwise incorrect.

the site is an advertising redirect and these same attackers (or at least users of the same IP ranges) use leaked credentials to login to Microsoft/Outlook accounts using SMTP

I just tried logging into my LastPass (not used for a while) and I entered the password wrongly (I capitalised one letter) and got an email "Someone just used your master password to try to log in to your account from a device or location we didn't recognize."

Maybe it says someone used your master password even if they didn't? It gave the IP as Islington which is kind of correct.

I think that password case is a separate issue. If I remember correctly, many online services do "secretly" accept mixed cases for the same password (because users make more mistakes than they realize and it would be "annoying" to be too strict)

If you didn't receive a "Someone just used" email (with an IP that's completely geographically off from where you are) that's a good sign, of course.

I tried pushing back on just such a request once, pointing out it made one of the password "security" requirements pointless (use mixed case letters).

"But famous company X does this, it is really convenient for users!" was all the response I got. All I could do at the time was (internally) shake my head.

Oh! If the messaging is the same regardless of whether the right password is used then that changes everything!

When a wrong password is used, no email is sent out from my multiple experiments today.

I'm happy to be proven wrong, but I think that what's happening with @tim333 is that master passwords may be all lower cased (for example) before being hashed. Or maybe the password is hashed twice with the first letter upper and lower cased.

Here's what I found from a quick google re: password case:



"This is simply Facebook trying to provide a better user experience for those users who may have Caps Lock enabled, or whose devices automatically capitalize the first letter of the password."
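The behaviour the quoted answer describes does not require lowercasing before hashing or storing two hashes; the usual way to implement it is to store one hash of the exact password and, at login, try a small fixed set of "accident" variants of what was typed. The following is an added example for this thread, not Facebook's or LastPass's code, with an illustrative iteration count. It accepts the password as typed, the Caps Lock form (every letter inverted) and the form with only the first letter's case flipped (phone keyboards auto-capitalising), and nothing else, so an attacker gains at most a factor of three per online guess rather than the full case-insensitivity loss.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # illustrative assumption, kept low so the example runs quickly


def enroll(password: str) -> dict:
    """Store one salted hash of the password exactly as chosen; no case folding."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS),
    }


def forgiving_variants(typed: str):
    """The typed password plus two 'accidental' forms: Caps Lock on (case inverted)
    and first letter flipped (phone auto-capitalisation). Duplicates are removed."""
    candidates = (
        typed,
        typed.swapcase(),
        (typed[:1].swapcase() + typed[1:]) if typed else typed,
    )
    seen = set()
    for candidate in candidates:
        if candidate not in seen:
            seen.add(candidate)
            yield candidate


def verify(record: dict, typed: str) -> bool:
    """Accept if any of the at most three variants hashes to the stored value."""
    for candidate in forgiving_variants(typed):
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
        if hmac.compare_digest(digest, record["hash"]):
            return True
    return False
```

The cost is bounded and visible: each login attempt does up to three KDF evaluations, and an attacker's online guess covers three strings instead of one. Full case-insensitivity (folding before hashing) would instead collapse every mixed-case permutation into one guess, which is the objection raised in the thread.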

I don't think that's the case. I went back and looked at the auth logs and there are many "failed logins" and one "Login verification email sent", which is the only one I got an email for.
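The case-tolerant check quoted from Facebook a few comments up, as an added illustration (not Facebook's or LastPass's code) of how a service can accept the Caps Lock and auto-capitalised variants without ever storing a lowercased hash, and what that tolerance costs in guessing resistance. PBKDF2 stands in for whatever KDF the real services use; the iteration count and the sample password are constructed.

```python
"""Added illustration of a case-tolerant password check and its cost; not vendor code."""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed KDF cost for the demo, not any vendor's real setting


def kdf(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password exactly as typed; nothing is case-folded."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str) -> tuple[bytes, bytes]:
    """Store (salt, digest) for the password as the user set it."""
    salt = os.urandom(16)
    return salt, kdf(password, salt)


def tolerated_variants(typed: str) -> list[str]:
    """The two corrections the quoted Facebook statement describes: Caps Lock on
    (every letter's case inverted) and an auto-capitalised first letter."""
    variants = [typed, typed.swapcase()]
    if typed:
        variants.append(typed[0].swapcase() + typed[1:])
    return list(dict.fromkeys(variants))  # dedupe while keeping order


def verify_strict(salt: bytes, digest: bytes, typed: str) -> bool:
    """Plain check: only the exact string the user enrolled matches."""
    return hmac.compare_digest(digest, kdf(typed, salt))


def verify_tolerant(salt: bytes, digest: bytes, typed: str) -> bool:
    """Hash the typed string and each tolerated variant; accept if any one matches.
    This is the 'hashed more than once' shape: the stored hash is unchanged, the
    server simply spends up to three KDF calls per login."""
    return any(verify_strict(salt, digest, v) for v in tolerated_variants(typed))


def accepted_inputs(password: str) -> set[str]:
    """Every distinct typed string the tolerant check accepts for this password.
    Both corrections are involutions, so the set is at most three strings: an
    attacker's effective guess space shrinks by that small factor, not to 'all
    lowercase' as it would if the password were lowercased before hashing."""
    return set(tolerated_variants(password))


if __name__ == "__main__":
    salt, digest = enroll("Tr0ub4dor&3")  # constructed sample password
    print(verify_strict(salt, digest, "tR0UB4DOR&3"))    # False: Caps Lock variant
    print(verify_tolerant(salt, digest, "tR0UB4DOR&3"))  # True
    print(sorted(accepted_inputs("Tr0ub4dor&3")))
```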

I am having the same issue!!! One of my important passwords was leaked and in free use by a bunch of people who were all accessing my evernote account (thankfully it had nothing important in it). I've been on a spree to change my passwords since then.

I have been wondering - is this because of the following lastpass bug?


Just happened to me one hour ago and got scared shitless.

  Time Monday, December 27, 2021 at 3:50 PM EST
  IP address
Actions taken, in this order:

  - Head to *Advanced Options* -> *View account history* to see if anything suspicious is going on (nothing so far)
  - Disable Lastpass MFA and use Google Authenticator (Authy)
  - *Account Settings* -> click on *Show Advanced Settings* -> *Destroy Sessions* (to see if anyone is actively logged in)
  - *Account Settings* -> click on *Show Advanced Settings* -> *Country Restriction* to my country only (luckily not in the US as the bot was)
  - Change Master Password
Also moments earlier:

  - Investigating all Mac processes
  - Disabled all Chrome extensions and deleted most (should have made a list)

Let's hope it's not as bad as it seems.

Edit#1 | Following IP addresses are reported in the thread so far:

One other thing to note is that by default lastpass allows reverting to your previous password for 30(?) days. The option is in account settings -> advanced -> "Allow master password changes to be reverted".

To be safe you would probably want to disable that then change your password again. Just don't lose your new password as you then can't revert.

See https://support.logmeininc.com/lastpass/help/recover-your-lo...

I last changed my master password in 2019, and it gave me the option to revert to previous password. So it's not just a 30 day thing.

That is concerning and directly contradicts the docs:

"You can revert to your previous master password only if the change had taken place within the last 30 days."

I guess it is possible it is another UX issue and would fail if you tried, but that still isn't very reassuring.

You received a "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email?

And your master password was secure/not used anywhere else, etc.?

Did we all (that's 8 of us now in the thread) get compromised a few years ago (using the LastPass extension?) and someone just mass attempted to try all of those passwords..?

Edit: since you're tracking IPs found in this thread (thanks!) my attacker's was . You also have 1 ip duplicated ( which was from the same user both times. You can also add which was just posted

"Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look."

Could be... I haven't rotated my password in a while. Could you link me to more info about the LastPass compromise that you mentioned?

p.s. My master password is definitely not dictionary material, and it's not used anywhere else, so I am 100% sure it's not a bruteforce / phishing attempt.

That's so extremely bad and really cannot be a coincidence at this point. We were all owned in the same way years ago...?

The compromise was mentioned here: https://news.ycombinator.com/item?id=29707325

So they had waited all these years before acting on those passwords? Seems like there should be some other explanation.

All of this IP space is cybercrime-related.

Most of it was initially obtained via fraud/corruption from AFRINIC and being currently announced by AS202425 (Ecatel, notorious crime host). Whoever is using it is up to no good.

The rest is owned and announced by ColoCrossing which could be considered a legit ISP by some metrics, but also has an extensive history of hosting lots of shady stuff.

- Disable Lastpass MFA and use Google Authenticator (Authy)

could you please explain this point? Isn't LastPass Authenticator equivalent to Google Authenticator, Authy or any other TOTP app? Or is there something that makes it less secure than other apps? Perhaps because it has cloud backups?

Honestly after the scare it just seemed stupid that I chose LastPass' own MFA for my LastPass account. Also if they really did get exploited, no idea what it means for their MFA solution.

When you do authy (or google auth) it will generate a new set of keys for you and shut down any old ones associated with the lastpass stuff thus making the old keys useless. Also obviously he should change his master password to a new one.

> When you do authy (or google auth) it will generate a new set of keys for you and shut down any old ones

wouldn't it be the same if you were going the other way around? E.g. switching from Authy to Lastpass Authenticator

Lastpass MFA is not at all like Google Authenticator. The codes in Lastpass Authenticator are optional and can be bypassed. It's not secure at all.

> are optional and can be bypassed.

How so? Are you saying that if I sign up for example to Dropbox and use Lastpass Authenticator for the 2FA, there is a way for me to log into Dropbox without retrieving the code from LastPass Authenticator? How would that work?

This is my worst nightmare and I wonder what the order of operations is in terms of downloading and unlocking a vault. This sounds like you need the master password to download and unlock the vault, so that's a tiny bit of extra protection I guess (not much).

I wonder if password managers should be designed around, and encourage the use of, an undocumented PIN that's appended to every stored password. You could use the same PIN for everything and if someone got your vault decrypted there would at least be a chance they didn't get the secondary PIN too.

Can't use the same PIN as a hacker would just add myhackurl.com/login to your vault and see what the PIN came across as. I think you'd also run into issues with password length as a lot of sites still have a restriction. I like the idea though and maybe a different implementation could work.

I mean a PIN that's not stored in the vault or auto-filled. It would be something extra that you add manually after the password manager fills in the password.

So the password manager would put in 'password' and I'd manually type '1234' to make it 'password1234'.

That would not have stopped the vulnerability 'LastPass bug leaks credentials from previous site' (see ZDNet article posted elsewhere) though that's not a common vulnerability in software.

Isn't that what 2FA is for? An additional "PIN" that changes every couple of seconds.

Also, do not store your 2FA reset codes in the same account as your passwords.

Hey, could you please confirm whether you have uBlock origin installed in the following thread? https://news.ycombinator.com/item?id=29719033

It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!

For me it happened a couple weeks earlier:

> Time Tuesday, December 7, 2021 at 11:12 AM EST

> Location Ottawa, KS 66067, UNITED STATES

> IP address

adding for the login attempt on my account

Hey, this _just_ happened to me too....my password would be near impossible to guess and is not used elsewhere...

Just deleted my last pass account!

here's the info that came with the email

Time Monday, December 27, 2021 at 1:41 PM EST Location São Paulo, SP 01323, BRAZIL IP address

Mine was from India, master password definitely unique and very strong. I'm still hoping for some bug that mass alerted every day login attempts instead of actually gaining access.

I'm hoping for an email bug / false positive too.

Also, incorrect login attempts (i.e. using the wrong password) do not send out an email.

If you do attempt to login with the correct master password from a different/new IP, then you'll get the "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email.

Hey, could you please confirm whether you have uBlock origin installed in the following thread? https://news.ycombinator.com/item?id=29719033

It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!

Can you guys list out the browser extensions you are using and/or if you're using LP on mobile?

We need to find a common thread.

WHAT!! Same IP range for me.

How is this possible????

Is the date / time exactly the same? It seems like they might have emailed _everyone_ at this point. Maybe it's just a bug.

I have a LastPass account (also not used for some time) and have not received this email.

not sure, but this seems pretty bad! fwiw, i haven't used lastpass in at least a year. i've been using 1password.

How old approximately was your account? I used my master password the last time in 2017... were our master passwords compromised back then... and someone held on to them for that long? That seems improbable?

just checked my email. last pass account was created in 2015, not sure if the current leaked password has been in use that whole time, but it has definitely been quite a few years. moved over to 1password in march of this year and likely have not used last pass at all since.

That's really so strange.

What is the probability that you, techknight (the other user in this thread) and me used the exact same compromised software back in ~2017 and had our master passwords stolen then? And for that person/bot (in Brazil) to try all of those master passwords now?

It's beginning to look like this is a LastPass issue, no..?

LastPass was my first thought, but I couldn't find anyone else having the same issue and decided it couldn't possibly be them. Now I'm not sure!

I've emailed you a list of the extensions I use in Chrome - if you want to share publicly any that we have in common I'm okay with that

Hey, thanks -- just replied to your email.

Since I haven't used this LastPass master password since 2017, I'd have to remember which extensions I had back then, which is hard to do...

I may have had 1Password and Adblock Plus which you had/have too.

But it's hard to say. It's a possible vector (that you, dogman123 and I had the same compromised extensions) but also... why would the hackers have sat on our master passwords for nearly 4 years (in my case)?

One other breadcrumb: https://news.ycombinator.com/item?id=29706957

It's looking like you got phished a long time ago, or installed malware which targeted the lastpass extension.

Did all of you use the same OS four years ago? (Windows perhaps?) Some malware targets Chrome/Firefox files on disk. A malicious extension probably wouldn't be able to affect your LastPass extension, but a malicious malware app could easily modify it.

Yeah, all of us being phished years ago is a possibility (I just replied to your other comment)

I used macOS/Chrome back in 2017. I definitely could have been phished then, or used a compromised extension.

How'd they get past the 2FA, though?

Or does LP shoot an email if it detects a suspicious geo-IP login before the 2FA prompt?

LP shoots an email as soon as someone attempts to login with the correct password from a new IP.

Once the IP is approved (you have to follow a link from the email), then you login again with the correct password and then get the 2FA prompt.

it certainly does look like a lastpass issue....

What prompted the move to 1password? Curious as I am deciding myself which service to use.

Not OP commenter but I personally would recommend using pass (https://passwordstore.org), I'm a little paranoid about all this fuzz, plus did you see the news in HN a few months ago about a password manager web browser extension having an exploitable vulnerability? Not sure if it was lastpass but I'll try to search for it...

Edit: I found an old post from about 5 years ago on a vulnerability in LastPass's extension [0]

[0] https://news.ycombinator.com/item?id=12171547

I was so pissed at LastPass when the Firefox extension stopped working when Firefox Quantum was released, they didn't have an ETA for fixing it, their support is completely crap. I gave up on LastPass with 9 months left on my subscription and moved to 1Password. Also, LastPass UX is still awful to this day (I have to use it for work). Migrating from LastPass to 1Password was like migrating from Linux to Mac. It's more expensive, but it's sooooo much better and polished.

What browser extensions do you have installed?

I don't remember which extensions I had in 2017, unfortunately...

got one at 1528EST from 23[.]236[.]213[.]5 - OSINT shows it part of BLAZING_SEO_PROXY

pw was only ever used here and stored offline

That's a different IP range, but the fact that it's all happening at once (i.e. these unique, never used elsewhere LastPass master passwords being used to login) is rather strange..?

Or I am drawing a random line through a cloud of dots..? :-)

What other IPs are part of BLAZING_SEO_PROXY?

Hey, could you please confirm whether you have uBlock origin installed in the following thread? https://news.ycombinator.com/item?id=29719033

It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!

That IP is not from Brazil. It reverse-resolves to keznews.com (Looks like it's registered in Prague)

If you try hitting it, it will redirect you to some website which might or might not be the same to every person

Hey, could you please confirm whether you have uBlock origin installed in the following thread? https://news.ycombinator.com/item?id=29719033

It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!

I feel this is like a Reddit detective moment. Almost everyone here is going to have uBlock Origin installed.

Yeah I agree. And a few users who were compromised confirmed not having uBlock. So yeah. False trail.

Are we sure that same email isn't sent out if someone tries to log into your account with the wrong password?

No email is sent when an attempt was made to login with the wrong password.

Logging in with the wrong password is logged in the Account History as "Failed Login Attempt"

Logging in with the correct password (or hash? TBD) from a new IP triggers the email and that's logged in the Account History as "Login Verification Email Sent"

Just checking the absolutely obvious, because I had a similar thing ... and then it turned out I had my VPN on. Thought I'd double check, in case someone was as silly as I am.

Thanks -- the original login attempt wasn't mine, so yeah. Not in this case.

That's too bad because that would have been a nice way to end this. Much good luck figuring this out, until further notice I would assume that anything that was in there is compromised so you better change your passwords.

Yes. Tor or a VPN was my first thought as well.

This has nothing to do with OP's problem but I figured this may be a good place to post about my bad experience with LastPass back in 2019:

When I moved to Bitwarden, I deleted my account on LastPass. I received a confirmation email regarding my account which states [0]:

> Your LastPass account has been permanently deleted and all of your data has been purged from our systems.

A few months later I received an email stating that my premium subscription was expiring [1]. Clearly my account was not actually permanently deleted from their systems. Considering LastPass is a service used for storing passwords, I think this is unacceptable. How am I sure that they also still don't have my passwords that I had saved in their account?

I reached out to them via Twitter when this happened (because that is apparently how you get support in this day and age) and only then was I told that my account was actually deleted. I still have no way of verifying if this is in fact true or not.

[0]: https://i.imgur.com/P5yEqEl.png [1]: https://i.imgur.com/WyEueF6.png

You can never know for certain if your passwords are still stored somewhere or not, but I wouldn't worry about a billing email arriving after your account was deleted.

Many companies will retain billing/transactional data even if you delete your account. They might do this for regulatory compliance (e.g. in Austria I need to store invoices for 7 years in case the Finanzamt wants to do an audit) or they might just do it as a protection against fraud or credit card chargebacks.

I would assume that "deleting an account" just means "delete your data" (ie. passwords and most personal data) and does not mean "delete all information related to me as if I had never done business with you".

It's very possible the billing system is separate from everything else.

It's most likely generated via Stripe (or some equivalent). And even though the account and associated information has been deleted from the Lastpass servers, they didn't delete it from all their vendors, forgetting that those vendors might send the end-user an email. A classic PM move, de-prioritizing any feature related to a churned user...

This article claims LastPass has responded to their request for comment: https://www.howtogeek.com/776450/lastpass-says-it-didnt-leak...

"LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It's important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure."

Finally, if it is indeed not LastPass's fault and, as they say, they don't store master passwords on their server, then there must be some software all these victims have in common. And it has to be fairly common for us to get at least 20 reports in an HN thread.

Side Note: Interesting that all it took was AppleInsider publishing and getting some sort of traction, and LastPass had a response within two hours.

Edit: This still doesn't make sense though. Unless @gregsadetsky had his computer access fully hacked, I don't see how his master password could have been stolen. Many similar reports were from dead accounts people had a long time ago that weren't actively being used.

Yeah, what doesn't make sense is that the emails we all received say:

"Someone just used your master password to try to log in to your account from a device or location we didn't recognize"

so either:

- the email was sent incorrectly i.e. our master passwords were /not/ used to login. In that case, why was the email sent?

- the email is correct i.e. someone does indeed have access to our master password (it was confirmed to me by one of the support agents -- that email is supposed to be sent out when the password is correct but used from a new IP) -- in that case, how is it possible that >20 people here were compromised?

In addition:

- many people here report never using their master password anywhere else

- and... not all accounts were old i.e. from 2017. A few accounts were from October/November 2021:



An extra consideration is that LastPass claim to be monitoring their systems constantly, specifically call out automated attempts ("fairly common bot-related activity"), so we can assume that monitoring includes "attempts to login with wrong passwords" or "attempts to login to accounts that do not exist". That information would be a good way to identify a credential-stuffing attack with confidence, i.e: they might be seeing millions of login attempts to accounts that don't exist + accounts that do with the wrong password...

If that is the case, then the email must be sent in error... which is definitely plausible, i.e: they have a logic mistake somewhere in their system which is incorrectly identifying some unsuccessful attempts as successful (which is triggering an event which triggers the email, the audit log entry etc).

Hopefully they make a better statement soon, because this is very terrible communication from a password management company.

That's possible, but the audit log shows the event that triggered the email and failed logins as two separate things.

The events are "failed login" and "Login verification email sent". The second one is what triggered the email and this event seems like it should only happen if you correctly login but their additional checks stop it from authenticating completely. The email has a button for "verify new device or location", which sure makes it seem like the login was successful.

I hope they just mangled up their event logger and it really should have been a failed login attempt but was logged as a valid login and triggered the email.
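The login sequence this subthread reconstructs (password check, then the new-location check that sends the email and logs "Login Verification Email Sent", then the 2FA prompt after the location is approved), plus the kind of per-source-IP monitoring a provider could use to recognise the credential stuffing LastPass's statement describes, as an added illustration that is not LastPass's code. It assumes PBKDF2 as a stand-in KDF, a constructed "Unknown Account" event, and constructed accounts and IPs.

```python
"""Constructed model of the login sequence this thread reconstructs; not LastPass code."""
import hashlib
import hmac
import os
from collections import defaultdict
from dataclasses import dataclass, field

ITERATIONS = 50_000  # constructed KDF cost, not LastPass's real setting

# The first two event names are quoted from the thread's account-history reports;
# the third is constructed for this example.
EVT_FAILED = "Failed Login Attempt"
EVT_VERIFY = "Login Verification Email Sent"
EVT_NO_ACCOUNT = "Unknown Account"


def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    known_ips: set = field(default_factory=set)
    mfa_enabled: bool = False


@dataclass
class Attempt:
    email: str
    ip: str
    result: str  # "no_account" | "failed" | "blocked_new_location" | "mfa_prompt" | "success"
    email_sent: bool = False


def make_account(password: str, known_ips, mfa_enabled: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(salt, kdf(password, salt), set(known_ips), mfa_enabled)


def attempt_login(accounts: dict, email: str, password: str, ip: str, audit_log: list) -> Attempt:
    """Order matters: the password is verified before the location check, so a wrong
    password can never reach the branch that sends the "Someone just used your master
    password" email. Swapping these two checks is the kind of logic mistake the thread
    speculates about: it would email (and log a verification event) on wrong passwords
    from unknown IPs."""
    acct = accounts.get(email)
    if acct is None:
        audit_log.append((email, ip, EVT_NO_ACCOUNT))
        return Attempt(email, ip, "no_account")
    if not hmac.compare_digest(acct.digest, kdf(password, acct.salt)):
        audit_log.append((email, ip, EVT_FAILED))
        return Attempt(email, ip, "failed")
    if ip not in acct.known_ips:
        audit_log.append((email, ip, EVT_VERIFY))
        return Attempt(email, ip, "blocked_new_location", email_sent=True)
    if acct.mfa_enabled:
        return Attempt(email, ip, "mfa_prompt")
    return Attempt(email, ip, "success")


def approve_location(acct: Account, ip: str) -> None:
    """Following the link in the verification email trusts the IP; the user then logs in
    again and, with MFA enabled, only now sees the 2FA prompt."""
    acct.known_ips.add(ip)


def stuffing_suspects(audit_log: list, min_accounts: int = 3) -> dict:
    """Per-source-IP summary of the kind a provider's monitoring could use: one IP hitting
    many distinct accounts, mostly with wrong passwords or nonexistent accounts, looks
    like credential stuffing with lists from other breaches rather than a targeted login."""
    per_ip = defaultdict(lambda: {"accounts": set(), "failed": 0, "unknown": 0, "verify": 0})
    for email, ip, event in audit_log:
        stats = per_ip[ip]
        stats["accounts"].add(email)
        if event == EVT_FAILED:
            stats["failed"] += 1
        elif event == EVT_NO_ACCOUNT:
            stats["unknown"] += 1
        elif event == EVT_VERIFY:
            stats["verify"] += 1
    return {
        ip: s for ip, s in per_ip.items()
        if len(s["accounts"]) >= min_accounts and s["failed"] + s["unknown"] >= s["verify"]
    }


if __name__ == "__main__":
    # Constructed scenario: two real accounts, one source IP trying several addresses.
    accounts = {
        "alice@example.com": make_account("correct horse", ["203.0.113.10"], mfa_enabled=True),
        "bob@example.com": make_account("battery staple", ["203.0.113.20"]),
    }
    log = []
    for email, pw in [("alice@example.com", "wrong"), ("bob@example.com", "battery staple"),
                      ("carol@example.com", "x"), ("dave@example.com", "x")]:
        print(attempt_login(accounts, email, pw, "198.51.100.7", log))
    print(stuffing_suspects(log))
```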

There have been several major breaches of security in recent months, such as the log4j vulnerability, that could have allowed malware to end up being spread to quite a few people. If your computer has been compromised, KeePass files are among the list of items malware will attempt to send back. There are also secondary attacks which might have resulted in capturing their master passwords without needing to steal a KeePass or similar file (such as key loggers). Given the scope of recent breaches it seems likely to me that there should be a sudden cluster of users whose passwords were individually compromised.

It does make sense if you consider that there can be more than 1 vulnerability and that some attacker targeting LastPass may use recent password from a fresh vulnerability mixed with older passwords from some previous breach.

I'm not actually following what does not make sense.

What's confusing to me is that my password was never used elsewhere (it was generated only to be used with LastPass and stored in KeePass). Other reports here say that their passwords were unique as well.

I just have a doubt right now about the possibility that this attack was using passwords from past breaches (which is what LastPass is saying)

There are several recent vulnerabilities which could have resulted in your computer being infected with malware without you knowing (like the log4j vulnerability). Because you're storing your passwords in a KeePass vault, this actually increases the platform size for attack. This could have taken the form of several fairly simple attacks, such as key logging, clipboard (copy & paste) sniffing and quite a few other methods of stealing your master password, purely because you've stored it somewhere other than your brain. Given the number of reported events in recent days, this looks more like individual compromise events (malware/viruses locally on each affected user's computer) than a single large breach.

It's also entirely possible this is all due to an entirely new vulnerability which hackers have uncovered which the security community has not recognized yet. This is less likely, but whether it is the case or not doesn't change the fact this looks like a higher than average incident rate for individual compromises, rather than a larger single event.

But when they are talking about breaches they aren't just referring to other web sites being hacked. In theory, your computer may have been compromised some time during the last years.

It was just weeks ago some very popular package on NPM was found to collect credentials.

Again, not saying that's what happened but theoretically your computer was breached with some malware which collected credentials. I just meant it "makes sense" from a technical point of view. The likelihood of this being the issue I am more unsure about.

Understood, and that makes sense.

> Unless @gregsadetsky had his computer access fully hacked.

He stored the LastPass password in KeePass, right? KeePass has had vulnerabilities allowing JavaScript on any web page to read secrets from the KeePass storage.

I'm not saying that's what happened, but I don't think it's safe to say that "had his computer access fully hacked.".

There's also plenty of NPM packages and similar which have had vulnerabilities which could have extracted passwords from whatever storage is used. Then it doesn't matter if the account was dead or not.

Also, it's not safe to say that "there must be a software all these victims have in common". An attacker can specialize in LastPass and may have purchased several credential lists right? Maybe some credentials were extracted via some vulnerable NPM library, maybe some via KeePass vuln, maybe some from password stuffing.

We're just speculating here, but I think what you're saying is a bit too definitive based on what we know so far. To me, LastPass seems a bit like a mess so I would not be surprised if they are to blame though.

Yes and agree, pure speculation / inferring guesses. Based on the assumption the attacker would choose the easiest path. Although I did think of a KeePass leak, most of the other incidents don't use KeePass though.

I just wish HN had a "show newest comment first" option, it is a bit hard to follow at the moment.

>LastPass seems a bit like a mess so I would not be surprised if they are to blame though.

Reading that. There is another possibility... no one was hacked..... it was just an attacker trying to log in using the wrong password and the email LastPass generated completely messed up.

I wonder how high the chance is of the master password itself having been reused, and of one of _those_ password sets getting compromised. Although I'd expect most people using a password manager would not be likely to reuse a master password.

On the other hand, my paranoia is now kicking in and I am on my way to change my (non-LastPass) master password, just in case past-me was very stupid a few years ago and then forgot about it...

So, in other words, they have no idea about what's going on. I'm not sure whether that's good or bad.

My master password was specifically for LastPass and it's a quite complex non-English language non-dictionary variant. There is no way that it's due to another breach or that it's a dictionary attack.

Please stop using this service. Use reliable, open source and auditable services. https://www.privacyguides.org/software/passwords/

There are 57 different categories on that page, direct link to the relevant content: https://github.com/pluja/awesome-privacy#password-managers

This list is also more narrow, not wider: awesome-privacy recommends Bitwarden, Keepass, and Padloc, while privacyguides recommends Bitwarden, Keepass, Psono, Password Safe, and Pass.

By "wider", I meant more categories, and not more items for this particular category.

This page does not provide any information why the recommended solutions (Bitwarden, KeePassXC) are more secure than the products it warns against (1Password, LastPass, Roboform, and iCloud Keychain).

Because Bitwarden and KeePassX are open-source and auditable?

Audited is better than auditable

Audited AND auditable is better (Bitwarden: https://bitwarden.com/help/article/is-bitwarden-audited/#thi...)

This. I cringe every time I see a coworker log into some site using LastPass, 1Password, or really any other cloud-hosted password manager.

Since your master password is stored in another password manager, would it be accurate to say you copy/paste it into LastPass? If so, something running on your machine could be scraping your clipboard.

This of course assumes that it wasn't really you from an IP that was just misidentified as being from Brazil.

For what it's worth, I stopped using LastPass after they sold out to LogMeIn and would recommend others stop using it as well.

Of note, LastPass just announced that they are splitting out of LogMeIn and becoming independent again: https://blog.lastpass.com/2021/12/lastpass-investing-even-mo...

Of course, you must reduce the risk to the parent company before the huge disclosure comes out </sarcasm>

Yes, I do copy/paste from my local password manager. A clipboard scraper is a possibility, yes.

I hadn't logged into that LastPass account for years, so it's definitely not me who attempted to login earlier.

Re: LastPass, is there another cloud-based tool that's generally considered as more trustworthy? Bitwarden? Thanks

Personally I just stick to local Keepass database files. I've never ventured into the cloud based services. If you are really worried about it, do you really need to use a cloud based password service?

Sure, managing the KeePass files by hand is certainly more cumbersome, but to me it's worth it for the security/ peace of mind gains. I have never put my DB or key files in the cloud. And when I need to sync them up over all my devices, I gather all the DB files and use the handy 'merge' functionality to get them into the same state.

TIL about the merge functionality! You can also use Syncthing to synchronise the databases between your devices; if you don't have public IPs for your devices, this essentially means that you can only synchronise when two devices are on the same network -- but this might not be a problem for you.

You can also use Syncthing and the merge function! It comes in very handy when two devices have made changes to the password database file and you end up with merge conflicts :D

Syncthing works great even behind a NAT, not sure how it works but it just works for me (might depend on your NAT though)

I've had zero success with nat hole punching in the past, on multiple networks. Maybe I'm just unlucky. :)

Some routers have UPnP disabled by default, maybe enabling that would help?

Same here, I use KeePass on several Windows machines, and on a couple of Android phones (using KeePass2Android). I use a cheap VPS as a central point for syncing - so I can make changes on any machine, then sync them over SFTP, which merges the changes into the database on the VPS. I can then hit sync on any of the other machines, and it will pull down the latest database over SFTP and merge in the changes.

It sounds a bit complicated reading this back, but in reality it's pretty straightforward.

why not just use dropbox? and secure dropbox using 2FA?

FWIW, I used to run nextcloud on an ec2 instance. Decided to just use dropbox instead. the webdav support on nextcloud was neat with keepass

My whole point was I like to be in total control of my password database, and never have to decide whether to trust a third party provider or not.

Not saying Dropbox or lastpass isn't trustworthy. Just that it's a point of failure you can eliminate, if the lack of convenience isn't a huge deal to you.

I might take that back :) currently trending on the front page, a real article about Lastpass master passwords being compromised. https://news.ycombinator.com/item?id=29716715

So yeah, take Lastpass off the list, I don't trust them :)

I have the VPS for others things anyway, and I don't use Dropbox.

I absolutely agree. I love KeePass and use it for everything... this LastPass account was setup to share passwords with others at an org that I worked at.

The problem is... that LastPass password, the one stored in KeePass, is presumably the one that was leaked.

Which is what is spooking me -- if someone has access to my entire KeePass file, it's game over.

Wow, you were ahead of the curve here @gregsadetsky! Looks like real news articles are coming out about this now! https://news.ycombinator.com/item?id=29716715

I feel like the proverbial canary in the mine. Well, a dead canary...

So...when you say "...was setup to share passwords with others..." is there a chance that this also means the master password was shared with one or more others?

Sorry, no, that was a confusing way of phrasing it.

The LastPass account that was almost-breached today uses the "password sharing" functionality to share passwords (to certain sites) with other people in the same org.

I was just explaining that the only reason why I have a LastPass account was to share passwords. (not the master password, obviously -- I was sharing passwords to other sites)

I typically use KeePass for all of my (site) passwords and keepass stores all of this in a local encrypted file.

Yeah, hard to say. I don't think it means it's 'game over' though. I think it just means you might need to go through the tedious process of walking through your whole DB file and update every password. And generate a new key file. Then and only then will you have peace of mind I think. Good luck!

Just configure keepass to sync with a file stored online when opening or saving the database and you have the same convenience. Syncing the main database file itself fails if different systems change the file without reloading in-between, but with sync configured it works perfectly.

Bitwarden is great, highly recommend, it's open-source which adds to its trustworthiness and has a good track record of respecting users.

+1, you can host your own server as well https://github.com/dani-garcia/vaultwarden

There's an official self-host open source version as well ( the one you linked is unofficial), but it's rather heavy ( multiple .NET services, MS SQL) and not adapted for small scales.

yes, we don't talk about that one

Is the unofficial one Security Audited?

Unofficial server so you probably should avoid the web application (or build it yourself from official sources). In theory it could contain malicious code that leaks your password.

I'm in this party too. bitwarden for yourself, friends and family...

I use 1Password, seems alright security wise, won't definitely say one way or the other, but you could DYOR on it.

1Password has a cloud-based option these days, for better or worse.

And soon they'll _only_ have a cloud-based option with no option for local-only vaults.


Gotta get those sweet SaaS dollars and never mind the original goals or the user.

Bitwarden is fantastic

Why do you recommend others to stop using LastPass?

I just switched last night for unrelated reasons

1. BW supports inline Android 11 password fill. I find the UX much better with this feature

2. LP is a bit buggy, particularly on Android

3. LP is slow to add new features

4. I didn't expect this, but I really enjoyed BW's UI

5. On Android, I enjoy the three quick launch buttons they provide

6. LP creates new logins in folders of its choosing by default. Not a fan

But in general, BW it just "works" better/faster for me

LastPass has suffered a few security breaches and the overall quality of the product hasn't improved. 1Password is a superior product with no security breaches.

From my interaction with LastPass support (I'm a premium user), they've outsourced to some cheap company where agents have no clue how anything works. It took weeks to get through to somebody who even understands the problem and their reply was essentially "yeah we know it's broken, it's broken because of security".

Left a really bad taste in my mouth. I wouldn't be using them at all if I didn't have to for a client.

I remember reading a blog entry, a few years ago.

Someone received a phishing email from "their bank."

They responded to the email, and got someone on the horn, immediately.

But their bank (the real one), sent them to a horrifying voice jail.

The point was that the crooks gave better customer service than the real bank.

Barclays recently tried sending me a new credit card because they were changing to Mastercard or something.

I got an email one day that my new Barclaycard was activated. Called support, and they swore to me it was a phishing email (it was definitely from Barclay's official domain). Would not listen to me at all and kept trying to get me to hang up. I asked if I could tell them the email MessageID and they could verify the authenticity. They said no.

About 10 minutes into trying to convince them it was not a phishing email, I refresh my dashboard and there was a $600 purchase at a Long Island Walmart. That shut them up really quickly and they transferred me to their fraud department who asked me for the MessageID at the bottom of the activation email and confirmed it was real...

I asked if I could set up any additional security, and how could they activate a new credit card? Did they have my online password? Apparently no, you can just call on the phone and activate it, no authentication required. They told me I could set up a "voice password" for my account for all phone support and I did just that.

I called them back 30 minutes later, got through to support to where I could change anything about my account. Asked them if my "Voice Password" was enabled. "Yes it is." "....Okay, no one has asked me for my voice password yet, and here you are about to change my address". They still didn't really understand the seriousness, so I told them "I'm not <my name> I'm a hacker trying to steal his money." and they understood.

The worst part? I couldn't cancel that credit card until they physically sent me one to activate. No way to visit a branch and get one. It ended up getting stolen out of the mail THREE TIMES before they finally sent it with a signature required.

It makes sense economically. Crooks will steal ~100% of your bank balance in one day. Bank itself earns 1-2% per year.

Yup. The blogger was just being cranky about their bank.

+1 -- happened to my account today as well. Haven't logged into or used this account in years. Password is unique and has never been used elsewhere.

Deleted my account.

Email Text:

Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look.

Was this you?

Account ...@gmail.com Time Monday, December 27, 2021 at 11:53 AM EST Location São Paulo, SP 01323, BRAZIL IP address

Yikes, seriously... We're at 13? independent reports.

Would you mind sharing how old was this account? Was it from 2017, or before?

Trying to find some common thread between all of us i.e. which exploit it might have been.

Same thing for me. I last changed my master password on Oct 4 2021. password never used elsewhere and stored only in my head, which makes me suspect a bad chrome extension.

Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look.

Was this you?

Account xxx@xxx.com Time Monday, December 27, 2021 at 12:06 PM EST Location Berlin, BE 12529, GERMANY IP address

It's unlikely to be due to a browser extension. A browser extension that can steal your master password can steal all the other passwords as well, it doesn't need LastPass for that. More importantly, an extension can only steal your master password when it is used – yet several people reported not having used LastPass for a year or more. It's still not impossible that an extension has been stealing master passwords for years only for them to be used now, it's merely unlikely.

Judging by the reports here, the source of the leak appears to be LastPass after all. Given that most people write about old accounts, my original suspicion was https://palant.info/2018/07/09/is-your-lastpass-data-really-... – from all I know, LastPass never investigated whether that websiteBackgroundScript.php issue was already being abused. It was obvious enough that someone might have discovered it independently of me.

If on the other hand you changed your master password recently (and someone had a login attempt on a brand new account) then this theory is moot. While I am aware of a number of LastPass design flaws (see https://security.stackexchange.com/questions/45170/how-safe-...), none of them could be the culprit here. It must be something new then. The weird thing: LastPass must have stored unencrypted passwords somewhere, because reversing 100,000 rounds of PBKDF2 wouldn't have allowed such large-scale attacks.

>Given that most people write about old accounts, my original suspicion

No - there are now reports of the same thing happening with recent changes to the password


Yes, I've already seen this. I've written https://palant.info/2021/12/29/how-did-lastpass-master-passw... discussing the possibilities here. So far the most likely suspicion is that LastPass infrastructure is compromised and a pass-the-hash attack is going on.

So they are using your "newer" password from Oct 2021? Because all the previous incidents seem to relate to very old password usage dating back to 2017.

If so then it is big, very big. Could it be Log4j?

Edit: 12 hours later still no update or response from LastPass.

At least another reported incident in this thread is from someone who registered their account in November of this year...!


(I ask them to confirm whether they mean November 2021 and further down in the thread, they confirm that)

And yes, if it's a recent attack -- that's very troubling. (and would be more probable than an attacker sitting on passwords for 4 years)

Maybe you could share the list of extensions you use, unless you consider it too private?

I haven't gotten any email like this myself, and in my organization with 20 LP users no one else has either, it seems. I am using uBlock Origin and LastPass only.

Meta: Do not use LastPass for the whole password. My method http://lukasz-madon.github.io/Password-management/

+1 for healthy paranoia.

I am surprised that LastPass have not yet addressed this. Even if it isn't a widespread incident, the fact that this is being reported by multiple people seems worrying enough for a password manager to respond promptly.

I agree. I contacted the support agent I talked to again with a link to this thread and all of the similar IP addresses that tried to login, presumably with the knowledge of our master passwords.

I also sent off a random email to the Verge, and tried tagging LastPass on Twitter.

Does anyone have tech media connections who could try to squeeze a word out of LastPass?

Looks like it's not getting any media attention. But there are now more than a dozen incidents, which is quite worrying.

Some Twitter "expert" insists most of these incidents here were phished. But I read that many of them haven't even touched the password for years. And the report of a new account being compromised suggests this isn't something done by a phishing attempt. Not to mention most people here tend to be at a higher level of security and tech knowledge.

Edit: Well, AppleInsider [1] picked up the story; the only bad thing is this exposes Hacker News the site to a much wider mainstream audience.

It is also interesting to see how news spread out online in real time.

[1] https://appleinsider.com/articles/21/12/28/lastpass-master-p...

Thanks for the link re Apple Insider! Glad it's gaining some traction. Would really hope to learn more / have an investigation into this and some (non deflecting) answers from LastPass.

krebsonsecurity might want to take a look? Sounds right up their alley.

Good idea, I'll contact them.

May be a dumb question, but how much are we trusting Lastpass that whoever tried these logins actually used the correct master password? The posted statements sound a bit ambiguous, maybe they're mistaken? Does it show as a login attempt if somebody uses your correct account email address and the wrong password?

Of course if Lastpass is sending ambiguous or mistaken communication about whether someone else has your master password, that's a really bad sign for them as a company too.

On the "bright" side, if somebody had your KeePassX file and master password to that, I would think they'd be doing things a lot worse than trying to log into your LastPass account from Brazil. If they had that data and were serious about LastPass for some reason, they'd probably at least break into your email too and try and intercept those warning emails. Keep an eye on email, banking, credit card, hosting systems, any other higher-value accounts that might have credentials in that file for any signs of suspicious activity. If there's none, then a successful exfiltration of that data seems unlikely.

Unfortunately, the email sent from LastPass specifically says "Someone just used your master password to try to log in to your account from a device or location we didn't recognize"

LastPass support did confirm that the IP from Brazil did have the master password.

I also tried to login with a wrong password and that shows up as "Failed Login Attempt". This is different -- the person on the other side did have the master password.

Re: KeePassX, I agree. It's a catastrophic scenario if true, but it does seem improbable.

I thought that LastPass didn't send your master password over the wire, rather it uses client-side code to take your Master Password and turn it into a hash which is then sent to LastPass for comparison[1]. If that is the case, how can LastPass claim to know that your master password was used? At best, they can claim that the hash sent to the server matches your password's hash but that is not the same as your master password being used.

Given the widespread nature of this issue, I'd guess someone has discovered a flaw in the LastPass login process which is allowing a bad hash to pass the master password hash check: that contradicts what the support agent said, but I'd assume they're mistaken, rather than LastPass are lying in their documentation about how their system works.

[1] https://support.logmeininc.com/lastpass/help/about-password-...

Very interesting theory!

What's a bit surprising is how "low effort" the rest of the attack was: presumably if they found this flaw to bypass passwords, they then attempted to login (which caused an email to be sent out), but LastPass stopped them because they (i.e. the folks on the Brazil IP range) were logging in from a new IP.

So this would be a case of one protective layer (the new IP detection) compensating for a vulnerability in the other one (the password protection).

That would be "re-assuring" in a certain way (as the passwords themselves did not leak -- presumably!).


Another possibility is that one of their (many) previous security incidents led to the leaking / exposure of master password hashes, and maybe LastPass don't treat the password hashes as they should (as a password!) and didn't take steps to ensure that any compromise hashes couldn't be re-used. So, potentially, your master password is safe, but there's a hash of it floating around.

Personally, I've long recommended people stay well clear of LastPass for their bad record of security, so shipping a bug in password-hash verification, or treating password hashes haphazardly would not surprise me in the slightest.
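The two comments above (client-side hashing of the master password, and a leaked hash being replayable if the server stores it as-is) are easy to see in a toy model. This is an added example written for this thread, not LastPass's code: it assumes the thread's description (PBKDF2-SHA256, 100,000 rounds, a hash rather than the password sent over the wire) and a made-up split between vault key and login hash, and contrasts a server that stores the login hash verbatim with one that treats it as a password and re-hashes it with a per-user salt.

```python
import hashlib
import hmac
import os

# Assumed model parameters for this example (only the client round count is
# taken from the thread; everything else is constructed for illustration).
CLIENT_ROUNDS = 100_000   # PBKDF2 rounds run on the user's device
SERVER_ROUNDS = 100_000   # extra rounds the hardened server adds


def derive_vault_key(email: str, master_password: str) -> bytes:
    """Client side: the key that decrypts the vault. Never sent anywhere."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: the value sent to the server instead of the password.
    One extra PBKDF2 round separates it from the vault key (assumed design)."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


class NaiveServer:
    """Stores the received login hash verbatim. If this table leaks, the stored
    value IS the credential: it can be sent back as-is (pass-the-hash)."""
    def __init__(self) -> None:
        self.db: dict[str, bytes] = {}

    def register(self, email: str, login_hash: bytes) -> None:
        self.db[email] = login_hash

    def login(self, email: str, login_hash: bytes) -> bool:
        return hmac.compare_digest(self.db.get(email, b""), login_hash)


class HardenedServer:
    """Treats the login hash as a password: salts and re-hashes it server side,
    so a leaked table cannot be replayed without the client-side value."""
    def __init__(self) -> None:
        self.db: dict[str, tuple[bytes, bytes]] = {}

    def register(self, email: str, login_hash: bytes) -> None:
        salt = os.urandom(16)
        self.db[email] = (salt, hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ROUNDS))

    def login(self, email: str, login_hash: bytes) -> bool:
        rec = self.db.get(email)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ROUNDS))


def replayable_after_db_leak(server, email: str) -> bool:
    """Defender's check: does the value the server stores work as a login
    credential on its own? True means a database leak is a credential leak."""
    rec = server.db[email]
    leaked_value = rec if isinstance(rec, bytes) else rec[1]
    return server.login(email, leaked_value)
```

With the naive server the stored value logs in directly; with the hardened server it does not, which is the property the thread's "treat the hash as a password" remark asks for.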

Again, really great point re: our passwords hashes floating around, rather than the passwords themselves.

I wonder if haveibeenpwned.com would somehow have information about this. I just pinged them on twitter.

If Lastpass was zero knowledge then this wouldn't make sense. The master password or some derivative of it should decrypt your passwords on the local device.

I use Keeper and despite it being cloud based, that's exactly how it works.

Your test of a login attempt with a wrong password was a good idea, but did you do it from a location they would not recognize? That's what you need to do to rule out that the Brazil message was merely a wrong-password login attempt.

I'm a bit skeptical that if someone tried a login with the correct password but from an unrecognized location they would block it by default. People do travel and do change devices. It would really suck if you were far from home and needed to use one of your passwords and couldn't log in because you are not at your normal location.

What I've seen from other services when logging in from a new location is either

1. They send an email or text to the email or phone number associated with the account, which must be acknowledged before the login is allowed, or

2. The login is allowed but they send an email or text telling me that there was such a login and that if it wasn't me how I can kick the person out and re-secure the account.

This item from their support site suggests that they do #1 [1].

[1] https://support.logmeininc.com/lastpass/help/best-practices-...

LastPass does send out an email every time that there is a new login attempt with the correct password from a new ip address. An included link from that email must be followed for the ip to be approved. Then, you can actually login from that ip. (and yes, that's annoying re: travel/ip changes...)

When a wrong password is entered, no email is sent.

I tested the above (using a new ip with correct password -> email; wrong password -> no email) and it also aligns with what my "Account History" shows. There's a list of bad password attempts, and there's a separate list of "Login Verification Email Sent" i.e. the password was correct (presumably -- or maybe its hash -- that's one theory going around) but it was from a new, un-verified-so-far ip.

I've had that exact thing happen before when logging on using my phone's hotspot. It did really suck, and what I ended up doing is remoting into my PC at home. I feel like they care a lot more about false negatives versus false positives.
