It is difficult for me to believe that this could be true unless their web application has also been hacked.

And if that were the case then this is really getting into criminal negligence territory (especially the way they've been disclosing it).



When I read their most recent email updating about the situation today or yesterday, I did get a definite chill down my spine. I've not used LP for a year or so, but my data (much of it now old) is still stored there, mainly left as a backup as I'd heard some people had some weird issues migrating to other password managers.

I had made a mental note some months back when this first happened that I should really go through everything important in my vault and update all passwords to sleep more peacefully at night. I had also made a mental note at the time that if this situation were going to erupt into something much worse, it would almost certainly be over the Christmas period when many people are not at work or at their computers, and it would be the perfect moment for causing maximum chaos and destruction. Looks like I now really need to prioritise that tomorrow. Really not what I wanted to be doing on Christmas Eve...


I'm not too worried because anything important that I have in LP is protected by 2fa. It's notable that the author says his accounts are protected by 2fa, but I don't understand how LP being hacked would allow an attacker to defeat that.


Just for your consideration, I'd bet good money that the 2FA only protects against login credential stuffing, but the vault data is only protected by your master password and can be attacked offline and indefinitely.


I mean the individual accounts are protected by 2fa. I have an account or two where I know the password has been leaked but they're so unimportant that I can't be bothered to change the passwords. They still can't get in without my approval.


A lot of sites don’t limit total 2FA attempts, so a determined actor could still get in eventually.


How difficult is it to brute force 2FA?
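The two comments above (unlimited 2FA attempts, and the question of how hard a 6-digit code is to guess) come down to arithmetic plus whether the verifier throttles. The following is an added example, not code from the thread or from LastPass: a minimal RFC 6238 TOTP check with the per-account attempt budget that RFC 6238 section 5.2 requires, and a function that computes the probability a guessing attacker gets in within a given number of attempts. The class and function names, the budget of 5 attempts per 5-minute lockout, and the account name are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

DIGITS = 6   # code length used by most authenticator apps
STEP = 30    # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


class TotpVerifier:
    """Verifies codes and enforces an attempt budget per account.

    Without the budget, an attacker who can submit codes freely needs on
    average only a few hundred thousand guesses against a 6-digit code.
    """

    def __init__(self, max_attempts: int = 5, lockout_seconds: int = 300):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> Unix time the lockout expires

    def verify(self, account: str, secret: bytes, code: str, now: int) -> str:
        """Returns 'ok', 'bad', or 'locked'. Accepts the current and previous step (clock skew)."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        # compare_digest avoids leaking digit positions through timing.
        if hmac.compare_digest(totp(secret, now), code) or \
                hmac.compare_digest(totp(secret, now - STEP), code):
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_attempts:
            # Budget exhausted: lock the account and reset the counter for the next window.
            self.locked_until[account] = now + self.lockout_seconds
            self.failures.pop(account, None)
            return "locked"
        return "bad"


def guess_success_probability(attempts: int, digits: int = DIGITS, accepted_codes: int = 2) -> float:
    """Probability that random guessing succeeds within `attempts` tries.

    Each guess matches any of `accepted_codes` valid codes (current step plus the
    skew window), so a single try succeeds with probability accepted_codes / 10**digits.
    """
    per_try = accepted_codes / (10 ** digits)
    return 1 - (1 - per_try) ** attempts


def daily_guess_budget(max_attempts: int = 5, lockout_seconds: int = 300) -> int:
    """Guesses per day an attacker gets when each lockout grants `max_attempts` more tries."""
    return max_attempts * (86400 // lockout_seconds)


if __name__ == "__main__":
    # Constructed secret: the RFC 6238 test key, not a real credential.
    secret = b"12345678901234567890"
    v = TotpVerifier()
    print("correct code:", v.verify("alice", secret, totp(secret, 59), 59))
    print("throttled budget/day:", daily_guess_budget(),
          "-> success probability %.4f" % guess_success_probability(daily_guess_budget()))
    print("unthrottled 100 guesses/s for a day -> %.4f" % guess_success_probability(100 * 86400))
```

Run stand-alone it prints that a throttled attacker (5 guesses per 5-minute lockout) gets 1,440 guesses a day for a roughly 0.3% chance of success, while an unthrottled one at 100 guesses per second is essentially certain to get in the same day. That is the gap between "2FA protects me" and "the site never limits attempts" that the comments are discussing; the defensive fix is the `max_attempts` budget (and alerting on repeated failures), not a longer code.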


He said his seed phrases were in LastPass. There is no 2FA protection for private keys if the assets are in his crypto wallet and he's custodying them.


Right, should've remembered reading that. Am I the only one who thinks that's a crazy thing to put in LP?


He said there wasn't much value in the wallets. Doesn't strike me as crazy to keep a small amount in something convenient. You see a similar convenience/security trade-off made by big players, with immediate transactional needs satisfied by online/hot wallets and reserves held in offline/cold wallets.


That's true.


Kind of?

I can see it both ways. It is putting all your eggs in one basket. The flip side is your vault is supposed to be protected enough that shouldn't be an issue.


Another comment rightfully points out that the vault itself is only protected by a password. I don't think that's protected enough if it's on cloud storage.


LastPass allows you to delete your account without entering your master password. If their infra is compromised, you don't want to enter your master password into LastPass again in case the hacker planted something in LastPass' client code to snoop entered master passwords.