LastPass Login Attempted Activity Blocked – More Information
Just got this email from LastPass. I'm not satisfied with their explanation though.
As part of our ongoing commitment to security, we regularly monitor our services for actual, suspected, or attempted malicious or unusual activity. When our systems detect unusual login activity from different devices or locations we send an automated email for you to confirm the activity. Recently, you may have received one of these emails from us.
If the login attempt was you, and if you haven’t done so already, please make sure to verify your device and/or location. You’ll continue to receive emails like this when, for example, you log in from new devices or locations in our effort to keep your information secure. We also encourage you to reference our blog for best practices for keeping your account secure.
If the login attempt was not you, allow us to explain what happened. We recently received reports of an uptick of users receiving blocked access emails. Our investigation found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
At this time, there is no indication that your LastPass account or your credentials were breached or compromised. However, out of an abundance of caution, we recommend, if the login attempt was not you, that you reset your Master Password.
Lastly, it is important to remember that LastPass utilizes a zero-knowledge security model that is designed to ensure that customer data remains protected. When a LastPass user creates their Master Password, it’s used to generate a unique encryption key. The Master Password and the encryption key stay local on the user’s device – they are never sent to or shared with LastPass.
We apologize for any concern or inconvenience that these alerts may have caused. LastPass was built with security in mind and includes various features, including notifications for failed logins, trusted device verification, account recovery, and more. Read more about them on our blog.
Thank you for being a valued LastPass customer.

I'm sorry, but I'm really missing the concept of any cloud/online password manager. I believe this one was hacked some time ago. Obviously the whole thing being online increases the attack surface. I'm using KeePassX; when I know I will move/use it on another machine I just transfer it via gdrive or whatever and delete that afterwards. So... unless you change your machines constantly or travel all the time and use different machines, what's the real benefit of using an online password manager? It's not a "nasty" question, I'm just curious about the benefits and hope to get enlightened by people who use it.

> I'm really missing the concept of any cloud/online password manager ... I'm just curious about the benefits and hope to get enlightened by people who use it.

Since you are curious, here are two reasons:

1) I regularly use multiple devices, and it is convenient. For example, lately local businesses require online orders/reservations. If you set up an account using your laptop, then you can immediately log in to the account on your phone.

2) I trust the math behind online password managers. For example, see this white paper describing 1Password:
https://1passwordstatic.com/files/security/1password-white-p...

In particular, see pages 10-11 (two-secret key derivation, 2SKD) and page 18 (How Vault Items Are Secured). As long as the 2SKD protocol is implemented correctly, then it should not matter if the password manager is hacked. Presumably the few dollars a month you pay for the service is used to pay someone to carefully check this code.

Edit: In theory 2) reduces the "attack surface" to just the code implementing the 2SKD protocol.

For me, it's multiple machines: 2 iPhones, 3 iPads, 3 laptops, a couple of Raspberries, and a couple of work machines. I tried to do it with a synced KeePass DB, but getting it to sync properly was nightmarish.

I use Resilio Sync, which used to be proprietary, and it's been seamless. I do sometimes have to make sure the active device I'm on is synced before accessing the database, but most of the time it's fine. I use my phone, laptop, and desktop as devices. With Resilio, there's a nifty option to have an encrypted store for devices you don't trust to read but trust enough to store (think your parents' computer or work computer). SyncThing may also work for an open source solution, but it doesn't have that nifty latter option I stated above, at least not out of the box.

Please don't use KeePassX. Development stopped already in 2016. Switch to a more active alternative. See: https://www.keepassx.org/index.html%3Fp=636.html

Thank you very much for bringing me up to speed. And also to the others who provided me with their responses: I kind of get it if you have many machines, and even though I'd still try to find the best way to sync, I understand and appreciate your point of view. I will read up on the links on vaults provided and everything else. Thank you again.

Fwiw I also received this email, even though I deleted my account (faced with the now infamous error message "something went wrong: A"). I did not receive a confirmation that my account was deleted; the only evidence of that is that I can't log in anymore.

Why are you not satisfied? Do you have additional data on why this could be a real vulnerability on their end?

Considering the many reports in https://news.ycombinator.com/item?id=29705957 of login attempts using the master password, it seems like the full story has yet to be told. Saying that they "were likely triggered in error" does not say much to me, and the inclusion of the word "likely" sounds like they themselves don't know what triggered it.

Which answer would make you happy? I don't understand the hype lately about LastPass.

Sure, that's a fair question.

> We recently received reports of an uptick of users receiving blocked access emails.

This is abrogating responsibility for what happened. A better sentence would be: "We recently started receiving reports of users receiving blocked access emails in error."

> Our investigation found that some of these security alerts, which were sent to a limited subset of LastPass users

"Some of these", "limited subset": you're trying to minimize the issue and not sounding like you really understand what went wrong! Stop. Better: "Our investigation found that these security alerts, which were sent to 7% of users, "

> were likely triggered in error.

LIKELY, LIKELY?? Do I need to explain that "likely triggered in error" could just as easily be translated as "we don't know what's going on but we sure hope nothing bad happened"? Better: "We identified that in edge cases where two users had usernames where one was a fully contained subset of another (e.g. bob fits inside johnbobpierson) we would inadvertently send account alerts to both users when the user bob had a failed login attempt to their account."

> As a result, we have adjusted our security alert systems and this issue has since been resolved.

"Adjusted our security alert systems" seriously just makes this all sound like "we were sending alerts when someone tried to log in to your account more than 5 times per hour; we raised it to 50 times per hour so y'all would shut up". Better: "We corrected the identified bug and have checked our code base to ensure that the same error pattern is not repeated anywhere else in the code. We fired the security firm doing code audits and the CEO is looking for a pen to sign a contract with a new one."

OK, I got a bit tongue in cheek in the end, but seriously, this statement does not make me feel like they are "taking it seriously", and a post from a password manager which you are trusting with your life must scream that at you.

The original response was essentially blaming affected users, saying it was credential stuffing. Now they changed their story. If there is any credibility to the credential stuffing story, they should ask all users that received the email to change their password, not just say change it out of an abundance of caution. Obviously something changed, as the emails just started going out recently. Maybe it was a recent code change introducing a bug on their end; that's fine, software has bugs, but they could explain it. Maybe attackers are doing something different, which is triggering an old bug causing incorrect emails. Or maybe LastPass still doesn't really know and is just giving a potential reason, like they did earlier saying it was credential stuffing. I'd already stopped using LastPass years ago and deleted my account when this current mess started, so they weren't really going to win me back anyway. But the (current) response to this incident leaves plenty of unanswered questions.
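Added illustration (not code from LastPass, 1Password, or any commenter in this thread) of the idea behind the email's zero-knowledge paragraph and the 2SKD comment above: the vault key is derived on the client from the Master Password combined with a device-held Secret Key, so a breach of server-side data alone does not let anyone recover it. The PBKDF2 iteration count, HKDF info string and the server-side "check value" are assumptions of this sketch, not the white paper's exact values.

```python
# Simplified 2SKD-style key derivation (illustration only; assumed parameters,
# not 1Password's or LastPass's actual code).
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes,
                     iterations: int = 100_000) -> bytes:
    """Combine a slow password-derived half with a Secret-Key-derived half.
    The XOR means neither the password nor the Secret Key alone yields the key,
    and the whole derivation runs on the client, never on the server."""
    pw_half = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, iterations, dklen=32)
    sk_half = hkdf_sha256(secret_key, salt, b"2skd-illustration")  # info string is assumed
    return bytes(a ^ b for a, b in zip(pw_half, sk_half))


def key_check_value(vault_key: bytes) -> bytes:
    """Assumed server-side check value: lets a server confirm a client-derived
    key without holding the key, the password or the Secret Key."""
    return hmac.new(vault_key, b"key-check", hashlib.sha256).digest()


def offline_guess(check_value: bytes, salt: bytes, candidates, secret_key_guess: bytes,
                  iterations: int = 100_000):
    """Model what leaked server data (salt + check value) buys an offline guesser:
    returns the matching password, or None if no candidate reproduces the key
    with the supplied Secret Key guess. Without the real Secret Key the correct
    password is still rejected, which is the point of the second secret."""
    for guess in candidates:
        derived = derive_vault_key(guess, secret_key_guess, salt, iterations)
        if hmac.compare_digest(key_check_value(derived), check_value):
            return guess
    return None


if __name__ == "__main__":
    salt, secret_key = b"constructed-salt", b"\x42" * 32  # constructed sample values
    check = key_check_value(derive_vault_key("correct horse", secret_key, salt, 10_000))
    words = ["password", "letmein", "correct horse"]
    print("with Secret Key:   ", offline_guess(check, salt, words, secret_key, 10_000))
    print("without Secret Key:", offline_guess(check, salt, words, b"\x00" * 32, 10_000))
```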