Hilarious! And yeah, the unencrypted data that came with this dump could definitely be used to identify which users might just be using a password manager because someone hollered at them to do so versus someone taking their security seriously. Please give your dog X6h#f109b$f10o a pet for me.

@@KathyZant Great. Now I have to reset my dog's name.

I have a password that was more then double from the guidelines , so am not worried , but it's thte feeling that i got from this that made me to switch over to a other password manager, deleted lastpass , it's about trust and that is gone.

Thank you, Maestro! I hope you have a blessed and happy 2023! Looking forward to working with you more!

Oh no. Sorry to hear it. Definitely not a good way to start the year, but it's good that you are taking swift action to protect your digital life.

Smart moves, @serdunk. I'm sorry you had so many issues with LastPass. I hate throwing companies under the bus for a breach because it can happen to anyone. How they handle it really matters. And this was not handled with the customers' best interest at heart. It's sad, really. BitWarden is something many of my security-conscious friends use, and it looks to be very promising. Thanks for your comment.

An important distinction: the initial compromise happened months ago, but the disclosure at that time led us to believe that the breach was inconsequential. We found out later that the initial breach was QUITE consequential and that LastPass did not disclose that vaults were compromised for 5 months. Unfortunately, many users did not use a complex 12-character master password. I highly recommend this read: blog.1password.com/not-in-a-million-years/

In most jurisdictions, companies are required by law to disclose breaches. My concern, and the concern of many other security researchers, is how they've trickled out information rather than letting customers know immediately that malicious actors had gotten access to customer vaults. They dropped that information right before Christmas and didn't respond to multiple requests for clarification from reporters. More info: www.wired.com/story/lastpass-breach-vaults-password-managers/

Happy New Year! Thanks for watching.

Exceptional tip, Ana. Thanks for sharing.

@@KathyZant how to remember these extra long passwords though? I switched to 1Password which also has a master password. It's set to ask me for it after 4 hours -- my friend has hers set to never --- maybe I shouldn't worry with leaving it to be logged into all of the time -- guess I don't have that much critical stuff. I've got one that is 15 characters that I can remember but, dang, typing it in without making a mistake is a challenge at times (esp. when my reading glasses are in the other room).

@@jjnlucky The best part of having it ask you regularly is that it will help you remember it. Writing it down on the printout that 1password gives you and storing it with your other sensitive documents (in a safe or safe place) makes sense, too. Passkeys are starting to roll out which will make a lot of this frustrating nonsense obsolete soon. I'll do a video on that VERY soon, I am super excited about it.

@@bigjonradio I read that too. Very concerning. Also read that they were instructing employees to refer to this breach as an incident and not to use the word breach. Just boggles me.

I wouldn't worry so much about the email being exposed. If you go to haveibeenpwned.com and put in your email, you can see how many other breaches have exposed your email to malicious actors. I'm going to bet that your email is there. There's not much an attacker can do with your email except phish you, and it's incredibly important to remain vigilant against those attacks.

Hi James. Should your credentials ever be in a breach, that email address is useless to attacker's scripts to attack other accounts. So joeblahblah+amazon@gmail.com would be useless in an attackers script going after your PayPal account. Another viewer had a great suggestion too about double-blind passwords. For example you have a strong 16-character password stored in your PW manager, but you have a phrase that you always add to your passwords only known to you. So you use your password manager for the most complex part, but 4 digits are always in your head and no one else knows those. Should the password manager vault be compromised, it would be useless to attackers' scripts. It's rare (unless you are a celeb, politician, CEO, or apparently a LastPass dev, lol) to get spearphished in a targeted attack. Most people are exposed simply because they're in a breach and a script looping through stolen credentials does the work. So it's not hard to put a speedbump on a script.

@@KathyZant Thank you!

@@2much2see2 You're welcome!

We're not hearing any signs of intrusion into LP systems, just a leak out from their systems to malicious attackers. As such, the CSV you download is going to be ok. Download and import into your new PW manager, then start prioritizing those immediate changes (email, banks, cellphone, etc.) and work down from those highest priority accounts. Adding 2-factor authentication while you're at it is a great next step.

Sounds like you're doing passwords right! That being said, I'd use anything other than LastPass. Some of the other information that has come out includes the fact that most of the identifying information they have (including how you're using your passwords) was not encrypted. The sites you're using, whether or not it was an auto-generated password, and more. BitWarden or 1Password; please do consider using a password manager OTHER than LastPass.

The most secure data is in a physical vault buried in your backyard under 6 feet of dirt, not connected to the internet. But that security comes with a price. All security is a continuum and we just have to make decisions on what is going to work for us in both ease of access and strong security. If I didn't have mobile access to my passwords, I'd have issues, so I have to be able to access from both my computer and phone. But if that works for you, it's definitely more secure. And yeah, I fought Pw managers for a long time for these very reasons. Thanks for the questions!

@@KathyZant do you have suggestion on any good local password managers that's simple to set up? Do i need my own hosting server rack for somethign like? i am not super techy to host my own server and the upkeep of IT infrastructure. but if it's something that can be installed on my laptop easily and does the job....i'd give it a test & see :)

For local password management, take a look at keepass.info/ I know a few people who use this. Of course, storing locally means you have to ensure you've got good backups!

You're welcome!

In this particular instance, your "good password" for a master password is the only protection you have. If you had a strong and long, random, only used once password for your master password, the likelihood of your vault being compromised is low, but no zero. 2FA won't help here because that only secures the LastPass login, not the vault itself and attackers got the data behind that login, if you know what I mean. To be safe, change passwords on the accounts that matter most first, and as you have time change the rest. Some people have argued that "well they have had this data for 5 months, so if you haven't been hacked yet, you aren't going to be." I would point to the Twitter dump of 200M+ email addresses that was over a year old that just showed up. Hacker gonna hack, hackers are also incredibly patient and persistent.

@@KathyZant thanks for clearing this up. It means a lot. Take care

@@Lcvds thanks for watching. If you have more questions, let me know, I'll do my best to answer.

Unfortunately, no. While 2FA is wonderful, if the vendor has a breach where an attacker gets access to the data itself (as in this case), 2FA does nothing. It's like they got the files downloaded from LastPass' system and 2FA doesn't matter. They just have to brute force the master password to unlock the vault. To add insult to this, data has come out showing that a majority of data wasn't encrypted including customer info, URLs, and how passwords were generated, most recently used... all of that unencrypted data can help attackers figure out where to target phishing campaigns and more. It is, in so many ways, a terrible breach with wide reaching ramifications.

1Password has something similar, called "Watchtower" that is integrated with haveibeenpwned.com. LastPass used to have a service called Sentry that integrated with PwnedList, but PwnedList got hacked at one point and shut down. They say they've got Dark Web and breach monitoring, it would be interesting to learn how that works.

You're not alone! A lot of people are going through the same process. It's a good time for security checkups, closing old accounts you don't use, and rotating passwords anyway, but definitely a lot more fun to do it when you choose to rather than being forced to. Thanks for watching.

The export function that is built into the LastPass app is just one method of connecting to your vault. The vault itself is a database (or part of a database) stored on a server somewhere. The hackers got into the raw database(s) that contain customer vaults. As such, the export feature in the app is of little importance. To use the export feature, someone would need to have an app installed and be logged in as a particular user pointed at a specific vault. These hackers got the vaults. They're likely not using apps to address the vaults and rather are likely attempting access from some command line access. Once they've got the access figured out from the command line, they'll script something to brute force in directly to the vaults and not use the LastPass app at all.

@@KathyZant I understood that they also got to the source code. Were there any updates to the app since the breach? If they cause people to lose faith and export their information in the clear ( csv file) and this is transmitted parallel to the download / export, then they wouldn’t have to go to the trouble of cracking the passwords , they’d be delivered. Since last pass isn’t open source, who can tell. The whole db heist could just be a diversion. I would just go to my websites or whatever and do a password recovery for each.

@@KathyZant BTW excellent video!

Based on the research found in this reddit thread, it looks like federated azure logins were stored separately and appear to be safe. That being said, I'd definitely investigate your set up to ensure that you are indeed using the federated logins and not a master PW. More details in this thread. I hope this helps. www.reddit.com/r/Lastpass/comments/zvv0tk/lastpass_breach_question_about_azure_federated/

@@KathyZant I'm the one who setup our environment so it's definitely federated access and with no Master Password

Well then let's hope that the hackers have fun with those passwords. (Still change them, and use something else!)

You can get LP to email you your password hint. Otherwise you can try an account recovery. You may also be able to reset the LP Master Password if you log in from a 'known' browser with the LP extension installed.

Unfortunately no. And LastPass has not been forthright in letting us know what happened initially. Maybe they didn't know that customer vaults were stolen at the time? But the timing of the disclosure that they were stolen, right before the Christmas holiday, has me wondering if this was done in an attempt to lessen attention on the extent of the breach. We're also finding out that LastPass had stored 32 out of 38 pieces of information for each user/pass pair unencrypted. So, we're finding that the URL of the site, password creation time, last time changed, last access time, whether or not the PW was auto-generated, along with your personally identifiable info (name, email, etc.) unencrypted, so hackers have that. That information can be used to phish, brute force, and more. It's just a bad situation all the way around. If you are a LastPass customer, assume your vault is in the attackers' hands and that your credentials are vulnerable. Start changing the passwords you stored in LastPass, starting with your email, cellphone, banks, and work down in priority from there. Also, while you're at it, add two-factor authentication to your most important accounts to protect them.

Assume all. All personal, family & enterprise account vaults.

At this point the biggest concern is that LastPass is likely not going to recover from this. The best option is to switch companies and change all passwords. The attackers got a hold of the backed up vaults, so it is just a matter of time before master passwords are brute forced. In this situation, two factor authentication won’t help us with our vaults.

I just posted an updated video with more details about this breach. I highly recommend watching. kzbin.info/www/bejne/gJCxkpeieMR-rJI

I think that the goal with long multiple random dictionary words has always been to provide something that can be memorized. I typically go with the randomized approach, but long 16+ characters and randomized. Unfortunately, we've seen that many people are using very crackable passwords, even to this day. The five most common passwords are 123456, 123456789, picture1, password and 12345678, according to 2020 research from NordPass. And less than 30% of people are using two-factor authentication on key accounts. It will be good when passkeys is more implemented. Passwords are rather broken these days, and 2FA is just adopted enough by end users.

Passwords are part of a SYSTEM. Long complicated passwords are essentially impossible to brute force, but also impossible to memorize, so people write them on something. That breaks the security of the system even though the password itself is essentially unbreakable. Consequently, a pair of ordinary words, unrelated to each other and to you (not your favorte color or your cat's name) enhances the security of the system. MFA or 2FA goes a long way to reducing risk of your password being compromised BUT at added inconvenience and assumes you will always have your device at hand.

Gary, take a look at DiceWare. Usually only a dictionary of 7000 words, but random passphrases can be generated by rolling 5 dice! My feeling is set passphrases with 5 or 6 words to increase entropy. Add in special characters between words, capitalise one or more words, add in numbers. Humans are less likely to come up with truly random words/phrases!

Weaker passwords can be brute forced faster, more complex/stronger passwords would take longer. To be as safe as possible, assume your passwords are compromised and move off of LastPass, change passwords, and add two-factor authentication. This breach happened in August, so attackers have had the vaults for 5 months already. Assume the worst and take steps to protect yourself. I recorded an updated video here with more details about the compromise: kzbin.info/www/bejne/gJCxkpeieMR-rJI

@@KathyZant yeah that's the best appoach , changed the most important passwords ia have, but i have a lot of webshops , wil look at the video thanx.

I am so angry at these morrons , have a lot to change right now , the most important one first what is the info worth of meeting the minimal guidelines of master password?, 5 months is a long time why did they wait so long before taking action and inform the clients about this ,33 milion poeple where using lastpass

Switching is definitely the best option.

@@KathyZant i am going to ask lastpass if there's internal protection in de fault to prevent brute force iterations.

@@ronaldhofman1726 The problem is that the attackers got copies of the vaults. So LastPass doesn't have control over those vaults anymore. There's no way for LP to protect further. Also, the fact that LP is not answering reporters questions (see the Wired article in my subsequent video) leads me to believe that they're not being forthright about this attack.

Smart move, Rip. Thanks for the watch!

Less a commercial and more of a PSA to protect yourself from companies that make bad decisions. Thanks for watching!

I feel you. It is definitely a single point of failure. Security is a continuum, however, between freely accessible to everyone and buried 6 feet in the ground and not connected to the internet. We've all got to make our decisions and none of those decisions will be black and white. For many people who are using dictionary words, pets names, or even their zip codes as passwords (I've seen some bad ones), a password manager is definitely a step up. But LastPass has shown disregard for customer privacy & security and a blatant disregard to responsible disclosure. Betting that we will see some legal ramifications here as well as further breaches. Eventually, passkeys will replace the password, but we're all quite early to that game. It will be a few years before passkey usage is widespread. Passkeys uses public/private key encryption and solves a lot of the problems with passwords, and even 2FA. But yes, eventually there will be security issues with passkeys, too.