LastPass customers' password vaults were stolen too

Everyone using LastPass, go change all your passwords :wulian:

4 likes




The carders are overjoyed: the whole lot swept up in one go :cry:

6 likes








Bitwarden is open source, which is a bit more reassuring. It can also be used for free, unless you need to set up more advanced 2FA such as Duo Security.

1 like

Could I ask how this is better than LastPass?

2 likes



I don't know about LastPass, but Bitwarden:

  1. is open source
  2. can't leak your real passwords because of zero-knowledge storage (everything is encrypted, so even if it is hacked, the data is useless; your passwords can only be decrypted with your master password, which is not stored by Bitwarden)

6 likes



1Password seems much more reliable in this respect: set up SMS verification, and even if the vault is stolen and the master password is known, it still can't be opened.

2 likes

Email received on December 1:

Dear valued customer,

In keeping with our commitment to transparency, we wanted to inform you of a security incident that our team is currently investigating.

We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

We are working diligently to understand the scope of the incident and identify what specific information has been accessed. As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around the setup and configuration of LastPass, which can be found here.

As is our practice, we will continue to provide updates as we learn more. Please visit the LastPass blog for the latest information related to the incident: Notice of Recent Security Incident - The LastPass Blog.

We thank you for your patience while we work through our investigation.

The Team at LastPass

1 like



Their latest statement is: "These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass."

Could someone knowledgeable weigh in: is what they say credible? Without an individual's master password, is there nothing to fear?

In theory there is nothing to fear, but there is no guarantee that some people's master passwords aren't weak, or can't be hit by credential stuffing; in that case it amounts to losing everything in one go.

The zero-knowledge design Bitwarden has is actually something LastPass achieved as well.

I don't think self-hosting can be called more secure: if your own server is compromised, it is no different from this LastPass breach. And your own server is probably less secure than LastPass; the only thing you can say is that it is a smaller target and may not be singled out.

Nowadays password manager services are all zero knowledge; I think the difference is just whether the company is trustworthy and whether you choose to trust it. For example, if you believe Apple's security is better than these small companies', you can keep your passwords in Keychain.

5 likes



