LastPass customers' password vaults were stolen too

Everyone using LastPass, go change all your passwords :wulian:

4 likes

Big news?

They have a big story every so often; I ditched it long ago

2 likes

Stolen-card fraudsters are overjoyed: the whole pot in one haul :cry:

6 likes

Is there a better alternative?

1 like

bitwarden?

6 likes

I'm still using keepass, with the file stored locally

Enpass is still the sweet spot for me; I sync the vault through onedrive

2 likes

Bitwarden is open source, which is a bit more reassuring. And it can be used for free, unless you need to set up more advanced 2FA such as Duo Security.

1 like

Can I ask what makes this better than last pass?

2 likes

You can host it yourself

2 likes

I don't know about lastpass, but bitwarden:

  1. open source
  2. it can't leak your real passwords because of zero-knowledge storage (everything is encrypted, so even if it is hacked, the data is useless; your passwords can be decrypted only using your master password, which is not stored by bitwarden)

6 likes

And you can use your own server instead of the cloud service they provide, so the chance of it being stolen is even lower

1 like

1password seems far more reliable in this respect: set up sms verification, and even if the vault is stolen and the master pass is known, it can't be opened

2 likes

email received on December 1

Dear valued customer,

In keeping with our commitment to transparency, we wanted to inform you of a security incident that our team is currently investigating.

We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

We are working diligently to understand the scope of the incident and identify what specific information has been accessed. As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around the setup and configuration of LastPass, which can be found here.

As is our practice, we will continue to provide updates as we learn more. Please visit the LastPass blog for the latest information related to the incident: Notice of Recent Security Incident - The LastPass Blog.

We thank you for your patience while we work through our investigation.

Sincerely,
The Team at LastPass

1 like

When data gets stolen it's usually the backend that was compromised

1 like

Their latest statement is: "These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass"

Experts, could you analyze this: is what they say reliable? Without a person's master pass, is there nothing to fear?

In theory there's nothing to fear, but there's no guarantee some people's master pass isn't also a weak password, or one that can be hit by credential stuffing, in which case it's effectively the whole pot in one haul
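The model the last few posts are arguing about (the service holds only AES-256 ciphertext, the key is derived from the master password by a KDF on the client, so a stolen vault is only as safe as that master password) as an added Go example. This is not code from the thread, from LastPass or from Bitwarden; the names `Seal`, `Open`, `CrackOffline`, the sample vault contents and the mini wordlist are constructed for illustration, and PBKDF2-HMAC-SHA256 is written out by hand so that only the standard library is needed. The 100,100 iteration count used in `main` is the default LastPass cited for its KDF; the count is a parameter here because older accounts could have a much lower one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Vault is everything a "zero-knowledge" service holds for one user, and
// therefore everything a thief walks away with. Only Blob is ciphertext;
// salt, iteration count and nonce are stored in the clear.
type Vault struct {
	Salt  []byte // per-user KDF salt
	Iters int    // PBKDF2 work factor
	Nonce []byte // AES-GCM nonce
	Blob  []byte // AES-256-GCM ciphertext + 16-byte tag
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte
// output block, which is exactly one AES-256 key.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): first (and only) block index
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// aeadFor derives the vault key from the master password. The key exists
// only on the client; the service never sees password or key.
func aeadFor(master string, salt []byte, iters int) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(master), salt, iters)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the client side: encrypt the serialised vault under the derived
// key. The returned Vault is all the service stores.
func Seal(master string, plaintext []byte, iters int) (*Vault, error) {
	if iters < 1 {
		return nil, errors.New("iteration count must be >= 1")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := aeadFor(master, salt, iters)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Vault{Salt: salt, Iters: iters, Nonce: nonce,
		Blob: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open re-derives the key and decrypts. A wrong master password fails the
// GCM tag check instead of yielding garbage, which is exactly the yes/no
// oracle an offline attacker needs.
func Open(master string, v *Vault) ([]byte, error) {
	aead, err := aeadFor(master, v.Salt, v.Iters)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, v.Nonce, v.Blob, nil)
}

// CrackOffline plays the attacker holding only the stolen Vault: salt and
// iteration count are in the clear, so every guess is tested locally with
// no contact to the service, no 2FA prompt and no rate limiting.
func CrackOffline(v *Vault, guesses []string) (string, bool) {
	for _, g := range guesses {
		if _, err := Open(g, v); err == nil {
			return g, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample vault contents and a constructed mini wordlist.
	secrets := []byte(`{"bank":"hunter2","email":"correct horse battery staple"}`)
	wordlist := []string{"123456", "password", "qwerty", "Summer2022!", "letmein"}

	weak, _ := Seal("Summer2022!", secrets, 100100)
	strong, _ := Seal("vQ8#kT2pL9!mZ4@wR6", secrets, 100100)

	if pw, ok := CrackOffline(weak, wordlist); ok {
		fmt.Println("weak master password recovered offline:", pw)
	}
	if _, ok := CrackOffline(strong, wordlist); !ok {
		fmt.Println("strong master password: wordlist exhausted, blob still opaque")
	}
	pt, _ := Open("vQ8#kT2pL9!mZ4@wR6", strong)
	fmt.Println("legitimate owner decrypts:", bytes.Equal(pt, secrets))
}
```

The point of `CrackOffline` is the one the post makes: once the blob is on the attacker's disk, the only thing standing between them and every password inside it is the entropy of the master password multiplied by the KDF cost, and neither the service's 2FA nor its rate limiting is in the loop any more.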

That Bitwarden zero-knowledge property, lastpass actually had too

Self-hosted I don't think can be called more secure: if your own server gets compromised, it's no different from this lastpass theft. And your own server's security is probably worse than lastpass's; all you can say is that it's a smaller target that may not get singled out

Every password manager service is zero knowledge now; I think the difference is just whether the company is trustworthy, whether you choose to trust that company. For example, if you believe Apple does security better than these small companies, you can keep your passwords in keychain

5 likes

Well said, I basically agree
So I now keep my important passwords in local keepass

1 like

After the last time lastpass got hacked I switched to bitwarden; it's pretty good

1 like