Do you use LastPass? Security Bulletin.

Funster No 15,452
I received the following email.

[Attached image: 1661459471779.png]


Link to blog post.

 
Funster No 82,232
That's odd. I received a very similarly worded email today, but the company said to be affected was Plex TV.

Thing is, I have no Plex TV account. Please tread carefully.
 

DBK, Funster No 24,219
"Dear valued customer" is the giveaway I think. But otherwise it is well written and no obvious spelling errors although the use of the word "expeditiously" at the end grates a bit.

Presumably the danger is in clicking on the link?


 

Langtoftlad, Funster No 16,024
I have just received a similar email [similar story but slightly different details] from Plex.
I am unaware that I have/had a Plex account...


Dear Plex User,
We want you to be aware of an incident involving your Plex account information yesterday. While we believe the actual impact of this incident is limited, we want to ensure you have the right information and tools to keep your account secure.
What happened
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.
What we're doing
We've already addressed the method that this third-party employed to gain access to the system, and we're doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions. While the account passwords were secured in accordance with best practices, we're requiring all Plex users to reset their password.
What you can do
Long story short, we kindly request that you reset your Plex account password immediately. When doing so, there's a checkbox to "Sign out connected devices after password change." This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security. We have created a support article with step-by-step instructions on how to reset your password here.
We'd also like to remind you that no one at Plex will ever reach out to you to ask for a password or credit card number over email. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven't already done so.
Lastly, we sincerely apologize to you for any inconvenience this situation may cause. We take pride in our security system and want to assure you that we are doing everything we can to swiftly remedy this incident and prevent future incidents from occurring. We are all too aware that third-parties will continue to attempt to infiltrate IT infrastructures around the world, and rest assured we at Plex will never be complacent in hardening our security and defenses.
For step-by-step instructions on how to reset your password, visit: https://support.plex.tv/articles/account-requires-password-reset
Thank you,
The Plex Security Team
 
Funster No 82,232
> I have just received a similar email [similar story but slightly different details] from Plex.
> I am unaware that I have/had a Plex account...


That's the one.
 

Langtoftlad, Funster No 16,024
However google "plex security breach" and there are a load of hits, many from reliable sources

And Lastpass
https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/

So who knows 🤷‍♂️


Edit:
Seems I do have a current Plex TV account - so I've signed in [not via the email link obviously] and changed my password


 
Funster No 47,382
The LastPass version seems to have only gone to Lastpass users, so would appear to be genuine.
However there does not seem to be a security breach.

I change my master password from time to time in any case, and all the passwords (I have over 300 of them!) are LastPass generated long sequences, even for the sites where I don't care who has my log in (such as the BBC or Google Maps as no money is involved).

I have no idea what my passwords are for any site, except the LastPass one.
Been using it for years, brilliant app (and usually fairly secure)
 
Gromett (OP), Funster No 15,452
U.Toadifact Brains Langtoftlad DBK

Oh Ye of little faith.

I did check this out before passing it on to you.

But if you don't believe me OR the DIRECT on the lastpass.com website blog that I linked maybe you will believe a 3rd party trusted news site?



> I have had nothing from lastpass
Give it time OR check your spam box.
 

DumfriesDik, Funster No 78,057
Oh dear, not a great email is it? I wonder what the implications might be. I know that they can not reveal your master password, it took me ages to remember what it was and LastPass couldn't help.
 

Coolcats, Funster No 58,207

Funster No 63,081
This is a copy from a Davey Winder report from Forbes




LastPass Hacked: Password Manager With 25 Million Users Confirms Breach

Davey Winder
Senior Contributor
Co-founder, Straight Talking Cyber
Aug 25, 2022, 11:08pm EDT

[Image: LastPass logo seen on a smartphone. Caption: LastPass has confirmed hackers stole partial source code (SOPA Images/LightRocket via Getty Images)]
One of the world's biggest password managers with 25 million users, LastPass, has confirmed that it has been hacked. In an advisory published on August 25, Karim Toubba, the LastPass CEO, said that an unauthorized party had stolen "portions of source code and some proprietary LastPass technical information."


What was accessed during the LastPass network breach?

The breach appears to have been of the development servers, facilitated by a compromise of a LastPass developer account and took place two weeks ago. Incident responders have contained the breach, and LastPass says there is no evidence of further malicious activity. Toubba also confirmed that neither has evidence been found of any customer data or encrypted password vaults being accessed.

I've been reading PCPro for the last 15 years with Davey Winder being their chief security writer so I tend to believe in what he writes, so it sounds genuine to me.
 
Funster No 63,081
I've just been in my Lastpass account, and into the support section where there is confirmation of their security breach.
Not all their 33 million customers have received an email yet, me included.
I've changed my master password just to be on the safe side.
Thanks Gromett
 

Justus3, Funster No 83,080
Not used last pass since keychain on OS came out much better all round.
 
Funster No 45,235
I received a similar email yesterday. I didn't open it just deleted it. Same as I got a text from Royal Mail saying my parcel was delayed, what parcel? deleted that too!!

Gina


 
Gromett (OP), Funster No 15,452
For those who want to be really secure can I recommend you use a YubiKey. This is a USB dongle with a touch switch on it.

This is your two factor authentication. For those of you not aware of what this is.

2 factor authentication is about having two methods of proving who you are. This is usually proven by "something you know" and "something you own".
Your username/password is the something you know bit.
The something you own is these days usually your mobile phone. But the Yubi key is a much better option.

The problem with phone authenticators is that if your phone gets hacked they have access to your username/password and 2nd factor of authentication.
With a yubi key, it is something they physically need in their hands, they need it plugged into the computer being used and they need to be able to physically press the button. It is not hackable.

I use my Yubi key to authenticate a bunch of services. From google youtube/gmail/etc, twitter, lastpass, github and many others.

Without my physical key it is impossible to log into these services even if they could guess my email address and password.

This is the one I use. It supports NFC, so with most modern phones you don't even need to plug it in, just swipe it over the back when requested. I keep mine plugged into my main desktop PC, unless I am going somewhere, then it goes on my key chain.
Do NOT keep it with your mobile device in case you lose your device.
 
Gromett (OP), Funster No 15,452
> Oh dear, not a great email is it?
It is a great email I thought. They are telling you they have been exploited and how serious it is.

There is no company that is immune to this, even the greatest and best have problems.

Full disclosure like this is a very, very good sign and shows we can trust them.
 
Funster No 3,823
It won't be long before we have to use three factor authentification. Then, four factor authentification. And so on.

Why not add a super-password-manager on top of the existing encrypted password manager. With a retinal scanner.

It becomes a PITA for non-geeks!

Much simpler to have a universal no-fault 100% compensation system for all victims of hackers and frauds. I would go further and use drone strikes and Special Forces to track down and neutralise the cyber criminal gangs.
 
Funster No 45,235
> For those who want to be really secure can I recommend you use a YubiKey. This is a USB dongle with a touch switch on it.

So, you plug it in to any device you are on before you log on/open?

Gina
 
Funster No 45,235
A bit pricey, although Amazon offering it to me for free if I apply for their Amex card!!

Gina


 
Gromett (OP), Funster No 15,452
> It won't be long before we have to use three factor authentification. Then, four factor authentification. And so on.
>
> Why not add a super-password-manager on top of the existing encrypted password manager. With a retinal scanner.
>
> It becomes a PITA for non-geeks!
>
> Much simpler to have a universal no-fault 100% compensation system for all victims of hackers and frauds. I would go further and use drone strikes and Special Forces to track down and neutralise the cyber criminal gangs.

No not really. 2 factor is perfectly fine if done correctly. It is what the high level intelligence community use.

A no fault 100% compensation scheme is open to abuse. Why should companies be held responsible for users' poor security hygiene?

Seriously it is not rocket science.
 
Gromett (OP), Funster No 15,452
> A bit pricey, although Amazon offering it to me for free if I apply for their Amex card!!
>
> Gina

It depends on how much you value your security today. Is that price more than you would pay to secure your motorhome or house?
 
Gromett (OP), Funster No 15,452
> So, you plug it in to any device you are on before you log on/open?
>
> Gina

Not necessarily before. But you need to insert it when you want to use it.
There is a gold metal touch pad on it. When you are asked for your authentication key plug it in (if it isn't already in) and touch the gold pad.
That is the entire procedure.
 
Funster No 82,494
> For those who want to be really secure can I recommend you use a YubiKey. This is a USB dongle with a touch switch on it.

I echo this. I have several Yubikeys. Brilliant device
 
Funster No 3,823
> No not really. 2 factor is perfectly fine if done correctly. It is what the high level intelligence community use.
>
> A no fault 100% compensation scheme is open to abuse. Why should companies be held responsible for users' poor security hygiene?
>
> Seriously it is not rocket science.

Because of relentless pressure to move all financial and government services (including the NHS) online. That includes people with IQs of 75 or less, and people who can't afford to upgrade their security. You can't have it both ways if you want online systems to become universal.
