11/30/2023

Lastpass breach 2015

Appropriately strong master password:

- A mix of character types (A-Z, a-z, 0-9, symbols).
- Unique: it’s only used as your master password.

What to do.

If your LastPass master password was appropriately strong, you don’t need to do anything. The contents of your password vault are not at significant risk.

If your LastPass master password is not appropriately strong, consider changing the passwords of all “important” accounts stored in your vault as soon as possible, and all accounts eventually.

And if, like me, you’re beginning to lose faith in LastPass, it might be time to consider a switch.

The most important thing to know is that you don’t have to do anything, or switch immediately, or switch in a panic. Unless you don’t have a strong master password as described above, your information remains secure, and you can take your time to make a reasoned choice.

Here’s the key paragraph from the LastPass blog post:

“Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”

- In August, someone hacked into their network.
- Technical information was stolen, but no actual customer information was compromised at that time.
- That technical information was used to successfully phish a LastPass employee.
- The attacker gained access credentials from that employee to the information stored by LastPass.
- That allowed the attacker to steal some information.

While it’s unclear how many LastPass users are affected, they do go on to list the types of information stolen:

- IP addresses from which customers were accessing LastPass.
- URLs of websites for which passwords had been saved.

It’s the last one that has everyone concerned.

The attacker did not gain access to the unencrypted contents of any vaults. In other words, the attacker did NOT gain access to the information you and I store in our LastPass password vaults.

All they got was an encrypted blob that contains that information. Without the decryption key - your master password - they cannot access the contents of your vault. And LastPass does not know, nor do they store, your master password. Only you know it, and it’s only used on your device when you sign in to LastPass.

The reason there’s such a strong focus on your master password is that if it’s weak, it’s conceivable a hacker could mount a successful brute-force attack on the encrypted blob and decrypt it. It’s unlikely because the other breached information is more likely to be used successfully with much less effort on the hacker’s part.

What’s more likely to happen

By that I mean the combination of information that was compromised, like your name, email address, and knowing what services you have accounts with, can be used to mount what is likely to be a very convincing phishing attack. Conceptually, you would get an email that looks very legitimate, addressing you by name and including other accurate personal information in an attempt to fool you. Some percentage of those attacks will likely be successful, much like the LastPass engineer was fooled, I would assume.

It’s very possible - likely even - that this was just a series of unfortunate events at LastPass. It’s possible that they’ve been as appropriately transparent as they could be about what’s been happening along the way.