Items tagged with: lastpass
The hacker also stole an encryption key for a portion of the encrypted backups by accessing a cloud storage database shared by both LastPass and GoTo.
#news #tech #technology #security #privacy #Lastpass #breach #hacking
https://www.pcmag.com/news/lastpass-sibling-company-goto-loses-encrypted-backups-to-hackers
Episode 356 – LastPass ducked up, now what?
Josh and Kurt talk about the LastPass saga. There’s a lot of great explanations about what happened, but there hasn’t been a lot of info on how to start cleaning up this mess. We rehash…
Open Source Security
So: LastPass updated the PBKDF2 defaults three times in total. Each and every time they failed to update the security settings for existing accounts, at least for some of them. So in 2022 we still have accounts with the default from 2010 configured, even though it was already completely inadequate back then.
Not just that. LastPass could do a simple database query and notify the affected users. But so far people are left to figure it out on their own. Nobody knows how many people are affected but unaware of it because the official LastPass statement essentially says “nothing to worry about, it’s all safely encrypted.”
#LastPassBreach
And now that I’ve seen it I also found a Reddit comment from a person who went into their account settings and also found 500 iterations there. And another person saying the same thing on Hacker News.
So LastPass didn’t merely mess up upgrading accounts from 5,000 to 100,100 when they increased the default in 2018. They also failed to upgrade people when they went from 500 to 5,000 iterations before that. Anyone have an idea when that even was?
Sue them. Sue them to the ground. This is gross negligence.
#LastPassBreach
#Encryption alone is not #security, but its implementation, and some do it better and others just badly. If the single point of #failure is vulnerable, the rest is usually useless 😉
Please do not fall for #buzzwords and the associated #advertising promises 🙏
PS I highly recommend @bitwarden for all your credential manager needs, and please pay them to host it for you.
#OpenSource #passwordManager #LastPass
cc @keepassxc
I think those people have not been at this long.
All companies eventually get hacked. All companies eventually will be breached, and it's not if; it's when.
And if you are a company storing millions of passwords, you better believe you are being attacked constantly.
Given that world, I want a company that:
- is transparent and lets their users know immediately when something is up and gives as many details as they can.
- can actually detect incidents and has a solid process to follow in dealing with them and communicating about them
It merely means they either a) can't detect incidents or b) are hiding them from you
If you are using a password manager that is silent about breaches, near misses, incidents, etc., that should be cause for concern.