Scott-Railton cited a separate thread on the incident which warned that although encrypted data was stolen in this incident, the websites that customers visited were not, meaning that users "should expect to get phishing emails" in the coming days and months.

It is believed that hackers will likely use this breach as a means to target users and encourage them to change passwords and click on malicious links.

"Be VERY careful about password reset alerts in these next few months," the advice read.

LastPass issued a similar warning for users, noting that it expects customers to be targeted by phishing attacks, credential stuffing, and other brute force attacks "against online accounts associated with your LastPass vault".

"In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information," the company said.

The LastPass revelations appear to have sparked a domino effect among users of similar password management services.

Some took to social media to ponder the potential exposure of rival password managers, which also use cloud storage, to similar attacks.

Responding to concerns relating to its own product on social media, 1Password confirmed that "all 1Password vault data is end-to-end encrypted" on user devices, distancing itself from the idea that it could also suffer a similar attack.

The firm added that "this means that even if our servers were breached, all the attackers would have is encrypted gibberish that is useless and unreadable".

"An attacker would need both your 1Password account password and secret key to decrypt the data within it," the company said.

LastPass attacker stole customer password vaults

This meant the attacker now had customer password vaults but not the means to open them.

Unless, of course, they used brute-force methods to try known passwords from other breaches.

With local access to the encrypted databases, this becomes a lot easier to pull off but is still dependent on the user either having a weakly constructed master password or one reused across services, including one that has been compromised.

At this point, I recommended that users change their master password, which would also re-encrypt their password vault, on a better-safe-than-sorry basis.

This gave the attacker a head start on any attempts to decrypt vaults, as users had been advised that no further action was required up until this point. This wouldn't help anyone with a weak master password in terms of the stolen vaults, of course, so those customers were advised to change all their passwords as soon as possible. At this point, I stated that if I were a LastPass user, I'd be looking for alternatives given the drip feed of breach information, especially since it took so long to determine that customer vaults had been stolen.

The final LastPass hack attack bombshell drops

And then, on March 1, yet another update to the December 22 incident disclosure dropped.

More from Forbes: LastPass Password Vaults Stolen By Hackers: Change Your Master Password Now, by Davey Winder.

This confirmed that LastPass needed to catch up when it came to communicating about the security incidents comprehensively and frequently enough. "Trust is paramount in the world of password management," I concluded, "and there can be little doubt that trust is being tested hard right now."

[Image: LastPass confirms senior developer using home computer was hacked (LastPass)]

Even now, in the same statement that assured customers that LastPass had listened to concerns about communicating more comprehensively, the bombshell disclosure was contained in a separate 'additional details' document. The security incidents were not, the statement read, "caused by any LastPass product defect." Maybe not, but corporate security processes and controls appear to have fallen even shorter than corporate comms. However, the red flags started waving for me when the statement confirmed that a threat actor had "targeted a senior DevOps engineer by exploiting vulnerable third-party software." Wait, what?

By doing so, we were informed that the attacker delivered malware that could bypass security controls and gain access to those cloud backups. That's fair enough; file under lessons learned.
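The passages above make three points that are easier to see in working code than in prose: a stolen vault is only as safe as the key derived from the master password, changing the master password re-encrypts the live vault but does nothing for the copy the attacker already holds (hence the advice to change every stored password), and a design like 1Password's account-password-plus-secret-key means the correct master password alone does not open the blob. The toy vault below is an added example written for this page; it is not LastPass or 1Password code. All function names, the PBKDF2 iteration count, the way the secret key is mixed into the vault key (a simplification of the two-secret idea, not 1Password's actual algorithm) and the HMAC-based cipher (a dependency-free stand-in for AES-GCM) are assumptions of the example, and the vault contents are constructed.

```python
"""Toy model of a password-manager vault: master-password key derivation
(optionally mixed with a device-held secret key), vault encryption and
master-password rotation. Constructed example; not LastPass or 1Password code."""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # assumed value for the demo; real products tune this
KEY_LEN = 32


def derive_vault_key(master_password: str, salt: bytes,
                     secret_key: Optional[bytes] = None,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 stretches the low-entropy master password. When a
    secret key is supplied it is XORed in, so whoever holds the stolen blob
    must know both secrets (simplified two-secret scheme, an assumption here)."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, KEY_LEN)
    if secret_key is None:
        return pw_key
    sk_key = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (a PRF); stdlib stand-in for AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong (tag mismatch)."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def rotate_master_password(blob: bytes, salt: bytes, old_pw: str,
                           new_pw: str) -> Optional[Tuple[bytes, bytes]]:
    """Re-encrypt the vault under a key from the new master password and a
    fresh salt. Returns (new_blob, new_salt), or None if old_pw is wrong."""
    plaintext = decrypt_vault(derive_vault_key(old_pw, salt), blob)
    if plaintext is None:
        return None
    new_salt = os.urandom(16)
    return encrypt_vault(derive_vault_key(new_pw, new_salt), plaintext), new_salt


def demo() -> dict:
    """Scenario from the article: a vault copy is stolen, the user rotates the
    master password, and a second vault additionally uses a secret key."""
    vault = b'{"example.com": "hunter2"}'      # constructed vault contents
    salt = os.urandom(16)
    blob = encrypt_vault(derive_vault_key("correct horse", salt), vault)
    stolen_copy = blob                          # the attacker's copy never changes

    new_blob, new_salt = rotate_master_password(blob, salt, "correct horse", "battery staple")
    secret_key = secrets.token_bytes(16)       # 128-bit secret held only on the device
    sk_blob = encrypt_vault(derive_vault_key("correct horse", salt, secret_key), vault)

    return {
        # rotation protects the live vault ...
        "new_blob_opens_with_new_pw": decrypt_vault(derive_vault_key("battery staple", new_salt), new_blob) == vault,
        "new_blob_opens_with_old_pw": decrypt_vault(derive_vault_key("correct horse", new_salt), new_blob) is not None,
        # ... but not the copy already stolen, so every stored password must change
        "stolen_copy_opens_with_old_pw": decrypt_vault(derive_vault_key("correct horse", salt), stolen_copy) == vault,
        # with a secret key, the correct master password alone is not enough
        "sk_blob_opens_with_pw_only": decrypt_vault(derive_vault_key("correct horse", salt), sk_blob) is not None,
        "sk_blob_opens_with_pw_and_key": decrypt_vault(derive_vault_key("correct horse", salt, secret_key), sk_blob) == vault,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The result worth noticing is `stolen_copy_opens_with_old_pw`: the re-encrypted vault is safe, but the blob the attacker already exfiltrated still opens with the old master password, so rotation only limits future damage and the passwords inside the stolen copy have to be changed individually. The `sk_blob_*` entries show why a secret key changes the offline picture: the guess space is no longer bounded by how good the master password is.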