Lastpass breach 2015
9/7/2023

The cloud-based application LastPass has been compromised, but encrypted user vault data does not look to have been accessed by hackers.

The popular cloud-based password management service LastPass has been compromised, exposing user account email addresses, password reminders, server per-user salts, and authentication hashes. It seems that encrypted user vault data hasn't been accessed.

"We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed," is the official statement from LastPass published on its website.

That's great, but now the evil is done, and I would say that they have lost credibility and are risking losing many clients, since no one who knows this will risk keeping their passwords in LastPass.

Users with a weak master password are at risk, so they should update it. LastPass customers who are not using multi-factor authentication must verify their accounts via email when logging in from a new device or IP address. "You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites."

"So far, the attackers do not seem to have access to the passwords encrypted with that master password." "What this means is that attackers seem to have all they need to start brute forcing master passwords." "They incidentally have a list of LastPass users by e-mail address," said Tod Beardsley, Rapid7's security engineering manager.

OK, so it seems that they may be able to brute-force master passwords, since the stolen per-user salts and authentication hashes are all the information needed to test guesses offline. But that is not the only problem: criminals also have users' email addresses, which they can use to run phishing campaigns, tricking users with emails such as "Update your LastPass master password" or "Update LastPass to the new version".

Another consideration is that the way people store their passwords may not be ideal. Which is the better choice?

Keeping passwords in the cloud, or keeping our passwords locally?

"Password vaults in the cloud are potentially dangerous as a breach like this could expose every password to every site for a wide range of users." "Unlike a site that stores passwords one-way hashed, a password manager encrypts the users' passwords with a way to decrypt them so they can be used later. Thus, LastPass's breached hashes and salts will be under attack and any successful crack could lead to a specific user without additional factors of authentication open to further data breaches," explained Devin Egan, co-founder and CTO of LaunchKey, at Infosecurity magazine. "As LastPass themselves recommend, users need to enable additional factors of authentication on these systems as protecting this data with a password alone is not secure."

Again, in my opinion, this entire situation proves that we need to re-think the way we store our passwords, and maybe we should change the approach in the near future.

LastPass attacker stole customer password vaults

This meant the attacker now had customer password vaults but not the means to open them. Unless, of course, they used brute-force methods to try known passwords from other breaches. With local access to the encrypted databases, this becomes a lot easier to pull off, but it is still dependent on the user either having a weakly constructed master password or one reused across services, including one that has been compromised.
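The three technical points above fit together in one model: the LastPass statement (random per-user salt and 100,000 server-side rounds of PBKDF2-SHA256 on top of client-side rounds), Beardsley's point that the stolen salts and hashes are all an attacker needs to brute-force master passwords offline, and Egan's point that, unlike a one-way site hash, a cracked master password yields a key that decrypts the vault. The Python below is an added example, not code from this page or from LastPass. Everything beyond what the statement says is an assumption made for the example: the client-side iteration count (5,000), the lower-cased email as the client-side salt, one extra PBKDF2 round over the vault key to produce the authentication hash the server receives, a 16-byte server salt, and the two users and wordlist, which are constructed sample data.

```python
import hashlib
import hmac
import os
import time

# Assumed client-side iteration count; the page only says "rounds performed client-side".
CLIENT_ITERATIONS = 5_000
# Server-side rounds quoted in the LastPass statement.
SERVER_ITERATIONS = 100_000


def client_derive(master_password: str, email: str, iterations: int = CLIENT_ITERATIONS):
    """Client side. Returns (vault_key, auth_hash).

    Assumption (a model, not LastPass code): the vault key is
    PBKDF2-SHA256(master password, salt=email), and the value sent to the server
    is one more PBKDF2 round over that key salted with the master password, so
    the server never holds the vault key itself.
    """
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash


def server_enroll(auth_hash: bytes):
    """Server side, as the statement describes: random per-user salt, 100,000 rounds."""
    salt = os.urandom(16)  # 16 bytes is an assumption
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
    return salt, stored


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def offline_crack(email, salt, stored, wordlist, iterations=CLIENT_ITERATIONS):
    """What an attacker holding (email, per-user salt, stored hash) can do: replay
    the whole derivation chain for each guess, entirely offline.

    Returns (master_password, vault_key, seconds_per_guess); the first two are
    None when no guess matched. The recovered vault key is Egan's point: with it
    the stolen vault is decryptable, which cracking an ordinary one-way site hash
    would never give.
    """
    start = time.perf_counter()
    tried = 0
    for guess in wordlist:
        tried += 1
        vault_key, auth_hash = client_derive(guess, email, iterations)
        if server_verify(auth_hash, salt, stored):
            return guess, vault_key, (time.perf_counter() - start) / tried
    return None, None, (time.perf_counter() - start) / max(tried, 1)


# Constructed sample wordlist, standing in for passwords leaked in other breaches.
WORDLIST = ["123456", "password", "Summer2015", "letmein", "Password1", "qwerty"]


def demo():
    """Two constructed users: one with a weak reused password, one with a long passphrase."""
    results = {}
    for email, master in [("alice@example.com", "Password1"),
                          ("bob@example.com", "correct horse battery staple 2015")]:
        vault_key, auth_hash = client_derive(master, email)
        salt, stored = server_enroll(auth_hash)
        # Breach: the attacker now holds email, salt and stored hash, nothing else.
        cracked, recovered_key, secs = offline_crack(email, salt, stored, WORDLIST)
        results[email] = {
            "cracked": cracked,
            "vault_key_recovered": recovered_key == vault_key,
            "seconds_per_guess": secs,
        }
    return results


if __name__ == "__main__":
    for email, r in demo().items():
        print(email, r)
```

Running it, alice's reused password falls within a handful of guesses and the attacker ends up with her vault key, while bob's passphrase survives the wordlist. The seconds_per_guess figure is the cost the 100,000 server-side rounds impose on each attempt; it slows a dictionary attack but does not stop one, which is why the page's advice (a strong, unique master password plus additional authentication factors) is the actual control. Note also that because the client-side salt here is the email and the breach included email addresses, nothing stops an attacker from targeting a specific user.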