LastPass suffered a security breach back in August, when a hacker gained access to development environments and was able to steal source code and other proprietary information. Later in December, LastPass confirmed a hacker was able to use that data to "gain access to certain elements of our customers' information." The company didn't clarify what "certain elements" meant, until now.

LastPass just disclosed the full scope of the attack, following an "ongoing investigation." The hacker was able to access a cloud storage environment using data from the August security breach, which included "basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service." Credit card information was apparently not accessed.

The worst part is that the hacker successfully copied vault data from LastPass, though the company called it "a backup," so it's not clear how old the data is. The company claims the actual passwords are still safe, because they use 256-bit AES encryption based on a person's master password. However, if someone's master password can be obtained (for example, with a phishing email mimicking a LastPass login page), it could be possible to unlock the encrypted data and see all of someone's passwords.

Even without the master password, the leaked data could be damaging for some LastPass users. Names and billing addresses can be used in more attacks, and the website addresses for stored passwords were not encrypted. Someone with the leaked data would be able to see all the websites that were associated with passwords, then use that for more targeted phishing. For example, if someone has a password for Bank of America's website, they might have an account there, and would be an excellent target for phishing emails that look like account alerts from the bank.

This is just about the worst possible security incident imaginable for a password manager like LastPass - nearly all data in the company's possession has been copied. Client-side encryption saved every password from being stolen, but as previously mentioned, all it takes is a weak master password or a phishing attack to unlock that data for an account.