To recall, LastPass suffered a breach in August last year, which allowed hackers to steal the password manager's source code. After an investigation, management maintained that user data was safe until another related security incident came to light in December 2022. It involved a breach of an employee's personal computer, which allowed access to backups of LastPass users' vaults. Barely two months have passed since this revelation, and LastPass now confirms the bad actors certainly have access to customer vault data. The breached information includes plaintext data, encrypted text, website data like usernames and passwords, secure notes, and information for filling forms.

LastPass explains it's now clear this attack is linked to the August breach, but that raises the question of how an attack of this magnitude flew under the company's radar.

LastPass' blog post says the hackers targeted one of its DevOps engineers. An anonymous source told Ars Technica the hackers exploited a vulnerability in Plex installed on the engineer's computer, allowing them to install keylogging malware. However, besides the one anonymous source, nothing ties Plex to the LastPass breach. The keylogger captured the engineer's Master Password for a LastPass vault used by other staffers. Only four people were allowed access to this internal-use vault, but unbeknownst to this engineer, the keylogger captured all the multi-factor authentication credentials and relayed them to the hackers.

Although this breach was tied to the August incident, it remained undetected for this long because, as LastPass admits, the modus operandi of the two related attacks was different. This now-decrypted corporate vault contained decryption keys for server-side encrypted Amazon Web Services (AWS) S3 production backups of customer vaults, critical LastPass database backups, and access to other cloud storage resources. It was only when the hacker used the data from the AWS S3 backups that the password manager's researchers caught on to what was happening. Specifically, the bad actor used Identity and Access Management roles from the AWS S3 backup, tripping Amazon's warning systems for unauthorized use.

> I'm sure LastPass tried really hard to protect data.

Sure, but password managers available over the internet are especially vulnerable. They're major centralized honeypots given the data they handle, and leaks are probably worth millions on the black market. To think that any company could handle this responsibility is naive at best. Password managers are an entire section of software that shouldn't exist. They're too confusing and a chore to use for the general public, even if users are educated about their importance and would like to secure their accounts. Many non-technical people don't bother or care at all.

The way forward is to get rid of passwords altogether and make passwordless authentication the norm. There have been some usability improvements in recent years in this area, to the point where it could reach mass adoption, but the change needs to start with developers.

I was a LastPass user for many years, many years ago, and trusted them, but have since moved all my passwords offline. And I would very much like not to worry about maintaining accounts, updating passwords, etc.

I was specifically talking about _online_ password managers in that quote. Even in the best case scenario that they do follow all best modern security practices for storing the data at rest, there are countless exploit opportunities while the data is in transit, especially considering the clients are web browsers, with their own security issues. Not to mention the vulnerability from rogue employees, social engineering, etc. Entrusting _any_ company with the secrets to your digital life is a bad idea in general. I know that 1Password is the darling in this space, but breaches are a matter of time.

Their entire business reputation relies on being 100% secure, which is impossible. I'm not surprised LastPass is reluctant to share more information; they want this to go away as soon as possible so that business can continue as usual. It also wouldn't surprise me if there were other breaches that were never made public, at LastPass, 1Password, or any of these companies.

> the critical password from the poor security of password managers

Just because one restaurant has a bad health inspection score and is constantly making everyone who eats there sick does not mean all restaurants are bad. People who just lump "password managers" into one group are fundamentally assuming that one bad password manager means that all password managers are automatically bad, we just somehow don't know it yet. Don't bother eating at restaurants ever again if you feel that way, I guess.