More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

  • GreenBottles@lemmy.world
    link
    fedilink
    English
    arrow-up
    20
    ·
    1 year ago

    I’d be willing to bet that people store their key phrases in the notes section in LastPass which was not encrypted at rest

    • CoderKat@lemm.ee
      link
      fedilink
      English
      arrow-up
      13
      ·
      edit-2
      1 year ago

      I’m sure they were encrypted. But attackers have the vaults and many people have bad passwords. Brute forcing these days is less about trying every combination and more about trying all known leaked passwords, because people reuse passwords like crazy and also just aren’t as original as they think.

      If you have millions of password vaults, I’m sure you can crack open a small number. And the ones you can crack are probably the most likely to not be following best practices, meaning it’s more likely they haven’t changed their passwords since the breach was announced a while back and they probably are less likely to have 2FA. 150 victims is such a tiny number for how many vaults were stolen when LastPass got compromised.

    • hatchling@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 year ago

      This is incorrect information. Notes are encrypted, just not their “type”. Unfortunately the most direct source for this is a reddit link, but here it is anyway.