

LastPass attacker stole customer password vaults

This meant the attacker now had customer password vaults but not the means to open them. Unless, of course, they used offline brute-force methods, such as trying known passwords from other breaches against the stolen data. With local access to the encrypted databases, this becomes a lot easier to pull off, but it still depends on the user having either a weakly constructed master password or one reused across services, including one that has already been compromised.

At this point, I recommended that users change their master password, which would also re-encrypt their password vault, on a better-safe-than-sorry basis. This wouldn't help anyone with a weak master password as far as the already-stolen vaults were concerned, of course, so those customers were advised to change all their passwords as soon as possible.

At this point, I stated that if I were a LastPass user, I'd be looking for alternatives given the drip feed of breach information, especially since it took so long to determine that customer vaults had been stolen. This gave the attacker a head start on any attempts to decrypt vaults, as users had been advised that no further action was required up until this point.

A textbook persistent attack, experts say

"This attack is a textbook persistent attack where the attackers increased their foothold in stages and without rushing the process," Javvad Malik, lead security awareness advocate at KnowBe4, said. "This is why even minor breaches should not be overlooked."

My trust in LastPass has now been broken into little pieces. Admittedly, this was a persistent and seemingly well-resourced attacker. But targeting high-value employees in a valuable organization is a familiar attack model.

"Trust is paramount in the world of password management," I concluded, "and there can be little doubt that trust is being tested hard right now."
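The offline attack on stolen vaults described above, as an added worked example (this is illustrative code written for this page, not LastPass's implementation). It models a vault whose key is derived from the master password with PBKDF2-HMAC-SHA256, runs a dictionary attack with a constructed list of passwords "leaked" from other breaches, and shows two things the article states: a strong, unique master password survives the same list, and rotating the master password re-encrypts only the live vault, while the copy the attacker already holds still opens with the old one. Assumptions not taken from the article: the salt is the lowercased account e-mail, the iteration count is 1,000 to keep the demo fast (a real vault uses far more, and attacker cost scales linearly with it), and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the AES construction a real vault would use, so that the example runs on the standard library alone.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Deliberately low so the demo runs in well under a second; a production vault
# uses a far higher count, which multiplies the attacker's cost per guess.
ITERATIONS = 1_000


def derive_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Vault key = PBKDF2-HMAC-SHA256(master password, salt = lowercased e-mail)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (assumption: AES in a real vault).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Blob layout: nonce(16) || ciphertext || HMAC tag(32), encrypt-then-MAC."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong (tag fails to verify)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def offline_dictionary_attack(stolen_blob: bytes, email: str, candidates: List[str],
                              iterations: int = ITERATIONS):
    """What an attacker holding a stolen vault copy does: derive a key from each
    breached password and test whether the vault opens. No rate limit, no lockout,
    and the only per-guess cost is the KDF. Returns (password, plaintext, guesses) or None."""
    for guesses, guess in enumerate(candidates, start=1):
        plaintext = decrypt_vault(derive_key(guess, email, iterations), stolen_blob)
        if plaintext is not None:
            return guess, plaintext, guesses
    return None


# Constructed sample data for the demo (not real credentials or a real breach list).
EMAIL = "alice@example.com"
BREACHED_PASSWORDS = ["123456", "password", "qwerty", "Summer2019!", "letmein", "dragon"]
VAULT_CONTENTS = b"bank.example: alice / hunter2\ngithub.com: alice / correct-horse"


def run_scenario() -> dict:
    # Case 1: master password reused on a site that was breached, so it is in the list.
    weak_blob = encrypt_vault(derive_key("Summer2019!", EMAIL), VAULT_CONTENTS)
    weak = offline_dictionary_attack(weak_blob, EMAIL, BREACHED_PASSWORDS)

    # Case 2: long, unique master password; the same list never opens the vault.
    strong_blob = encrypt_vault(derive_key("six random words make a lousy target", EMAIL), VAULT_CONTENTS)
    strong = offline_dictionary_attack(strong_blob, EMAIL, BREACHED_PASSWORDS)

    # Case 3: the weak-password user rotates. The live vault is re-encrypted under the
    # new key, but the blob the attacker already exfiltrated is unchanged.
    rotated_blob = encrypt_vault(derive_key("a new long unique passphrase", EMAIL), VAULT_CONTENTS)
    rotated = offline_dictionary_attack(rotated_blob, EMAIL, BREACHED_PASSWORDS)
    stolen_copy = offline_dictionary_attack(weak_blob, EMAIL, BREACHED_PASSWORDS)

    return {
        "weak_cracked": weak[0] if weak else None,
        "weak_guesses": weak[2] if weak else None,
        "weak_plaintext": weak[1] if weak else None,
        "strong_cracked": strong[0] if strong else None,
        "rotated_cracked": rotated[0] if rotated else None,
        "stolen_copy_still_opens": stolen_copy is not None,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v!r}")
```

The point the scenario makes is the one the article makes: once the encrypted blob is in the attacker's hands, the only things standing between them and the contents are the strength of the master password and the KDF cost per guess, neither of which a later password rotation can change for the copy already stolen. That is why the advice for anyone with a weak or reused master password is to rotate every credential inside the vault, not just the master password.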
