After reading more about the data breach and how casual LastPass has been about it, I sent this email to LastPass Support:

"My Darling Bride and I request a refund of our renewal fee from November 19, 2022. We have both logged out of our LastPass Families accounts and uninstalled LastPass from all our devices. Our LastPass Families subscription renewed automatically on November 19, 2022. It was not until a month later that LastPass disclosed the extent of two data breaches, including access and compromise of users' vaults and unencrypted URLs. Had we known the seriousness of the breaches, that LastPass stored users' IP data in unencrypted form and that LastPass failed to quickly detect and isolate the initial breach in August that led to the second breach, we would never have renewed. LastPass can argue that its suggested "best practices" should protect users, such as the 100,100 iterations of the PBKDF2 algorithm... but LastPass' default setting for that is only 5000 iterations! Because of LastPass' seemingly cavalier manner in the way it handles security, and the deceptive and long-delayed communications we users have received about the gravity of this compromise, we have zero confidence in LastPass as a secure data management tool. Thank you for processing our refund to the original method of payment. If not, I may pursue a class action on behalf of users whose accounts automatically renewed in the time between the August 2022 breach and the December disclosure. (BTW Dashlane is serving us very well so far. The desktop browser extension is especially helpful in changing passwords, as it will enter the existing password and then generate a new, computer-randomized password using the length and type of characters I can set.)"

LastPass referred me to the terms and conditions, stating that the 30 days were past and they would not issue a refund. So, I've requested a class action on behalf of premium users whose accounts renewed between the August breach and the December disclosure who are outside the refund window and would never have renewed had they been made aware of the extent of the breach.

It's March 2023 and LastPass has just now sent out a Security Bulletin suggesting how users might better secure their accounts. This regards the second breach on October 26, 2022, in which employee credentials stolen in August were used to access customer vaults, unencrypted URLs, and a host of proprietary data. In part, the bulletin states that in January 2023, the Open Web Application Security Project (OWASP) increased its recommended number of Password Based Key Derivation Function (PBKDF2) iterations from 100,100 to 600,000. Even though LastPass offered users the maximum 100,100 iterations and recommended users set their password settings to that value, the default LastPass setting was only 5,000 iterations! LastPass now uses 600,000 iterations as the default, but it's too little, too late! LastPass should have always used the maximum value as the default, not some pathetically low number, leaving it to users to increase security. In fact, this is probably the first time LastPass has ever rapidly increased security in response to recommendations by the online security community. After experiencing at least 8 breaches in the last decade, you'd think LastPass would already have strong security protocols. LastPass should have detected and stopped the intrusion in August in real time, while it was happening. In fact, they didn't even notice it had happened until after the October event. Whatever security measures users had in late October are what hackers have to break.

Dashlane, on the other hand, has never been breached, and they are proactively working on passkeys to eliminate the need for usernames and passwords.

GoTo, "the company behind the LastPass Password manager, has revealed a second attack on user data that involved the hackers using information stolen in the first LastPass attack, information obtained from a third-party site, and a vulnerability in software installed on the computer of a LastPass engineer to once again breach the company security."

According to the company, "Our investigation has revealed that the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August to October 26, 2022." LastPass senior engineers didn't use MFA on their accounts? Hopefully the era of usernames and passwords will end in the next year or two.
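The iteration counts discussed on this page (the 5,000 default, the 100,100 maximum, and OWASP's 600,000 recommendation) are fixed into a vault copy at the moment it is encrypted, which is why raising the default later does nothing for a copy that has already been exfiltrated. The following is an added example in Python, not code from this post or from LastPass, using a simplified, constructed vault header (salt, iteration count, key-check value) to show that re-keying to a higher count requires the master password and only ever reaches the copy the legitimate user is logging into.

```python
import hashlib
import hmac
import os

# OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256, as cited on this page.
OWASP_2023_PBKDF2_ITERATIONS = 600_000
KCV_LABEL = b"vault-key-check"  # constructed label for the key-check value


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 of the master password; the iteration count sets the
    cost of every single key derivation, legitimate or offline guess alike."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def meets_owasp_2023(iterations: int) -> bool:
    """Policy check a defender would run over stored vault headers."""
    return iterations >= OWASP_2023_PBKDF2_ITERATIONS


def make_vault(master_password: str, iterations: int, salt: bytes = b"") -> dict:
    """Constructed, simplified vault header. The key-check value is what lets
    whoever holds the blob test a candidate key without the server's help."""
    salt = salt or os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "kcv": hmac.new(key, KCV_LABEL, "sha256").digest()}


def unlock(vault: dict, candidate_password: str) -> bool:
    """Cost per attempt is vault['iterations'], the count baked into this copy;
    whatever the server's default is today has no effect on it."""
    key = derive_vault_key(candidate_password, vault["salt"], vault["iterations"])
    kcv = hmac.new(key, KCV_LABEL, "sha256").digest()
    return hmac.compare_digest(kcv, vault["kcv"])


def rekey(vault: dict, master_password: str, new_iterations: int) -> dict:
    """Upgrading the count needs the master password, so it can only happen at a
    user login; an exfiltrated copy keeps its old header and old cost forever."""
    if not unlock(vault, master_password):
        raise ValueError("wrong master password; cannot re-key without it")
    return make_vault(master_password, new_iterations, salt=os.urandom(16))


def per_guess_cost_ratio(old_iterations: int, new_iterations: int) -> int:
    """How much more work each offline guess costs after an upgrade (600,000 / 5,000 = 120)."""
    return new_iterations // old_iterations
```

Running the policy check over headers at rest, rather than over the current default, is what tells you how many stolen-copy-equivalents are still sitting at the old cost.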