If it wasn’t clear back in December, you should change all your passwords stored in LastPass and ensure that your accounts have not been compromised. It’s probably also a good idea to ditch LastPass for 1Password or Proton Pass, no matter how long the process takes.

## The link between LastPass and crypto heists

There’s no definitive proof that the LastPass security breach is tied to the cumulative $35 million in crypto heists. And LastPass likely wouldn’t acknowledge it either way. But security researchers who have been investigating recent crypto heists seem to believe that’s the only thing that makes sense. They believe hackers stole the unique 12-word seed phrases protecting crypto wallets from LastPass accounts after cracking each vault’s master password.

Popular security blog KrebsOnSecurity has a very detailed rundown of events that explains how the hackers were seemingly able to crack the LastPass vaults, despite their encryption. The blog explains that MetaMask lead product manager Taylor Monahan was the first to link the crypto heists to the LastPass breach. She explained that the victims were not your average internet users who recycle weak passwords across their services.

‘The victim profile remains the most striking thing,’ Monahan wrote. ‘They are also deeply integrated into this ecosystem, employees of reputable crypto orgs, VCs, people who built DeFi protocols, deploy contracts, run full nodes.’

Monahan concluded in late August that the only common thread was the use of LastPass to protect the seed phrases.

The anonymous Connor lost $3.4 million worth of crypto on August 27th, 2023. That’s nearly a year after the hackers went after LastPass. He stored the seed phrases for years in his LastPass account before that. He was able to recover $1.5 million of that.

‘I thought at the time that the bigger risk was losing a piece of paper with my seed phrase on it,’ Connor said. ‘I had it in a bank security deposit box before that, but then I started thinking, “Hey, the bank might close or burn down and I could lose my seed phrase.”’

Here’s what I wrote back in December, when LastPass issued that tardy Christmas update about the August 2022 and November 2022 hacks:

Now, the Thursday before Christmas, LastPass issued a notice of a recent security incident where hackers stole a copy of “a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

LastPass also notes that since 2018 it has implemented new security features, including ‘a stronger password-strengthening algorithm that makes it difficult to guess your master password.’ With these default settings in place, ‘it would take millions of years to guess your master password using generally-available password-cracking technology.’ LastPass says there are no recommended actions customers should take at this time if the above applies to your account.

But you’re at risk if your account doesn’t use these defaults. LastPass advises users to minimize risk by ‘changing passwords of website you have stored.’ Every single website.

There’s no reason to panic, LastPass seems to indicate. But you also should.

*Image: A bitcoin coin concept in front of a screen showing a market price chart. Image source: Mehmet/Adobe*

## How they might have hacked your LastPass account

At the time, LastPass also said it would take millions of years to guess someone’s master password, which guards all the other passwords you have secured in your vault. So, how could the hackers possibly break into accounts belonging to more than 150 people? They brute-forced their way into them. That’s because LastPass didn’t have uniform, up-to-date security practices in place for all of them.

*Image: Cryptocurrency symbols are shown on physical coins, including bitcoin, ethereum, litecoin, and XRP. Image source: stockphoto-graf/Adobe*

## What should you do now?

KrebsOnSecurity explains that hackers were working offline, with direct access to those encrypted vaults:

If LastPass customers had changed ALL their account passwords in December, including migrating cryptos to new wallets, they’d be safe now. And with the obfuscation in the crypto world, it’s probably impossible to tell how massive the crypto heist is. It’ll be interesting to see if anyone can establish a clear link between LastPass and the crypto thefts. And whether LastPass will be held liable.
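To make the point about offline guessing and key-derivation defaults concrete, here is an added example (not code from the article, LastPass or KrebsOnSecurity) that measures the per-guess cost of a PBKDF2 strengthening step and flags vaults whose iteration count or master-password strength leaves them crackable well inside the “millions of years” claim; the iteration counts, attacker guess rate, entropy figures and sample records are assumptions, not values from the page.

```python
"""Added example (not code from the article, LastPass or KrebsOnSecurity): model
why the key-derivation default matters once an attacker can guess a vault's
master password offline. Iteration counts, entropies, guess rate and sample
records are constructed assumptions, not values from the page."""
import hashlib
import time
from dataclasses import dataclass

CURRENT_DEFAULT_ITERATIONS = 600_000  # assumed policy value for "the defaults"
GUESSES_PER_SEC_ONE_ITER = 2e10       # assumed attacker rate at one PBKDF2 round
SECONDS_PER_YEAR = 365.25 * 24 * 3600

@dataclass
class VaultRecord:
    user: str
    kdf_iterations: int  # PBKDF2 rounds the vault key was derived with
    entropy_bits: float  # estimated master-password entropy

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """The 'password-strengthening' step: PBKDF2-HMAC-SHA256 over the master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, 32)

def seconds_per_guess(iterations: int) -> float:
    """Measured cost of one offline guess at this iteration count, on this machine."""
    start = time.perf_counter()
    derive_vault_key("guess", b"constructed-salt", iterations)
    return time.perf_counter() - start

def expected_crack_years(entropy_bits: float, iterations: int) -> float:
    """Expected years to find the password offline: half the keyspace on average,
    each guess costing `iterations` rounds at the assumed attacker rate."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses * iterations / GUESSES_PER_SEC_ONE_ITER / SECONDS_PER_YEAR

def at_risk(records, min_years=1_000_000):
    """Flag vaults still below the current default or crackable faster than min_years."""
    flagged = []
    for r in records:
        years = expected_crack_years(r.entropy_bits, r.kdf_iterations)
        if r.kdf_iterations < CURRENT_DEFAULT_ITERATIONS or years < min_years:
            flagged.append((r.user, r.kdf_iterations, years))
    return flagged

SAMPLE_VAULTS = [  # constructed records, not real accounts
    VaultRecord("never-migrated", 5_000, 40.0),
    VaultRecord("old-default", 100_100, 40.0),
    VaultRecord("current-default", CURRENT_DEFAULT_ITERATIONS, 70.0),
]
```

Calling `at_risk(SAMPLE_VAULTS)` returns the two vaults left on older iteration counts, while the record on the current default with a strong master password is not flagged; `seconds_per_guess` shows the same cost difference the attacker pays per guess.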