Notice of Recent Security Incident.......LastPass

With each new announcement the breach becomes more and more serious.
You have a point with them shifting liability. Firms rarely have to pay for the damage to customers.
It recently got more serious, and I did not think that was possible. The quote below comes directly from this article:

https://www.csoonline.com/article/3...he-best-and-worst-among-recent-responses.html

The damage may have been done, Grimes says. “LastPass had always said they protected customers' stored data, but when that data was breached, it was revealed that while LastPass did possibly protect customers' stored passwords, they did not protect customer login names, website links, and other customer-specific private information. This gives the hacker in possession of the information a complete map of the sites the user visits and what their logon names are. At the very least it could lead to customized spear phishing attacks that appear to be from websites the victim frequents. On top of that, the breach revealed that LastPass was still allowing weak master passwords.”

The implications are that the attacker knows the websites that everyone visits, and can use that to prioritize decrypting the vaults of those who visit high value websites - financial institutions, the DoD or other government institutions, healthcare and large corporations (for stealing sensitive personal data or ordinary ransomware), etc. Including known usernames is also a huge boost to the attacker.

Not only did LastPass fail to protect its customers' secrets, they put the bullseye squarely onto those who are the highest value / highest priority targets.

The list of potential high value targets and the types of potential threats is very large. Those are the ones who needed strong, reliable, well-architected security the most. They trusted LastPass to provide that security. LastPass let them down.
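The paragraph above describes the attacker's triage step: with the URL (and, per the quoted article, the login name) of every vault entry sitting in cleartext, an attacker can rank tens of millions of encrypted vaults before spending a single GPU-hour on cracking. The script below, added here as an illustration and not code from the post, from LastPass, or from the CSO article, models that step over a constructed sample. Every domain ending in `.example`, every weight in `CATEGORY_WEIGHT`, and the record layout are assumptions for the example; only the rule that `.gov` and `.mil` are US government TLDs is a real fact. The same logic, run over an export of your own vault, tells you which of your own accounts to rotate first.

```python
"""Rank encrypted vaults by their cleartext metadata (constructed example)."""
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Category weights: arbitrary assumptions for this example. A real operator
# would tune them to their objective (fraud, espionage, ransomware access).
CATEGORY_WEIGHT = {"government": 10, "financial": 8, "healthcare": 6,
                   "corporate_sso": 5, "other": 0}

# Known-domain lookup. All *.example names are placeholders, not real sites.
DOMAIN_CATEGORY = {
    "bigbank.example": "financial",
    "brokerage.example": "financial",
    "hospitalportal.example": "healthcare",
    "megacorp.example": "corporate_sso",
}

# Constructed vault metadata: three fake users, each with the fields an
# attacker could read without any master password (URL plus, as the quoted
# article claims, the login name). The real LastPass blob layout is not
# reproduced here.
SAMPLE_VAULTS = [
    {"vault_id": "user-a", "entries": [
        {"url": "https://www.bigbank.example/login", "username": "alice@example.com"},
        {"url": "https://portal.somecity.gov/account", "username": "alice@example.com"},
        {"url": "https://forum.example/", "username": "alice_fan"},
    ]},
    {"vault_id": "user-b", "entries": [
        {"url": "https://streaming.example/", "username": "bob"},
        {"url": "https://pizza.example/", "username": "bob"},
    ]},
    {"vault_id": "user-c", "entries": [
        {"url": "sso.megacorp.example", "username": "c.carter"},
        {"url": "https://hospitalportal.example/patients", "username": "c.carter"},
        {"url": "https://brokerage.example/", "username": "c.carter"},
        {"url": "https://mail.somewhere.mil/owa", "username": "c.carter"},
    ]},
]


def registrable_domain(url: str) -> str:
    """Reduce a URL to the last two labels of its host.

    Heuristic: a production tool would consult the Public Suffix List so
    that suffixes such as 'co.uk' are handled correctly.
    """
    if "://" not in url:          # vault entries often store bare hosts
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def categorize(url: str) -> str:
    """Map a URL to a target category using the TLD or the seed list."""
    dom = registrable_domain(url)
    if dom.endswith((".gov", ".mil")):   # real TLDs reserved for US government / DoD
        return "government"
    return DOMAIN_CATEGORY.get(dom, "other")


def score_vault(entries):
    """Return (score, reasons) for one vault from its cleartext fields."""
    domains_by_cat = defaultdict(set)
    usernames = Counter()
    for e in entries:
        domains_by_cat[categorize(e["url"])].add(registrable_domain(e["url"]))
        usernames[e["username"].lower()] += 1
    score = sum(CATEGORY_WEIGHT[c] * len(d) for c, d in domains_by_cat.items())
    reasons = [f"{c}:{sorted(d)}" for c, d in domains_by_cat.items()
               if CATEGORY_WEIGHT[c]]
    # A login name reused on three or more sites is a credential-stuffing
    # target as soon as any one of those sites (or this vault) falls.
    reused = [u for u, n in usernames.items() if n >= 3]
    if reused:
        score += 2 * len(reused)
        reasons.append(f"reused usernames:{reused}")
    return score, reasons


def triage(vaults):
    """Return [(vault_id, score, reasons)] sorted highest-value first."""
    scored = [(v["vault_id"], *score_vault(v["entries"])) for v in vaults]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for vault_id, score, reasons in triage(SAMPLE_VAULTS):
        print(f"{score:3d}  {vault_id}  {'; '.join(reasons)}")
```

On the constructed sample, `user-c` (a .mil mailbox, a hospital portal, a brokerage and a corporate SSO, all under one reused login name) sorts to the top, `user-b` (streaming and takeaway) to the bottom. No decryption was needed to produce that ordering, which is the point the paragraph makes: the cleartext fields decide who gets cracked first.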
 


The list of potential high value targets and the types of potential threats is very large. Those are the ones who needed strong, reliable, well-architected security the most. They trusted LastPass to provide that security. LastPass let them down.
Amen to that!

And that is why they will never, ever, see any of my money again.
 
All of this stems from one tech basically working from home on his personal Plex server. He's one of only four people with the level of access he had. Why they don't have a dedicated machine for this crap is beyond shocking.