
In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious…

[-] just_another_person@lemmy.world 43 points 1 year ago

Well, I mean...what did you think they were going to do with that data?

[-] thefartographer@lemm.ee 14 points 1 year ago

Dive into it like Scrooge McDuck, obviously

[-] just_another_person@lemmy.world 7 points 1 year ago* (last edited 1 year ago)

A fine idea. This guy hax.

[-] quams69@lemmy.world 23 points 1 year ago

You're telling me it's a bad idea to aggregate all of your passwords through a third party? Who could have seen this coming

[-] rastilin@kbin.social 7 points 1 year ago

Apparently very few people, somehow. Because the internet was filled with people explaining how it was actually much safer than writing them down in a book because "what if someone goes through your desk?". I'm told it's much safer to entrust your passwords to a third party over the internet.

[-] Raisin8659@monyet.cc 16 points 1 year ago

TLDR;

In November 2022, LastPass, a password manager service, suffered a data breach in which hackers stole password vaults containing encrypted and plaintext data for over 25 million users. Since then, there has been a series of cryptocurrency thefts targeting individuals in the tech industry, totaling more than $35 million. These thefts primarily targeted individuals deeply integrated into the cryptocurrency ecosystem, including employees of crypto organizations and venture capitalists.

Researchers, led by Taylor Monahan, CEO of MetaMask, have identified a common factor among these victims: they had previously used LastPass to store their "seed phrase," which is a critical private key for accessing their cryptocurrency investments. Armed with this seed phrase, attackers can instantly access and transfer the victim's cryptocurrency holdings.

The LastPass breach exposed vulnerabilities in its security, particularly related to the master passwords and encryption settings. LastPass users who stored important passwords, especially for cryptocurrency accounts, are urged to change their credentials immediately and migrate their crypto holdings to offline hardware wallets. Alternatives like 1Password, which offer additional security layers like a Secret Key, are recommended.

While the research suggests a strong link between the LastPass breach and the cryptocurrency thefts, it's challenging to definitively prove causation. Nonetheless, security experts advise taking immediate action to protect digital assets.

[-] Zeron@lemmy.world 14 points 1 year ago

And this is why you don't want cloud based password storage systems. If you want to use a password manager, use something entirely local like KeePassXC. The database it creates is so small you could fit it on a floppy so it's immensely portable.

[-] SkyeStarfall 26 points 1 year ago

Cloud based systems can be perfectly sound. You can read how other managers do it, which are also audited by security experts. It's just LastPass being bad.

And sure, local can be more secure, but you're then at higher risk of losing access to it, should the worst happen.

[-] GigglyBobble@kbin.social 1 points 1 year ago

They are a real treasure trove though. Those crypto token thefts show there's much money in that. I wouldn't bet my most sensitive data they covered every single attack vector - external or internal. You managing your password locally may be much less secure but it's also much less likely you're directly targeted.

[-] MaxHardwood@lemmy.ca 2 points 1 year ago

The accounts they're breaking the encryption on were never configured properly. These are old accounts from when LastPass had weak defaults and neither the user or LastPass updated those settings on old accounts. Those settings have always existed though and could have been improved by the user.

[-] ExcessiveAardvark@lemmy.world 15 points 1 year ago

The problem is more that LastPass' system is bad. 1password (and probably others) mitigate a possible hack by having the keyring encrypted by something in addition to the password.
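The two points above, that old accounts sat on weak key-derivation settings (MaxHardwood) and that managers like 1Password encrypt the keyring with something in addition to the password (ExcessiveAardvark), worked through as an added example that is not from the thread or from any vendor's code; the two-secret derivation is a simplified model of the idea, not 1Password's actual algorithm, and the salt, iteration counts and secret key are constructed values.

```python
import hashlib
import hmac
import time

# Constructed values (not from any real vault). 600_000 is OWASP's current
# PBKDF2-HMAC-SHA256 recommendation; 5_000 stands in for an old, weak default.
SALT = b"constructed-per-user-salt"
WEAK_ITERATIONS = 5_000
STRONG_ITERATIONS = 600_000

def password_key(master_password: str, iterations: int) -> bytes:
    """Vault key from the master password alone: whoever holds a stolen vault
    can test guesses offline, paying only `iterations` of HMAC per guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), SALT, iterations, 32)

def hkdf_expand(prk: bytes, info: bytes) -> bytes:
    """One block of HKDF-Expand (RFC 5869) with HMAC-SHA256, i.e. 32 bytes."""
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def two_secret_key(master_password: str, secret_key: bytes, iterations: int) -> bytes:
    """Vault key needing BOTH the password and a 128-bit Secret Key that lives
    only on the user's devices. A stolen vault plus a guessed password is not
    enough; the 128 bits of the secret key must be searched as well."""
    if len(secret_key) != 16:
        raise ValueError("secret key must be 128 bits")
    pw_part = password_key(master_password, iterations)
    sk_part = hkdf_expand(secret_key, b"constructed-vault-key-info")
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measured cost of one offline guess at a given iteration count."""
    start = time.perf_counter()
    for _ in range(samples):
        password_key("benchmark-only", iterations)
    return (time.perf_counter() - start) / samples

def offline_crack_years(password_bits: float, iterations: int, secret_key_bits: int = 0) -> float:
    """Expected single-CPU time to brute-force the vault key: half the guess
    space (password entropy plus any secret-key entropy) times per-guess cost."""
    guesses = 2 ** (password_bits + secret_key_bits - 1)
    return guesses * seconds_per_guess(iterations) / (365 * 86_400)

if __name__ == "__main__":
    for n in (WEAK_ITERATIONS, STRONG_ITERATIONS):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1e3:.1f} ms/guess, "
              f"~{offline_crack_years(40, n):.0f} years for a 40-bit password")
    print(f"with a 128-bit secret key: ~{offline_crack_years(40, WEAK_ITERATIONS, 128):.2e} years")
```

The iteration count only multiplies the attacker's per-guess cost, so a weak password on an old setting stays cheap to test; the secret key adds 128 bits that no amount of password guessing recovers.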

[-] Synthead@lemmy.world 8 points 1 year ago

If you used weak passwords, gave them to a third party, the third party had their data stolen, and you didn't rotate them, it's your own fault.

[-] TheFrirish@jlai.lu 6 points 1 year ago

It's a bad idea to have all your passwords centralized, but for me it's still an upgrade in security compared to remembering a few different passwords. I understand security is very important, but I want to be able to appreciate convenience and not have to write all my random passwords in a book that I would have to bring with me all the time and look at every time I want to type a password. There's no such thing as bulletproof security. I'm quite happy to have reduced my attack vectors to nearly one single point so I can focus on defending that one single point.

[-] treadful@lemmy.zip 2 points 1 year ago

Password vaults are great! Giving them to a central authority is... a little risky though. LP has a pretty decent history other than this, so I don't fault anyone for using them. But after that breach, it's probably good to consider those creds burned and recycle them.

A good self-hosted alternative might be something like Keepass on Syncthing. Though a downside of that is that you might be even less likely to know of a vault exfil than a service like LP.

Either way you go, it's good to recognize the limitations and act accordingly.

[-] Xavier@lemmy.ca 4 points 1 year ago

These online password manager services are all half-baked scams that get away scot-free in any event of a breach (whichever the ones they just cannot silently hide away).

Only when/if they offer a minimum compensation backed by third-party reputable Surety Insurance of at least US$5000 for every single breach, for each compromised password/key/wallet/service, for each affected customer, would I even consider taking a gander at their "unbreakable/unhackable" password manager service.

Until such a day arrives, I will continue to use FIDO2 hardware keys (Yubikey), asymmetric certificate pairs (gpg2, SSH, TLS, etc…) and the good old "remember all my darn long passwords in my brain" for symmetric ciphers (Rijndael, Serpent, ChaCha20, etc…) with the added help of Argon2id whenever implemented/available.

I sure hope companies become financially liable and accountable for all their privacy/security breaches, unlike the last few decades of no consequence or just getting away with a negotiable fine.

this post was submitted on 06 Sep 2023