linerblu.blogg.se

Lastpass hacker news

An anonymous plaintiff has filed a class action lawsuit against password management company LastPass after the company suffered two data breaches within four months in 2022. The suit, which was filed by an anonymous plaintiff referred to as ‘John Doe’ with the United States District Court of Massachusetts, alleges that LastPass failed to “exercise reasonable care in securing and safeguarding highly sensitive consumer data”. The lawsuit also alleges that bad actors could “wreak financial havoc on the lives of LastPass users” affected by the breach.

The plaintiff has accused LastPass of “likely stor” the master passwords of users – the sole way of unlocking users’ password vaults and accessing their login information – meaning users’ passwords would have been accessed during the cyber attack. This would allow malicious parties access to any number of users’ accounts, including those that store banking or payment information. However, according to LastPass, “master password never known to LastPass and not stored or maintained by LastPass”, meaning they could not have been accessed in the breaches.

The lawsuit goes on to accuse LastPass of “failing to invest in adequate data security measures that would protect Plaintiff and the Class from the unauthorized access to, and copying of, their private information”, meaning that those affected by the breach are at an “especially high risk of ransom threats and blackmail attempts” due to the information exposed. This information includes company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses used to access LastPass services. It also states that the personal data of victims is “no longer hidden but is, instead, in the hands of cybercriminals who have already fraudulently misused such data”.

The evidence for this is stated to be that in November 2022, Doe had around US$53,000 worth of Bitcoin stolen from his blockchain wallet, allegedly via the use of private keys he had stored using LastPass. The lawsuit goes on to allege that Doe has “never knowingly transmitted unencrypted sensitive personally identifiable information or information that is otherwise confidential over any unsecured source” and is “thoroughly diligent” with securing his personal information. For this reason, the only way his Bitcoin could have been stolen is if malicious parties gained access to his master password and therefore the private keys for his Bitcoin vault.

We’re trying to look at what is the worst possible case and how we can mitigate any risks coming out of that. Could this be just some kind of weird glitch? It could. But we haven’t had any of those before, and we’ve been watching this a long time.

PCW: We’re talking about blobs, hashes, and salts–a lot of phrases folks aren’t used to hearing. What does all of this mean in terms of what was actually in that data and what someone could glean from it?

Siegrist: You can combine the user’s e-mail, a guess on their master password, and the salt and do various rounds of one-way mathematics against it. When you do all of that, what you’re potentially left with is the ability to see from that data whether a guess on a master password is correct without having to hit our servers directly through the website. The threat is that once somebody has that process down, they can start running it relatively quickly, checking thousands of possible passwords per second. If you made a strong master password, you are pretty much in the clear–it’s not really an attackable thing. But if you used a dictionary word, that is within the realm of someone cracking it in a reasonable time frame.

Siegrist: When signing in, we’re forcing every user to prove to us that they’re coming from an IP that we’ve seen them come from before, or prove that they still have access to their e-mail. We think by taking those steps, we’re locking down any chance that somebody that guessed one of the master passwords would have any shot of getting in. In retrospect, we probably overthought this a bit and we’re maybe too alarmist ourselves. The real message needs to be that if you have a strong master password, nothing that could have been done would have exposed your data. The only thing we’re worried about is people that have weak ones. That’s why we’re making all these moves.

A lot of the services on the servers that were involved have also been locked down as a precaution, and we’re still investigating on that end as well. We haven’t found anything unusual yet, but we’re still looking at it.
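
The offline check described in the interview above (e-mail, a master-password guess, the salt, and rounds of one-way hashing), as an added example that is not part of the interview or LastPass's own code. PBKDF2-HMAC-SHA256 stands in for the unspecified construction; the accounts, wordlist, round count and guess rate are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional

def derive(email: str, master_password: str, salt: bytes, rounds: int) -> bytes:
    """Stand-in for the 'rounds of one-way mathematics' (assumed PBKDF2-HMAC-SHA256),
    keyed by the master password and salted with the e-mail plus a per-user salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode() + salt, rounds
    )

def make_record(email: str, master_password: str, rounds: int) -> dict:
    """What a server holds: e-mail, salt, round count and hash, never the password."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "rounds": rounds,
            "hash": derive(email, master_password, salt, rounds)}

def guess_matches(record: dict, guess: str) -> bool:
    """Offline check: needs only a copy of the record, no request to the server."""
    candidate = derive(record["email"], guess, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])

def audit(record: dict, wordlist: List[str]) -> Optional[str]:
    """Return the wordlist entry that reproduces the stored hash, or None."""
    for word in wordlist:
        if guess_matches(record, word):
            return word
    return None

def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace / guesses_per_second / (365 * 24 * 3600)

# Constructed sample data: two accounts and a tiny stand-in dictionary.
WORDLIST = ["password", "sunshine", "dragon", "letmein", "monkey"]
WEAK = make_record("alice@example.com", "sunshine", rounds=1000)
STRONG = make_record("bob@example.com", "mV7#qL2p-Tz9!rXw", rounds=1000)

if __name__ == "__main__":
    print("dictionary-word account:", audit(WEAK, WORDLIST))
    print("strong-password account:", audit(STRONG, WORDLIST))
    rate = 5000.0  # assumed figure for "thousands of possible passwords per second"
    print("100,000-word dictionary: %.2e years" % years_to_exhaust(100_000, rate))
    print("16 random printable chars: %.2e years" % years_to_exhaust(94 ** 16, rate))
```

Raising `rounds` lowers the guess rate proportionally, but only the size of the password's search space moves the result from seconds to effectively never.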








