This allowed the hacker to gain access to credentials and keys, which they then used to access LastPass’ third-party cloud storage service in November 2022. The August breach saw a malicious actor steal source code and technical information from LastPass’ development environment that was then used to target an employee. In August and November 2022, LastPass suffered two connected data breaches that resulted in confidential customer information to be compromised. The password management company also stated that “sensitive vault data, such as usernames and passwords, secure notes, attachments and form-fill fields” had remained safely encrypted due to LastPass’ zero knowledge architecture. The company also noted that it would take “millions of years to guess master password using generally-available password-cracking technology” if customers followed its best-practice guidelines for creating master passwords. LastPass maintained, however, that it would be “extremely difficult to attempt to brute force master passwords” due to the hashing and encryption methods used to protect customers. For this reason, the only way his Bitcoin could have been stolen is if malicious parties gained access to his master password and therefore the private keys for his Bitcoin vault. The lawsuit goes on to allege that Doe has “never knowingly transmitted unencrypted sensitive personally identifiable information or information that is otherwise confidential over any unsecured source” and is "thoroughly diligent" with securing his personal information. The evidence for this is stated to be that in November 2022, Doe had around US$53,000 worth of Bitcoin stolen from his blockchain wallet, allegedly via the use of private keys he had stored using LastPass. It also states that the personal data of victims is “no longer hidden but is, instead, in the hands of cybercriminals who have already fraudulently misused such data”. This information includes company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses used to access LastPass services. The lawsuit goes on to accuse LastPass of “failing to invest in adequate data security measures that would protect Plaintiff and the Class from the unauthorized access to, and copying of, their private information”, meaning that those affected by the breach are at an “especially high risk of ransom threats and blackmail attempts” due to the information exposed. However, according to LastPass, “master password never known to LastPass and not stored or maintained by LastPass”, meaning they could not have been accessed in the breaches. This would allow malicious parties access to any number of users’ accounts, including those that store banking or payment information. The plaintiff has accused LastPass of “likely stor” the master passwords of users – the sole way of unlocking users’ password vaults and accessing their login information – meaning users’ passwords would have been accessed during the cyber attack. The lawsuit also alleges that bad actors could “wreak financial havoc on the lives of LastPass users” affected by the breach. The suit, which was filed by an anonymous plaintiff referred to as ‘John Doe’ with the United States District Court of Massachusetts, alleges that LastPass failed to “exercise reasonable care in securing and safeguarding highly sensitive consumer data”. The password service states that your data was still encrypted at the time of the breach, and so long as you used its recommended best practices for choosing your master password – a set of characters that are never known to LastPass directly – you shouldn’t need to take any action right now in light of the incident.An anonymous plaintiff has filed a class action lawsuit against password management company LastPass after the company suffered two data breaches within four months in 2022. ![]() ![]() ![]() In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored. However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. There are no recommended actions that you need to take at this time. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. If you use the default settings ( password best practices) it would take millions of years to guess your master password using generally-available password-cracking technology.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |