Lastpass has problems as a company and is fundamentally unreliable. If they were a good company, making a good product, but just made some bad design choices (storing urls and other data plaintext, bad opsec, etc.), then that's one thing. But I don't believe that they have security and honesty and caring about the users as a core tenet. The way that they lied and failed to own up to the problems in a reasonable timeframe, and the decisions they made to make things more convenient but less secure, I just can't trust them anymore. That, plus other password providers (I switched to a combination of 1Password and KeePassXC) seem a lot more secure to me (1PW's Secret Key mechanism makes it a lot less attractive to try to compromise 1PW servers; to compromise 1PW an attacker really needs to compromise an endpoint).

What I find so worrying about going this way is the amount of relevant ‘meta’ data that wasn’t meta at all that was exposed in plaintext. So the attackers know your online profile; if you look like you’ve got some juicy assets behind those encrypted credentials then they’ll likely get round to investing in cracking your original password eventually (or someone else will, maybe some years down the line). So they know the site, they know your email/username, and there’s just the password that you changed standing in the way. Now obviously it depends on the site, the password, whether it has 2FA and the strength/vulnerability of the 2FA, but in the weakest cases, I worry about things like social engineering. For instance you may have card details, or other personal details saved in the smaller fish sites that you didn’t change the passwords/usernames for. What they could pull out of an insignificant site, with lax security, could be used to open up more possibilities to compromise the sites that really matter. Phone numbers, mothers’ maiden names, whatever. Also consider what you may have saved in secure notes, and how significant that information is. That’s just one, probably extreme example, but with the types of plaintext data they already have (your lastpass account email, possibly the card details you used to pay for any lastpass subscription), it just seems to me that simply changing your passwords for the most important sites really isn’t enough. This is unbelievably bad. But I’m open to anything that suggests this isn’t as bad as I’m making it sound. I don’t know really, I’m very far from a security expert so I can’t say whether this is just paranoia/overkill.

IP addresses (from where customers accessed the service).
Website URLs saved in LastPass vaults (LastPass doesn't encrypt the website URLs).
So the threat actor (and anyone else the info is shared with on the dark web) now knows, for example: all the websites for which I have saved passwords. That is a HUGE privacy violation and a HUGE risk for phishing, doxing, and other harms. (Fortunately, for me personally, I've never used the free LastPass Premium account that was provided to me through my organization. I use 1Password instead as a much more secure option, because 1Password encrypts website URLs and uses a Secret Key to make the vault encryption strong even if a weak master password is used.)

I don’t think they did understand the question. I’d think the 2FA is meant to protect getting access to the account at all. The attackers have the vault already and just need to decrypt it. In other words, by getting access to that backup they stole, they bypassed 2FA for all users simultaneously.

I really appreciate the user on here who said they talked with LP customer support who said the only thing not encrypted is the URL. That was reassuring re the per password “note” field (as opposed to what they call “secure notes”, which are in a different area of the app). However, this post makes me antsy because if this CS agent didn’t understand the 2FA q, it’s hard to trust that the “all but the url is encrypted” agent understood that question.
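The Secret Key point raised in the comments above (a vault backup stolen from the server cannot be guessed open against a weak master password alone, while a password-only derivation can) can be shown with a toy model of two-secret key derivation. This is an added example, not code from the post, from 1Password or from LastPass; the HMAC verifier standing in for the vault ciphertext, the iteration count, the salt handling and the sample password list are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000    # constructed for the demo; real products use higher cost settings
CHECK = b"vault-check"  # label for the keyed verifier that stands in for vault ciphertext


def derive_key(master_password: str, salt: bytes, secret_key=None) -> bytes:
    """Vault key from the master password; if a Secret Key is supplied it is
    stretched and XORed in (toy model of 1Password-style two-secret derivation).
    The Secret Key lives only on enrolled devices and never reaches the server."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)
    if secret_key is None:
        return pw_key
    sk_key = hmac.new(salt, secret_key, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def make_vault(master_password: str, salt: bytes, secret_key=None) -> dict:
    """What a server-side backup holds: the salt and a keyed verifier. Authenticated
    ciphertext would serve the same role, i.e. let any key guess be checked offline."""
    key = derive_key(master_password, salt, secret_key)
    return {"salt": salt, "verifier": hmac.new(key, CHECK, hashlib.sha256).digest()}


def offline_guess(vault: dict, candidates: list, secret_key=None):
    """Model the risk the comments describe: whoever holds the stolen backup can test
    master-password candidates offline. Returns the candidate that opens the vault, or None."""
    for pw in candidates:
        key = derive_key(pw, vault["salt"], secret_key)
        tag = hmac.new(key, CHECK, hashlib.sha256).digest()
        if hmac.compare_digest(tag, vault["verifier"]):
            return pw
    return None


if __name__ == "__main__":
    salt = os.urandom(16)
    weak_password = "Summer2021!"                                 # constructed weak master password
    wordlist = ["password", "letmein", "Summer2021!", "qwerty"]  # constructed candidate list
    secret_key = os.urandom(16)                                   # constructed device-held Secret Key

    # Password-only derivation: the backup alone lets a weak password be recovered.
    print("password only:", offline_guess(make_vault(weak_password, salt), wordlist))
    # Two-secret derivation: without the Secret Key, even the right password does not verify.
    locked = make_vault(weak_password, salt, secret_key)
    print("Secret Key, attacker without it:", offline_guess(locked, wordlist))
    # The Secret Key is not sufficient on its own: a compromised endpoint still needs the password.
    print("Secret Key on an enrolled device:", offline_guess(locked, wordlist, secret_key))
```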