LastPass hacked again… have fun with that
This is not a rehash of the August 2022 breach. This time the attackers got into a LastPass DevOps engineer's home computer. According to Ars Technica, the attacker captured that engineer's credentials on the compromised machine and used them to open a corporate LastPass vault that was shared with only a handful of DevOps engineers; that vault held the decryption keys for the customer vault backups stored in Amazon S3 buckets.
So, it's safe to assume at this point that if you use LastPass, it's probably time to change all your important passwords.
I don't have a link to where Ars Technica got its information, and it isn't on the LastPass site as of this writing, but from the comments section it appears this could be profoundly bad. Really, change your bank, credit card and fark.com passwords.
It is also worth noting that although the data is probably encrypted reasonably well and you probably have some time, most people choose passwords from a fairly limited range. For example, I was able to brute-force a friend's password-protected college homework from 15 years ago in six hours, using one computer and 16 hours or so of time, because she knew it didn't contain any symbols or numbers (she'd forgotten her password). Someone going after billions in crypto is going to bring far more resources to bear than I did with my one computer.
Sure, it's AES-256 (and brute-forcing that is a wee bit harder than cracking a 15-year-old document), but nobody has to brute-force the AES key: a vault's key is derived from the master password with PBKDF2, so the real question is how long and how unusual that master password is and how many PBKDF2 iterations the account was set up with (older LastPass accounts defaulted to far fewer iterations than current ones). And how sure are you at this point that one of the developers didn't leave something else in there? They haven't exactly been doing a bang-up job on security lately, it seems. [Ars Technica]
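The two points above (a limited character set shrinks the search, and the cost of each guess is set by the PBKDF2 iteration count, not by AES-256) as an added example; this is not code from the original post or from LastPass. It models a toy vault whose key is derived with PBKDF2-HMAC-SHA256, a brute-forcer restricted to a chosen alphabet, and an extrapolation of single-core cost at different iteration counts. The salt, the key-check construction, the sample password and the iteration counts are assumptions for illustration; 5,000 and 100,100 reflect older and newer LastPass defaults, and 600,000 is a current recommendation.

```python
"""Toy model of guessing a password-manager master password.

The vault key is derived with PBKDF2-HMAC-SHA256 (as LastPass does) and the
attacker checks each guess against a stored key-check value.  This is a
simplified model, not LastPass's exact scheme: the salt, the key-check
construction and the iteration counts are assumptions for illustration.
"""
import hashlib
import itertools
import string
import time
from typing import Iterable, Optional, Tuple

KEY_LEN = 32  # AES-256 key length in bytes


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the cost an attacker pays for every guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, KEY_LEN)


def make_vault(password: str, salt: bytes, iterations: int) -> Tuple[bytes, int, bytes]:
    """Return (salt, iterations, key_check).

    key_check stands in for whatever lets someone holding the vault recognise
    the right key (assumption: SHA-256 of the derived key).
    """
    key = derive_key(password, salt, iterations)
    return salt, iterations, hashlib.sha256(key).digest()


def candidates(alphabet: str, max_len: int) -> Iterable[str]:
    """Every string over `alphabet` of length 1..max_len, shortest first."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            yield "".join(tup)


def crack(vault: Tuple[bytes, int, bytes], alphabet: str, max_len: int) -> Tuple[Optional[str], int]:
    """Brute-force the master password; returns (password or None, guesses made)."""
    salt, iterations, key_check = vault
    guesses = 0
    for guess in candidates(alphabet, max_len):
        guesses += 1
        if hashlib.sha256(derive_key(guess, salt, iterations)).digest() == key_check:
            return guess, guesses
    return None, guesses


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Measure the PBKDF2 cost of one guess on this machine."""
    salt = b"timing-salt"
    t0 = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess{i}", salt, iterations)
    return (time.perf_counter() - t0) / samples


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, per_guess: float) -> float:
    """Single-core time to exhaust the keyspace at the measured per-guess cost."""
    return keyspace(alphabet_size, length) * per_guess


if __name__ == "__main__":
    salt = b"user@example.com"  # assumption: LastPass salts with the account email
    # 5,000 iterations was an older LastPass default; the sample password is constructed.
    vault = make_vault("ok", salt, iterations=5000)
    found, n = crack(vault, string.ascii_lowercase, max_len=2)
    print(f"recovered {found!r} after {n} guesses")

    # Same 8-character password length, different alphabets and iteration counts.
    for iters in (5000, 100_100, 600_000):
        per = seconds_per_guess(iters)
        for size, label in ((26, "lowercase"), (95, "printable ASCII")):
            years = worst_case_seconds(size, 8, per) / (365 * 24 * 3600)
            print(f"{iters:>7} iters, 8 chars {label:>15}: {years:,.1f} core-years")
```

The letters-only keyspace for 8 characters is 26^8, about 2.1e11, while printable ASCII gives 95^8, about 6.6e15; the iteration count multiplies the cost of every one of those guesses, which is why a long, mixed-character master password on an account with a high PBKDF2 iteration count is what actually buys time, and a short letters-only one on an old low-iteration account does not.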