Technology

68864 readers

4214 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

[email protected]

970

More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user (www.theverge.com)

submitted 2 years ago by [email protected] to c/[email protected]

184 comments fedilink hide all child comments

More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 24 points 2 years ago (2 children)

From what I remember (take this with a grain of salt since it’s all from when the big LastPass breach happened,) LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes, images, etc) were unencrypted. So even without cracking any vaults, hackers got access to gigantic lists of usernames and their associated email addresses. That’s valuable in and of itself, because it allows them to spear-phish those users.

For example, you may not fall for a regular phishing scam. But you may fall for it if the email has your username and recovery info in it. Because they know every email you’ve used to sign up for something and all of your different usernames that you used on that site, so they can craft convincing phishing emails that are specifically tailored to you.

It also allows them to search for specific users. Maybe there is a user on a crypto forum who is particularly noteworthy. Their username is already known on the site, and hackers are able to cross-reference that with the list of known usernames/emails and see if that user’s vault was part of the breach. If it was, they can focus on breaching that one user’s vault, instead of aimlessly trying random vaults.

[–] [email protected] 7 points 2 years ago

That’s valuable in and of itself, because it allows them to spear-phish those users.

I'm sorry, this is the first time I'm hearing the term spear-phish and I love it. It's hilarious.

[–] [email protected] 6 points 2 years ago* (last edited 2 years ago) (1 children)

LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes

Wait a moment... now I wonder how many people kept their crypto wallet recovery word lists as notes instead of as passwords.

[–] [email protected] 1 points 2 years ago

Geez I do this in 1 password.