As you have no doubt heard, LastPass has suffered yet another breach, which makes at least 3 separate incidents this year alone. The latest incident appears to be a follow-up to the previous intrusion from back in August. Rather than recap the details of the breaches, this post will focus strictly on "how does this affect me/my organization?" and "is LastPass still safe to use?"

Disclaimer - Recon is (as of this post) a LastPass customer. That said, we were already mid-migration away from LastPass prior to this latest incident, but our decision is only further solidified by recent events.

So I get it, another breach - what makes this one different? This is the first LastPass breach notification that clearly states that customer vaults have been stolen. But wait, surely LastPass factored this into their threat model and these vaults are useless in the hands of the attacker? From the notification:

> The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.

What this is saying is that the vaults are safe so long as your master password follows their best practices: it is not easily guessed, not crackable, not reused elsewhere, etc.