Other than that, attackers can now perform offline brute-forcing on the user’s master password.
This is a very severe leak, since it means that immediately attackers have access to the website URLs, which can be used in some cases for performing privileged operations in the name of the victim or for phishing and blackmail purposes. Encrypted Website usernames and passwords – The actual usernames and passwords saved by LastPass, encrypted with the user’s master password (which is not stored on LastPass’ cloud servers).These URLs may contain extremely sensitive information, such as parameters that are used for logging in, resetting passwords etc. Unencrypted website URLs – URLs saved by the LastPass browser extension, which provide a partial history of the website that the LastPass user has visited.These credentials allowed the attackers to copy a backup of customer vault data. What exactly was breached this time?Īs claimed in this latest update, the attackers were able to use the previously-leaked technical data to target another LastPass employee which had more credentials and keys. However – a few days ago (December 22nd) LastPass issued an update to this security incident, claiming that more information was compromised. This specific statement about user data was reiterated many times. However – while source code and technical information was stolen, no user data was compromised and no services were interrupted. The disclosure maintained that an unauthorized party gained access to the LastPass development environment through a single compromised developer account. Last August, the maintainers of the LastPass cloud-based password manager tool reported a security breach in their servers.
0 kommentar(er)
