Aaaaaaaaaaaaaaaand... they got the #LastPass vaults (all of them? Some of them?). Still encrypted, but... They know what sites you had stored and your main email address so... That's not great. #InfoSec #MSP #SysAdmins #SysAdminNightmares

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Link preview: "Security Incident December 2022 Update - LastPass" (The LastPass Blog): "We are working diligently to understand the scope of the incident and identify what specific information has been accessed."
The one thing they REALLY weren't clear on is linking vaults to customer accounts and their email addresses. You have to assume that's there...

Since this post is getting boosted - here's my HotTake on this...

https://msps.io/@mspsadmin/109559357286468256

ITX Mike (@[email protected]) on MSPs.io:

OK, so my #hottake on the #LastPass breach. It's bad - they got vaults (all of them? Some?) But they are fully encrypted. Do we trust AES256 (with a decent key) or not? LastPass has been very forthcoming. They have sizable security teams. Sure you can self-host whatever solution you like - but how secure/monitored is your NAS, Lab Server, whatever? LastPass is a huge target. The hack was complex - they had to get a multipart key to even get to the encrypted backups 1/ #InfoSec #SysAdmin #MSP
@mspsadmin I have a LastPass account, but it is not an active account, and my email addresses are already leaked.
@mspsadmin I've asked "everyone" over and over if a pwd manager isn't putting all your eggs in one basket. No one would really answer me on that.
@worldwidewerner It absolutely is... the trick is how secure the basket is if it gets stolen. LastPass seems to have put a fair amount of effort into that.