On the LastPass breach.

So threat actors made off with "company names, end-user names, billing addresses, email addresses, telephone numbers, and ... IP addresses".

They also got "customer vault data ... that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields".

That's not great, whichever way you look at it.

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

#LastPass #Breach #SecurityBreach


@robpomeroy As a reminder to everyone: use a strong master password.

To @robpomeroy, does using 2FA in any way influence a hacker's process to brute-force the encrypted data? Perhaps as some sort of salt?

https://support.lastpass.com/help/what-is-the-lastpass-master-password-lp070014


@dasgrog I don't know, but I would think probably not, since OTP codes rotate and therefore couldn't provide a static salt. I imagine the 2FA is used in authentication but not in decryption.
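The exchange above, as an added example that is not part of the thread and not LastPass's code: a stdlib-only model of the shape of a password-manager vault, showing why a one-time code cannot feed the key derivation and where it does sit. Everything specific here is an assumption made for illustration: PBKDF2-HMAC-SHA256 with the account email as salt, a deliberately low iteration count so the demo runs in well under a second (real deployments use far more), a SHA-256 keystream plus HMAC tag standing in for a real AEAD such as AES-GCM, a single extra hash as the server-side login verifier, and a constructed wordlist and vault blob.

```python
"""Model of an offline attack on a stolen vault blob (added example, not LastPass's design).

The KDF needs a salt the client knows *before* it has authenticated; a rotating OTP
cannot be that salt. So the attacker's loop below takes no OTP parameter at all:
only the master password's strength (and the KDF cost) stands between them and
the plaintext. Parameters and the cipher construction are stand-ins, not product facts.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional

ITERATIONS = 1_000  # assumption: kept tiny so the demo is fast; production uses far more


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Key material depends only on the master password and a public salt (email, assumed)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS, dklen=32
    )


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256; a stand-in for a real block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag. Stand-in for an AEAD such as AES-GCM."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def make_auth_hash(vault_key: bytes) -> bytes:
    """Assumption: the server stores one further hash of the key as the login verifier."""
    return hashlib.sha256(vault_key).digest()


def server_login(stored_auth_hash: bytes, presented_key: bytes, otp_ok: bool) -> bool:
    """Where 2FA actually lives: it gates the authenticated session with the service.

    It contributes nothing to the key, so it is irrelevant once the blob is stolen.
    """
    return hmac.compare_digest(make_auth_hash(presented_key), stored_auth_hash) and otp_ok


def offline_crack(blob: bytes, email: str, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker holding the blob and the (unencrypted) email does. No OTP involved."""
    for guess in candidates:
        if decrypt_vault(derive_vault_key(guess, email), blob) is not None:
            return guess
    return None


if __name__ == "__main__":
    email = "alice@example.com"                      # constructed sample account
    vault = b"url=https://example.com user=alice pw=hunter2"  # constructed sample vault
    wordlist = ["123456", "password", "Password1", "letmein"]  # constructed wordlist

    weak_blob = encrypt_vault(derive_vault_key("Password1", email), vault)
    print("weak master password recovered:", offline_crack(weak_blob, email, wordlist))

    strong_blob = encrypt_vault(derive_vault_key("correct horse battery staple 9!", email), vault)
    print("strong master password recovered:", offline_crack(strong_blob, email, wordlist))
```

The two `offline_crack` calls make the point of the thread concrete: the loop never asks for a second factor, and the only thing that changes the outcome is whether the master password is in the attacker's candidate set.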

@robpomeroy Here’s the opinion of Nicolas Chaillan… remove trust in SaaS for critical infrastructure. I don’t think most orgs can responsibly manage most infrastructure. This one brings a big sigh from me. Need to discuss.

https://www.linkedin.com/posts/nicolaschaillan_lastpass-hackers-stole-customer-vault-data-activity-7011815153495134208-Q33S?utm_source=share&utm_medium=member_ios


@dasgrog My view has always been "Company X is probably better at this than me." But perhaps Company X and I suck equally... 😏