This makes network scanning after intrusion almost not necessary. The data can be used for phishing additionally, for corporate networks, the attacker probably has a good idea of what technologies are in use and the URLs to get to them. The worst part of this breach is the unencrypted URL field associated with every vault entry. What can the hacker do with that unencrypted data? Account information (your email address, etc.).Attributes and metadata such as autologin, is it a favorite, item type (database, password, secure note, etc.), when was the last time it was accessed, etc.I addressed the unencrypted fields in my LastPass Guide (Appendix A), for reference here is what is not encrypted: LastPass Data Not Encrypted The hackers got the encrypted vaults and data from fields that were not encrypted. I suspect several password managers have been hacked without even realizing it. LastPass had tools in place to detect data exfiltration. They had the integrity to disclose it publicly.Most cybersecurity professionals are taking a well-reasoned approach that we need to take action but let’s do it right.įirst off, I must compliment LastPass on two things: By now, almost everyone has heard of the LastPass breach.
0 kommentar(er)
