“The way LastPass has handled this breach to date is a master class on how not to do things,” Katell Thielemann, VP analyst at Gartner, said via email. While LastPass CEO Karim Toubba maintains the encrypted fields and master passwords remain secured, cybersecurity professionals take issue with that claim and criticized the company for how it’s responded to the incident thus far. “Unless they accidentally were logging peoples’ master passwords, which is about the only thing that can make this worse.” “This is about as bad as it gets,” Chester Wisniewski, principal research scientist at Sophos, said via email. The unencrypted data provides an adversary the specific companies and URLs they could impersonate via phishing or social engineering campaigns to dupe users into sharing their master password. This includes encrypted passwords and usernames, and unencrypted data, such as the websites customers access via LastPass, email addresses, phone numbers and the IP addresses customers use to access the platform. Most of the data held by the password manager is now compromised after an unknown threat actor accessed and copied the company’s cloud-based storage vault.
LastPass users and business customers should be on high alert and change all passwords immediately, following a subsequent breach that exposed password vault data, according to cybersecurity analysts and threat researchers. Downstream impacts mounted as the year came to a close, months after the password manager claimed the threat contained. A seemingly run-of-the-mill breach at LastPass in August produced one of last year’s most alarming security incidents.
0 kommentar(er)
