Lastpass didn’t do a good job at letting the public (and customers) know of how bad the breach actually was.
To summarise, in August 2022 Lastpass suffered a data breach where customer data and source code was stolen. There is also a blog post by Lastpass themselves. The Verge published an article which includes a great summary of the breach.
Update 2: More clarification on cracking section, added unencrypted URLs to the what was stolen section, and added a link to a Hashcat benchmark for Lastpass from 2013. Update: Fixed a few mistakes and added more clarification. Following this, I will use a wordlist attack to bruteforce the vault which has a weak and guessiable password. To simulate the stolen data, I will use my test Lastpass account to extract an encrypted vault from the Chrome Browser extension on macOS. In this post I will go into technical details on what attackers could do with the stolen encrypted vaults, specifically how they could use tools like Hashcat to crack vault passwords and get access to sensitive log-in credentials.
0 kommentar(er)
