

These episodes are rich in info and you might even shoot him a question, as he has mentioned the fallout with LP will last quite a while. He mentions that some users of LP (who've contacted him) had 1, yes 1, as the number of iterations in their settings. I'd highly recommend listening to Steve Gibson's Security Now podcast. Especially if you're in that group of 5,000, some of this info is not easily or AT ALL changeable. If you had notes, credit cards, passports, driver's licenses, social security numbers, I see someone has mentioned TOTP codes or their secret keys etc. The advice here is to change important sites (mostly which involve money, like banks) and progressively others. If you had password reuse, the former can be easily spotted, as passwords in ECB are hashed to the same value, unlike in CBC, which uses an encryption key + a random initialization vector, resulting in the same passwords being hashed to different strings. This means that LastPass users should go through their vaults and take extra steps to protect themselves, including changing all of their passwords. The LastPass Authenticator is a unique one-tap authentication experience that can be used as an application on iOS, Android, and Windows Phone operating. Even if you had 2FA it's no use here! Attackers can try at full speed to crack your passwd vault, as the master pass is the only thing protecting it! This is bad if you were an old/early adopter of LP and had 5,000 iterations for hashes and most likely your passwords were hashed in ECB (search for the Linux Tux being hashed in ECB mode) and NOT CBC mode. You could have been a customer who deleted their account in the last two years but your vault may be part of what was exfiltrated.

Do you mean your vault itself? LP isn't being open about how their backups work.
