Instead of celebrating Christmas with my family, I will be changing passwords on hundreds of accounts, thanks LastPass!

After some due diligence, I've migrated to Bitwarden. It is similarly full-featured but without the history of major security hacks. Don't need their paid plan like I needed ($36 a year) for LastPass, which is nice. Autofill works well in Chrome and on Android. The only slight downside is if you have multiple logins for a site, the icon to click to select the login is in the upper right browser bar instead of right to the right of the login fields on the site. The autofill seems to be a bit more reliable/smoother on both Chrome Windows and Android than LP.

Did an export from LastPass (1,100+ entries!). Deleted all the old/defunct entries (all of which I could care less if someone got my pw if the site/account is even still active!). Imported into Bitwarden. Then made a much smaller spreadsheet of critical sites to change pw on since the last LP hack, which I'll get to over the coming days. I took the Excel export and zipped it with 7zip with a long password for local storage in case I didn't import something I need to refer to the original complete LP export later.

Deleted all LastPass entries (want to keep the account in case I go back). You can do this by listing all entries, clicking the first checkbox, scrolling down to the bottom, holding SHIFT, then clicking the last check box and selecting the delete option at top. Then go into the trash and do the same and permanently delete everything.

Their latest blog update today, interesting, the last paragraph in bold states: "However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored." How utterly embarrassing for LastPass and its CEO.
I recommend a specific course of action as steps to secure your privacy and accounts in the most conservative way possible.

LastPass is disingenuous with their security notice blog post to save their own skin: SENSITIVE INFORMATION IS LEAKED. The "threat actor" (and anyone else the info is shared with on the hacker forums) now has copies of:
- IP addresses (from where customers accessed the service)
- Website URLs saved in LastPass vaults (LastPass doesn't encrypt the website URLs)

LastPass can no longer be trusted with your secrets:
- LastPass lied in their marketing about Zero Knowledge vaults: website URLs are UNENCRYPTED. This is sensitive information and exposes you to large-scale automated targeted phishing, doxing, social engineering and blackmail attacks.
- LastPass waited 5 MONTHS after the August 3rd breach to advise us of this issue.
- They waited until the day before Christmas to announce this with obfuscating language to minimize the reach of this bad news.

LastPass will unlikely survive the litigation, class action lawsuits and customer exodus that will follow. This will result in decreased operational security as whole teams are fired during bankruptcy, processes deteriorate and disgruntled employees head for the door.

My recommended steps are very conservative, but I deem it to be necessary at this point:

1. To be clear: this will not help you with the stolen encrypted vaults, which are only protected by your previous master password. This is rather to hedge against LastPass lying even more about threat actor access.

2. Set up a different password manager solution.
2.1. KeePass + Syncthing (or other cloud storage synchronization for the encrypted vault file) is a commonly recommended self-managed solution that puts you in full control. It can be finicky, however, to sync across platforms/devices.
2.2. Some people recommend other cloud password managers like Bitwarden and 1Password. While these apparently vouch that they encrypt the whole vault INCLUDING website URLs, you are fundamentally not in control.

3. Change all passwords and enter the new passwords in your new password manager. Prioritize your most sensitive accounts: banking, telecom/phone providers (beware SIM jacking attacks!), credit cards, payment processors, cryptobrokers/wallets, e-commerce, insurance, government portals, etc. This is especially urgent if you had a weak master password around the time of the breach.

4. Demand deletion of all your data through GDPR, or similar request forms. This breach contained the personal and vault data of previous customers. To ensure you are not continuing to be exposed to LastPass's abysmal practices into the future, force them to delete everything they have on you. Be careful how you store this; it's all your secrets in plain text.

5. Join the inevitable class action lawsuit. LastPass misrepresented their service and exposed your sensitive information.
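The triage the post above recommends (rotate banking, telecom, payment and similar logins first, and treat the URL field as something the attacker already holds) can be scripted against a vault export rather than done by hand in a spreadsheet. The following is an added example, not code from the original page, from LastPass, or from any commenter; it assumes the export uses LastPass's CSV column header (url,username,password,totp,extra,name,grouping,fav, with the URL "http://sn" marking secure notes), and both the sample export and the keyword rules are constructed for illustration.

```python
"""Triage a LastPass CSV export into a password-rotation worklist.

Added example, not code from the page or from LastPass/Bitwarden.
Assumptions (not from the page): the LastPass CSV header below, the
"http://sn" marker for secure notes, and the illustrative keyword rules.
"""
import csv
import io
from urllib.parse import urlsplit

# Category -> substrings matched against the entry's hostname and name.
# Ordered by the priority the post suggests; extend for your own vault.
PRIORITY_RULES = [
    ("banking", ("bank", "chase", "hsbc", "credit-union")),
    ("telecom", ("t-mobile", "verizon", "vodafone", "att.com")),
    ("payments", ("paypal", "stripe", "visa", "mastercard")),
    ("crypto", ("coinbase", "kraken", "binance", "wallet")),
    ("government", (".gov", "irs.", "dmv.")),
    ("insurance", ("insurance", "geico", "allianz")),
    ("ecommerce", ("amazon", "ebay", "shop")),
]

SECURE_NOTE_URL = "http://sn"  # assumed LastPass marker for secure notes

# Constructed sample export; the credentials are fake.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://online.examplebank.com/login,alice,Pa55word!,,,Example Bank,Finance,1
https://www.paypal.com/signin,alice@example.net,hunter2,,,PayPal,Finance,0
https://account.t-mobile.com,alice,qwerty123,,,T-Mobile,Phone,0
https://forum.oldhobby.example,alice,abc123,,,Old hobby forum (defunct),Misc,0
https://www.amazon.com/ap/signin,alice@example.net,S3cret!,,,Amazon,Shopping,0
http://sn,alice,n0tes,,,Secure note only,Notes,0
"""


def parse_export(csv_text):
    """Parse the CSV text into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def hostname(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def classify(entry):
    """Return the first matching priority category, or None."""
    haystack = hostname(entry["url"]) + " " + entry["name"].lower()
    for category, needles in PRIORITY_RULES:
        if any(needle in haystack for needle in needles):
            return category
    return None


def build_worklist(csv_text):
    """Return (category, name, hostname) tuples, highest priority first.

    Secure notes are skipped: they carry no site login to rotate.
    Unmatched entries land at the bottom as 'other'.
    """
    rank = {cat: i for i, (cat, _) in enumerate(PRIORITY_RULES)}
    work = []
    for entry in parse_export(csv_text):
        if entry["url"] == SECURE_NOTE_URL:
            continue
        cat = classify(entry)
        work.append((rank.get(cat, len(rank)), cat or "other",
                     entry["name"], hostname(entry["url"])))
    work.sort()
    return [(cat, name, host) for _, cat, name, host in work]


def exposed_hostnames(csv_text):
    """Hostnames an attacker learns from the unencrypted URL field alone,
    i.e. the phishing target list the post warns about."""
    return sorted({hostname(e["url"]) for e in parse_export(csv_text)
                   if e["url"] != SECURE_NOTE_URL})


if __name__ == "__main__":
    for cat, name, host in build_worklist(SAMPLE_EXPORT):
        print(f"{cat:<10} {name:<28} {host}")
    print("exposed to the attacker:", ", ".join(exposed_hostnames(SAMPLE_EXPORT)))
```

Run it against your real export by reading the file into `build_worklist`; rotate the top of the list first, then wipe the plain-text export, since it holds every password in the clear.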