More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user - eviltoast

cross-posted from: https://lemmy.world/post/4636459

More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

  • GenEcon@lemm.ee
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    How does this happen? Isn’t the database encrypted? Did they use a weak masterpassword?

    • GlitzyArmrest@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      It is encrypted, but LastPass allowed weak passwords until 2018, and also allowed low iterations on their vaults. On top of that, because the hackers have access to the entire vault, they can do local brute force attacks, bypassing any rate limiting LastPass had in place to prevent it. They’re using massive mining rigs (or servers with a lot of GPU power) to run brute force attacks with thousands of guesses per second.