this post was submitted on 07 Sep 2023
988 points (99.0% liked)

Technology

59605 readers
3514 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

you are viewing a single comment's thread
view the rest of the comments
[–] merc@sh.itjust.works 153 points 1 year ago (3 children)

Nearly every victim was a LastPass user.

But every victim was a cryptocurrency user.

[–] sturmblast@lemmy.world 19 points 1 year ago (2 children)

I'd be willing to bet that people store their key phrases in the notes section in LastPass which was not encrypted at rest

[–] CoderKat@lemm.ee 13 points 1 year ago* (last edited 1 year ago) (1 children)

I'm sure they were encrypted. But attackers have the vaults and many people have bad passwords. Brute forcing these days is less about trying every combination and more about trying all known leaked passwords, because people reuse passwords like crazy and also just aren't as original as they think.

If you have millions of password vaults, I'm sure you can crack open a small number. And the ones you can crack are probably the most likely to not be following best practices, meaning it's more likely they haven't changed their passwords since the breach was announced a while back and they probably are less likely to have 2FA. 150 victims is such a tiny number for how many vaults were stolen when LastPass got compromised.

[–] hatchling@lemmy.world 7 points 1 year ago (1 children)

This is incorrect information. Notes are encrypted, just not their "type". Unfortunately the most direct source for this is a reddit link, but here it is anyway.

[–] sturmblast@lemmy.world 1 points 1 year ago

okay thanks for that I was going off of an earlier report

[–] LufyCZ@lemmy.world -5 points 1 year ago

This doesn't say anything about crypto.

It says everything about the users themselves.