More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

  • PM_Your_Nudes_Please@lemmy.world
    link
    fedilink
    English
    arrow-up
    23
    ·
    1 year ago

    From what I remember (take this with a grain of salt since it’s all from when the big LastPass breach happened,) LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes, images, etc) were unencrypted. So even without cracking any vaults, hackers got access to gigantic lists of usernames and their associated email addresses. That’s valuable in and of itself, because it allows them to spear-phish those users.

    For example, you may not fall for a regular phishing scam. But you may fall for it if the email has your username and recovery info in it. Because they know every email you’ve used to sign up for something and all of your different usernames that you used on that site, so they can craft convincing phishing emails that are specifically tailored to you.

    It also allows them to search for specific users. Maybe there is a user on a crypto forum who is particularly noteworthy. Their username is already known on the site, and hackers are able to cross-reference that with the list of known usernames/emails and see if that user’s vault was part of the breach. If it was, they can focus on breaching that one user’s vault, instead of aimlessly trying random vaults.

    • can
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      1
      ·
      1 year ago

      That’s valuable in and of itself, because it allows them to spear-phish those users.

      I’m sorry, this is the first time I’m hearing the term spear-phish and I love it. It’s hilarious.

      • PM_Your_Nudes_Please@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        ·
        1 year ago

        It refers to targeting phishing attacks. With traditional phishing, scammers simply cast an ultra wide net and catch whichever one’s happen to respond. They don’t really care who it is, because they’re playing a numbers game. Even if only 0.1% of people respond, sending out a thousand phishing emails means you still got a response.

        But with spear phishing, it’s a targeted attack. They’ll call you at your desk with a spoofed work number, and pretend to be the CEO’s assistant. The CEO needs you to go buy gift cards for a big sales event coming up. Don’t worry, it can all be expensed later, but he needs the cards now and doesn’t have time to deal with vendors and purchase orders. And now you’re reading gift card numbers to a scammer, because they knew enough about your workplace to be able to reasonably impersonate the CEO’s assistant.

        It can also be used to refer to targeted attacks against company leaders or notable figures. Maybe someone has a fat crypto wallet, so someone targets them. Or maybe they try to trick the CEO into giving away a trade secret. Regardless of the reasons, the attack is still the same basic principle; Find a target, meticulously research them enough to be able to fool them, then attack. Most people will be good at avoiding regular phishing. But very few people are prepared for a coordinated and laser-guided spear phishing attack.

        • can
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          1 year ago

          Thank you for the realistic depiction of how it can happen.

    • jarfil@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      1 year ago

      LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes

      Wait a moment… now I wonder how many people kept their crypto wallet recovery word lists as notes instead of as passwords.