By John Gruber
Zack Whittaker, reporting for TechCrunch:
In an updated blog post on its disclosure, LastPass CEO Karim Toubba said the intruders took a copy of a backup of customer vault data by using cloud storage keys stolen from a LastPass employee. The cache of customer password vaults is stored in a “proprietary binary format” that contains both unencrypted and encrypted vault data, but technical and security details of this proprietary format weren’t specified. The unencrypted data includes vault-stored web addresses. It’s not clear how recent the stolen backups are.
LastPass said customers’ password vaults are encrypted and can only be unlocked with the customers’ master password, which is only known to the customer. But the company warned that the cybercriminals behind the intrusion “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.”
In one sense this is a triumph for secure password managers. Even if we get hacked, the hackers can’t access your passwords. That’s true for LastPass, at least for anyone whose master password is strong enough to hold up against the offline brute-force guessing LastPass itself is warning about. But they did get hacked, badly, so for LastPass this seems devastating. It’s a second-order disaster for an attacker to steal users’ encrypted vaults, but it’s still a disaster. Anyone who uses LastPass who hasn’t spent today moving to something else — me personally, I use, trust, and very much enjoy iCloud Keychain — either hasn’t heard about this breach or is an idiot.
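To make the quoted warning concrete, here is an added example (mine, not LastPass’s code and not its proprietary vault format, which the report says is unspecified) of what an attacker holding a stolen vault backup can do offline. It models a vault as a PBKDF2-SHA256 key derived from the master password, an encrypted-and-authenticated blob of secrets, and the site URLs stored beside it in the clear, as the report describes. The iteration count, the HMAC-based toy stream cipher, the sample entries and the wordlist are all constructed for the example. The point it shows: the URLs are readable without any guessing at all, and a master password that appears in a wordlist falls to a dictionary attack that no server-side lockout can interrupt, while one that does not simply costs the attacker the full wordlist.

```python
import hashlib
import hmac
import json
import os

# Constructed model of a vault backup, not LastPass's actual format:
# PBKDF2-SHA256 stretches the master password into a key; the secrets are
# encrypted and authenticated under that key; site URLs sit next to the
# ciphertext unencrypted.
ITERATIONS = 100_100  # assumed work factor for the example


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher; a real vault
    # would use AES. Only the key-derivation cost matters for the attack.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(master_password: str, entries, iterations=ITERATIONS, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    secrets = json.dumps(
        [{"username": e["username"], "password": e["password"]} for e in entries]
    ).encode("utf-8")
    ciphertext = _xor(secrets, _keystream(key, len(secrets)))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {
        "urls": [e["url"] for e in entries],  # unencrypted, as the report describes
        "salt": salt,
        "iterations": iterations,
        "ciphertext": ciphertext,
        "tag": tag,
    }


def try_master_password(blob, guess: str):
    """Return the decrypted secrets if `guess` is the master password, else None.

    The tag check is exactly the oracle an attacker uses: a wrong guess yields a
    wrong key, and the recomputed MAC will not match.
    """
    key = derive_key(guess, blob["salt"], blob["iterations"])
    expected = hmac.new(key, blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    plaintext = _xor(blob["ciphertext"], _keystream(key, len(blob["ciphertext"])))
    return json.loads(plaintext)


def offline_attack(blob, wordlist):
    """Dictionary attack against a stolen backup: no server, so no lockout or rate limit."""
    for attempt, guess in enumerate(wordlist, start=1):
        secrets = try_master_password(blob, guess)
        if secrets is not None:
            return guess, attempt, secrets
    return None, len(wordlist), None


# Constructed sample data for the demonstration.
ENTRIES = [
    {"url": "https://bank.example.com", "username": "alice", "password": "hunter2"},
    {"url": "https://mail.example.org", "username": "alice@example.org", "password": "correct horse"},
]
WORDLIST = ["password", "123456", "letmein", "Password1", "Summer2022!", "qwerty"]


def demo():
    weak = encrypt_vault("Summer2022!", ENTRIES)
    strong = encrypt_vault("glacier-untidy-pavement-vortex-89", ENTRIES)
    return {
        "urls_visible_without_password": weak["urls"],
        "weak": offline_attack(weak, WORDLIST)[:2],      # (guess, attempts) -> recovered
        "strong": offline_attack(strong, WORDLIST)[:2],  # (None, attempts)  -> not in list
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things to notice when running it. First, `weak["urls"]` is readable before a single PBKDF2 computation happens, which is why the unencrypted URLs in the backup matter on their own. Second, the only cost the defender imposes on each guess is `ITERATIONS` of SHA-256; with the backup in hand the attacker runs that on their own hardware, so the master password’s entropy, not the service’s login throttling, is what stands between them and the vault contents.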
★ Friday, 23 December 2022