Posted
9 minutes ago, BrightonCorgi said:

Don't use anything Google.  Close your google account, make sure to do a google takeout - https://takeout.google.com

Run this to see how much Google has on you; scary stuff. 😢

For sure I have done it and I have the full backups out of takeout.

My point is if someone gets all your files they can upload them to Google or elsewhere and get good OCR of all the contents, with little effort.

Posted
7 hours ago, El Presidente said:

.....and Apple    :D

.....and Facebook

.... and Tik Tok

....and add any social media platform here

Well...  On a phone don't use any of them that require an app.  Apple you're stuck with unfortunately.  Social media is mostly bad.

  • 3 weeks later...
Posted

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Tl;dr they leaked everything except the master passwords that they never had. And so customers' stored passwords are only as safe as their master passwords are strong.

"What Does This Mean? Is My Data at Risk?

The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices. We routinely test the latest password cracking technologies against our algorithms to keep pace with and improve upon our cryptographic controls.

The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.

What Should LastPass Customers Do?

As a reminder, LastPass’ default master password settings and best practices include the following:

Since 2018, we have required a twelve-character minimum for master passwords. This greatly minimizes the ability for successful brute force password guessing.  

To further increase the security of your master password, LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password. You can check the current number of PBKDF2 iterations for your LastPass account here. 

We also recommend that you never reuse your master password on other websites. If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account (this is referred to as a “credential stuffing” attack). 

If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.

However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored. "
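
The quoted notice's argument, that the PBKDF2 iteration count and the master password's length together set the cost of guessing, worked through as an added example that is not part of this thread or of LastPass's notice. PBKDF2-HMAC-SHA256, the sample salt and the attacker rate of 1e10 PBKDF2 rounds per second are assumptions, not figures from the notice.

```python
import hashlib
import math

ITERATIONS = 100_100  # PBKDF2 iteration count stated in the quoted notice
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumption (constructed, not from the notice): attacker hardware that
# sustains this many PBKDF2 rounds per second against one vault.
ASSUMED_ROUNDS_PER_SECOND = 1e10


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a master password into a 256-bit key (hash choice is an assumption)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_search(bits: float, iterations: int = ITERATIONS,
                    rounds_per_second: float = ASSUMED_ROUNDS_PER_SECOND) -> float:
    """Expected years to hit the password: half the keyspace, one PBKDF2 run per guess."""
    guesses = 0.5 * 2.0 ** bits
    guesses_per_second = rounds_per_second / iterations
    return guesses / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample password and salt, for illustration only.
    key = derive_key("constructed sample passphrase", b"user@example.com")
    print("derived key:", key.hex())
    # Constructed cases: (label, length, alphabet size, iterations)
    cases = [
        ("12 random printable ASCII, 100,100 rounds", 12, 94, ITERATIONS),
        ("12 random printable ASCII, 1,001 rounds", 12, 94, 1_001),
        ("8 random lowercase letters, 100,100 rounds", 8, 26, ITERATIONS),
    ]
    for label, length, alphabet, rounds in cases:
        bits = keyspace_bits(length, alphabet)
        print(f"{label}: {bits:.1f} bits, {years_to_search(bits, rounds):.3g} years")
```

Cutting the iteration count by a factor of 100 divides the search time by 100, while going from 12 random printable characters to 8 random lowercase letters divides it by roughly 2^41. The estimates hold only for passwords chosen uniformly at random; a human-chosen password of the same length has far less entropy.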

Posted

Passwords are on their way out. FIDO and/or MFA with biometric recognition and/or device registration will become the standard.
