While I agree with your main point, I think confirmation that the URLs weren't encrypted and that they can all be tied to your LastPass signup information is far from "best case".
> The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that *contains both unencrypted data, such as website URLs,* as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data
That's real bad - think blackmail material for important people.
I missed that part. What is the problem about URL exposure?
EDIT: All three replies to this comment are about sex-shaming people via their email address, IP, home address. Hardly pearl clutching. Go to DEF CON some day; you'll see how that information is basically for sale legally, let alone on the dark web.
I don't have a horse in this race because I use my own password storage software, but the amount of FUD in this thread is cray cray.
Since they're tied to people's account details, address and similar, I'd imagine quite aggressive blackmail opportunities going forward if the data gets to the hands of criminals.
Think postal letter named and addressed, giving your email, and the adult (or other embarrassing) sites you were a member of listed on the letter, along with details of a bank account to make immediate payment to...
Also, you may be able to identify people working for certain high profile orgs (defence contractors, etc) and target them further if you can glean from specific URLs that they have access to internal systems.
I might be misunderstanding, but if the URL was adobe.com, then it would be possible to find the corresponding password from that Adobe breach for the same email address (not trivial, but if someone moves in the right circles I assume they could get a whole host of the big breaches in a searchable format).
A subset of users might have reused the breached password(s) for their LastPass master password.
Not sure if you could also feed the breached passwords into the brute force tool to give it a headstart, in case they did a slight variation on a breached password for the LastPass master password.
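Editor's added illustration of the "slight variation" point above (not code from any commenter, and not LastPass's or any cracker's tooling): a toy version of the rule-based mangling that tools such as hashcat apply to a wordlist, used here to check whether a candidate master password is just a breached password with a common tweak. The breached list, the leet map and the prefix/suffix rules are constructed assumptions, kept small so the candidate space can be counted by hand.

```python
"""Check whether a candidate master password is a mangled breached password.

Editor's example, not from the thread. The rule set is a toy stand-in for
the mangling rules crackers feed to tools like hashcat, and the breached
passwords below are constructed, not real breach data.
"""
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
PREFIXES = ("", "!", "#")
SUFFIXES = ("", "!", "1", "12", "123", "!!", "?", ".", "2022", "2023", "2022!", "2023!")


def variants(base):
    """Yield every prefix/core/suffix combination for one breached password."""
    cores = {
        base, base.lower(), base.upper(), base.capitalize(), base.swapcase(),
        base.translate(LEET), base.lower().translate(LEET),
        base.capitalize().translate(LEET),
    }
    seen = set()
    for core in sorted(cores):
        for pre in PREFIXES:
            for suf in SUFFIXES:
                candidate = pre + core + suf
                if candidate not in seen:      # cores can collide (e.g. upper == swapcase)
                    seen.add(candidate)
                    yield candidate


def find_weak_variant(candidate, breached):
    """Return the breached password the candidate derives from, or None."""
    for base in breached:
        if any(candidate == v for v in variants(base)):
            return base
    return None


def variant_count(breached):
    """Size of the candidate space this rule set produces for a breach list."""
    return sum(1 for base in breached for _ in variants(base))


# Constructed "breach" data for a hypothetical address; these are not real leaks.
BREACHED = ["Sunshine7", "hunter2"]

if __name__ == "__main__":
    for pw in ["sunshine7!", "$un$h1n372023", "Hunter2!", "correct horse battery staple"]:
        print(pw, "->", find_weak_variant(pw, BREACHED))
    print("candidates per account:", variant_count(BREACHED))
```

The point the count makes: a few hundred guesses per account cost nothing no matter how expensive the vault's key derivation is, because the KDF only multiplies the cost of each guess. The defence is a master password unrelated to anything that has already leaked, not a tweak on one.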
With a list of names, billing addresses, email addresses, telephone numbers, IP addresses (sounds like it's a list since the user first started to use LP) along with URLs having a 99.9% probability of the individual having an account at the URL... that can be pretty much catastrophic. Create a list of OnlyFans subscribers, or if there is a subdomain used for OF creators you can compile a list of them. Any service that uses unique subdomains (like the users username) means you can connect usernames with individuals and so on.
Some URLs will be for internal corporate networks, things that should be protected by VPN but aren't, or publicly-accessible projects with poor security.
It would be really interesting to crawl through this data and filter out all the boring usual stuff, and see what else shakes out.
It's also somewhat helpful for spear-phishing or other social engineering. If you know which services a particular person is using, it's easier to fool them into giving up access to one or more of them.
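Editor's added example of the "crawl through this data and filter out the boring stuff" idea from the comments above (not code from any commenter, nor LastPass's code or data format): a triage pass over a list of (account email, vault URL) pairs that drops the ubiquitous hosts, flags private addresses and internal-looking names, and pulls out per-user handles that sit in a subdomain or a path. All records, host lists and heuristics are constructed for illustration; a real dump would use the dump's own top-N hosts as the "boring" set.

```python
"""Triage of an exposed URL list: what the unencrypted URL field gives away
even while the usernames and passwords stay encrypted.

Editor's example, not code from the thread or from LastPass. The records,
host lists and heuristics below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed stand-in for the stolen data: (account email, vault item URL).
# Credential fields are encrypted in the real dump, so they are absent here.
SAMPLE = [
    ("alice@example.com", "https://www.google.com/"),
    ("alice@example.com", "https://alice-h.fanclubsite.example/"),        # handle in subdomain
    ("alice@example.com", "https://intranet.acme-defense.example/login"),  # internal host
    ("bob@example.com",   "http://10.20.30.40:8443/admin"),                # private address
    ("bob@example.com",   "https://adobe.com/"),
    ("bob@example.com",   "https://github.com/bob-b/dotfiles"),            # handle in path
    ("bob@example.com",   "https://jira.internal.example.corp/"),
]

# Hosts so common they say nothing on their own (constructed short list).
BORING_HOSTS = {"www.google.com", "adobe.com", "github.com", "amazon.com"}
# Heuristics for "this is not a public SaaS login" (constructed).
INTERNAL_SUFFIXES = (".local", ".corp", ".internal", ".lan")
INTERNAL_LABELS = {"intranet", "vpn", "jira", "wiki", "confluence", "gitlab"}
# Leftmost labels that are service names rather than per-user handles.
GENERIC_LABELS = {"www", "login", "app", "m", "mail", "api", "auth", "accounts"} | INTERNAL_LABELS
# Sites that put the account name in the first path segment (constructed list).
PATH_HANDLE_HOSTS = {"github.com", "twitter.com", "instagram.com"}
HANDLE_RE = re.compile(r"^[A-Za-z0-9_-]{3,39}$")


def classify(url):
    """Tag one URL: boring, private-ip, internal-name, subdomain-handle, path-handle."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tags, handle = set(), None
    if not host:
        return {"host": host, "tags": tags, "handle": handle}
    try:
        if ipaddress.ip_address(host).is_private:
            tags.add("private-ip")
    except ValueError:                      # not an IP literal: look at the name
        labels = host.split(".")
        if host.endswith(INTERNAL_SUFFIXES) or len(labels) == 1 or labels[0] in INTERNAL_LABELS:
            tags.add("internal-name")
        elif host in BORING_HOSTS:
            tags.add("boring")
        if "internal-name" not in tags and len(labels) >= 3 and labels[0] not in GENERIC_LABELS:
            tags.add("subdomain-handle")    # pattern <username>.<service>.<tld>
            handle = labels[0]
    if host in PATH_HANDLE_HOSTS:
        first = parts.path.strip("/").split("/")[0]
        if HANDLE_RE.match(first):
            tags.add("path-handle")
            handle = first
    return {"host": host, "tags": tags, "handle": handle}


def triage(records):
    """Per account: non-boring services, internal hosts, and handles leaked by URLs."""
    acct = defaultdict(lambda: {"services": set(), "internal": set(), "handles": set()})
    for email, url in records:
        c = classify(url)
        if "boring" not in c["tags"]:
            acct[email]["services"].add(c["host"])
        if c["tags"] & {"private-ip", "internal-name"}:
            acct[email]["internal"].add(c["host"])
        if c["handle"]:
            acct[email]["handles"].add(c["handle"])
    return {e: {k: sorted(v) for k, v in a.items()} for e, a in acct.items()}


if __name__ == "__main__":
    for email, summary in triage(SAMPLE).items():
        print(email, summary)
```

Nothing here touches a password: the per-account service list, the internal hostnames and the handles all come out of the URL field alone, which is why "the sensitive fields were encrypted" does not settle the exposure question.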
Probably that now it is known that people with a lastpass account of email address X also have an account at login.furriesindiapers.com or something really insane like dailywire.com
Any information that helps an attacker craft a more targeted attack is useful to the attacker. With URL exposure the attackers now have a comprehensive list of services that a person depends on and where further data about them is stored.
> that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
panarky|3 years ago
"Zero Knowledge" should join "Full Self Driving" in the malicious marketing hall of fame.
mace01|3 years ago
That definitely cannot be true since they were storing URLs in vaults unencrypted. Seems like a class action lawsuit waiting to happen.
https://www.lastpass.com/security/zero-knowledge-security
jjulius|3 years ago
"It's already out there so we shouldn't bother preventing it from spreading further," is a terrible argument.