
LastPass owner GoTo shares more bad news about November’s security breach

49 points | emdashcomma | 3 years ago | theverge.com

5 comments

brewdad | 3 years ago
I left LastPass years ago but have no idea whether my info might still be in this breach. At this point I’m almost afraid to ask.
CommitSyn | 3 years ago
I signed up for LastPass in like 2012 and stopped using it around 2015 or 2016. I had a very strong copy/pasted master password but I still haven't logged in to see what my iterations were at (probably 100).

The attackers can't hurt me if I close my eyes, right?

runamok | 3 years ago
IMO at this point every LastPass user should:

1. Check their password iterations to evaluate how urgent the rest of these steps are: https://support.lastpass.com/help/how-do-i-change-my-passwor...

2. If iterations are 100100 and your password is not a dictionary word (or quite short) you are probably ok but...

3. I'd still identify any high value passwords like email, financial, cryptocurrency, etc. and rotate them.

I am guessing the iterations are stored in the vault so would point out the low hanging fruit to the hackers.

All the other things LP is doing don't really matter since the customer vaults are already exfiltrated and do not use any sort of MFA offline.

poglet | 3 years ago
"may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings"

What does MFA settings mean in this context? Does enabling MFA protect users from these types of attacks? Is MFA used as a part of the encryption key used to protect data?

richardjennings | 3 years ago
TOTP is a popular MFA mechanism that is composed from a shared secret and settings (often communicated by QR code). Utilities like LastPass can generate TOTP codes for you if you share the config. The statement reads like any MFA config shared is potentially compromised and should be replaced.