
what-the-puck t1_j1i21l7 wrote

Every saved website URL is unencrypted.

Now the attackers have the owner's LastPass email address, all IP addresses used to log in (which for most people give an accurate geographic region), and, for everyone who paid, their full billing info including name, address and phone number.

And with URLs the attackers can tie all of that to every single service the person has a password for.

That's a goldmine in and of itself. Their utility bills tell you where they live with certainty. Their financial accounts tell you who their bank is, their mortgage company, their insurance company, their health insurance company, etc. Their company accounts tell you who they work for, even if they just have webmail or timesheets saved. Many people now have accounts for their doctor's office, and for different services that offer medical tests (scheduling).

Political affiliations. Hobbies. Clubs. What languages they speak. Deep dark secrets. There's a reason the backup was stolen.

Knowing all that, and previous password leaks, the attackers can do (and undoubtedly already are doing) password-spraying attacks against the backup and will gain access to some accounts. It's inevitable, AES256 is too weak and stolen accounts too valuable.