
rlaxton t1_j83gpkh wrote

Everything in the vault is encrypted using your master password as far as I know.

−7

zevelj t1_j83styi wrote

They say that URLs for sites stored are not encrypted, but passwords are. So just wondering what else isn't.

5

gurenkagurenda t1_j83s6ne wrote

Well, all the directly sensitive content. LastPass has always been bad about storing metadata in the clear. It doesn’t make it easier for an attacker to get your password, but it does let them narrow down who to try to attack.

2

spsteve t1_j85swbk wrote

It does if a site did something stupid and included something useful in the URL that LP has stored.

Edit: it also makes phishing much easier. That metadata can be used like this:

You have an MS account and an Adobe account. I know because I have your metadata. I send you a sophisticated phish saying that Adobe is now offering to link to your MS account for single sign in. Just enter your Adobe and MS ids on this form...

It might not hit you but it would get a lot of users.

1

Deckma t1_j86v4s8 wrote

That's what they wanted us to believe. Unfortunately that's not true.

You can see the vault structure of popular password managers here: https://i.imgur.com/QAvoPmb.jpg

URLs were not encrypted in LastPass. And almost all the metadata and field names were not encrypted.

1