As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts. We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns. However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved. These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a users’ Master Password(s). We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.
...syncing locally via wifi [...] is still the best option. Then you don't have to wonder how much truth there is in reports like these.
Locally you can also be vulnerable in all kinds of ways.
I know that 1P is end-to-end encrypted; a hacker gets nothing from your master password. You also need the secret key, which you never use online. Super secure.
For me that would be the end of it right away.
But how, for example? If you somehow pick up malware?
Bitwarden salts and hashes your master password with your email address locally, before transmission to our servers. Once a Bitwarden server receives the hashed password, it is salted again with a cryptographically secure random value, hashed again, and stored in our database. […] The utilized hash functions are one-way hashes, meaning they cannot be reverse engineered by anyone at Bitwarden to reveal your master password. Even if Bitwarden were to be hacked, there would be no method by which your master password could be obtained.
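An added example that models the two-stage scheme the quote describes (client-side salt with the e-mail address, server-side salt with a random value, only the final hash stored); this is not Bitwarden's own code, and the iteration counts and e-mail normalisation are assumptions.

```python
import hashlib
import hmac
import secrets

# Illustrative assumptions, not Bitwarden's actual parameters.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 10_000


def client_hash(master_password: str, email: str) -> bytes:
    """Stage 1, on the client: salt with the normalised e-mail address and
    hash with PBKDF2-HMAC-SHA256. Only this value ever leaves the device."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, CLIENT_ITERATIONS)


def server_store(client_hashed: bytes) -> dict:
    """Stage 2, on the server: salt the received value again with a random
    salt, hash again, and keep only the salt and the final hash."""
    salt = secrets.token_bytes(16)
    final = hashlib.pbkdf2_hmac("sha256", client_hashed, salt, SERVER_ITERATIONS)
    return {"salt": salt, "hash": final}


def server_verify(record: dict, client_hashed: bytes) -> bool:
    """Recompute stage 2 for a login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", client_hashed,
                                    record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def login(record: dict, master_password: str, email: str) -> bool:
    """Full round trip: the client hashes locally, the server verifies."""
    return server_verify(record, client_hash(master_password, email))


# Constructed demo values.
DEMO_EMAIL = "user@example.com"
DEMO_PASSWORD = "correct horse battery staple"

if __name__ == "__main__":
    record = server_store(client_hash(DEMO_PASSWORD, DEMO_EMAIL))
    print(login(record, DEMO_PASSWORD, DEMO_EMAIL))        # True
    print(login(record, "wrong password", DEMO_EMAIL))     # False
    # The database row holds neither the password nor the client-side hash.
    print(client_hash(DEMO_PASSWORD, DEMO_EMAIL) == record["hash"])  # False
```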
You can't turn boeuf bourguignon back into a cow either.
The password manager attributes these hacking attempts to so-called 'credential stuffing'. In this, hackers use e-mail addresses and passwords from other breaches. They then use these to try, on the off chance, to break into LastPass. Users who reuse their master password on several other sites are particularly at great risk because of this.
People are notoriously poor at achieving sufficient entropy to produce satisfactory passwords. (wiki)
A snippet of extra info about that 'hack':