While many of us unplugged from the internet over the holidays to spend time with loved ones, LastPass, the maker of a popular security program for managing digital passwords, delivered a most unwanted gift.  It recently published details about a security breach in which cybercriminals obtained copies of customers’ password vaults, potentially exposing millions of people’s online information. From a hacker’s point of view, this is equivalent to hitting the jackpot. When you use a password manager like LastPass or 1Password, it stores a list containing all the usernames and passwords for the sites and apps you use, including banking, healthcare, email, and social networking accounts Huh. It keeps track of that list, called a vault, in its own online cloud so you can easily access your passwords from any device. LastPass said the hackers stole a copy of the list of usernames and passwords for each customer from the company’s servers. This breach was one of the worst things that could happen to a security product designed to take care of your passwords. But besides the obvious next step — to change all your passwords if you used LastPass — there are important lessons we can learn from this debacle, including that security products are not foolproof, especially when they Store our sensitive data in the cloud. First, it’s important to understand what happened: The company said the intruders gained access to its cloud database and a copy of the data vault containing millions of customers using credentials and keys stolen from a LastPass employee. LastPass, which published details about the breach in a blog post on December 22, attempted to reassure its users that their information was likely to be secure. It said that some parts of people’s vaults – such as the website addresses for sites they logged into – were unencrypted, but sensitive data including usernames and passwords were encrypted. This shows that hackers can know the banking website that someone uses but do not need the username and password to log into that person’s account. Most important, the master password that users set to unlock their LastPass vaults was also encrypted. This means hackers would have to crack the encrypted master password to get to the rest of the passwords in each vault, which would be difficult to do as long as people used a unique, complex master password. LastPass CEO Karim Touba declined to be interviewed but wrote in an emailed statement that the incident demonstrated the strength of the company’s system architecture, which he said kept sensitive Vault data encrypted and secure. Is. He also said that it was the users’ responsibility to “practice good password hygiene”. Many security experts disagreed with Mr. Touba’s optimistic spin, saying that every LastPass user should change all of their passwords. “It’s very serious,” said Sinan Eren, an executive at security firm Barracuda. “I think all those managed passwords have been compromised.” Casey Ellis, chief technology officer at security firm BugCrowd, said it was important that the intruders had access to lists of website addresses that people used. “Let’s say I’m following you,” said Mr. Ellis. “I can see all the websites you have saved information for and use that to plan an attack. Every LastPass user has that data now in the hands of an adversary. We can all learn from this breach to stay safe online. While many of us unplugged from the internet over the holidays to spend time with loved ones, LastPass, the maker of a popular security program for managing digital passwords, delivered a most unwanted gift. It recently published details about a security breach in which cybercriminals obtained copies of customers’ password vaults, potentially exposing millions of people’s online information. From a hacker’s point of view, this is equivalent to hitting the jackpot. When you use a password manager like LastPass or 1Password, it stores a list containing all the usernames and passwords for the sites and apps you use, including banking, healthcare, email and social networking accounts Huh. It keeps track of that list, called a vault, in its own online cloud so you can easily access your passwords from any device. LastPass said the hackers stole a copy of the list of usernames and passwords for each customer from the company’s servers. This breach was one of the worst things that could happen to a security product designed to take care of your passwords. But besides the obvious next step — to change all your passwords if you used LastPass — there are important lessons we can learn from this debacle, including that security products are not foolproof, especially when they Store our sensitive data in the cloud. First, it’s important to understand what happened: The company said the intruders gained access to its cloud database and a copy of the data vault containing millions of customers using credentials and keys stolen from a LastPass employee. LastPass, which published details about the breach in a blog post on December 22, attempted to reassure its users that their information was likely to secure. It said that some parts of people’s vaults – such as the website addresses for sites they logged into – were unencrypted, but sensitive data including usernames and passwords were encrypted. This shows that hackers can know the banking website that someone uses but do not need the username and password to log into that person’s account. Most important, the master password that users set to unlock their LastPass vaults was also encrypted. This means hackers would have to crack the encrypted master password to get to the rest of the passwords in each vault, which would be difficult to do as long as people used a unique, complex master password. LastPass CEO Karim Touba declined to be interviewed but wrote in an emailed statement that the incident demonstrated the strength of the company’s system architecture, which he said kept sensitive Vault data encrypted and secure. Is. He also said that it was the users’ responsibility to “practice good password hygiene”. Many security experts disagreed with Mr. Touba’s optimistic spin, saying that every LastPass user should change all of their passwords. “It’s very serious,” said Sinan Eren, an executive at security firm Barracuda. “I think all those managed passwords have been compromised.” Casey Ellis, chief technology officer at security firm BugCrowd, said it was important that the intruders had access to lists of website addresses that people used. “Let’s say I’m following you,” said Mr. Ellis. “I can see all the websites you have saved information for and use that to plan an attack. Every LastPass user has that data now in the hands of an adversary. We can all learn from this breach to stay safe online. More details can be found on OUR FORUM.

The Irish Data Protection Commission (DPC) has launched an inquiry following last month's news reports of a massive Twitter data leak. This leak affected over 5.4 million Twitter users and included both public information scraped from the site as well as private phone numbers and email addresses. The data was obtained through the exploitation of an API vulnerability that Twitter had fixed in January. In a statement on Friday, the Irish privacy regulator said, "The DPC corresponded with Twitter International Unlimited Company ('TIC') in relation to a notified personal data breach that TIC claims to be the source vulnerability used to generate the datasets and raised queries in relation to GDPR compliance." It also added that it believes "one or more provisions of the GDPR and/or the Act may have been, and/or are being, infringed in relation to Twitter Users' personal data." The DPC, which serves as Twitter's lead EU watchdog, wants to determine if the social media giant has fulfilled its obligations as a data controller regarding the processing of user data and whether it has violated any provisions of the General Data Protection Regulation (EU GDPR) or the Data Protection Act 2018. Two years ago, the DPC fined Twitter €450,000 (~$550,000) for failing to notify the DPC of a breach within the 72-hour timeframe required by the GDPR and for inadequate documentation of the breach. In November 2021, the DPC also fined Meta €265 million ($275.5 million) for a major data leak on Facebook that exposed the personal information of hundreds of millions of users worldwide. In July 2022, the private information of more than 5.4 million Twitter users was put up for sale on a hacking forum for $30,000. While most of the data was publicly available, such as Twitter IDs, names, login names, locations, and verified status, the leaked database also included non-public information, such as email addresses and phone numbers. This data was collected in December 2021 through a Twitter API vulnerability disclosed through the HackerOne bug bounty program, which allowed anyone to submit phone numbers or email addresses into the API to link them to their associated Twitter ID. After BleepingComputer shared a sample of the stolen user records with Twitter, the company confirmed it had experienced a data breach linked to attackers using this API bug, which was fixed in January 2022. BleepingComputer found that the bug was exploited by Pompompurin, the owner of the Breached hacking forum, who also harvested the information of an additional 1.4 million suspended Twitter users using a different API. This brought the total number of Twitter profiles scraped for private information to almost 7 million. Stay in the loop by visiting OUR FORUM.