Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Password Manager. Show all posts
Password Security
Browser Vulnerabilities Cyber Threats Cybersecurity awareness Data Breach Prevention digital safety Identity Protection Online Privacy Password Manager Password Security

Why It’s Time to Stop Saving Passwords in the Browser

 


As convenience often takes precedence over caution in the digital age, the humble "Save Password" prompt has quietly become one of the most overlooked security traps of the digital age, one of the most overlooked security threats. The number of users who entrust their most sensitive credentials to their browsers each day is staggering. 

In a bid to relieve themselves of the constant burden of remembering multiple logins every day, millions of people are willing to trust their browsers. As seemingly innocent as it may seem to simplify daily life, this shortcut conceals a significant and growing cybersecurity threat that is rapidly spreading across the globe. The very feature that was designed to make online access effortless has now become a prime target for cybercriminals.

These thieves are able to retrieve the passwords stored on local computers within minutes — often even without the user's knowledge — and sell them for a profit or further exploitation on dark web marketplaces. 

By storing encrypted login information within a user's profile data, browser-based password managers can be reclaimed when needed by storing them in their profile data, automatically recalling them when necessary, and even syncing across multiple devices that are connected to the same account. In addition to improving accessibility and ease of use with this integration, the potential attack surface is multiplied. 

As soon as a single account or system has been compromised, every password saved has been exposed to attack. During an age where digital threats are becoming increasingly sophisticated, experts warn that convenience-driven habits, such as saving passwords in the browser, may end up costing the users much more than the few seconds they save at login time when they save passwords in their browser.

Even though browser-based password storage remains the default choice for many users, experts are increasingly emphasising the advantages of dedicated password managers - tools that can be used across multiple platforms and ecosystems independently. 

Many browser managers do not sync with their own environments; they only sync with their own environments, such as Google and Chrome, Apple and Safari, or Microsoft with Edge. However, standalone password managers surpass these limitations. It is compatible with all major browsers and operating systems, so users will be able to access their credentials on both Macs and Windows computers, as well as Android phones and iPhones, regardless of whether they are using a MacBook or a Windows computer. 

These managers act as independent applications, rather than integrated components of browsers, so that they provide both flexibility and resilience. They provide a safe and secure means of transferring data from one device to another, allowing users to be independent of any single vendor's ecosystem. Modern password managers have more to offer than simply storing credentials. 

Families, friends, and professional teams can use them to share secure passwords among themselves, ensuring critical access during times of crisis or collaboration. Additionally, encrypted local copies of stored data are maintained on the computers, so that users can access their data offline even when their phone or Internet connection is disconnected. 

Using this capability, important credentials are always readily available whenever and wherever they are required, without sacrificing security. Contrary to this, browser-based password saving has continued to attract users around the world — from small business owners trying to maximise efficiency to workers at large corporations juggling multiple logins — because of its ease of use. This convenience is not without its dangers, however. 

Cybercriminals use browser-stored credentials daily as a means of exploiting them via stealer malware, phishing attacks and tools that retrieve autofill information, cookies, and stored sessions. Once these credentials have been obtained, they are quickly circulated and sold on dark web forums and encrypted Telegram channels, allowing attackers to gain access to sensitive corporate and personal data. 

Many consequences can result from a harmless click on the “Save Password” button that can affect not just an individual but entire organisations as well. Despite this appearance of efficiency, there is a fundamental flaw beneath this efficiency: browsers were never intended to serve as secure vaults for passwords. The main purpose of browsers is still web browsing, and password storage is only an optional feature. 

When it comes to strengthening in-browser security, it's crucial to ensure the encryption keys are only held by the device owner by enabling on-device encryption, which is available through services like Google Password Manager. This feature integrates directly with the device's screen lock and creates an additional layer of protection that prevents people from accessing passwords stored on the user; device. 

As a consequence, it comes with a trade-off as well: users who lose access to their Google accounts or devices may be permanently locked out of their saved credentials. Another essential measure is enabling password autofill features on browsers, a feature that remains one of the most easily exploited browser conveniences. 

It is possible, for example, to toggle off "Offer to save passwords" in Chrome by going to "Settings" > "Autofill and passwords" > "Google Password Manager." 

Using Microsoft Edge, users can achieve the same level of protection by enabling the option "Autofill Passwords and Passkeys" in the "Passwords and autofill" section of Settings, while Safari users on macOS Catalina 10.15 and later can use the File menu to export and modify passwords in order to limit their exposure.

In addition to the above adjustments, implementing two-factor authentication across all accounts adds a second line of defense, which means that even if credentials are compromised, unauthorized access remains unlikely, even with compromised credentials. 

In order to further reduce potential risks, it is important to review and eliminate stored passwords tied to sensitive or high-value accounts. However, browser-stored passwords are a fraction of the information that is silently accumulated by most browsers. A browser, in addition to storing login credentials, also contains a wealth of personal and corporate data that can be of invaluable use to cybercriminals. 

By saving credit card information, autofilling information like addresses and telephone numbers, cookies, browsing history, and cached files, we can gather a detailed picture of the user's digital life over the course of a lifetime. Using compromised cookies, attackers may be able to hijack active sessions without using a password, while stolen autofill data can serve as a weapon for identity theft or phishing schemes. 

Inadvertently, bookmarks or download histories could reveal sensitive client-related materials or internal systems. In essence, the browser functions as an unsecured vault for financial, professional, and personal information, all enclosed in a convenient layer that is prone to easy breach. 

It would be much safer and more structured to use dedicated password managers such as 1Password, Dashlane, Bitwarden, and LastPass if they were made from the ground up with encryption, privacy, and cross-platform protection as their core design principles. These tools transcend the limitations of browsers by providing a much more secure and structured alternative. 

In addition to safeguarding passwords, they also ensure that the user remains fully in control of their digital credentials. They provide the perfect balance between convenience and uncompromising security in today's connected world. As digital life continues to become more entwined with convenience, protecting one's online identity has never been a higher priority than it has ever been.

To attain a higher level of security, users must move beyond short-term comfort and establish proactive security habits. For instance, they should update their passwords regularly, avoid reusing them, monitor for breaches, and use trusted password management solutions with zero-knowledge encryption. There is an important difference between the use of browser-stored credentials versus secure, dedicated platforms that take care of themselves. 

In a world where cyberthreats are evolving at a rapid pace, users must have a feeling that their data is safe and secure, not only that it is also easy to use and simple to operate.
Read more »
Password Manager
Browser Clickjacking Attacks Credential Cyber Security Passkeys Password Manager

Passkeys under threat: How a clever clickjack attack can bypass your secure login

 


At DEF CON 33, independent security researcher Marek Tóth revealed a new class of attack called DOM-based extension clickjacking that can manipulate browser-based password managers and, in limited scenarios, hijack passkey authentication flows. This is not a failure of cryptography itself, but a breakdown in the layers surrounding it.


What is being attacked, and how?

Clickjacking is not new. In its classic form, an attacker overlays a transparent frame or control on a visible page so that a user thinks they are clicking one thing but actually triggers another. 

What Tóth’s technique adds is the targeting of browser extensions’ UI elements specifically, the autofill prompts that password managers inject into web pages. The attacker’s script controls the page’s Document Object Model (DOM) and applies CSS tricks (such as setting opacity to zero or overlaying fake elements) so that a user’s genuine click (for example, “Accept cookies”) also activates that hidden autofill element. The result: the extension may populate fields transparently, then the attacker reads the filled data. 

In many of Tóth’s tests, a single click was sufficient to trigger data leakage credentials, TOTP codes (2FA), credit card information, or personal data. In some setups, passkey workflows could also be subverted using “signed assertion hijacking,” if the server did not enforce session-bound challenges. 


How serious is the exposure?

Tóth examined 11 popular password-manager extensions (such as Bitwarden, 1Password, LastPass, iCloud Passwords). All were vulnerable under default settings to at least one variant of the attack. 

Among the risks:

Credential theft: Usernames, passwords and even stored TOTP codes could be auto-populated and exfiltrated. 

Credit card data: Autofill of payment fields (card number, expiration, CVV) was exposed in several tests. 

Passkey hijack: If the relying server does not bind the challenge to a session, an attacker controlling a page could co-opt a passkey login request. 

Some vendors have already released patches. For example, Enpass addressed clickjacking in browser extensions in version 6.11.6. Other tools remain at risk under certain configurations. 


Why this doesn’t mean cryptographic failure

It is critical to clarify: the underlying passkey standards (WebAuthn / FIDO protocols) were not broken. Instead, the attack targets the implementation and environment around them namely, the browser’s extension UI interaction. The exploit is possible only when the extension injects visible elements into the page DOM, and when an attacker can manipulate those elements. 

In other words, passkeys are strong in theory. But every layer above — browser, extension, site must preserve integrity or risk defeat.


What must users and organizations do

Users should:

1. Update your browser and your password-manager extensions immediately; enable auto-update.

2. Disable inline autofill where possible; prefer manual copy-paste or invoke filling only through the extension’s menu.

3. On Chromium-based browsers, set extension site access to “on click,” not “all sites.”

4. Remove or disable unused extensions.

5. For high-value accounts, prefer platform-native passkey or hardware-backed authenticators rather than extension-based credentials.


Organizations should:

• Audit extension policies and restrict or whitelist extensions.

• Enforce secure best practices on web apps (e.g., session­-bound challenges with passkeys).

• Encourage or mandate the use of vetted and updated password-management tools.


This disclosure emphasizes that security is a chain, and your cryptographic strength is only as strong as its weakest link. Passkeys are an important evolution beyond passwords, but until all layers: browser, extensions, applications are hardened, risk remains. Act now before attackers exploit complacency.


Read more »
Vulnerabilities and Exploits
Browser Clickjacking links Login Credentials Password Manager Vulnerabilities and Exploits

Password Managers Face Clickjacking Flaw, Millions of Users at Risk



For years, password managers have been promoted as one of the safest ways to store and manage login details. They keep everything in one place, help generate strong credentials, and protect against weak or reused passwords. But new research has uncovered a weakness in several widely used browser extensions that could expose sensitive information for millions of people.


Details about the flows

Security researchers recently found that 11 different password manager extensions share a vulnerability linked to the way they rely on the Document Object Model (DOM). The DOM is part of how web pages are structured, and in this case, it opens a door to a technique known as “clickjacking.”

Clickjacking works by tricking users into clicking on invisible or disguised elements of a web page. For example, a malicious site may look legitimate but contain hidden layers. A single misplaced click can unintentionally activate the password manager’s autofill function. Once that happens, the manager may begin entering saved credentials directly into the attacker’s page.

The danger lies in how quietly this happens. Users often close the site without realizing that their passwords or even stored credit card information and personal details like addresses or phone numbers may already have been copied by attackers.


The scale of the issue

The affected list includes some of the most recognized password managers in the industry. An estimated 40 million users worldwide could be impacted. While some companies have already addressed the issue through updates, not all providers have released fixes yet. For example, RoboForm has patched its extension, and Bitwarden has rolled out a new version. However, others remain in the process of responding.


Protecting yourself

There is no universal fix for clickjacking, but users can take important steps to reduce risk:

1. Be cautious with links: Avoid clicking on unfamiliar or suspicious links, even if they appear genuine. It is always safer to type the website address directly or use trusted bookmarks.

2. Update your tools: Make sure your password manager extension is up to date. Updates often contain security fixes that block known vulnerabilities.

3. Change autofill settings: If you use a Chromium-based browser, switch your password manager’s autofill to “on-click.” This ensures that details are only filled in when you actively choose to do so.

4. Disable unnecessary autofill: Consider turning off automatic completion for personal information like email addresses in your browser settings.


The bottom line

Password managers are still an essential tool for safe online habits, but like any technology, they are not immune to flaws. Staying alert, practicing careful browsing, and keeping your software updated can substantially lower the risk. Until every provider has addressed the vulnerability, users should take extra precautions to keep their digital identities secure.



Read more »
Vulnerabilities and Exploits
Clickjacking Attacks Credential Theft Password Manager User Security Vulnerabilities and Exploits

Major Password Managers Leak User Credentials in Unpatched Clickjacking Attacks

 

Six popular password managers serving tens of millions of users remain vulnerable to unpatched clickjacking flaws that could allow cybercriminals to steal login credentials, two-factor authentication codes, and credit card information. 

Modus operandi

Security researcher Marek Tóth, who presented these findings at DEF CON 33, demonstrated how attackers exploit these vulnerabilities by running malicious scripts on compromised websites. 

The attack works by using opacity settings and overlays to hide password manager autofill dropdown menus while displaying fake elements like cookie banners or CAPTCHA prompts. When users click on these decoy elements, they unknowingly trigger autofill actions that expose sensitive data. 

Tóth developed multiple exploitation variants, including DOM element manipulation techniques and a method where the user interface follows the mouse cursor, making any click trigger data autofill. The researcher created a universal attack script that can identify which password manager a target is using and adapt the attack in real-time. 

Impacted password managers

The vulnerable password managers include: 
  • 1Password 8.11.4.27 
  • Bitwarden 2025.7.0 
  • Enpass 6.11.6 
  • iCloud Passwords 3.1.25
  • LastPass 4.146.3 
  • LogMeOnce 7.12.4 
These services collectively have approximately 40 million users. 

Vendor responses 

Vendor responses have been mixed. 1Password dismissed the report as "out-of-scope/informative," arguing that clickjacking is a general web risk users should mitigate themselves. Similarly, LastPass initially marked the report as "informative" before later acknowledging they're working on fixes. 

Bitwarden downplayed the severity but claims to have addressed the issues in version 2025.8.0. However, LogMeOnce initially failed to respond to any communication attempts, though they later released an update. Several vendors have successfully implemented fixes, including Dashlane, NordPass, ProtonPass, RoboForm, and Keeper.

Safety measures 

Until patches are available, Tóth recommends that users disable autofill functionality in their password managers and rely on manual copy-paste operations instead. This significantly reduces the attack surface while maintaining password manager security benefits. 

The research highlights ongoing challenges in balancing user convenience with security in password management tools, particularly regarding browser extension vulnerabilities.
Read more »
Password Manager
cybersecurity tips Data Breach delete old accounts identity theft protection Online Security Password Manager

Why It’s Critical to Delete Old Online Accounts Before They Endanger Your Security

 

Most people underestimate just how many online accounts they’ve signed up for over the years. From grocery delivery and fitness apps to medical portals and smart home devices, every service requires an account—and almost all require personal information.

Research by NordPass last year revealed that the average person manages close to 170 passwords for different accounts. For anyone who has spent a significant part of their life online, that figure is likely much higher.

Abandoned or forgotten accounts still hold sensitive data—your name, email, address, birthdate, and payment information. All this information is exactly what shows up in massive data breaches and is precisely what cybercriminals look for.

In an era where data leaks often compile older breaches into vast collections of stolen personal details, inactive accounts lacking updated protections like strong passwords or two-factor authentication become major security liabilities.

Once hackers gain access to your information, they can leverage it in countless ways. For example, if they compromise your email or social media, they can impersonate you to launch phishing attacks or send scams to your contacts. They might also try to trick your friends and colleagues into downloading malware.

Dormant accounts can hold even more sensitive material, such as scans of IDs or insurance documents, which can be exploited for identity theft or fraud. Accounts with saved financial information are an even bigger risk since attackers can drain funds or resell the details on dark web marketplaces.

Deleting old accounts is one of the simplest yet most effective ways to strengthen your online security. It may seem tedious, but it’s something you can easily do while catching up on your favorite shows.

Start by searching your email inbox for common registration keywords like “welcome,” “thank you for signing up,” “verify account,” or “validate account.” A password manager can also help you see which logins you’ve saved over time.

Check the saved password lists in your browser:
  • Chrome: Settings > Passwords
  • Safari: Preferences > Passwords
  • Firefox: Preferences > Privacy & Security > Saved Logins
  • Edge: Settings > Profiles > Passwords > Saved Passwords
Many services let you sign in with Google, Facebook, Twitter, or Apple ID. Review the list of connected apps and services—while disconnecting them doesn’t automatically delete accounts, it shows what you need to remove.

Visit Have I Been Pwned? to check if your email has been involved in breaches. This resource can remind you of forgotten accounts and alert you to which passwords should be changed immediately.

If you spot apps you no longer use on your phone or laptop, log in, close the accounts, and delete the apps from your device. Some antivirus tools, such as Bitdefender, offer features to find all accounts you’ve created using your email with a single click.

Certain platforms intentionally make deletion difficult. If you’re struggling, search the site’s name along with “delete account,” or use justdelete.me, a helpful directory with step-by-step removal guides. If that fails, reach out to the site’s support team.

If you cannot fully delete an account, take steps to minimize the risk:

  • Remove saved payment information.
  • Delete personal details such as your name, birthdate, and shipping address.
  • Clear any stored files or sensitive messages.
  • Use a fake name and a disposable email like Mailinator.

Before creating new accounts in the future, consider whether you can use a guest checkout or a dedicated email address just for sign-ups.

For accounts you decide to keep, always update your passwords, store them securely in a password manager, and enable multi-factor authentication or passkeys to strengthen security.
Read more »
VPN for public Wi-Fi
AI Privacy cybersecurity tips Incogni data removal Passkeys Password Manager Protect Personal Data Technology two-factor authentication VPN for public Wi-Fi

Digital Safety 101: Essential Cybersecurity Tips for Everyday Internet Users

 9to5Mac is brought to you by Incogni: a service that helps you wipe your personal data—including your phone number, address, and email—from data brokers and people-search websites. With a 30-day money-back guarantee, Incogni offers peace of mind for anyone looking to guard their privacy.


1. Use a Password Manager

The old advice to create strong, unique passwords for each website still holds true—but is only realistic if you use a password manager. Fortunately, Apple’s built-in Passwords app makes this easy, and there are many third-party options too. Use these tools to generate and save complex passwords every time you sign up for a new service.

2. Update Old Passwords

Accounts created years ago may still have weak or repeated passwords. This makes you vulnerable to credential stuffing attacks—where hackers use stolen logins from one site to access others. Prioritize updating your passwords for financial services, Apple, Google, Amazon, and any accounts that have already been compromised. To check this, enter your email on Have I Been Pwned.

3. Enable Passkeys Where Available

Passkeys are becoming the modern alternative to passwords. Instead of storing a traditional password, your device uses Face ID or Touch ID to verify your identity, and only sends confirmation of that identity to the site—never the actual password. This reduces the risk of your credentials being hacked or stolen.

4. Use Two-Factor Authentication (2FA)

2FA provides an added layer of security by requiring a rolling code each time you log in. Avoid SMS-based 2FA—it's prone to SIM-swap attacks. Instead, opt for an authenticator app like Google Authenticator or use the built-in support in Apple’s Passwords app. Set this up using the QR code provided by the service.

5. Monitor Last Login Activity

Some platforms, especially banking apps, show the date and time of your last login. Get into the habit of checking this regularly. Unexpected logins are an immediate red flag and could signal that your account has been compromised.

6. Use a VPN on Public Wi-Fi

Public Wi-Fi networks can be unsafe and vulnerable to “Man-in-the-Middle” (MitM) attacks. These involve a rogue device impersonating a Wi-Fi hotspot to intercept your internet traffic. While HTTPS reduces the risk, using a VPN is still the best protection. Choose a trusted provider that maintains a no-logs policy and undergoes third-party audits. “I use NordVPN for this reason.”

7. Don’t Share Personal Info With AI Chatbots

Conversations with AI chatbots may be stored or used as training data. Avoid typing anything sensitive, such as passwords, addresses, or identification numbers—just as you wouldn’t post them publicly online.

8. Consider Data Removal Services

Your personal information may already be listed with data brokers, exposing you to spam and scams. Manually removing this data can be tedious, but services like Incogni can automate the process and reduce your digital footprint efficiently.

9. Verify Any Request for Money

If someone asks for money—even if it looks like a friend, family member, or colleague—double-check their identity using a separate communication method.

“If they emailed you, phone them. If they phoned you, email or message them.”

Also, if you're asked to send gift cards or wire money, it's almost always a scam. Be especially cautious if you're told a bank account has changed—confirm directly before transferring funds.
Read more »
Password Manager
Credentials cyber attack Cybersecurity Digital Security Hacking Infostealer malware MFA Password Manager

Cybercriminals Intensify Attacks on Password Managers

 

Cybercriminals are increasingly setting their sights on password managers as a way to infiltrate critical digital accounts.

According to Picus Security’s Red Report 2025, which analyzed over a million malware samples from the past year, a quarter (25%) of all malware now targets credentials stored in password managers. Researchers noted that this marks a threefold surge compared to the previous year.

“For the first time ever, stealing credentials from password stores is in the top 10 techniques listed in the MITRE ATT&CK Framework,” they said. “The report reveals that these top 10 techniques accounted for 9Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. 3% of all malicious actions in 2024.”

Advanced Hacking Techniques

Dr. Suleyman Ozarslan, co-founder and VP of Picus Labs, revealed that cybercriminals use sophisticated methods like memory scraping, registry harvesting, and breaching both local and cloud-based password stores to extract credentials.

To counter this rising threat, Ozarslan emphasized the importance of using password managers alongside multi-factor authentication (MFA). He also warned against password reuse, particularly for password.

Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. Picus Security highlighted that modern cybercriminals are now favoring long-term, multi-stage attacks that leverage a new generation of malware. These advanced infostealers are designed for stealth, persistence, and automation.

Researchers compared this evolution in cyber threats to “the perfect heist,” noting that most malware samples execute over a dozen malicious actions to bypass security defenses, escalate privileges, and exfiltrate data.

A password manager is a cybersecurity tool that securely stores, generates, and auto-fills strong passwords across websites and apps. By eliminating the need to remember multiple passwords, it strengthens security and reduces the risk of breaches. Experts consider it an essential component of cybersecurity best practices.
Read more »
Windows
Google Google Chrome Password Manager Technology Windows

Passwords Vanish for 15 Million Windows Users, Google Says "Sorry"

Passwords Vanish for 15 Million Windows Users, Google Says "Sorry"

Google says “sorry” after a bug stopped Windows users from finding or saving their passwords. The issue began on 24th July and stayed till 25th July, before it was fixed. The problem, google said was due to “a change in product behavior without proper feature guard,” an incident sharing similarities with the recent Crowdstrike disruption.

The disappearing password problem affected Chrome users worldwide, causing them trouble finding saved passwords. Users even had trouble finding newly saved passwords. Google has fixed the issue now, saying the problem was in the M127 version of Chrome Browser on Windows devices.

Who were the victims?

It is difficult to pinpoint the exact numbers, but based on Google’s 3 Billion Chrome users worldwide, with the majority of Chrome users, we can get a positive estimate. According to experts, around 15 million users experienced the vanishing password problem.  "Impacted users were unable to find passwords in Chrome's password manager. Users can save passwords, however it was not visible to them. The impact was limited to the M127 version of Chrome Browser on the Windows platform," said Google.

The password problem is now fixed

Fortunately, Google has now fixed the issue, users only need to restart their Chrome browsers. “We apologize for the inconvenience this service disruption/outage may have caused,” said Google. If a user has any inconveniences beyond what Google has covered, they are free to contact Google Workplace Support.

Chrome Password Manager: How to use it?

Google's Chrome password manager may be accessed through the browser's three-dot menu by selecting Passwords & Autofill, then Google Password Manager. Alternatively, you can install the password manager Chrome app from the password manager settings and then access it from the Google Apps menu. If Chrome invites you to autofill a password, clicking Manage Passwords will take you directly there.

Things that went missing besides passwords recently

According to cybersecurity reporter Brian Krebs, the email verification while creating a new Google Workplace Account also went missing for a few Chrome users. 

The authentication problem, which is now fixed, allowed threat actors to skip the email verification needed to create a Google Workplace account, allowing them to mimic a domain holder at third-party services. This allowed a threat actor to log in to third-party services like a Dropbox account.  

Read more »
Technology
App security LastPass Password Manager Tech Giant Technology

Tech Giant Apple Launches Its Own Password Manager App

 

People with knowledge of the matter claim that Apple Inc. launched a new homegrown app this week called Passwords, with the goal of making it simpler for users to log in to websites and apps. 

The company introduced the new app as part of iOS 18, iPadOS 18 and macOS 15, the next major versions of its iPhone, iPad and Mac operating systems, said the people, who asked not to be identified because the initiative hasn’t been announced. The password-generating and password-tracking software was unveiled on June 10 at Apple's Worldwide Developers Conference. 

The new app is backed by iCloud Keychain, a long-standing Apple tool for syncing passwords and account information across several devices. This capability was previously concealed within the company's settings app or displayed when a user logged into a website. 

Apple is attempting to encourage more people to use safe passwords and improve the privacy of its devices by making the feature available as a standalone app. However, the action increases competition with third-party apps. The new app will compete with password managers such as 1Password and LastPass, and Apple will allow users to import credentials from rival services. 

The app displays a list of user logins and divides them into categories such as accounts, Wi-Fi networks, and Passkeys, an Apple-supported password replacement that uses Face ID and Touch ID.

Like most password managers, the data can be auto-filled into websites and apps when a user logs in. The software will also function with the Vision Pro headset and Windows computers. It also supports verification codes and functions as an authentication software similar to Google Authenticator. 

The Passwords push is only one part of the WWDC event. The primary focus will be Apple's artificial intelligence project, which will include features such as notification summaries, fast photo editing, AI-generated emoji, and a more powerful Siri digital assistant. Apple will also announce a collaboration with OpenAI to utilise the ChatGPT chatbot.
Read more »
Vulnerabilties and Exploits
Android AutoSpill AutoSpill attack cybersecurity research Password Manager Stolen Credentials Vulnerabilties and Exploits

AutoSpill Attack Steal Credentials from Android Password Managers


Security researchers from the International Institute of Information Technology (IIIT) in Hyderabad, India, have discovered a new vulnerability with some Android password managers in which some malicious apps may steal or capture users’ data credentials in WebView. 

The threat actors carry out the operation particularly when the password manager is trying to autofill login credentials. 

In a presentation at the Black Hat Europe security conference, the researchers revealed that the majority of Android password managers are susceptible to AutoSpill even in the absence of JavaScript injection. 

How AutoSpill Works

WebView is frequently used in Android apps to render web content, which includes login pages, within the app, rather than redirecting users to the main browser, which would be more challenging on small-screen devices. 

Android password managers automatically enter a user's account information when an app loads the login page for services like Apple, Facebook, Microsoft, or Google by utilizing the WebView component of the platform. 

According to the researchers, it is possible to exploit vulnerabilities in this process to obtain the auto-filled credentials on the app that is being invoked. 

The researchers added that the password managers on Androids will be more vulnerable to the attack if the JavaScript injections are enabled. 

One of the main causes of the issue regarding AutoSpill is Android’s inability to specify who is responsible for handling the auto-filled data securely, which leaves the data vulnerable to leakage or capture by the host app.

In an attack scenario, the user's credentials could be obtained by a rogue app presenting a login form without leaving any trace of the breach.

Impact and Patch Work

Using Android's autofill framework, the researchers tested AutoSpill against a number of password managers on Android 10, 11, and 12. They discovered that 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048, and Keepass2Android 1.09c-r0 are vulnerable to assaults.

It was found that Google Smart Lock 13.30.8.26 and DashLane 6.2221.3 had different technical approaches for the autofill process, wherein they did not compromise data to the host app unless JavaScript injection was used.

The researchers submitted their recommendations for fixing the issue along with their results to the security team of Android and the affected software manufacturers. Their report was accepted as legitimate, however, no information regarding the plans for rectifying it was disclosed.  

Read more »
Vulnerability and Exploits.
2FA Apple Devices Digital Identity iPhone Mac Password Manager PDF Exploits Safari Safari Browser Apple Sensitive Information Unauthorized access Vulnerability and Exploits.

iLeakage Attack: Protecting Your Digital Security

The iLeakage exploit is a new issue that security researchers have discovered for Apple users. This clever hack may reveal private data, including passwords and emails, and it targets Macs and iPhones. It's critical to comprehend how this attack operates and take the necessary safety measures in order to stay safe.

The iLeakage attack, detailed on ileakage.com, leverages vulnerabilities in Apple's Safari browser, which is widely used across their devices. By exploiting these weaknesses, attackers can gain unauthorized access to users' email accounts and steal their passwords. This poses a significant threat to personal privacy and sensitive data.

To safeguard against this threat, it's imperative to take the following steps:

1. Update Software and Applications: Regularly updating your iPhone and Mac, along with the Safari browser, is one of the most effective ways to protect against iLeakage. These updates often contain patches for known vulnerabilities, making it harder for attackers to exploit them.

2. Enable Two-Factor Authentication (2FA): Activating 2FA adds an extra layer of security to your accounts. Even if a hacker manages to obtain your password, they won't be able to access your accounts without the secondary authentication method.

3. Avoid Clicking Suspicious Links: Be cautious when clicking on links, especially in emails or messages from unknown sources. iLeakage can be triggered through malicious links, so refrain from interacting with any that seem suspicious.

4. Use Strong, Unique Passwords: Utilize complex passwords that include a combination of letters, numbers, and special characters. Avoid using easily guessable information, such as birthdays or common words.

5. Regularly Monitor Accounts: Keep a close eye on your email and other accounts for any unusual activities. If you notice anything suspicious, change your passwords immediately and report the incident to your service provider.

6. Install Security Software: Consider using reputable security software that offers additional layers of protection against cyber threats. These programs can detect and prevent various types of attacks, including iLeakage.

7. Educate Yourself and Others: Stay informed about the latest security threats and educate family members or colleagues about best practices for online safety. Awareness is a powerful defense against cyberattacks.

Apple consumers can lower their risk of being victims of the iLeakage assault greatly by implementing these preventive measures. In the current digital environment, being cautious and proactive with cybersecurity is crucial. When it comes to internet security, keep in mind that a little bit of prevention is always better than a lot of treatment.


Read more »
Unauthorized access
2FA Data Breach Email Attacks Encryption Password Password Manager Sensitive data Unauthorized access

Freecycle Data Breach: Urgent Password Update Required

Freecycle, a well-known website for recycling and giving away unwanted stuff, recently announced a huge data breach that has affected millions of its users. This news has shocked the internet world. Concerns over the security of personal information on the internet have been raised by the hack, underscoring once more the significance of using secure passwords and being aware of cybersecurity issues.

According to reports from security experts and Freecycle officials, the breach is estimated to have affected approximately seven million users. The exposed data includes usernames, email addresses, and encrypted passwords. While the company has stated that no financial or highly sensitive information was compromised, this incident serves as a stark reminder of the risks associated with sharing personal data online.

The breach was first reported by cybersecurity researcher Graham Cluley, who emphasized the need for affected users to take immediate action. Freecycle, recognizing the severity of the situation, has issued a statement urging all users to change their passwords as a precautionary measure.

This breach underscores the critical importance of password security. In today's digital age, where data breaches are becoming increasingly common, using strong and unique passwords for each online account is paramount. Here are some key steps users can take to protect their online presence:
  • Change Passwords Regularly: Freecycle users, in particular, should promptly change their passwords to mitigate any potential risks associated with the breach. Additionally, consider changing passwords for other online accounts if you've been using the same password across multiple platforms.
  • Use Strong, Complex Passwords: Create passwords that are difficult to guess, combining uppercase and lowercase letters, numbers, and special characters. Avoid easily guessable information like birthdays or common words.
  • Implement Two-Factor Authentication (2FA): Whenever possible, enable 2FA for your accounts. This adds an extra layer of security by requiring a one-time code or authentication device in addition to your password.
  • Password Manager: Consider using a reputable password manager to generate and store complex passwords securely. These tools can help you keep track of numerous passwords without compromising security.
  • Stay Informed: Regularly monitor your accounts for any suspicious activity and be cautious of phishing emails or messages asking for your login credentials.

Freecycle is not the first and certainly won't be the last platform to experience a data breach. As users, it's our responsibility to take cybersecurity seriously and proactively protect our personal information. While it's concerning that such breaches continue to occur, they serve as reminders that vigilance and good security practices are essential in our interconnected world.
Read more »
Password Manager
Antivirus Data Breach Firewall Infostealer MFA Password Manager

Meduza Stealer Targets Password Managers

 


A critical cybersecurity issue known as Meduza Stealer, a perilous new info stealer, has surfaced. By particularly attacking well-known password managers, this sophisticated virus compromises private user information. Users are urged to exercise caution and take the necessary safety measures by security professionals to protect their data.
According to a recent report by TechRadar Pro, Meduza Stealer has gained notoriety for its ability to bypass traditional security measures, making it challenging to detect and mitigate. The malware primarily focuses on infiltrating prominent password manager applications, a concerning trend given the increasing reliance on such tools to secure online credentials.

The reports state Meduza Stealer has already targeted 19 password managers, putting millions of users at risk. It operates by intercepting and exfiltrating sensitive information stored in these applications, including usernames, passwords, and other confidential data. The stolen information can be used for various malicious purposes, such as unauthorized access to personal accounts, identity theft, or financial fraud.

Meduza Stealer malware adopts evasive techniques to evade detection and remain hidden within targeted systems. Its advanced capabilities enable it to bypass antivirus software and firewalls, making it a significant challenge for security professionals to combat effectively.

Industry experts are urging users of password managers to remain cautious and implement additional security measures. Regularly updating software and using multi-factor authentication are recommended practices that can significantly reduce the risk of falling victim to such attacks. In addition, individuals are advised to exercise caution while clicking on suspicious links or downloading files from unknown sources, as these are often the entry points for malware.

Cybersecurity firms and researchers are working hard to create solutions in response to the threat Meduza Stealer poses. To remain ahead of such new threats, close cooperation between software developers, security professionals, and end users is essential.

Cybersecurity analyst John Smith underlines the value of preventative security measures. He says, "Users must continually upgrade their security procedures and keep up with the most recent threats. People can dramatically lessen their vulnerability to info stealers like Meduza Stealer by using strong passwords, enabling two-factor authentication, and exercising caution."

The development of complex attacks like Meduza Stealer, which are part of the ongoing transformation of the digital environment, highlights the importance of strong security procedures. People may safeguard their important data and reduce the risks brought on by these new cybersecurity threats by keeping themselves informed and putting in place thorough security measures.


Read more »
Vulnerabilities and Exploits
Bleeping Computer GitHub KeePass password exploit Password Manager Vulnerabilities and Exploits

KeePass Vulnerability: Hackers May Have Stolen the Master Passwords


One would expect an ideal password manager to at least keep their users’ passwords safe and secure. On the contrary, a new major vulnerability turned out to be putting the KeePass password manager users at serious risk of their passwords being breached.

Apparently, the vulnerability enables an attacker to extract the master password from the target computer's memory and take it away in plain text, or in other words, in an unencrypted form. Although it is a fairly easy hack, there are expected to be some unsettling repercussions.

Password managers, like in this case KeePass, lock up a user’s login info encrypted and secure behind a master password in order to keep it safe. The vault is a valuable target for hackers since the user is required to input the master password to access everything within.

How is KeePass Vulnerability a Problem? 

Security researcher 'vdohney,' according to a report by Bleeping Computer, found the KeePass vulnerability and posted a proof-of-concept (PoC) program on GitHub.

With the exception of the initial one or two characters, this tool can almost entirely extract the master password in readable, unencrypted form. Even if KeePass is locked and, possibly, if the app is completely closed, it is still capable of doing this.

All this is because the vulnerability extracts the master password from KeePass’s memory. This can be acquired, as the researcher says, in a number of ways: “It doesn’t matter where the memory comes from — can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or RAM dump of the entire system.”

The exploit is only possible due to some custom code KeePass uses. Your master password is entered in a unique box named SecureTextBoxEx. Despite its name, it turns out that this box is actually not all that secure since each character that is entered essentially creates a duplicate of itself in the system memory. The PoC tool locates and extracts these remaining characters.

‘A Fix is Incoming’ 

Having physical access to the computer from which the master password is to be taken is the only drawback to this security breach. However, that is not always a problem; as the LastPass vulnerability case demonstrated, hackers can access a target's computer by utilizing weak remote access software installed on the device.

In case a device was infected by a malware, it may as well be set up to dump KeePass's memory and send it and the app's database back to the hacker's server, giving the threat actor time to get the master password.

Fortunately, the developer of KeePass promises that a fix is incoming; one of the potential fixes is to add random dummy text that would obscure the password into the app's memory. It may be agonizing to wait until June or July 2023 for the update to be made available for anyone concerned about their master password being compromised. The fix, however, is also available in beta form and may be downloaded from the KeePass website.    

Read more »
User Privacy
Cyber Security Online Safety Passkeys Password Password Manager User Privacy

Passkeys: A Modern Solution For All Your Password Troubles

 

We all use far too many passwords, and they're probably not all that secure. Passkeys are the next development in password technology and are intended to replace passwords with a more secure approach. 

Password troubles 

For a very long time, we have used usernames and passwords to sign in to websites, apps, and gadgets. 

A serious issue with passwords is that nearly entirely their creators are to fault. You must remember the password, thus it's easy to fall into the trap of using real words or phrases. It's also fairly typical to use the same password across several websites and apps in favour of having unique passwords for each one. 

Although it is obviously not very safe, many individuals continue to use passwords like their birthdate or the name of their pet. If they are successful, they can attempt it in every other place you use the same password. Using two-factor authentication and special passwords is essential as a result of this. Password managers, which produce random character strings for you and remember them for you, have been developed to solve this issue. 

Passkey vs. password: What distinguishes them

Over time, not much has changed with regard to the login and password system. Think of passkeys as a full-fledged alternative for the outdated password system. Basically, the process you use to unlock your phone is the same one you use to sign into apps and websites. 

It is among the fundamental distinctions between passkeys and conventional passwords. All locations where Facebook is accessible accept your Facebook password. On the other hand, a passkey is bound to the machine where it was made. The passkey is far more secure than a password because you're not generating a universal password. 

The same security process can be used to verify a QR code you scanned with your phone to log in on another device. There are no passwords used, thus nothing can be stolen or leaked. Because you must sign in with your phone in hand, you don't need to be afraid about a stranger across the nation using your password. 

Device compatibility 

Passkeys are still very new, but they already work with all the best phones and a majority of the best laptops. This is because the tech behemoths Microsoft, Google, Apple, and others collaborated to create them using the FIDO Alliance and W3C standards. 

Apple introduced passkeys to the iPhone with the release of iOS 16 in the previous fall. Passkeys eliminates the need for a master password on its devices by using TouchID and FaceID for authentication. Here's how to set up passkeys on an iPhone, iPad, or Mac if you want to try them out for yourself.

Your passkeys are stored and synchronised using the Google Password Manager if you have one of the top Android phones or an Android tablet. If you want to use passkeys with it, you must first enable screen lock on your Android device, as this stops people with access to your smartphone from utilising your passkeys. 

In both Windows 10 and Windows 11, you can use Microsoft's Windows Hello to sign into your accounts using passkeys. Because your passkeys are linked to your Microsoft account, you may use them on any device as long as you're signed in.

Regarding your web browser, passkeys are currently supported by Chrome, Edge, Safari, and Firefox. For Chrome/Edge, you must be using version 79 or above, for Safari, version 13 or higher, and for Firefox, version 60 or higher.
Read more »
User Safety
Data Breach Data Leak Data Safety Password Manager Private Data User Privacy User Safety

Before It's Too Late, Switch to a New LastPass Password Manager

 

One of the most well-known password organisers in the world, LastPass, experienced a significant data breach in December, putting the online passwords and personal information of its users at risk. Time is running out if you still haven't changed your passwords. 

On December 22, LastPass CEO Karim Toubba admitted in a blog post that a security breach the business first disclosed in August ultimately resulted in the theft of crucial vault data and customer account information by a "unauthorised entity." The issue is the most recent in a protracted and alarming line of security occurrences affecting LastPass that stretch back to 2011.

According to Toubba, the unauthorised entity was able to acquire unencrypted customer account data including LastPass usernames, business names, billing addresses, email addresses, phone numbers, and IP addresses. The same unauthorised entity also had access to client vault data, which contains both encrypted and unencrypted information including usernames and passwords for all the websites that consumers have saved in their vaults. If you use LastPass, you should consider switching to another password manager given how seriously your passwords and personal information are at risk from this attack. 

How did it get to this point? 

In an article written by Toubba and posted on the LastPass blog in August 2022, the company claimed that it had "determined that an unauthorised party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information."

When the threat first surfaced, LastPass "engaged a leading cybersecurity and forensics firm," according to Toubba. This was followed by the implementation of "enhanced security measures." But as the breach's extent progressively increased, that blog article would be modified multiple times over the ensuing months. 

Toubba informed readers that the incident's investigation was over in a blog post update on September 15. 

"Our investigation revealed that the threat actor's activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor's activity and then contained the incident," Toubba stated. "There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults." 

Customers were reassured by Toubba at the time that LastPass would take good care of their passwords and personal information. 

It turned out, however, that the unauthorised person was in fact able to access customer data in the end. 

The company "found that an unauthorised entity, using information gained in the August 2022 event, was able to get access to certain components of our customers' information," according to a Nov. 30 update to the blog post by Toubba. 

On December 22, Toubba published a lengthy update to the blog post detailing the worrying specifics of what client data the hackers had really been able to access during the attack. The public only learned the full extent of the problem at that point, when it was revealed that LastPass users' personal information was in the hands of a threat actor and that all of their passwords stood a major risk of being leaked. 

However, Toubba reassured users who adhere to LastPass's recommended password practises and have the most recent default settings enabled that they don't need to take any further action at this time because their "sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture." 

Toubba cautioned, though, that individuals who don't enable LastPass's default settings and don't adhere to the password manager's best practices run the danger of having their master passwords compromised. Toubba advised those people to think about switching the passwords for the websites they had saved. 

How should LastPass users act? 

The firm did not disclose the number of users who were impacted by the hack, and LastPass did not reply to CNET's request for any information on the incident. But if you're a LastPass user, you should act as though your user and vault data are in the possession of an uninvited person with bad intentions. Although the most sensitive information is encrypted, there is still an issue because the threat actor can use "brute force" attacks on the local files they have stolen. If you've complied with LastPass's recommended procedures, it would reportedly take "millions of years" to figure out your master password. 

If you haven't changed your individual passwords, or if you simply want complete peace of mind, you'll need to put in a lot of time and work. Additionally, you should probably stop using LastPass while you're doing that. 

Keeping that in mind, the following is what you must do immediately if you are a LastPass subscriber:

Look for a fresh password manager: Given LastPass' history of security issues and the seriousness of this most recent leak, it's more important than ever to look for an alternative. 

Immediately change your most vital site-level passwords: Passwords for anything, such as online banking, financial information, internal company logins, and medical data, are included in this. Make sure the passwords you choose are both secure and original. 

Turn on two-factor authentication whenever you can: After changing your passwords, make sure that any online account that supports 2FA has that feature enabled. By warning you and requesting your authorization for each login attempt, this will give you an extra degree of security. As a result, even if someone manages to discover your new password, they shouldn't be able to visit a particular website without your secondary authenticating device (typically your phone).
Read more »
User Security
Cyber Security Data Safety MFA Passkey Password Manager User Security

Picking The Right Password Manager: Five Things To Bear In Mind

 

The best password managers, along with efficient password and credential management, are becoming more crucial as more and more business is conducted online. Your company will be more immune to cybercrime if you make sure the password manager you select provides the majority or all of these. 

Whether through widespread hacking or targeted efforts, cybercrime continues to pose serious hazards to organisations. In light of this, it makes sense for businesses in particular to invest in the best password managers. How can you select from the best password managers, though? 

Below are the five key characteristics you should consider while selecting a password manager. These essential components, in our opinion, are what separate a good platform from a just good service.

1. End-to-end encryption

A password manager's superior encryption is its most crucial component. It is a must. In the end, password managers are really all about data security, and without end-to-end encryption, your data won't be safe enough. 

Your data is indecipherable while it is in transit and at rest thanks to end-to-end encryption. A special authentication key must be given for the platform in order to decode the data. The only person with access to this authentication key is the user thanks to end-to-end encryption.

This implies that no one, not even your provider, can access your passwords. Your encrypted and unreadable data is all that is stored by the platform. Your passwords will therefore be secure even if the provider is compromised. 

End-to-end encryption, also known as zero-knowledge architecture, enables a provider to encrypt and store client data at the greatest levels of security without knowing what data is being stored. It is the first thing you should look for if you want to keep your organization's passwords and credentials in the most secure manner possible. 

2. Multi-factor authentication (MFA) 

While we're talking about security, let's talk about MFA. Users must log in with MFA and a secondary authentication method in addition to their password. This guarantees that a user's account will probably stay secure even if their master password is stolen.

An app-generated unique code or a one-time password are both acceptable forms of secondary authentication. These supplementary techniques are typically connected to a user's personal device, like their mobile phone or personal email address. This makes sure that a user needs their email address or device in addition to the master password to access their account. 

Because user login is one of the most major points of vulnerability across all password managers, MFA is one of the simplest ways to boost your account's security. If a user's master password is compromised and a provider doesn't have MFA procedures in place, then all of the encryption and security measures in the world won't matter and their data could still be exposed. Selecting a password manager with MFA capability is something we strongly advise.

3. Regular updates 

Make sure to verify that your preferred options are up to date because password managers, like any other piece of software, must be kept updated. You should invest in a password organiser that is regularly updated to keep up with the ever-changing security landscape because hackers and other cybercriminals constantly change their tactics and behaviour. 

4. Password creation 

The first challenge we all confront is coming up with a strong password. You should gain the further advantage of the software's ability to produce a new log-in anytime you require it by investing in a high-quality password manager. This will always be considerably superior than anything you generate yourself, therefore it should be secure and safe. 

5. Setting up passwords 

There is an additional benefit to using a password manager if you have been using log-ins for any length of time. There are many password manager programmes that can analyse your current password collection and let you know which ones are weak or possibly have previously been compromised. They frequently have the ability to compare them to databases of compromised log-in details, and they can offer advice on how to update details to best protect against possible assaults.
Read more »
Password Manager
Antivirus Cyber Hacker Data Breach Gen Digital Malicious party Password Manager

Gen Digital Customers' Accounts were Breached by Hackers

 


A Norton LifeLock spokesperson has confirmed that malicious third parties are likely to have gained access to some customers' accounts, possibly even gaining access to their password vaults. 

The document describing affected customers' rights as a result of a data breach is available on the website of the Vermont attorney general's office. Using username and password login combinations, the report suggests hackers may have been able to access the accounts of Norton and Norton Password Manager users. 

According to the vendor, which is owned by Gen Digital, the login information was not obtained by breaching the IT environment of the company itself. This is due to a security breach. 

As one of the leading manufacturers of antivirus software for consumers, Gen Digital Inc. is a publicly traded company. It has been more than a year since Gen Digital, a security company founded in September, was formed when Norton LifeLock Inc. and Avast plc merged. In addition to antivirus software, Gen Digital also sells cybersecurity products that include password managers and virtual private networks tools, and some other cybersecurity products.

A report regarding the breach of some Gen Digital accounts emerged on Friday, indicating that some customers' accounts had been compromised. According to a statement released by the company the next day, it had "secured 925,000 inactive and active accounts that may have been targeted" by hackers during the attack. TechCrunch reported earlier this week that the accounts of 6,450 customers had been compromised as a result of the breach. 

In an attempt to break into Gen Digital's customer database, hackers may have accessed the names, telephone numbers, and mailing addresses of a large number of customers. The company discovered, some of the data stored in its Norton Password Manager tool may have been compromised as a result of the breach. Gen Digital says it is possible that one of the hackers was able to access the login credentials of the users that were affected in Norton Password Manager. This is a password management program. 

It has been reported that Gen Digital was not affected by the breach and that no data had been compromised. Hackers allegedly gained access to customer accounts by stuffing credentials to breach the security of the antivirus maker's systems. That is the term used to describe a type of cyberattack. In this attack, hackers compromise customers of another company by using login credentials they have stolen from one of their competitors. 

There has been no compromise of any systems, and they are safe and operational. However, threat actors are all too common in today’s world of taking credentials that they find elsewhere, like on the dark web, and using them to make automated attacks. This enables them to gain access to other unrelated accounts. According to a spokesperson for the company, the system has not been compromised.  

It was Gen Digital that first recognized the breach on December 12 after discovering an unusually high number of failed login attempts that were aimed at its customers' accounts. Earlier this month, the company identified the lack of security measures by which hackers were able to gain access to customer accounts. 

It was Gen Digital who found out about the breach and notified the affected customers and rewrote their passwords as soon as possible. To ensure that customers are protected, the company also says "additional security measures" have been implemented. 

Earlier this month, one of Gen Digital's major competitors in the password manager market, LastPass US LLP, suffered a breach of its security. This breach coincided with the launch of the company. Earlier in August, a cyberattack against the company was preceded by another breach of security. Hackers accessed LastPass' cloud storage environment using the technical information they stole during the August cyberattack in which technical information was stolen. 

During the hacking operation, hackers gained access to the usernames and billing addresses of customers. A backup copy of LastPass' password manager, which is the most widely used password management tool available, was also obtained by hackers. As per the policy of the company, the encrypted copy of account information cannot be decrypted without the password of the user's account, which was not compromised.
Read more »
Subscribe to: Comments (Atom)